Merge pull request #1 from adfinis/tls_encryption

feat: add TLS encryption for WebUI / Director connection
adfinis · Jul 9, 2024 · 107f9a9 · 107f9a9
2 parents bf7ea27 + fce76b4
commit 107f9a9
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 1 deletion.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -5,5 +5,22 @@ bareos_webui_configuration:
   - section: session
     option: timeout
     value: 3600
+  - section: "{{ bareos_webui_directors.name }}"
+    option: ca_file
+    value: "{{ bareos_webui_tls_ca_cert_dest }}"
+  - section: "{{ bareos_webui_directors.name }}"
+    option: cert_file
+    value: "{{ bareos_webui_tls_cert_chain_dest }}"
 
 bareos_webui_directors: []
+
+# Enable TLS
+bareos_webui_tls_enable: false
+
+# The path of the CA certificate file.
+bareos_webui_tls_ca_cert_src: ""
+bareos_webui_tls_ca_cert_dest: "/etc/bareos/bareosCA.pem"
+
+# The path of the cert+key combo of the director
+bareos_webui_tls_cert_chain_src: ""
+bareos_webui_tls_cert_chain_dest: "/etc/bareos/webui-chain.pem"
diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
@@ -15,3 +15,12 @@ argument_specs:
       bareos_webui_configuration:
         type: "list"
         description: "Configuration for the webui."
+      bareos_webui_tls_enable:
+        type: "bool"
+        description: "Option to enable TLS encryption"
+      bareos_webui_tls_ca_cert:
+        type: "str"
+        description: "CA certificate for the webui"
+      bareos_webui_tls_cert_chain:
+        type: "str"
+        description: "Certificate chain (key + cert) for the webui"
diff --git a/tasks/assert.yml b/tasks/assert.yml
@@ -43,7 +43,6 @@
       - bareos_webui_configuration is defined
       - bareos_webui_configuration is iterable
     quiet: yes
-
 - name: assert | Test items in bareos_webui_configuration are set correctly
   ansible.builtin.assert:
     that:
@@ -56,3 +55,23 @@
   loop: "{{ bareos_webui_configuration }}"
   loop_control:
     label: "{{ item.section }}:{{ item.option }}"
+
+- name: assert | Test bareos_webui_tls_enable
+  ansible.builtin.assert:
+    that:
+      - bareos_webui_tls_enable is defined
+      - bareos_webui_tls_enable is boolean
+    quiet: yes
+
+- name: assert | Test bareos_webui_tls certificate configurations are set correctly
+  ansible.builtin.assert:
+    that:
+      - item is defined
+      - item is string
+    quiet: yes
+  loop:
+    - "{{ bareos_webui_tls_ca_cert_src }}"
+    - "{{ bareos_webui_tls_ca_cert_dest }}"
+    - "{{ bareos_webui_tls_cert_chain_src }}"
+    - "{{ bareos_webui_tls_cert_chain_dest }}"
+  when: bareos_webui_tls_enable
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -58,6 +58,24 @@
   loop_control:
     label: "{{ item.section }}:{{ item.option }}"
 
+- name: Place TLS certificates
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dst }}"
+    owner: bareos
+    group: bareos
+    mode: "0640"
+    backup: "{{ bareos_dir_backup_configurations }}"
+  loop:
+    - src: bareos_webui_tls_ca_cert_src
+      dest: bareos_webui_tls_ca_cert_dest
+    - src: bareos_webui_tls_cert_chain_src
+      dest: bareos_webui_tls_cert_chain_dest
+  when:
+    - bareos_webui_tls_enable
+    - bareos_webui_tls_ca_cert_src != ""
+    - bareos_webui_tls_cert_chain_src != ""
+
 - name: Set SELinux boolean httpd_can_network_connect
   ansible.posix.seboolean:
     name: httpd_can_network_connect