Init commit, 20.04 works.

4 years ago · f88e680af5
commit f88e680af5
6 changed files with 160 additions and 0 deletions
--- a/22
+++ b/22
@ -0,0 +1,22 @@
 MIT License
 Copyright (c) 2022 shnee
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/README.md
+++ b/README.md
@ -0,0 +1,64 @@
 Ansible Role: trust-ca-certs
 ================================================================================
 An ansible role to add a certificate to the system's cert trust.
 Currently this role will only work and Debian based distro's and has only been
 tested on Ubuntu 20.04.
 Role Variables
 ----------------------------------------
 ```yaml
 # These packages are required for this role to work. The second layer of the
 # dict must match `ansible_os_family` of the remote host.
 dep_packages:
  Debian: [ca-certificates]
  RedHat: []
 # This is a list of certs in the format:
 # - name: <name of cert>
 #   base_64_content: <base64 encoded content of the cert file>
 #
 # The content must be in pem format and the file name must end in .crt for
 # Ubuntu.
 certs: []
 # The location that certs must be put before they get added to the trust. The
 # second layer of the dict must match `ansible_os_family` of the remote host.
 remote_cert_location:
  Debian: /usr/local/share/ca-certificates
 # The location where certs are put after being processed. The second layer of
 # the dict must match `ansible_os_family` of the remote host.
 remote_store_cert_location:
  Debian: /etc/ssl/certs
 ```
 Example Playbook
 ----------------------------------------
 ```yaml
 - name: Add certificate to system's trust.
  hosts: all
  vars:
    certs:
      - name: my-root-ca.crt
        base_64_content: "{{ my_root_ca_cert_pem_base_64 }}"
      - name: other-root-ca.crt
        base_64_content: "{{ other_root_ca_crt_base_64 }}"
  vars_files:
    - ./certs.yml
  roles:
    - trust-ca-certs
 ```
 License
 ----------------------------------------
 MIT
 Author Information
 ----------------------------------------
 This role was created by [shnee](https://github.com/shnee).
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,24 @@
 ---
 # These packages are required for this role to work. The second layer of the
 # dict must match `ansible_os_family` of the remote host.
 dep_packages:
  Debian: [ca-certificates]
  RedHat: []
 # This is a list of certs in the format:
 # - name: <name of cert>
 #   base_64_content: <base64 encoded content of the cert file>
 #
 # The content must be in pem format and the file name must end in .crt for
 # Ubuntu.
 certs: []
 # The location that certs must be put before they get added to the trust. The
 # second layer of the dict must match `ansible_os_family` of the remote host.
 remote_cert_location:
  Debian: /usr/local/share/ca-certificates
 # The location where certs are put after being processed. The second layer of
 # the dict must match `ansible_os_family` of the remote host.
 remote_store_cert_location:
  Debian: /etc/ssl/certs
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,7 @@
 ---
 - name: Add certs to store
  ansible.builtin.command:
    cmd: update-ca-certificates
  become: true
  register: update_certs_output
  changed_when: update_certs_output | regex_search("^[1-9]+[0-9]* added")
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,20 @@
 ---
 galaxy_info:
  author: shnee
  description: Install CA certs to the system's trust.
  license: MIT
  min_ansible_version: 2.1
  platforms:
    - name: Ubuntu
      versions:
        - focal  # 20.04
  galaxy_tags:
    - certificates
    - ssl
    - x509
 dependencies: []
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,23 @@
 ---
 - name: Fail if on an unsupported distro.
  fail:
    msg: "{{ ansible_os_family }} family of distros is untested/unsupported."
  when: ansible_os_family != 'Debian'
 - name: Install dependencies.
  ansible.builtin.package:
    name: "{{ dep_packages[ansible_os_family] }}"
    state: present
  become: true
 - name: Copy certs to remote machine.
  ansible.builtin.copy:
    dest: "{{ remote_cert_location[ansible_os_family] }}/{{ item.name }}"
    content: "{{ item.base_64_content | b64decode }}"
    owner: root
    group: root
    mode: '0644'
  become: true
  loop: "{{ certs }}"
  # Add certs to the trust only if this task caused a change.
  notify: Add certs to store