commit f88e680af5bcac9a1346e13b82f47699b20eb9da Author: shnee Date: Fri Apr 1 10:29:52 2022 -0400 Init commit, 20.04 works.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..7a0f30c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,22 @@
+
+MIT License
+
+Copyright (c) 2022 shnee
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9f7d4b7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,64 @@
+Ansible Role: trust-ca-certs
+================================================================================
+
+An ansible role to add a certificate to the system's cert trust.
+
+Currently this role will only work and Debian based distro's and has only been
+tested on Ubuntu 20.04.
+
+Role Variables
+----------------------------------------
+
+```yaml
+# These packages are required for this role to work. The second layer of the
+# dict must match `ansible_os_family` of the remote host.
+dep_packages:
+ Debian: [ca-certificates]
+ RedHat: []
+
+# This is a list of certs in the format:
+# - name:
+# base_64_content:
+#
+# The content must be in pem format and the file name must end in .crt for
+# Ubuntu.
+certs: []
+
+# The location that certs must be put before they get added to the trust. The
+# second layer of the dict must match `ansible_os_family` of the remote host.
+remote_cert_location:
+ Debian: /usr/local/share/ca-certificates
+
+# The location where certs are put after being processed. The second layer of
+# the dict must match `ansible_os_family` of the remote host.
+remote_store_cert_location:
+ Debian: /etc/ssl/certs
+```
+
+Example Playbook
+----------------------------------------
+
+```yaml
+- name: Add certificate to system's trust.
+ hosts: all
+ vars:
+ certs:
+ - name: my-root-ca.crt
+ base_64_content: "{{ my_root_ca_cert_pem_base_64 }}"
+ - name: other-root-ca.crt
+ base_64_content: "{{ other_root_ca_crt_base_64 }}"
+ vars_files:
+ - ./certs.yml
+ roles:
+ - trust-ca-certs
+```
+
+License
+----------------------------------------
+
+MIT
+
+Author Information
+----------------------------------------
+
+This role was created by [shnee](https://github.com/shnee).
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..748f66c
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+# These packages are required for this role to work. The second layer of the
+# dict must match `ansible_os_family` of the remote host.
+dep_packages:
+ Debian: [ca-certificates]
+ RedHat: []
+
+# This is a list of certs in the format:
+# - name:
+# base_64_content:
+#
+# The content must be in pem format and the file name must end in .crt for
+# Ubuntu.
+certs: []
+
+# The location that certs must be put before they get added to the trust. The
+# second layer of the dict must match `ansible_os_family` of the remote host.
+remote_cert_location:
+ Debian: /usr/local/share/ca-certificates
+
+# The location where certs are put after being processed. The second layer of
+# the dict must match `ansible_os_family` of the remote host.
+remote_store_cert_location:
+ Debian: /etc/ssl/certs
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..1568605
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Add certs to store
+ ansible.builtin.command:
+ cmd: update-ca-certificates
+ become: true
+ register: update_certs_output
+ changed_when: update_certs_output | regex_search("^[1-9]+[0-9]* added")
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..7073f0a
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ author: shnee
+ description: Install CA certs to the system's trust.
+
+ license: MIT
+
+ min_ansible_version: 2.1
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - focal # 20.04
+
+ galaxy_tags:
+ - certificates
+ - ssl
+ - x509
+
+dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..5af70e4
--- /dev/null
+++ b/tasks/main.yml
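Review bot: The comment above `certs` in defaults/main.yml says "the content must be in pem format", but the value the role actually consumes is the base64 encoding of that PEM — tasks/main.yml runs it through `b64decode` before writing the file — so a user who pastes raw PEM into `base_64_content` will get a decode error or garbage in the trust directory. I would state that explicitly in the field comment, e.g. `# base_64_content: the PEM-encoded certificate, base64-encoded (it is b64decode'd before being written to the remote)`. The same comment block is duplicated in README.md and should be corrected there as well.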
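Review bot: `changed_when` in the `Add certs to store` handler pipes the whole registered result into `regex_search`, but `update_certs_output` is the result mapping rather than the command's output, so the `^[1-9]+[0-9]* added` pattern is not being tested against what update-ca-certificates printed; it should look at `update_certs_output.stdout`. The `^` anchor is also only satisfied at the very start of that string, so if the "N added" count is not on the first output line (I cannot confirm the exact output format from the page) the handler would still never report changed; dropping the anchor is safer: `changed_when: update_certs_output.stdout | regex_search("[1-9][0-9]* added")`. `[1-9][0-9]*` matches the same non-zero counts as `[1-9]+[0-9]*` and reads more clearly.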
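Review bot: `min_ansible_version: 2.1` in meta/main.yml is lower than what the role needs: tasks/main.yml and handlers/main.yml use the `ansible.builtin.*` fully-qualified module names, which only resolve on Ansible 2.10 and later. It is also an unquoted number, so a corrected `2.10` would be parsed as the float `2.1`; write it as a quoted string, `min_ansible_version: "2.10"`.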
@@ -0,0 +1,23 @@
+---
+- name: Fail if on an unsupported distro.
+ fail:
+ msg: "{{ ansible_os_family }} family of distros is untested/unsupported."
+ when: ansible_os_family != 'Debian'
+
+- name: Install dependencies.
+ ansible.builtin.package:
+ name: "{{ dep_packages[ansible_os_family] }}"
+ state: present
+ become: true
+
+- name: Copy certs to remote machine.
+ ansible.builtin.copy:
+ dest: "{{ remote_cert_location[ansible_os_family] }}/{{ item.name }}"
+ content: "{{ item.base_64_content | b64decode }}"
+ owner: root
+ group: root
+ mode: '0644'
+ become: true
+ loop: "{{ certs }}"
+ # Add certs to the trust only if this task caused a change.
+ notify: Add certs to store
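Review bot: `item.name` in the `Copy certs to remote machine` task is interpolated straight into `dest` without any check, so a `certs` entry whose name contains a path separator is written outside `remote_cert_location` as root, and an entry without the `.crt` suffix that defaults/main.yml says Ubuntu requires is written but never picked up by the handler's update-ca-certificates run, silently leaving the CA untrusted. Since this role writes into the system trust store with `become: true`, I would validate each entry before the copy task with an `ansible.builtin.assert` that the name is a bare file name ending in `.crt` (see below). As a point of style, the first task uses bare `fail:` while every other module is fully qualified; `ansible.builtin.fail:` keeps the file consistent.

```yaml
- name: Validate cert entries.
  ansible.builtin.assert:
    that:
      - item.name | basename == item.name
      - item.name is search('\.crt$')
    fail_msg: "cert name must be a bare file name ending in .crt, got '{{ item.name }}'"
  loop: "{{ certs }}"

# … unchanged: Copy certs to remote machine task …
```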