Enhancement/tls config (#8)

ngine-io · Jan 15, 2025 · a1aee9d · a1aee9d
1 parent dd92441
commit a1aee9d
Show file tree

Hide file tree

Showing 7 changed files with 109 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -35,6 +35,8 @@ blocky__blocking_whitelists:
 
 blocky__ports_dns: 53
 blocky__ports_http: 4000
+blocky__ports_tls: ""
+blocky__ports_https: ""
 
 blocky__log_level: info
 
@@ -62,3 +64,10 @@ blocky__hosts_dns_ignore: false
 blocky__hosts_dns_domain: ""
 # NOTE: ansible_host must be an IPv4
 blocky__hosts_dns_host_ip_var: "ansible_host"
+
+# SSL certificate file. blocky__key_file must be set as well for this to have any effect.
+blocky__cert_file: ""
+# SSL key file.  blocky__cert_file must be set as well for this to have any effect.
+blocky__key_file: ""
+# Minimum TLS version blocky is serving
+blocky__min_tls_version: ""
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -8,6 +8,10 @@
     blocky__hosts_dns_domain: ".local.example.com"
     blocky__blocking_blacklists: {}
     blocky__ports_dns: 127.0.0.1:5353
+    blocky__cert_file: "/etc/cert/blocky_cert.pem"
+    blocky__key_file: "/etc/cert/blocky_key.key"
+    blocky__ports_https: 443
+    blocky__ports_tls: 853
     blocky__custom_dns:
       app1.srv.example.com: 10.10.1.1
       one.local.example.com: 10.10.1.2
@@ -23,5 +27,6 @@
       ansible.builtin.set_fact:
         blocky__version: "{{ lookup('ansible.builtin.env', 'MOLECULE_BLOCKY_VERSION') }}"
       when: lookup('ansible.builtin.env', 'MOLECULE_BLOCKY_VERSION') | length > 0
+
   roles:
     - role: ngine_io.blocky_dns
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -0,0 +1,31 @@
+---
+- name: "Prepare"
+  hosts: instance
+  tasks:
+    - name: Create certificate directory
+      ansible.builtin.file:
+        path: "/etc/cert"
+        state: directory
+        # This is for the test only, open permissions are not a problem
+        group: root
+        owner: root
+        mode: "0755"
+
+    - name: Create private key (RSA, 4096 bits)
+      community.crypto.openssl_privatekey:
+        path: "/etc/cert/blocky_key.key"
+        mode: "0755"
+
+    - name: Create certificate signing request (CSR) for self-signed certificate
+      community.crypto.openssl_csr_pipe:
+        privatekey_path: "/etc/cert/blocky_key.key"
+        common_name: "blocky.example.com"
+      register: csr
+
+    - name: Create self-signed certificate from CSR
+      community.crypto.x509_certificate:
+        path: "/etc/cert/blocky_cert.pem"
+        csr_content: "{{ csr.csr }}"
+        privatekey_path: "/etc/cert/blocky_key.key"
+        provider: selfsigned
+        mode: "0755"
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -0,0 +1,29 @@
+---
+- name: "Verify"
+  hosts: instance
+  tasks:
+    - name: Get cert from https port
+      community.crypto.get_certificate:
+        host: localhost
+        port: 443
+        asn1_base64: true
+      register: cert
+
+    - name: Assert the correct certificate is served
+      ansible.builtin.assert:
+        that:
+          - cert.subject.CN is defined
+          - cert.subject.CN == 'blocky.example.com'
+
+    - name: Get cert from tls port
+      community.crypto.get_certificate:
+        host: localhost
+        port: 853
+        asn1_base64: true
+      register: cert
+
+    - name: Assert the correct certificate is served
+      ansible.builtin.assert:
+        that:
+          - cert.subject.CN is defined
+          - cert.subject.CN == 'blocky.example.com'
diff --git a/molecule/test_requirements.yml b/molecule/test_requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - name: community.crypto
diff --git a/templates/config.yaml.from_0.24.j2 b/templates/config.yaml.from_0.24.j2
@@ -14,6 +14,14 @@
 {% endfor -%}
 {% endif -%}
 
+{% if blocky__cert_file | trim | length > 0 and blocky__key_file | trim | length > 0 -%}
+certFile: "{{ blocky__cert_file | trim }}"
+keyFile: "{{ blocky__key_file | trim }}"
+{% endif -%}
+{% if blocky__min_tls_version | trim | length > 0 -%}
+minTlsServeVersion: "{{ blocky__min_tls_version | trim }}"
+{% endif -%}
+
 upstreams:
   groups:
     {{ blocky__upstreams | to_nice_yaml(indent=2) | trim | indent(4) }}
@@ -30,8 +38,15 @@ blocking:
 ports:
   dns: {{ blocky__ports_dns | to_nice_yaml(indent=2) | trim | indent(2) }}
   http: {{ blocky__ports_http | to_nice_yaml(indent=2) | trim | indent(2) }}
+{% if blocky__ports_https | trim | length > 0 %}
+  https: {{ blocky__ports_https | to_nice_yaml(indent=2) | trim | indent(2) }}
+{% endif %}
+{% if blocky__ports_tls | trim | length > 0 %}
+  tls: {{ blocky__ports_tls | to_nice_yaml(indent=2) | trim | indent(2) }}
+{% endif %}
 
-logLevel: {{ blocky__log_level | to_yaml }}
+log:
+  level: {{ blocky__log_level | to_nice_yaml(indent=2) | trim | indent(2) }}
 
 caching:
   minTime: 5m

diff --git a/templates/config.yaml.up_to_0.23.j2 b/templates/config.yaml.up_to_0.23.j2
@@ -14,6 +14,14 @@
 {% endfor -%}
 {% endif -%}
 
+{% if blocky__cert_file | length > 0 and blocky__key_file | length > 0 -%}
+certFile: "{{ blocky__cert_file }}"
+keyFile: "{{ blocky__key_file }}"
+{% endif -%}
+{% if blocky__min_tls_version | length > 0 -%}
+minTlsServeVersion: "{{ blocky__min_tls_version }}"
+{% endif -%}
+
 upstream:
   {{ blocky__upstreams | to_nice_yaml(indent=2) | trim | indent(2) }}
 
@@ -29,8 +37,15 @@ blocking:
 ports:
   dns: {{ blocky__ports_dns | to_nice_yaml(indent=2) | trim | indent(2) }}
   http: {{ blocky__ports_http | to_nice_yaml(indent=2) | trim | indent(2) }}
+  {% if blocky__ports_https | trim | length > 0 -%}
+  https: {{ blocky__ports_https | to_nice_yaml(indent=2) | trim | indent(2) }}
+  {% endif -%}
+  {% if blocky__ports_tls | trim | length > 0 -%}
+  tls: {{ blocky__ports_tls | to_nice_yaml(indent=2) | trim | indent(2) }}
+  {% endif %}
 
-logLevel: {{ blocky__log_level | to_yaml }}
+log:
+  level: {{ blocky__log_level | to_nice_yaml(indent=2) | trim | indent(2) }}
 
 caching:
   minTime: 5m