From 79cdef90e78237a4b197905304506c5ed15fd232 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Tue, 7 Sep 2021 02:27:06 +0200
Subject: signed_certificate: check for file permissions

---
 roles/signed_certificate/defaults/main.yml |  2 +-
 roles/signed_certificate/tasks/main.yml    | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

(limited to 'roles/signed_certificate')

diff --git a/roles/signed_certificate/defaults/main.yml b/roles/signed_certificate/defaults/main.yml
index c46ef37..d0ee48e 100644
--- a/roles/signed_certificate/defaults/main.yml
+++ b/roles/signed_certificate/defaults/main.yml
@@ -4,7 +4,7 @@ key_path: '/etc/ssl/private/'
 cert_path: '/etc/ssl/certs/'
 alt_name: '{{ "DNS:" + ansible_facts.fqdn }}'
 owner: root
-group: root
+group: ssl-cert
 
 signed_certificate:
   issuer_cn: ''
diff --git a/roles/signed_certificate/tasks/main.yml b/roles/signed_certificate/tasks/main.yml
index 3e1a7b2..d5491ac 100644
--- a/roles/signed_certificate/tasks/main.yml
+++ b/roles/signed_certificate/tasks/main.yml
@@ -21,9 +21,20 @@
     path: '{{ key_path }}/{{ cert_name }}.key'
     owner: '{{ owner }}'
     group: '{{ group }}'
+    mode: '640'
   become: yes
   when: key_check.failed
 
+- name: Check file permissions for Key
+  file:
+    path: '{{ key_path }}/{{ cert_name }}.key'
+    state: file
+    owner: '{{ owner }}'
+    group: '{{ group }}'
+    mode: '640'
+  become: yes
+  when: not key_check.failed
+
 - name: Read existing Certificate
   community.crypto.x509_certificate_info:
     path: '{{ cert_path }}/{{ cert_name }}.pem'
-- 
cgit v1.2.3
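Review bot: Switching the default `group` from `root` to `ssl-cert` widens who can read every private key this role manages (the tasks file now sets the key to group-readable), and the group itself is a Debian/Ubuntu convention created by the `ssl-cert` package; the role does not visibly ensure it exists, so on hosts without it the `file`/key-generation tasks will fail with an unknown-group error unless something outside this diff creates it. This is a deliberate trust decision and deserves a comment next to the default, e.g. `# Debian/Ubuntu 'ssl-cert' group: every member can read the private keys managed by this role` on the line above `group: ssl-cert`. If the role is meant to be portable, also consider a `group:` task (`ansible.builtin.group: name: '{{ group }}'`) or documenting that the group must pre-exist.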
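Review bot: The mode `'640'` is hard-coded twice (in the generation task and in the new "Check file permissions for Key" task) while owner and group are already role variables; if the generation module previously left the key at its own default (commonly `0600` for `openssl_privatekey`, but not visible here), this change loosens the key to group-readable for every user of the role with no way to opt out. Make it a variable alongside `owner`/`group`: `mode: '{{ key_mode }}'` in both tasks, with `key_mode: '0640'` added to defaults/main.yml, so hosts that do not need group access can keep `'0600'`. The task name also understates what it does — `file:` with `state: file` and `owner`/`group`/`mode` enforces and corrects permissions rather than merely checking them — so `- name: Enforce ownership and permissions on existing private key` (or a short comment) would be clearer to the next reader. The first three context lines belong to a task whose `name:` and module start above this hunk, and `key_check` is registered outside it, so the pairing of `when: key_check.failed` / `when: not key_check.failed` looks mutually exclusive but that depends on how `key_check` is produced.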