diff --git a/defaults/main.yml b/defaults/main.yml
index 2a5e1ea..fc63d59 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -155,3 +155,11 @@ pki_method: standalone
 pki_handler_ca_changed: "ca cert changed"
 pki_handler_cert_changed: "cert changed"
 pki_handler_cert_installed: "cert installed"
+
+# Default permissions used on pki_setup_host
+# pki_owner: "root"
+# pki_group: "root"
+pki_cert_mode: "0644"
+pki_cert_dir_mode: "0755"
+pki_key_mode: "0600"
+pki_key_dir_mode: "0700"
diff --git a/tasks/main_ca.yml b/tasks/main_ca.yml
index 4651122..f715cd8 100644
--- a/tasks/main_ca.yml
+++ b/tasks/main_ca.yml
@@ -21,8 +21,9 @@
 file:
 state: directory
 path: "{{ item.path }}"
- owner: "{{ item.owner | default(omit) }}"
- mode: "{{ item.mode | default(omit) }}"
+ owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
+ group: "{{ item.group | default(pki_group) | default(omit) }}"
+ mode: "{{ item.mode | default('0755') }}"
 with_items:
 - "{{ pki_ca_dirs }}"
 delegate_to: "{{ pki_setup_host }}"
diff --git a/tasks/main_certs.yml b/tasks/main_certs.yml
index 57fa16a..2dbd56f 100644
--- a/tasks/main_certs.yml
+++ b/tasks/main_certs.yml
@@ -21,8 +21,9 @@
 file:
 state: directory
 path: "{{ item.path }}"
- owner: "{{ item.owner | default(omit) }}"
- mode: "{{ item.mode | default(omit) }}"
+ owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
+ group: "{{ item.group | default(pki_group) | default(omit) }}"
+ mode: "{{ item.mode | default('0755') }}"
 with_items:
 - "{{ pki_cert_dirs }}"
 when: pki_create_certificates | default(true)
diff --git a/tasks/standalone/create_ca.yml b/tasks/standalone/create_ca.yml
index c1620e1..bf47227 100644
--- a/tasks/standalone/create_ca.yml
+++ b/tasks/standalone/create_ca.yml
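Review bot: The commented-out `pki_owner`/`pki_group` entries mean that, out of the box, no owner or group reaches the `file` and `openssl_privatekey` tasks that consume them (every task-side chain in this change ends in `default(omit)`), so in practice new files belong to whatever account the delegated task runs as and pre-existing ownership is left untouched; the header comment only hints at `root` and should say this outright. I would expand it to: `# Default ownership/permissions applied on pki_setup_host. pki_owner/pki_group are unset by default: new files belong to the user the delegated task runs as and existing ownership is left as-is; set both (e.g. "root") to enforce a fixed owner.` `pki_cert_mode` is declared here but not referenced by any hunk in this change; if nothing else in the role consumes it, either wire it into the certificate-install tasks or drop it so operators do not assume it takes effect.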
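Review bot: The directory task's fallback `default('0755')` hard-codes the very value this change introduces as `pki_cert_dir_mode` in defaults/main.yml, so an operator who tightens `pki_cert_dir_mode` still gets 0755 on any `pki_ca_dirs` entry without an explicit `mode`; I would write `mode: "{{ item.mode | default(pki_cert_dir_mode) }}"`. Note also that the removed line used `default(omit)`, which left an existing directory's permissions alone, whereas the new fallback will actively chmod a pre-existing directory listed without a mode (say one an operator had made 0700) to 0755 on every run — worth a comment such as `# directories listed without a mode are forced to pki_cert_dir_mode, not left as-is` and a line in the release note. The enclosing task's `- name:` line starts before this hunk.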
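Review bot: The modes applied here now come from operator-overridable variables (`item.mode` is fed from `pki_key_dir_mode`/`pki_cert_dir_mode` via vars/standalone_cert.yml, and the fallback is the literal `'0755'`), but nothing validates them, so a typo like `pki_key_dir_mode: "0770"` would silently make `certs/private` group-accessible while the play reports success. I would add an `assert` ahead of the directory task that rejects group/other bits on `pki_key_mode` and `pki_key_dir_mode` (the regex below only accepts octal strings; if symbolic modes are meant to be supported the check needs a different form), and change the fallback to `default(pki_cert_dir_mode)` so the defaults file is the single source of truth. The task's `- name:` line and `delegate_to` (if any) are outside this hunk.
```yaml
- name: Ensure private key and key directory modes are owner-only
  assert:
    that:
      - (pki_key_mode | string) is match('^0?[0-7]00$')
      - (pki_key_dir_mode | string) is match('^0?[0-7]00$')
    fail_msg: "pki_key_mode/pki_key_dir_mode must not grant group or other access"
  run_once: true

# … unchanged: the directory task (name, file: state/path/owner/group) …
    mode: "{{ item.mode | default(pki_cert_dir_mode) }}"
# … unchanged: with_items / when …
```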
@@ -24,17 +24,17 @@
 file:
 state: directory
 path: "{{ item.path }}"
- owner: "{{ item.owner | default(omit) }}"
- mode: "{{ item.mode | default(omit) }}"
+ owner: "{{ item.owner | default(pki_owner) | default(omit) }}"
+ group: "{{ item.group | default(pki_group) | default(omit) }}"
+ mode: "{{ item.mode | default('0755') }}"
 with_items:
 - path: "{{ ca_dir }}"
- mode: "0755"
 - path: "{{ ca_dir ~ '/csr' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ ca_dir ~ '/private' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ ca_dir ~ '/certs' }}"
- mode: "0755"
+ mode: "{{ pki_cert_dir_mode }}"
 # NOTE(noonedeadpunk): Incorrect permissions lead to CA certs re-generation as
 # openssl_privatekey gets changed when harmonizing ownership/permissions
@@ -42,9 +42,9 @@
 file:
 state: file
 path: "{{ ca_dir ~ '/private/' ~ ca.name ~ '.key.pem' }}"
- mode: "{{ ca.key_mode | default('0600') }}"
- owner: "{{ ca.key_owner | default('root') }}"
- group: "{{ ca.key_group | default('root') }}"
+ mode: "{{ ca.key_mode | default(pki_key_mode) }}"
+ owner: "{{ ca.key_owner | default(pki_owner) | default(omit) }}"
+ group: "{{ ca.key_group | default(pki_group) | default(omit) }}"
 failed_when: false
 - name: Initialise the serial number for {{ ca.name }}
@@ -59,9 +59,9 @@
 passphrase: "{{ ca.key_passphrase | default(omit) }}"
 cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
 backup: "{{ ca.backup | default(True) }}"
- mode: "{{ ca.key_mode | default('0600') }}"
- owner: "{{ ca.key_owner | default('root') }}"
- group: "{{ ca.key_group | default('root') }}"
+ mode: "{{ ca.key_mode | default(pki_key_mode) }}"
+ owner: "{{ ca.key_owner | default(pki_owner) | default(omit) }}"
+ group: "{{ ca.key_group | default(pki_group) | default(omit) }}"
 register: ca_privkey
 - name: Read the serial number for {{ ca.name }}
diff --git a/vars/standalone_cert.yml b/vars/standalone_cert.yml
index 4fa81b6..42a4d9f 100644
--- a/vars/standalone_cert.yml
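Review bot: The `- path: "{{ ca_dir }}"` entry appears to have lost its explicit mode (reading the collapsed hunk, the `- mode: "0755"` removal right after it has no `+` counterpart), so the CA root now depends on the task's hard-coded `default('0755')` while its `certs` child uses `pki_cert_dir_mode`; an operator who tightens `pki_cert_dir_mode` ends up with a parent directory looser than the child, and a later change to the fallback would silently move the CA root too. I would keep the entry explicit with `mode: "{{ pki_cert_dir_mode }}"`, or make the task fallback `default(pki_cert_dir_mode)` so both paths agree. The task's `- name:` line and the NOTE's target task are outside this hunk.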
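Review bot: This permission-harmonising `file` task used to force the CA key to `root:root` via `default('root')`, and now, with `pki_owner`/`pki_group` shipped commented out in defaults/main.yml, `owner` and `group` fall through to `omit`, so an existing `private/<ca>.key.pem` keeps whatever ownership it already has and only `mode` is enforced — and `failed_when: false` means even that enforcement failing is invisible in the play output. If the root:root baseline is meant to survive, either uncomment the defaults (`pki_owner: "root"`, `pki_group: "root"`) or keep a final literal fallback here, `owner: "{{ ca.key_owner | default(pki_owner) | default('root') }}"` and likewise for `group`; if the relaxation is intentional it belongs in the release note, since a key left owned by a non-root account is exactly what this task existed to correct. The task's `- name:` line starts before this hunk.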
+++ b/vars/standalone_cert.yml
@@ -17,10 +17,10 @@
 _pki_cert_dirs:
 - path: "{{ pki_dir }}"
 - path: "{{ pki_dir ~ '/certs' }}"
- mode: "0755"
+ mode: "{{ pki_cert_dir_mode }}"
 - path: "{{ pki_dir ~ '/certs/csr' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ pki_dir ~ '/certs/private' }}"
- mode: "0700"
+ mode: "{{ pki_key_dir_mode }}"
 - path: "{{ pki_dir ~ '/certs/certs' }}"
- mode: "0755"
+ mode: "{{ pki_cert_dir_mode }}"
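Review bot: `_pki_cert_dirs` gives `certs/csr` the key-directory mode (`pki_key_dir_mode`, 0700 by default) with nothing saying why, so a reader may assume private material lives there or later "correct" it to `pki_cert_dir_mode` and widen a directory this change deliberately keeps closed. A comment above that entry would pin the intent: `# csr/ stays as restrictive as private/ (previously hard-coded 0700)`. The top-level `- path: "{{ pki_dir }}"` entry carries no `mode`, so it is governed by the consuming task's fallback in tasks/main_certs.yml rather than by `pki_cert_dir_mode`; if that is intended, a one-line comment there too would save the next reader a cross-file lookup.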