authorGravatar Jonas Gunz <himself@jonasgunz.de> 2021-09-07 02:27:06 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2021-09-07 02:27:06 +0200
commit79cdef90e78237a4b197905304506c5ed15fd232 (patch)
treeeb08c0fe79e9a6cc39d4593a0cea3e27fb6d55fe
parent2ccf20e70715acd02f86415a61341476ef2c2f14 (diff)
downloadansible_collection-79cdef90e78237a4b197905304506c5ed15fd232.tar.gz
signed_certificate: check for file permissions
-rw-r--r--galaxy.yml2
-rw-r--r--roles/signed_certificate/defaults/main.yml2
-rw-r--r--roles/signed_certificate/tasks/main.yml11
3 files changed, 13 insertions, 2 deletions
diff --git a/galaxy.yml b/galaxy.yml
index 4eb14e6..bc8d4e9 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
namespace: kompetenzbolzen
name: stuff
-version: 0.0.2
+version: 0.0.3
readme: README.md
authors:
- Jonas Gunz <himself@jonasgunz.de>
diff --git a/roles/signed_certificate/defaults/main.yml b/roles/signed_certificate/defaults/main.yml
index c46ef37..d0ee48e 100644
--- a/roles/signed_certificate/defaults/main.yml
+++ b/roles/signed_certificate/defaults/main.yml
@@ -4,7 +4,7 @@ key_path: '/etc/ssl/private/'
cert_path: '/etc/ssl/certs/'
alt_name: '{{ "DNS:" + ansible_facts.fqdn }}'
owner: root
-group: root
+group: ssl-cert
signed_certificate:
issuer_cn: ''
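Review bot: The new default `group: ssl-cert` assumes that group already exists on the target, and nothing in this hunk creates it; Ansible's `file` module fails when asked to set an unknown group. The group normally comes from Debian's ssl-cert package, so hosts on other distributions or minimal images may not have it. Since the key becomes group-readable with mode 640, the default also widens who can read the private key to every member of that group. I would document both facts next to the default, e.g. `# requires group ssl-cert (Debian: package ssl-cert); its members can read the private key`, or add a task that ensures the group exists, unless one already does outside the lines shown.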
diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml
index 3e1a7b2..d5491ac 100644
--- a/roles/signed_certificate/tasks/main.yml
+++ b/roles/signed_certificate/tasks/main.yml
@@ -21,9 +21,20 @@
path: '{{ key_path }}/{{ cert_name }}.key'
owner: '{{ owner }}'
group: '{{ group }}'
+ mode: '640'
become: yes
when: key_check.failed
+- name: Check file permissions for Key
+ file:
+ path: '{{ key_path }}/{{ cert_name }}.key'
+ state: file
+ owner: '{{ owner }}'
+ group: '{{ group }}'
+ mode: '640'
+ become: yes
+ when: not key_check.failed
+
- name: Read existing Certificate
community.crypto.x509_certificate_info:
path: '{{ cert_path }}/{{ cert_name }}.pem'
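Review bot: Ownership and mode of the key are now enforced by two near-identical `file` tasks with complementary conditions, `when: key_check.failed` and `when: not key_check.failed`, so a later change to owner, group or mode has to be made in both places or the two paths drift apart. A single unconditional task placed after key generation, carrying `state: file` and `mode: '0640'` with no `when:`, would cover both the freshly created and the pre-existing key. The first task starts above the hunk, so any other difference between the two is not visible here. If the task that writes the key (also not visible) sets no mode itself, the key exists briefly with default permissions before this task tightens them; setting the mode where the key is created would close that window.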