do not move default key to private path as the folder only is created…

… when it is assumed that the user brings his own cert/key, instead harden file perms
ansible-community · Dec 12, 2024 · 4dfa6d3 · 4dfa6d3
1 parent 2a9d141
commit 4dfa6d3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 9 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -287,7 +287,7 @@ validate_certs_during_api_reachable_check: true
 
 vault_tls_certs_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
 _vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
-vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms) }}"
+vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms and vault_tls_copy_keys) }}"
 vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}"
 
 vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(1, true) }}"

diff --git a/tasks/install_hashi_repo.yml b/tasks/install_hashi_repo.yml
@@ -117,21 +117,23 @@
     path: /etc/vault.d/vault.env
   when: vault_harden_file_perms
 
-- name: Move generated cert to private path
-  become: true
-  ansible.builtin.command:
-    cmd: mv /opt/vault/tls/tls.key /opt/vault/tls/private/tls.key
-    creates: /opt/vault/tls/private/tls.key
-    removes: /opt/vault/tls/tls.key
+- name: Harden perms of default cert/key
+  ansible.builtin.file:
+    path: "/opt/vault/tls/{{ item }}"
+    mode: "0400"
+  with_items:
+    - tls.crt
+    - tls.key
   when:
+    - vault_harden_file_perms
     - not vault_tls_disable
     - not vault_tls_copy_keys
 
-- name: Delete default certs
+- name: Delete default cert/key
   become: true
   ansible.builtin.file:
     state: absent
-    path: /opt/vault/tls/{{ item }}
+    path: "/opt/vault/tls/{{ item }}"
   with_items:
     - tls.crt
     - tls.key