added config checks/validations

This commit is contained in:
AnsibleGuy 2023-02-12 21:45:42 +01:00
parent 635ed0c5b0
commit 3de0fee286
7 changed files with 58 additions and 4 deletions


@ -0,0 +1,12 @@
---
CERT_HC:
letsencrypt:
options:
service: ['apache', 'nginx']
verbosity: ['v', 'vv', 'vvv', 'vvvv']
options:
key_size:
ca: [1024, '1024', 2048, '2048', 4096, '4096', 8192, '8192']
cert: [1024, '1024', 2048, '2048', 4096, '4096']
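Review bot: The allowed sizes on the `ca:` and `cert:` lines include 1024, which is below the current RSA minimum: Let's Encrypt refuses RSA keys shorter than 2048 bits, so the certbot check that consumes `CERT_HC.options.key_size.cert` would pass a configuration the CA then rejects, and a 1024-bit internal CA or certificate key (the Minimal CA and Cert "Checking config" asserts in this commit) has been deprecated for years. I'd drop it from both lists: `ca: [2048, '2048', 4096, '4096', 8192, '8192']` and `cert: [2048, '2048', 4096, '4096']`. The int/string duplication works but is fragile if a size ever arrives from a template with stray whitespace; normalising at the assert instead, `le_cert.key_size | int in CERT_HC.options.key_size.cert`, would let the lists hold plain integers. The file's indentation is lost in this rendering, so the nesting is inferred.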


@ -63,6 +63,7 @@ defaults_certs:
certs: {} # see 'default_le_certbot_cert' below certs: {} # see 'default_le_certbot_cert' below
renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
email: email:
key_size:
ca: ca:
path: path:
@ -100,3 +101,4 @@ default_le_certbot_cert:
# example2: # example2:
# domains: ['example2.ansibleguy.net'] # domains: ['example2.ansibleguy.net']
# email: 'dummy@ansibleguy.net' # email: 'dummy@ansibleguy.net'
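Review bot: The new `key_size:` under `defaults_certs` is a bare value, which YAML reads as null; once the Checking-config asserts require `key_size in CERT_HC.options.key_size.*`, any cert or CA that inherits this default without overriding it fails the assert on a `None` value (assuming these defaults are merged into `le_cert`/`config_ca`/`config_cert`, which happens outside this hunk). An explicit default such as `key_size: 4096`, a value present in both allowed lists, would keep the checks satisfiable out of the box; otherwise mark the key as mandatory, e.g. `key_size:  # required; one of CERT_HC.options.key_size.*`. The enclosing `defaults_certs` mapping starts outside the hunk, and the second hunk's added line is not visible in this rendering.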


@ -13,6 +13,7 @@ class FilterModule(object):
"check_email": self.check_email, "check_email": self.check_email,
"le_domains_changed": self.le_domains_changed, "le_domains_changed": self.le_domains_changed,
"ensure_list": self.ensure_list, "ensure_list": self.ensure_list,
"validate_email": self.validate_email,
} }
@staticmethod @staticmethod
@ -20,7 +21,7 @@ class FilterModule(object):
return regex_replace(r'[^0-9a-zA-Z\.]+', '', key.replace(' ', '_')) return regex_replace(r'[^0-9a-zA-Z\.]+', '', key.replace(' ', '_'))
@staticmethod @staticmethod
def valid_hostname(name: str) -> bool: def _valid_domain(name: str) -> bool:
# see: https://validators.readthedocs.io/en/latest/_modules/validators/domain.html # see: https://validators.readthedocs.io/en/latest/_modules/validators/domain.html
domain = regex_compile( domain = regex_compile(
r'^(([a-zA-Z]{1})|([a-zA-Z]{1}[a-zA-Z]{1})|' r'^(([a-zA-Z]{1})|([a-zA-Z]{1}[a-zA-Z]{1})|'
@ -28,11 +29,14 @@ class FilterModule(object):
r'([a-zA-Z0-9][-_.a-zA-Z0-9]{0,61}[a-zA-Z0-9]))\.' r'([a-zA-Z0-9][-_.a-zA-Z0-9]{0,61}[a-zA-Z0-9]))\.'
r'([a-zA-Z]{2,13}|[a-zA-Z0-9-]{2,30}.[a-zA-Z]{2,3})$' r'([a-zA-Z]{2,13}|[a-zA-Z0-9-]{2,30}.[a-zA-Z]{2,3})$'
) )
valid_domain = domain.match(name) is not None return domain.match(name) is not None
@classmethod
def valid_hostname(cls, name: str) -> bool:
# see: https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names # see: https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names
expr_hostname = r'^[a-zA-Z0-9-\.]{1,253}$' expr_hostname = r'^[a-zA-Z0-9-\.]{1,253}$'
valid_hostname = regex_match(expr_hostname, name) is not None valid_hostname = regex_match(expr_hostname, name) is not None
return all([valid_domain, valid_hostname]) return all([cls._valid_domain(name), valid_hostname])
@staticmethod @staticmethod
def valid_ip(ip: str) -> bool: def valid_ip(ip: str) -> bool:
@ -52,6 +56,20 @@ class FilterModule(object):
return True return True
@classmethod
def validate_email(cls, email: str) -> bool:
# ToDo: further checks like https://validators.readthedocs.io/en/latest/_modules/validators/email.html#email
if email.find('@') == -1:
return False
full_len = len(email)
sub_len = len(email.replace('@', ''))
if full_len != (sub_len + 1):
return False
return cls._valid_domain(email.split('@', 1)[1])
@staticmethod @staticmethod
def le_domains_changed(running_config: str, cert_key: str, config_domains: list) -> bool: def le_domains_changed(running_config: str, cert_key: str, config_domains: list) -> bool:
changed = False changed = False
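Review bot: `validate_email` accepts an address with an empty local part: `'@example.com'` passes the `find('@') == -1` test (the index is 0), has exactly one `@`, and its domain is valid, so the filter returns True. The local part should be required, and `str.partition` removes the need for the `find`/`replace` length arithmetic. A one-line docstring stating the contract (non-empty local part, exactly one `@`, domain accepted by `_valid_domain`) would also help now that the filter is exposed to playbooks by name. The enclosing `FilterModule` class and the `_valid_domain` regex start outside this hunk; `_valid_domain` is unchanged apart from the rename.
```python
    @classmethod
    def validate_email(cls, email: str) -> bool:
        """True if email has a non-empty local part, exactly one '@' and a domain accepted by _valid_domain."""
        # ToDo: further checks like https://validators.readthedocs.io/en/latest/_modules/validators/email.html#email
        local, sep, domain = email.partition('@')
        if not sep or not local or '@' in domain:
            return False
        return cls._valid_domain(domain)
```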


@ -7,6 +7,16 @@
- debug is defined - debug is defined
- debug - debug
# ToDo: path validation
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Checking config"
ansible.builtin.assert:
that:
- CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
- CERT_CONFIG.letsencrypt.verbosity in CERT_HC.letsencrypt.options.verbosity
- le_cert.key_size in CERT_HC.options.key_size.cert
- le_cert.domains | length > 0
- le_cert.email | validate_email or CERT_CONFIG.cert.email | validate_email
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory" - name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
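Review bot: The last `that:` item pipes `le_cert.email` into `validate_email` with no null guard, so a cert whose email is unset (the defaults file leaves `email:` bare, i.e. null) makes the filter raise on `None.find` instead of failing the assert cleanly; the Minimal CA and Cert checks in this commit use `is none or`, and this one needs the same treatment. It also reads the fallback from `CERT_CONFIG.cert.email`, whereas the certbot main.yml assert uses `CERT_CONFIG.letsencrypt.email`, which looks like a typo unless a `cert` section exists. I'd write `- le_cert.email | default('', true) | validate_email or CERT_CONFIG.letsencrypt.email | default('', true) | validate_email` (the empty string is rejected by the filter). All three new assert tasks (here, Minimal CA and Cert) would also benefit from a `fail_msg` naming the offending key, since a failure otherwise prints only the raw expression. The task list continues outside the hunk.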


@ -6,7 +6,7 @@
- CERT_CONFIG.letsencrypt.certs | length > 0 - CERT_CONFIG.letsencrypt.certs | length > 0
- CERT_CONFIG.letsencrypt.service | default(false, true) - CERT_CONFIG.letsencrypt.service | default(false, true)
- CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email - CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
- "CERT_CONFIG.letsencrypt.service in ['apache', 'nginx']" - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2 - name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
ansible.builtin.import_tasks: apache.yml ansible.builtin.import_tasks: apache.yml


@ -2,6 +2,12 @@
# creating a minimal ca # creating a minimal ca
- name: Certificates | Internal | Minimal CA | Checking config
ansible.builtin.assert:
that:
- config_ca.ca.key_size in CERT_HC.options.key_size.ca
- config_ca.ca.email is none or config_ca.ca.email | validate_email
- name: Certificates | Internal | Minimal CA | Creating ca directory - name: Certificates | Internal | Minimal CA | Creating ca directory
ansible.builtin.file: ansible.builtin.file:
path: "{{ config_ca.ca.path | default(config_ca.path, true) }}" path: "{{ config_ca.ca.path | default(config_ca.path, true) }}"


@ -1,5 +1,11 @@
--- ---
- name: Certificates | Internal | Cert | Checking config
ansible.builtin.assert:
that:
- config_cert.cert.key_size in CERT_HC.options.key_size.cert
- config_cert.cert.email is none or config_cert.cert.email | validate_email
- name: Certificates | Internal | Cert | Generate private key (encrypted) - name: Certificates | Internal | Cert | Generate private key (encrypted)
community.crypto.openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ config_cert.path }}/{{ name | default(config_cert.cert.name) }}.{{ config_cert.extension_key }}" path: "{{ config_cert.path }}/{{ name | default(config_cert.cert.name) }}.{{ config_cert.extension_key }}"