From 2f0da6e313eb95aa7f93c09c2ff7a7f8eccea913 Mon Sep 17 00:00:00 2001
From: Salvoxia
Date: Mon, 13 Jan 2025 21:10:42 +0100
Subject: [PATCH] Enhancement: Add TLS configuration
Introduced blocky__cert_file, blocky__key_file, blocky__min_tls_version, blocky__ports_https and blocky__ports_tls
Changed logLevel to log.level to disable deprecation warning
Added certificate testing to molecule
---
 .github/workflows/ci.yml | 3 +++
 defaults/main.yml | 9 +++++++++
 molecule/default/converge.yml | 5 +++++
 molecule/default/prepare.yml | 31 +++++++++++++++++++++++++++++
 molecule/default/verify.yml | 29 +++++++++++++++++++++++++++
 molecule/test_requirements.yml | 3 +++
 templates/config.yaml.from_0.24.j2 | 17 +++++++++++++++-
 templates/config.yaml.up_to_0.23.j2 | 17 +++++++++++++++-
 8 files changed, 112 insertions(+), 2 deletions(-)
 create mode 100644 molecule/default/prepare.yml
 create mode 100644 molecule/default/verify.yml
 create mode 100644 molecule/test_requirements.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 27003ce..8094496 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -31,6 +31,9 @@ jobs:
 - name: Install test dependencies.
 run: pip3 install ansible ansible-lint
+ - name: Install ansible test dependencies
+ run: ansible-galaxy install -r molecule/test_requirements.yml
+
 - name: Lint code.
 run: |
 ansible-lint .
diff --git a/defaults/main.yml b/defaults/main.yml
index 1ad3d3a..3992397 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -35,6 +35,8 @@ blocky__blocking_whitelists:
 blocky__ports_dns: 53
 blocky__ports_http: 4000
+blocky__ports_tls: ""
+blocky__ports_https: ""
 blocky__log_level: info
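Review bot: The new `blocky__ports_tls` and `blocky__ports_https` defaults carry no comment, unlike the certificate variables added further down in this file, so a reader of defaults/main.yml cannot tell that an empty string disables the listener or that these ports only make sense together with `blocky__cert_file` and `blocky__key_file`. Suggested comments above each: `# TLS listener port (presumably DNS-over-TLS); empty disables it. Requires blocky__cert_file and blocky__key_file.` and `# HTTPS listener port; empty disables it. Requires blocky__cert_file and blocky__key_file.` The sibling ports are plain integers while these default to `""`; that works because both templates pass the value through `| trim` before the length test, and the comment could say that an integer is accepted too.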
@@ -62,3 +64,10 @@ blocky__hosts_dns_ignore: false
 blocky__hosts_dns_domain: ""
 # NOTE: ansible_host must be an IPv4
 blocky__hosts_dns_host_ip_var: "ansible_host"
+
+# SSL certificate file. blocky__key_file must be set as well for this to have any effect.
+blocky__cert_file: ""
+# SSL key file. blocky__cert_file must be set as well for this to have any effect.
+blocky__key_file: ""
+# Minimum TLS version blocky is serving
+blocky__min_tls_version: ""
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 1c993e7..8ba2907 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -8,6 +8,10 @@
 blocky__hosts_dns_domain: ".local.example.com"
 blocky__blocking_blacklists: {}
 blocky__ports_dns: 127.0.0.1:5353
+ blocky__cert_file: "/etc/cert/blocky_cert.pem"
+ blocky__key_file: "/etc/cert/blocky_key.key"
+ blocky__ports_https: 443
+ blocky__ports_tls: 853
 blocky__custom_dns:
 app1.srv.example.com: 10.10.1.1
 one.local.example.com: 10.10.1.2
@@ -23,5 +27,6 @@
 ansible.builtin.set_fact:
 blocky__version: "{{ lookup('ansible.builtin.env', 'MOLECULE_BLOCKY_VERSION') }}"
 when: lookup('ansible.builtin.env', 'MOLECULE_BLOCKY_VERSION') | length > 0
+
 roles:
 - role: ngine_io.blocky_dns
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
new file mode 100644
index 0000000..2792c85
--- /dev/null
+++ b/molecule/default/prepare.yml
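Review bot: The comments on `blocky__cert_file` and `blocky__key_file` say "SSL certificate/key file" but not that the value is a path on the managed host which the blocky process must be able to read, and nothing in this patch deploys those files (the molecule scenario generates them in a separate prepare step), so a user may expect the role to copy them. Suggested comments: `# Path on the target host to the PEM certificate blocky serves (certFile); blocky must be able to read it. Only used together with blocky__key_file.` and the mirror text for the key file, plus a sentence stating whether the role deploys the files, which this diff does not show. The `blocky__min_tls_version` comment should say that the value is written verbatim into blocky's `minTlsServeVersion`, e.g. `# Minimum TLS version blocky serves; written verbatim to minTlsServeVersion (see blocky's docs for accepted values). Empty keeps blocky's default.`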
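Review bot: `blocky__min_tls_version` is the only new variable not set in this vars block, so the `minTlsServeVersion` branch added to both templates is never rendered by the molecule run and a template error there would go unnoticed. Adding `blocky__min_tls_version: "1.2"` (assuming that is the form blocky accepts) next to the cert and port settings exercises that path; verify.yml could then also check that the listener refuses older protocol versions, though that is outside this hunk.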
@@ -0,0 +1,31 @@
+---
+- name: "Prepare"
+ hosts: instance
+ tasks:
+ - name: Create certificate directory
+ ansible.builtin.file:
+ path: "/etc/cert"
+ state: directory
+ # This is for the test only, open permissions are not a problem
+ group: root
+ owner: root
+ mode: "0755"
+
+ - name: Create private key (RSA, 4096 bits)
+ community.crypto.openssl_privatekey:
+ path: "/etc/cert/blocky_key.key"
+ mode: "0755"
+
+ - name: Create certificate signing request (CSR) for self-signed certificate
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: "/etc/cert/blocky_key.key"
+ common_name: "blocky.example.com"
+ register: csr
+
+ - name: Create self-signed certificate from CSR
+ community.crypto.x509_certificate:
+ path: "/etc/cert/blocky_cert.pem"
+ csr_content: "{{ csr.csr }}"
+ privatekey_path: "/etc/cert/blocky_key.key"
+ provider: selfsigned
+ mode: "0755"
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..d0bf473
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,29 @@
+---
+- name: "Verify"
+ hosts: instance
+ tasks:
+ - name: Get cert from https port
+ community.crypto.get_certificate:
+ host: localhost
+ port: 443
+ asn1_base64: true
+ register: cert
+
+ - name: Assert the correct certificate is served
+ ansible.builtin.assert:
+ that:
+ - cert.subject.CN is defined
+ - cert.subject.CN == 'blocky.example.com'
+
+ - name: Get cert from tls port
+ community.crypto.get_certificate:
+ host: localhost
+ port: 853
+ asn1_base64: true
+ register: cert
+
+ - name: Assert the correct certificate is served
+ ansible.builtin.assert:
+ that:
+ - cert.subject.CN is defined
+ - cert.subject.CN == 'blocky.example.com'
diff --git a/molecule/test_requirements.yml b/molecule/test_requirements.yml
new file mode 100644
index 0000000..341849b
--- /dev/null
+++ b/molecule/test_requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+ - name: community.crypto
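Review bot: The private key is created with `mode: "0755"`, which makes `/etc/cert/blocky_key.key` world-readable (and executable, which a key never needs); the "test only" comment covers the directory, not the key. Even in a throwaway instance the scenario is what people copy from, so the key should get the narrowest mode the blocky process can still read: `mode: "0600"` if blocky runs as root in the instance, otherwise `mode: "0640"` plus `group:` set to blocky's service group — though prepare.yml runs before the role, so that group may not exist yet and the tightening may have to happen after converge. The certificate is public and can stay readable, but `mode: "0644"` is the conventional value rather than 0755.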
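Review bot: Both fetches `register: cert` and the asserts only check the subject CN, so any certificate whose CN is `blocky.example.com` passes and the second fetch silently replaces the first result. Registering `https_cert` / `tls_cert` and comparing the served PEM with the file prepare.yml generated makes the test prove that the configured `certFile` is the one actually served; `community.crypto.get_certificate` returns the PEM in `cert`, so a slurp of `/etc/cert/blocky_cert.pem` can be compared directly (modulo trailing newline). The two assert tasks also share the name "Assert the correct certificate is served", which makes a failure hard to attribute in the log.
```yaml
    - name: Read the certificate generated by prepare.yml
      ansible.builtin.slurp:
        src: "/etc/cert/blocky_cert.pem"
      register: deployed_cert

    - name: Get cert from https port
      community.crypto.get_certificate:
        host: localhost
        port: 443
        asn1_base64: true
      register: https_cert

    - name: Assert the https port serves the deployed certificate
      ansible.builtin.assert:
        that:
          - https_cert.subject.CN is defined
          - https_cert.subject.CN == 'blocky.example.com'
          - (https_cert.cert | trim) == (deployed_cert.content | b64decode | trim)
    # … unchanged: the same fetch and assert for the tls port (853), registered as tls_cert …
```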
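Review bot: `community.crypto` is listed without a `version:`, so every CI run installs whatever release Galaxy serves at that moment, and a breaking change or a bad release in that collection then fails or alters the test without any change in this repository. Pin it, e.g. `version: "<release-you-tested-with>"` (placeholder), and bump it deliberately. This is the file the new ci.yml step installs, so the pin also makes the lint/test job reproducible.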
diff --git a/templates/config.yaml.from_0.24.j2 b/templates/config.yaml.from_0.24.j2
index 08c5733..feb6129 100644
--- a/templates/config.yaml.from_0.24.j2
+++ b/templates/config.yaml.from_0.24.j2
@@ -14,6 +14,14 @@
 {% endfor -%}
 {% endif -%}
+{% if blocky__cert_file | trim | length > 0 and blocky__key_file | trim | length > 0 -%}
+certFile: "{{ blocky__cert_file | trim }}"
+keyFile: "{{ blocky__key_file | trim }}"
+{% endif -%}
+{% if blocky__min_tls_version | trim | length > 0 -%}
+minTlsServeVersion: "{{ blocky__min_tls_version | trim }}"
+{% endif -%}
+
 upstreams:
 groups:
 {{ blocky__upstreams | to_nice_yaml(indent=2) | trim | indent(4) }}
@@ -30,8 +38,15 @@ blocking:
 ports:
 dns: {{ blocky__ports_dns | to_nice_yaml(indent=2) | trim | indent(2) }}
 http: {{ blocky__ports_http | to_nice_yaml(indent=2) | trim | indent(2) }}
+{% if blocky__ports_https | trim | length > 0 %}
+ https: {{ blocky__ports_https | to_nice_yaml(indent=2) | trim | indent(2) }}
+{% endif %}
+{% if blocky__ports_tls | trim | length > 0 %}
+ tls: {{ blocky__ports_tls | to_nice_yaml(indent=2) | trim | indent(2) }}
+{% endif %}
-logLevel: {{ blocky__log_level | to_yaml }}
+log:
+ level: {{ blocky__log_level | to_nice_yaml(indent=2) | trim | indent(2) }}
 caching:
 minTime: 5m
diff --git a/templates/config.yaml.up_to_0.23.j2 b/templates/config.yaml.up_to_0.23.j2
index 8263421..f67f17a 100644
--- a/templates/config.yaml.up_to_0.23.j2
+++ b/templates/config.yaml.up_to_0.23.j2
@@ -14,6 +14,14 @@
 {% endfor -%}
 {% endif -%}
+{% if blocky__cert_file | length > 0 and blocky__key_file | length > 0 -%}
+certFile: "{{ blocky__cert_file }}"
+keyFile: "{{ blocky__key_file }}"
+{% endif -%}
+{% if blocky__min_tls_version | length > 0 -%}
+minTlsServeVersion: "{{ blocky__min_tls_version }}"
+{% endif -%}
+
 upstream:
 {{ blocky__upstreams | to_nice_yaml(indent=2) | trim | indent(2) }}
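Review bot: Nothing in this patch checks that `blocky__ports_https` / `blocky__ports_tls` are only set together with both `blocky__cert_file` and `blocky__key_file`: when one of the pair is empty this block silently omits `certFile`/`keyFile`, while the ports hunk below (and the same hunks in config.yaml.up_to_0.23.j2) still emits the `https:`/`tls:` listeners, and how blocky behaves with a TLS port but no certificate is not visible here. A fail-fast check in the role's tasks (outside this diff) would surface the misconfiguration at deploy time, e.g. `ansible.builtin.assert` with `that: blocky__cert_file | trim | length > 0 and blocky__key_file | trim | length > 0` and `when: blocky__ports_https | trim | length > 0 or blocky__ports_tls | trim | length > 0`. Making the port conditions require the cert pair as well would avoid the broken config but hide the problem rather than report it.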
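Review bot: This guard and the rendered values drop the `| trim` that the equivalent block in config.yaml.from_0.24.j2 applies, so a whitespace-only `blocky__cert_file` passes the `length > 0` test here and renders `certFile: "  "` while the other template omits the key; the two templates should agree. Change the guard to `{% if blocky__cert_file | trim | length > 0 and blocky__key_file | trim | length > 0 -%}` and render `{{ blocky__cert_file | trim }}` / `{{ blocky__key_file | trim }}`, and do the same for `blocky__min_tls_version`, as the 0.24 template already does.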
@@ -29,8 +37,15 @@ blocking:
 ports:
 dns: {{ blocky__ports_dns | to_nice_yaml(indent=2) | trim | indent(2) }}
 http: {{ blocky__ports_http | to_nice_yaml(indent=2) | trim | indent(2) }}
+ {% if blocky__ports_https | trim | length > 0 -%}
+ https: {{ blocky__ports_https | to_nice_yaml(indent=2) | trim | indent(2) }}
+ {% endif -%}
+ {% if blocky__ports_tls | trim | length > 0 -%}
+ tls: {{ blocky__ports_tls | to_nice_yaml(indent=2) | trim | indent(2) }}
+ {% endif %}
-logLevel: {{ blocky__log_level | to_yaml }}
+log:
+ level: {{ blocky__log_level | to_nice_yaml(indent=2) | trim | indent(2) }}
 caching:
 minTime: 5m
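Review bot: The `{% if %}`/`{% endif %}` tags in this hunk are indented inside the `ports:` mapping and mix `-%}` with a plain `%}` on the last `endif`, whereas the same hunk in config.yaml.from_0.24.j2 puts the tags at column 0 without whitespace control; the indented form only renders correctly because each `-%}` happens to swallow the following newline and indent, and the final `{% endif %}` leaves a whitespace-only line. It works today but is fragile to edit; placing the tags at column 0 as in the 0.24 template keeps the two files editable the same way. The `log:`/`level:` replacement of `logLevel` looks fine.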