feat: use private folder for tls keys and harden perms of generated c…

…ert/key when file perm hardening is enabled
ansible-community · Dec 12, 2024 · 889771c · 889771c
1 parent c643ee7
commit 889771c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -292,7 +292,8 @@ vault_systemd_unit_path: /lib/systemd/system
 validate_certs_during_api_reachable_check: true
 
 vault_tls_certs_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
-vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
+_vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
+vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms and vault_tls_copy_keys) }}"
 vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}"
 
 vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(true, true) }}"

diff --git a/tasks/install_hashi_repo.yml b/tasks/install_hashi_repo.yml
@@ -117,11 +117,23 @@
     path: /etc/vault.d/vault.env
   when: vault_harden_file_perms
 
-- name: Delete default certs
+- name: Harden perms of default cert/key
+  ansible.builtin.file:
+    path: "/opt/vault/tls/{{ item }}"
+    mode: "0400"
+  with_items:
+    - tls.crt
+    - tls.key
+  when:
+    - vault_harden_file_perms
+    - not vault_tls_disable
+    - not vault_tls_copy_keys
+
+- name: Delete default cert/key
   become: true
   ansible.builtin.file:
     state: absent
-    path: /opt/vault/tls/{{ item }}
+    path: "/opt/vault/tls/{{ item }}"
   with_items:
     - tls.crt
     - tls.key