Merge pull request debops#20 from drybjed/file-copy
Support for copying of arbitrary files to PKI realms
drybjed committed Apr 22, 2015
2 parents 329e2d9 + beaa878 commit 837c3ee
Showing 3 changed files with 65 additions and 4 deletions.
13 changes: 9 additions & 4 deletions CHANGES.rst
@@ -6,14 +6,19 @@ v0.1.0

*Unreleased*

- Add support for managing the list of active Root CA Certificates in
``/etc/ca-certificates.conf``. Current set of active Root CA Certificates is
preserved. [drybjed]
- Add Changelog. [drybjed]

- Blacklist CNNIC Root CA following the `Google decision to remove CNNIC`_ from
their Root CA store. [drybjed]

.. _Google decision to remove CNNIC: http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html

- Add Changelog. [drybjed]
- Add support for managing the list of active Root CA Certificates in
``/etc/ca-certificates.conf``. Current set of active Root CA Certificates is
preserved. [drybjed]

- Reorder Changelog entries. [drybjed]

- Add a way to copy arbitrary files from Ansible Controller to remote host PKI
directories. [drybjed]
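Review bot: the new entry at the end of the hunk describes the feature only in prose; name the variables it introduces (``pki_copy_public_files`` and ``pki_copy_private_files``) so a reader of the changelog can find them in ``defaults/main.yml``. The same hunk also moves the existing "Add Changelog" and ``/etc/ca-certificates.conf`` entries and then records that move as its own entry ("Reorder Changelog entries"); a cosmetic reordering does not need a changelog line of its own.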

34 changes: 34 additions & 0 deletions defaults/main.yml
@@ -398,6 +398,40 @@ pki_inject_public_files: []
pki_inject_private_files: []


# ---- Copy external files to PKI directories ----

# Using these lists, you can copy arbitrary files from Ansible Controller to
# remote host's PKI directories. They will automatically be secured with proper
# permissions. If not specified, files will be copied to default PKI realm.

# Examples:
#
# # Copy a particular certificate file to default realm
# pki_copy_public_files:
#
# - src: '/srv/certificates/example.com.crt'
# dest: 'certs/example.com.crt'
#
# # Copy a particular private key file to default realm
# pki_copy_private_files:
#
# - src: '/srv/certificates/private/example.com.key'
# dest: 'private/example.com.key'
#
# # Copy a file to specific realm
# pki_copy_public_files:
#
# - src: '/etc/fstab'
# dest: 'certs/fstab'
# realm: 'domain'

# Copy public files to remote hosts
pki_copy_public_files: []

# Copy private files to remote hosts
pki_copy_private_files: []


# ---- System CA certificate store management ----

# Set default trust policy for new certificates added to 'ca-certificates'
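Review bot: the comment block documents only the `src`, `dest` and `realm` keys, but the tasks that consume these lists also honour per-item `owner`, `group` and `mode` keys, falling back to `pki_owner`, `pki_public_group`/`pki_private_group` and `pki_public_mode`/`pki_private_mode`; list those keys here so users know the defaults can be overridden per file. It would also help to state that `dest` is interpreted relative to the realm directory under `pki_base_path` and that the target subdirectory (`certs/`, `private/`) must already exist, since the `copy` module does not create parent directories. The `/etc/fstab` example does show that any file can be copied, but a certificate chain or CRL would illustrate the intended use of the `realm` key better.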
22 changes: 22 additions & 0 deletions tasks/manage_pki_certificates.yml
@@ -90,6 +90,28 @@
when: (item.0.source is defined and (item.0.destination is defined and item.0.destination) and
(item.0.name is undefined or item.0.name not in pki_realm_blacklist))

- name: Download custom private files
copy:
src: '{{ item.src }}'
dest: '{{ pki_base_path + "/" + item.realm | default(pki_default_realm) + "/" + item.dest }}'
owner: '{{ item.owner | default(pki_owner) }}'
group: '{{ item.group | default(pki_private_group) }}'
mode: '{{ item.mode | default(pki_private_mode) }}'
with_items: pki_copy_private_files
when: item.src is defined and item.src and
item.dest is defined and item.dest

- name: Download custom public files
copy:
src: '{{ item.src }}'
dest: '{{ pki_base_path + "/" + item.realm | default(pki_default_realm) + "/" + item.dest }}'
owner: '{{ item.owner | default(pki_owner) }}'
group: '{{ item.group | default(pki_public_group) }}'
mode: '{{ item.mode | default(pki_public_mode) }}'
with_items: pki_copy_public_files
when: item.src is defined and item.src and
item.dest is defined and item.dest

- name: Execute PKI Makefiles
environment:
LANG: 'C'
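Review bot: both new tasks build `dest` by concatenating `item.realm` and `item.dest` onto `pki_base_path` without any validation, so a `dest` containing `..` components escapes the PKI directory, and neither task checks the chosen realm against `pki_realm_blacklist` the way the task just above does (`item.0.name not in pki_realm_blacklist`). Add a realm condition to both `when:` clauses, for example `(item.realm | default(pki_default_realm)) not in pki_realm_blacklist`, and consider rejecting `dest` values that are absolute or contain `..` so that a list entry cannot write outside the realm. Minor: the task names say "Download" although the files travel from the Ansible Controller to the remote host; "Copy custom private files" / "Copy custom public files" would match the variable names and the changelog entry.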

0 comments on commit 837c3ee
