From 861c6f4fe152d25a91e69dffd2528f55194be0a0 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 4 Jun 2018 19:34:24 -0500
Subject: [PATCH] roles/trustca: Generic role for adding CA certs The `trustca` role can be used to add CA certificates to the system trust store. It requires a variable, `ca`, to be defined, referring to the name of a file containing a CA certificate to install.
---
roles/trustca/handlers/main.yml | 2 ++
roles/trustca/tasks/main.yml | 16 ++++++++++++++++
roles/trustca/vars/CentOS.yml | 2 ++
roles/trustca/vars/Fedora.yml | 2 ++
roles/trustca/vars/defaults.yml | 2 ++
5 files changed, 24 insertions(+)
create mode 100644 roles/trustca/handlers/main.yml
create mode 100644 roles/trustca/tasks/main.yml
create mode 100644 roles/trustca/vars/CentOS.yml
create mode 100644 roles/trustca/vars/Fedora.yml
create mode 100644 roles/trustca/vars/defaults.yml
diff --git a/roles/trustca/handlers/main.yml b/roles/trustca/handlers/main.yml
new file mode 100644
index 0000000..b55fb3c
--- /dev/null
+++ b/roles/trustca/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: update ca certs
+ command: '{{ ca_update_cmd }}'
diff --git a/roles/trustca/tasks/main.yml b/roles/trustca/tasks/main.yml
new file mode 100644
index 0000000..c094d60
--- /dev/null
+++ b/roles/trustca/tasks/main.yml
@@ -0,0 +1,16 @@
+- name: load distribution-specific variables
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - '{{ ansible_os_family }}.yml'
+ - defaults.yml
+- name: ensure ca cert dir exists
+ file:
+ path={{ ca_store_dir }}
+ state=directory
+- name: ensure ca cert is installed
+ copy:
+ src={{ ca }}.crt
+ dest={{ ca_store_dir }}
+ notify: update ca certs
+- meta: flush_handlers
diff --git a/roles/trustca/vars/CentOS.yml b/roles/trustca/vars/CentOS.yml
new file mode 100644
index 0000000..133ba10
--- /dev/null
+++ b/roles/trustca/vars/CentOS.yml
@@ -0,0 +1,2 @@
+ca_store_dir: /etc/pki/ca-trust/source/anchors
+ca_update_cmd: update-ca-trust
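Review bot: In roles/trustca/tasks/main.yml neither the `file` task nor the `copy` task sets owner, group or mode, so the anchor directory and the certificate inherit whatever the connecting user and umask provide; for files that feed the system trust store these should be pinned (root-owned, `0755` directory, `0644` certificate). Both tasks also pass `key=value` strings with unquoted Jinja, which breaks on values containing spaces; native YAML arguments avoid that. `ca` is used unchecked as part of the source filename, so an `assert` that it is defined and is a bare name before the copy would make a misconfigured play fail early instead of installing an unintended file into the trust store.

```yaml
# … unchanged: include_vars / with_first_found task …
- name: ensure ca is a bare certificate name
  assert:
    that:
      - ca is defined
      - "'/' not in ca"
- name: ensure ca cert dir exists
  file:
    path: '{{ ca_store_dir }}'
    state: directory
    owner: root
    group: root
    mode: '0755'
- name: ensure ca cert is installed
  copy:
    src: '{{ ca }}.crt'
    dest: '{{ ca_store_dir }}'
    owner: root
    group: root
    mode: '0644'
  notify: update ca certs
# … unchanged: meta: flush_handlers …
```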
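Review bot: roles/trustca/vars/CentOS.yml and roles/trustca/vars/Fedora.yml are identical (both blobs are `133ba10`), and the lookup in tasks/main.yml already tries `{{ ansible_os_family }}.yml`, so a single `RedHat.yml` would cover both. As written, other hosts in that family (RHEL itself, where `ansible_distribution` is presumably `RedHat`) match neither file and fall through to `defaults.yml`, which carries a different directory and update command. Suggest renaming to `roles/trustca/vars/RedHat.yml` with the same two lines and dropping the per-distribution copies.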
diff --git a/roles/trustca/vars/Fedora.yml b/roles/trustca/vars/Fedora.yml
new file mode 100644
index 0000000..133ba10
--- /dev/null
+++ b/roles/trustca/vars/Fedora.yml
@@ -0,0 +1,2 @@
+ca_store_dir: /etc/pki/ca-trust/source/anchors
+ca_update_cmd: update-ca-trust
diff --git a/roles/trustca/vars/defaults.yml b/roles/trustca/vars/defaults.yml
new file mode 100644
index 0000000..845b8d1
--- /dev/null
+++ b/roles/trustca/vars/defaults.yml
@@ -0,0 +1,2 @@
+ca_store_dir: /usr/local/share/ca-certificates
+ca_update_cmd: update-ca-certificates
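Review bot: The fallback values in roles/trustca/vars/defaults.yml (`/usr/local/share/ca-certificates`, `update-ca-certificates`) are the Debian/Ubuntu layout, so on any distribution without its own vars file the role creates that directory and copies the certificate before the handler either fails or runs a command that does not read it. A trust-store role is safer failing closed: move these two lines to a `Debian.yml` (matched through `ansible_os_family`) and drop `defaults.yml` from the `with_first_found` list so unsupported platforms stop at the lookup. A header comment such as `# Debian/Ubuntu layout; only *.crt files are picked up` would document the assumption.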