base: Generate default (self-signed) certificate

CHANGELOG

@@ -35,6 +35,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * base: added handlers for entries in fstab
 * forwarding: added tags to distinguish IPv4 from IPv6
 * accounts: add a "users" tag so that new users are not created and customized password are not reset based on vars files when executing evolixisation.yml again
+* base: Generate default (self-signed) certificate
 
 ### Changed
 

roles/base/defaults/main.yml

@@ -27,3 +27,6 @@ evobsd_dumpserverstate_include: true
 
 # packages.yml
 evobsd_install_url: "https://cdn.openbsd.org/pub/OpenBSD"
+
+# default_ssl.yml
+evobsd_default_ssl_cert: true

roles/base/tasks/default_ssl.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Default certificate is present
+  when: evobsd_default_ssl_cert | bool
+  block:
+    - name: Create private key and csr for default site ({{ ansible_fqdn }})
+      ansible.builtin.command:
+        cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/{{ ansible_fqdn }}.csr -batch -subj "/CN={{ ansible_fqdn }}"
+      args:
+        creates: "/etc/ssl/private/{{ ansible_fqdn }}.key"
+
+    - name: Adjust rights on private key
+      ansible.builtin.file:
+        path: /etc/ssl/private/{{ ansible_fqdn }}.key
+        owner: root
+        group: ssl-cert
+        mode: "0640"
+      ignore_errors: '{{ ansible_check_mode }}'
+
+    - name: Create certificate for default site
+      ansible.builtin.command:
+        cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ ansible_fqdn }}.csr -signkey /etc/ssl/private/{{ ansible_fqdn }}.key -out /etc/ssl/certs/{{ ansible_fqdn }}.crt
+      args:
+        creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"

roles/base/tasks/main.yml

@@ -11,3 +11,4 @@
 - include: fstab_entries.yml
 - include: ntp.yml
 - include: utils.yml
+- include: default_ssl.yml