From 33890cacb183b69bf0032fd3dbd41b9c20cab4b1 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 12 Sep 2023 00:41:07 +0200 Subject: x509/certificates: generic config handling --- chaos-at-home/ch-http-proxy.yml | 32 +++++++++++----------- dan/sk-testvm.yml | 10 +++---- roles/nginx/vhost/defaults/main.yml | 4 +++ roles/nginx/vhost/tasks/main.yml | 2 ++ .../x509/acmetool/cert/finalize/defaults/main.yml | 2 ++ roles/x509/ownca/cert/prepare/defaults/main.yml | 4 +++ roles/x509/ownca/cert/prepare/tasks/main.yml | 4 +-- .../x509/selfsigned/cert/prepare/defaults/main.yml | 4 +++ roles/x509/selfsigned/cert/prepare/tasks/main.yml | 4 +-- roles/x509/static/cert/prepare/defaults/main.yml | 1 + roles/x509/uacme/cert/prepare/defaults/main.yml | 1 + 11 files changed, 42 insertions(+), 26 deletions(-) diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml index 24fd6f92..cab4e450 100644 --- a/chaos-at-home/ch-http-proxy.yml +++ b/chaos-at-home/ch-http-proxy.yml @@ -49,16 +49,16 @@ template: generic tls: certificate_provider: acmetool + certificate_config: + request: + challenge: + http-self-test: false hostnames: - web.chaos-at-home.org locations: '/': root: /var/www/default index: index.html - acmetool_cert_config: - request: - challenge: - http-self-test: false include_role: name: nginx/vhost @@ -115,6 +115,10 @@ template: generic tls: certificate_provider: acmetool + certificate_config: + request: + challenge: + http-self-test: false hostnames: - passwd.chaos-at-home.org locations: @@ -123,10 +127,6 @@ proxy_ssl: verify: "on" trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem - acmetool_cert_config: - request: - challenge: - http-self-test: false include_role: name: nginx/vhost @@ -183,6 +183,10 @@ template: generic tls: certificate_provider: acmetool + certificate_config: + request: + challenge: + http-self-test: false hostnames: - webmail.chaos-at-home.org locations: 
@@ -195,10 +199,6 @@ ciphers: "DEFAULT@SECLEVEL=0" extra_directives: |- client_max_body_size 200M; - acmetool_cert_config: - request: - challenge: - http-self-test: false include_role: name: nginx/vhost @@ -209,6 +209,10 @@ template: generic tls: certificate_provider: acmetool + certificate_config: + request: + challenge: + http-self-test: false hostnames: - webdav.chaos-at-home.org locations: @@ -219,10 +223,6 @@ trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem protocols: TLSv1 ciphers: "DEFAULT@SECLEVEL=0" - acmetool_cert_config: - request: - challenge: - http-self-test: false include_role: name: nginx/vhost diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml index a004f9b5..33d237cd 100644 --- a/dan/sk-testvm.yml +++ b/dan/sk-testvm.yml @@ -30,6 +30,7 @@ template: generic tls: certificate_provider: "{{ cert_provider }}" + certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__default', default={}) }}" hsts: no hostnames: - testvm.elev8.at @@ -37,15 +38,13 @@ '/': root: /var/www/default index: index.html - static_cert_config: "{{ static_cert_config__default }}" - selfsigned_cert_config: "{{ selfsigned_cert_config__default }}" - ownca_cert_config: "{{ ownca_cert_config__default }}" - role: nginx/vhost nginx_vhost: name: test template: generic tls: certificate_provider: "{{ cert_provider }}" + certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}" hsts: no hostnames: - test.spreadspace.org @@ -56,9 +55,6 @@ '/': root: /var/www/test index: index.html - static_cert_config: "{{ static_cert_config__test }}" - selfsigned_cert_config: "{{ selfsigned_cert_config__test }}" - ownca_cert_config: "{{ ownca_cert_config__test }}" # - role: apps/mumble # mumble_version: v1.4.274-4 # mumble_instance: spreadspace 
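Review bot: The `default={}` in `certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__default', default={}) }}"` turns a missing per-provider config into a silently empty one, whereas the removed `static_cert_config: "{{ static_cert_config__default }}"` style lines failed fast on an undefined variable. If `cert_provider` is mistyped or no `<provider>_cert_config__default` variable exists, the x509 role now runs with `{}`; for ownca/selfsigned that presumably still issues a certificate with only the role's built-in defaults, which is a quieter failure than before. If an empty config is not meant to be valid for every provider, drop the fallback so the lookup errors out: `certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__default') }}"`. The same applies to the `__test` lookup in the following hunk.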
@@ -75,6 +71,7 @@ # rememberchannel: true # mumble_tls: # certificate_provider: "{{ cert_provider }}" + # certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}" # - role: apps/coturn # coturn_version: 4.6.2-r4 # coturn_realm: spreadspace @@ -86,6 +83,7 @@ # coturn_auth_secret: "somewhat-secret" # coturn_tls: # certificate_provider: "{{ cert_provider }}" + # certificate_config: "{{ lookup('vars', cert_provider+'_cert_config__test', default={}) }}" post_tasks: - name: make sure document root directories exist loop: diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml index 0eb67b42..834e1e10 100644 --- a/roles/nginx/vhost/defaults/main.yml +++ b/roles/nginx/vhost/defaults/main.yml @@ -34,6 +34,10 @@ # variant: legacy # hsts: false # certificate_provider: acmetool +# certificate_config: +# request: +# challenge: +# http-self-test: false # hostnames: # - static.example.com # extra_directives: |- diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml index 2c1f0f29..5468bcc6 100644 --- a/roles/nginx/vhost/tasks/main.yml +++ b/roles/nginx/vhost/tasks/main.yml @@ -4,6 +4,7 @@ vars: x509_certificate_name: "{{ nginx_vhost.name }}" x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" + x509_certificate_config: "{{ nginx_vhost.tls.certificate_config | default({}) }}" x509_certificate_reload_services: - nginx include_role: @@ -43,6 +44,7 @@ vars: x509_certificate_name: "{{ nginx_vhost.name }}" x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" + x509_certificate_config: "{{ nginx_vhost.tls.certificate_config | default({}) }}" x509_certificate_reload_services: - nginx include_role: diff --git a/roles/x509/acmetool/cert/finalize/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml index b9a80136..06c8e04a 100644 --- a/roles/x509/acmetool/cert/finalize/defaults/main.yml +++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml 
@@ -3,3 +3,5 @@ acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}" acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}" acmetool_reconcile_disabled: false + +acmetool_cert_config: "{{ x509_certificate_config }}" diff --git a/roles/x509/ownca/cert/prepare/defaults/main.yml b/roles/x509/ownca/cert/prepare/defaults/main.yml index 4953db74..89dced63 100644 --- a/roles/x509/ownca/cert/prepare/defaults/main.yml +++ b/roles/x509/ownca/cert/prepare/defaults/main.yml @@ -4,6 +4,7 @@ ownca_cert_name: "{{ x509_certificate_name | default(ownca_cert_hostnames[0]) }} ownca_cert_base_dir: "/etc/ssl" +ownca_cert_config: "{{ x509_certificate_config }}" # ownca_cert_config: # path: "{{ ownca_cert_base_dir }}/{{ ownca_cert_name }}" # mode: "0750" @@ -28,6 +29,9 @@ ownca_cert_base_dir: "/etc/ssl" # mode: "0644" # owner: root # group: www-data +# common_name: foo +# san_extra: +# - "IP:192.0.2.1" # country_name: "AT" # locality_name: "Graz" # organization_name: "spreadspace" diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml index a2d14ed6..6eb3525f 100644 --- a/roles/x509/ownca/cert/prepare/tasks/main.yml +++ b/roles/x509/ownca/cert/prepare/tasks/main.yml 
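Review bot: `acmetool_cert_config: "{{ x509_certificate_config }}"` has no fallback, so any consumer of the x509 roles that does not set `x509_certificate_config` now fails with an undefined variable instead of running with provider defaults; in this commit only nginx/vhost is updated to pass `| default({})`, and the mumble/coturn examples in sk-testvm.yml are still commented out. Either make the role default tolerant, `acmetool_cert_config: "{{ x509_certificate_config | default({}) }}"`, and do the same for the ownca/selfsigned/static/uacme `*_cert_config` lines added below, or state in each defaults file that `x509_certificate_config` is a required input of the x509 provider roles. Whether an empty dict is acceptable to acmetool's finalize tasks is not visible from this hunk; if it is not, `x509_certificate_config | mandatory('x509_certificate_config must be set')` gives a clearer failure than a bare undefined-variable error.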
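Review bot: The new `san_extra` example in the commented reference config does not say what the role does with these entries; from the matching change in roles/x509/ownca/cert/prepare/tasks/main.yml they are merged via `union` into the CSR's `subject_alt_name` unchanged, so they must already be in `TYPE:value` form and are never checked against `ownca_cert_hostnames`. Because this certificate is signed by the own CA, every entry listed here becomes a CA-signed name that the hostnames list never mentioned, which is worth saying next to the example, e.g. `# san_extra: additional SAN entries in TYPE:value form (DNS:, IP:, email:, URI:), passed to the CSR as-is and signed by the CA without validation against ownca_cert_hostnames`. Likewise `common_name: foo` deserves a note that the CN is not copied into the SAN (the tasks set `use_common_name_for_san: no`), so a name clients must match belongs in hostnames or san_extra, not only here.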
@@ -31,8 +31,8 @@ privatekey_path: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-key.pem" create_subject_key_identifier: "{{ ownca_cert_config.cert.create_subject_key_identifier | default(omit) }}" digest: "{{ ownca_cert_config.cert.digest | default(omit) }}" - common_name: "{{ ownca_cert_name }}" - subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | list }}" + common_name: "{{ ownca_cert_config.cert.common_name | default(ownca_cert_name) }}" + subject_alt_name: "{{ ['DNS:'] | product(ownca_cert_hostnames) | map('join') | union(ownca_cert_config.cert.san_extra | default([])) | list }}" subject_alt_name_critical: yes use_common_name_for_san: no country_name: "{{ ownca_cert_config.cert.country_name | default(omit) }}" diff --git a/roles/x509/selfsigned/cert/prepare/defaults/main.yml b/roles/x509/selfsigned/cert/prepare/defaults/main.yml index 53dc3b06..e45343e5 100644 --- a/roles/x509/selfsigned/cert/prepare/defaults/main.yml +++ b/roles/x509/selfsigned/cert/prepare/defaults/main.yml @@ -4,6 +4,7 @@ selfsigned_cert_name: "{{ x509_certificate_name | default(selfsigned_cert_hostna selfsigned_cert_base_dir: "/etc/ssl" +selfsigned_cert_config: "{{ x509_certificate_config }}" # selfsigned_cert_config: # path: "{{ selfsigned_cert_base_dir }}/{{ selfsigned_cert_name }}" # mode: "0750" @@ -19,6 +20,9 @@ selfsigned_cert_base_dir: "/etc/ssl" # mode: "0644" # owner: root # group: www-data +# common_name: foo +# san_extra: +# - "IP:192.0.2.1" # country_name: "AT" # locality_name: "Graz" # organization_name: "spreadspace" diff --git a/roles/x509/selfsigned/cert/prepare/tasks/main.yml b/roles/x509/selfsigned/cert/prepare/tasks/main.yml index e7a47742..72999807 100644 --- a/roles/x509/selfsigned/cert/prepare/tasks/main.yml +++ b/roles/x509/selfsigned/cert/prepare/tasks/main.yml 
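Review bot: `san_extra` entries are merged into a CA-signed SAN list without any validation on the `subject_alt_name:` line, so whatever an inventory or play var puts there is signed by the own CA regardless of `ownca_cert_hostnames`, and a missing `DNS:`/`IP:` prefix or an unintended type is caught, if at all, only by the crypto module when it parses the CSR. Since this is the one place where a config value can widen what the internal CA certifies, I would fail early with a clear message and an explicit allow-list of SAN types (adjust the pattern to the types this deployment actually needs; the module may accept more, e.g. `RID:` or `otherName:`). The CSR task this hunk modifies starts above the hunk, so the check would go before it.

```yaml
- name: validate extra SAN entries
  assert:
    that:
      - ownca_cert_config.cert.san_extra | default([]) | reject('match', '^(DNS|IP|email|URI):') | list | length == 0
    fail_msg: "ownca_cert_config.cert.san_extra entries must be TYPE:value (DNS:, IP:, email: or URI:)"

# … unchanged: CSR task with the new common_name / subject_alt_name lines …
```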
@@ -31,8 +31,8 @@ privatekey_path: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-key.pem" create_subject_key_identifier: "{{ selfsigned_cert_config.cert.create_subject_key_identifier | default(omit) }}" digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}" - common_name: "{{ selfsigned_cert_name }}" - subject_alt_name: "{{ ['DNS:'] | product(selfsigned_cert_hostnames) | map('join') | list }}" + common_name: "{{ selfsigned_cert_config.cert.common_name | default(selfsigned_cert_name) }}" + subject_alt_name: "{{ ['DNS:'] | product(selfsigned_cert_hostnames) | map('join') | union(selfsigned_cert_config.cert.san_extra | default([])) | list }}" subject_alt_name_critical: yes use_common_name_for_san: no country_name: "{{ selfsigned_cert_config.cert.country_name | default(omit) }}" diff --git a/roles/x509/static/cert/prepare/defaults/main.yml b/roles/x509/static/cert/prepare/defaults/main.yml index d632a5de..b9a2f88f 100644 --- a/roles/x509/static/cert/prepare/defaults/main.yml +++ b/roles/x509/static/cert/prepare/defaults/main.yml @@ -4,6 +4,7 @@ static_cert_name: "{{ x509_certificate_name | default(static_cert_hostnames[0]) static_cert_base_dir: "/etc/ssl" +static_cert_config: "{{ x509_certificate_config }}" # static_cert_config: # path: "{{ static_cert_base_dir }}/{{ static_cert_name }}" # mode: "0750" diff --git a/roles/x509/uacme/cert/prepare/defaults/main.yml b/roles/x509/uacme/cert/prepare/defaults/main.yml index b15c1e44..60b59649 100644 --- a/roles/x509/uacme/cert/prepare/defaults/main.yml +++ b/roles/x509/uacme/cert/prepare/defaults/main.yml @@ -2,6 +2,7 @@ uacme_cert_hostnames: "{{ x509_certificate_hostnames }}" uacme_cert_name: "{{ x509_certificate_name | default(uacme_cert_hostnames[0]) }}" +uacme_cert_config: "{{ x509_certificate_config }}" # uacme_cert_config: # key: # mode: "0640" -- cgit v1.2.3
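Review bot: The new override on `common_name: "{{ selfsigned_cert_config.cert.common_name | default(selfsigned_cert_name) }}"` is never reflected in the SAN, because `use_common_name_for_san: no` two lines below keeps the CN out of `subject_alt_name`; a CN that is not also in `selfsigned_cert_hostnames` or `san_extra` will therefore not be accepted by clients that match names only against the SAN extension, which is what current browsers and most TLS stacks do. That is fine if `common_name` is purely a display value, but the role should say so, e.g. `# common_name is informational only: it is never added to the SAN, names clients must match go in hostnames or san_extra` above the `common_name:` line, and the same note belongs beside the `# common_name: foo` example in this role's defaults. The task this hunk changes starts before the hunk.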