Init commit, 20.04 works.

4 years ago · f88e680af5
commit f88e680af5
6 changed files with 160 additions and 0 deletions
--- a/22
+++ b/22
@ -0,0 +1,22 @@
+
+MIT License
+
+Copyright (c) 2022 shnee
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,64 @@
+Ansible Role: trust-ca-certs
+================================================================================
+
+An ansible role to add a certificate to the system's cert trust.
+
+Currently this role will only work and Debian based distro's and has only been
+tested on Ubuntu 20.04.
+
+Role Variables
+----------------------------------------
+
+```yaml
+# These packages are required for this role to work. The second layer of the
+# dict must match `ansible_os_family` of the remote host.
+dep_packages:
+  Debian: [ca-certificates]
+  RedHat: []
+
+# This is a list of certs in the format:
+# - name: <name of cert>
+#   base_64_content: <base64 encoded content of the cert file>
+#
+# The content must be in pem format and the file name must end in .crt for
+# Ubuntu.
+certs: []
+
+# The location that certs must be put before they get added to the trust. The
+# second layer of the dict must match `ansible_os_family` of the remote host.
+remote_cert_location:
+  Debian: /usr/local/share/ca-certificates
+
+# The location where certs are put after being processed. The second layer of
+# the dict must match `ansible_os_family` of the remote host.
+remote_store_cert_location:
+  Debian: /etc/ssl/certs
+```
+
+Example Playbook
+----------------------------------------
+
+```yaml
+- name: Add certificate to system's trust.
+  hosts: all
+  vars:
+    certs:
+      - name: my-root-ca.crt
+        base_64_content: "{{ my_root_ca_cert_pem_base_64 }}"
+      - name: other-root-ca.crt
+        base_64_content: "{{ other_root_ca_crt_base_64 }}"
+  vars_files:
+    - ./certs.yml
+  roles:
+    - trust-ca-certs
+```
+
+License
+----------------------------------------
+
+MIT
+
+Author Information
+----------------------------------------
+
+This role was created by [shnee](https://github.com/shnee).
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,24 @@
+---
+# These packages are required for this role to work. The second layer of the
+# dict must match `ansible_os_family` of the remote host.
+dep_packages:
+  Debian: [ca-certificates]
+  RedHat: []
+
+# This is a list of certs in the format:
+# - name: <name of cert>
+#   base_64_content: <base64 encoded content of the cert file>
+#
+# The content must be in pem format and the file name must end in .crt for
+# Ubuntu.
+certs: []
+
+# The location that certs must be put before they get added to the trust. The
+# second layer of the dict must match `ansible_os_family` of the remote host.
+remote_cert_location:
+  Debian: /usr/local/share/ca-certificates
+
+# The location where certs are put after being processed. The second layer of
+# the dict must match `ansible_os_family` of the remote host.
+remote_store_cert_location:
+  Debian: /etc/ssl/certs
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,7 @@
+---
+- name: Add certs to store
+  ansible.builtin.command:
+    cmd: update-ca-certificates
+  become: true
+  register: update_certs_output
+  changed_when: update_certs_output | regex_search("^[1-9]+[0-9]* added")
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,20 @@
+---
+galaxy_info:
+  author: shnee
+  description: Install CA certs to the system's trust.
+
+  license: MIT
+
+  min_ansible_version: 2.1
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - focal  # 20.04
+
+  galaxy_tags:
+    - certificates
+    - ssl
+    - x509
+
+dependencies: []
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,23 @@
+---
+- name: Fail if on an unsupported distro.
+  fail:
+    msg: "{{ ansible_os_family }} family of distros is untested/unsupported."
+  when: ansible_os_family != 'Debian'
+
+- name: Install dependencies.
+  ansible.builtin.package:
+    name: "{{ dep_packages[ansible_os_family] }}"
+    state: present
+  become: true
+
+- name: Copy certs to remote machine.
+  ansible.builtin.copy:
+    dest: "{{ remote_cert_location[ansible_os_family] }}/{{ item.name }}"
+    content: "{{ item.base_64_content | b64decode }}"
+    owner: root
+    group: root
+    mode: '0644'
+  become: true
+  loop: "{{ certs }}"
+  # Add certs to the trust only if this task caused a change.
+  notify: Add certs to store