Use a new evobsd_ssl_cert_hostname var instead of ansible_fqdn

On OpenBSD, ansible_fqdn is the reverse of the IP, which is not always properly configured

roles/base/defaults/main.yml

@@ -29,4 +29,5 @@ evobsd_dumpserverstate_include: true
 evobsd_install_url: "https://cdn.openbsd.org/pub/OpenBSD"
 
 # default_ssl.yml
-evobsd_default_ssl_cert: true
+evobsd_default_ssl_cert: true
+evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"

roles/base/tasks/default_ssl.yml

@@ -12,14 +12,14 @@
         state: directory
       ignore_errors: '{{ ansible_check_mode }}'
 
-    - name: Create private key and csr for default site ({{ ansible_fqdn }})
+    - name: Create private key and csr for default site ({{ evobsd_ssl_cert_hostname }})
       ansible.builtin.command:
-        cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
+        cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -batch -subj "/CN={{ evobsd_ssl_cert_hostname }}"
       args:
-        creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
+        creates: "/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key"
 
     - name: Create certificate for default site
       ansible.builtin.command:
-        cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
+        cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -signkey /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt
       args:
-        creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
+        creates: "/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt"

roles/nagios-nrpe/defaults/main.yml

@@ -6,3 +6,5 @@ nagios_nrpe_allowed_hosts:
   | union(nagios_nrpe_additional_allowed_hosts) | unique }}"
 
 nagios_nrpe_default_ntp_server: "pool.ntp.org"
+
+evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"

roles/nagios-nrpe/templates/evolix_bsd.cfg.j2

@@ -2,8 +2,8 @@
 allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
 
 # SSL Certificate
-ssl_cert_file=/etc/ssl/certs/{{ ansible_fqdn }}.crt
-ssl_privatekey_file=/etc/ssl/private/{{ ansible_fqdn }}.key
+ssl_cert_file=/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt
+ssl_privatekey_file=/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key
 
 {% if ansible_distribution_version is version_compare("7.2",'>=') %}
 # Allow older cipher suites for older Icinga version

vars/main.yml

@@ -27,6 +27,8 @@
 # evobsd_ssh_group: "foo-ssh"
 # evobsd_sudo_group: "foo-sudo"
 #
+# evobsd_ssl_cert_hostname: "{{ inventory_hostname }}.{{ general_technical_realm }}"
+#
 # evolix_users:
 #  foo:
 #    name: foo