feat: support optional copying of custom SSL certificates

6C656C65 · 6C656C65 · commit 435b7361e253 · 2025-05-16T21:29:32.000+02:00
diff --git a/README.md b/README.md
@@ -25,6 +25,30 @@ git submodule add https://github.com/6C656C65/pyproxy_ansible roles/pyproxy
 By default, the installation method uses Docker Compose.
 You can change the installation method and adjust other settings in the `./defaults/main.yml` file, either directly or by overriding variables in your playbook.
 
+### 🔐 **SSL Certificate Handling**
+
+If you want to provide your own SSL inspection certificates, you can configure the role to copy them to the target machine.
+
+* Set the variable `pyproxy."method".ssl_inspect_ca_folder` to the **path of the folder** containing your certificates (e.g. `certs/`).
+* The expected files inside this folder are typically `cert.pem` and `key.pem` or a custom CA used by pyproxy.
+* These files will be copied to `{{ pyproxy."method".install_path }}/certs/ca`.
+
+For example for the docker method here are some variables :
+```yaml
+pyproxy:
+  docker:
+    ssl_inspect_ca_folder: "certs/"
+    volumes:
+      - source: /opt/pyproxy/certs/ca
+        target: /app/certs/ca
+        type: folder
+```
+Don't forget to add the CA volume for the "compose" and "docker" methods.
+
+⚠️ If the variable `pyproxy.docker.ssl_inspect_ca_folder` is **not defined**, the certificate copy step is skipped automatically.
+
+> The path is resolved relative to the role or playbook. Make sure the folder exists and is accessible during the playbook run.
+
 ## 📄 **License**
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -18,9 +18,13 @@ pyproxy:
       - source: /opt/pyproxy/config.ini
         target: /app/config.ini
         type: file
+      # - source: /opt/pyproxy/certs/ca
+      #   target: /app/certs/ca
+      #   type: folder
     environment:
       - name: PYPROXY_DEBUG
         value: "True"
+    # ssl_inspect_ca_folder: certs/
 
 # Docker
   docker:
@@ -38,16 +42,21 @@ pyproxy:
       - source: /opt/pyproxy/config.ini
         target: /app/config.ini
         type: file
+      # - source: /opt/pyproxy/certs/ca
+      #   target: /app/certs/ca
+      #   type: folder
     environment:
       - name: PYPROXY_DEBUG
         value: "True"
+    # ssl_inspect_ca_folder: certs/
 
 # Source
   source:
     repo: "https://github.com/6C656C65/pyproxy.git"
     install_path: "/opt/pyproxy"
     venv_path: "/opt/pyproxy/venv"
     service_name: "pyproxy"
+    ssl_inspect_ca_folder: certs/
 
 # These variables configure the config.ini file that will be copied to the machine.
 # You must configure either a volume for the "compose" or "docker" method, or an argument for the "source" method.
diff --git a/tasks/install_from_compose.yml b/tasks/install_from_compose.yml
@@ -25,6 +25,22 @@
     mode: "{{ '0755' if item.type == 'directory' else '0644' }}"
   loop: "{{ pyproxy.compose.volumes }}"
 
+- name: Create the destination directory for SSL Inspection
+  ansible.builtin.file:
+    path: "{{ pyproxy.compose.install_path }}/certs/ca"
+    state: directory
+    mode: '0755'
+  when: pyproxy.compose.ssl_inspect_ca_folder is defined
+
+- name: Copy SSL certificate files if var is defined
+  copy:
+    src: "{{ pyproxy.compose.ssl_inspect_ca_folder }}/"
+    dest: "{{ pyproxy.compose.install_path }}/certs/ca"
+    owner: 1000
+    group: 1000
+    mode: "0600"
+  when: pyproxy.compose.ssl_inspect_ca_folder is defined
+
 - name: Pull the latest image using docker-compose
   ansible.builtin.command: docker-compose pull
   args:
diff --git a/tasks/install_from_docker.yml b/tasks/install_from_docker.yml
@@ -24,6 +24,22 @@
     mode: "{{ '0755' if item.type == 'directory' else '0644' }}"
   loop: "{{ pyproxy.docker.volumes }}"
 
+- name: Create the destination directory for SSL Inspection
+  ansible.builtin.file:
+    path: "{{ pyproxy.docker.install_path }}/certs/ca"
+    state: directory
+    mode: '0755'
+  when: pyproxy.docker.ssl_inspect_ca_folder is defined
+
+- name: Copy SSL certificate files if var is defined
+  copy:
+    src: "{{ pyproxy.docker.ssl_inspect_ca_folder }}/"
+    dest: "{{ pyproxy.docker.install_path }}/certs/ca"
+    owner: 1000
+    group: 1000
+    mode: "0600"
+  when: pyproxy.docker.ssl_inspect_ca_folder is defined
+
 - name: Run pyproxy container
   community.docker.docker_container:
     name: "{{ pyproxy.docker.name }}"
diff --git a/tasks/install_from_source.yml b/tasks/install_from_source.yml
@@ -45,6 +45,22 @@
     dest: "{{ pyproxy.source.install_path }}/config.ini"
     mode: '0644'
 
+- name: Create the destination directory for SSL Inspection
+  ansible.builtin.file:
+    path: "{{ pyproxy.source.install_path }}/certs/ca"
+    state: directory
+    mode: '0755'
+  when: pyproxy.source.ssl_inspect_ca_folder is defined
+
+- name: Copy SSL certificate files if var is defined
+  copy:
+    src: "{{ pyproxy.source.ssl_inspect_ca_folder }}/"
+    dest: "{{ pyproxy.source.install_path }}/certs/ca"
+    owner: 1000
+    group: 1000
+    mode: "0600"
+  when: pyproxy.source.ssl_inspect_ca_folder is defined
+
 - name: Create a systemd service
   ansible.builtin.template:
     src: pyproxy.service
