From 0c7195cfff6afba712a0fcd768397ef63766838e Mon Sep 17 00:00:00 2001
From: lakrass
Date: Thu, 12 Dec 2024 15:33:30 +0100
Subject: [PATCH] feat: use private tls path, harden perms of generated cert/key
---
 defaults/main.yml | 3 ++-
 tasks/install_hashi_repo.yml | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index dc46b36..e673d52 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -292,7 +292,8 @@ vault_systemd_unit_path: /lib/systemd/system
 validate_certs_during_api_reachable_check: true
 vault_tls_certs_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
-vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
+_vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
+vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms and vault_tls_copy_keys) }}"
 vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}"
 vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(true, true) }}"
diff --git a/tasks/install_hashi_repo.yml b/tasks/install_hashi_repo.yml
index dc55fdd..b0b05ed 100644
--- a/tasks/install_hashi_repo.yml
+++ b/tasks/install_hashi_repo.yml
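Review bot: The inline `if` in the new `vault_tls_private_path` expression has no `else`, so when hardening or key copying is off the `~` concatenation appends a Jinja `Undefined`; whether that renders as an empty string or fails with an undefined-variable error depends on the Jinja/Ansible undefined handling in use, so make it explicit: `vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if (vault_harden_file_perms and vault_tls_copy_keys) else '') }}"`. Nothing in this patch creates the `/private` subdirectory; unless a task elsewhere in the role creates it with a restrictive mode (owner-only, owned by the service account) before the keys are copied, the copy will either fail or the directory will inherit the process umask, which defeats the point of separating the key from the cert. `vault_tls_copy_keys` is referenced here but not defined in the hunk, so I am assuming it exists in the defaults. A one-line comment above `_vault_tls_private_path` noting that the leading underscore marks it as internal and that `VAULT_TLS_DIR` now sets the parent directory rather than the key directory would help operators who override that env var.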
@@ -117,11 +117,23 @@
 path: /etc/vault.d/vault.env
 when: vault_harden_file_perms
-- name: Delete default certs
+- name: Harden perms of default cert/key
+ ansible.builtin.file:
+ path: "/opt/vault/tls/{{ item }}"
+ mode: "0400"
+ with_items:
+ - tls.crt
+ - tls.key
+ when:
+ - vault_harden_file_perms
+ - not vault_tls_disable
+ - not vault_tls_copy_keys
+
+- name: Delete default cert/key
 become: true
 ansible.builtin.file:
 state: absent
- path: /opt/vault/tls/{{ item }}
+ path: "/opt/vault/tls/{{ item }}"
 with_items:
 - tls.crt
 - tls.key
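Review bot: The new `Harden perms of default cert/key` task has no `become: true`, while the `Delete default cert/key` task directly below it does; if the play is not already running as root, changing the mode of the package-installed files under `/opt/vault/tls` will fail for exactly the case (`not vault_tls_copy_keys`) the task is meant to cover. It also sets `mode: "0400"` without `owner`/`group`, so the outcome depends on who the package left as owner of `tls.key`: if that is root, a vault service running unprivileged can no longer read its own key and TLS startup breaks. I would add `become: true` and pin `owner`/`group` to the account the service runs as (the role's vault user/group variables, if it defines them). `tls.crt` is public material and does not need 0400; keeping it world-readable (e.g. `0644`) avoids breaking anything on the host that validates against the cert. The `when:` clause of the delete task lies outside this hunk, so I cannot confirm it is the complement of the new task's conditions.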