From 76ff7a65c7ec99b1ceef9afabf4c302b8580312b Mon Sep 17 00:00:00 2001
From: Maciej Delmanowski
Date: Wed, 22 Apr 2015 19:11:10 +0200
Subject: [PATCH 1/2] Reorder Changelog entries
---
 CHANGES.rst | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index b5395a0..f0cb977 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -6,14 +6,16 @@ v0.1.0
 *Unreleased*
-- Add support for managing the list of active Root CA Certificates in
- ``/etc/ca-certificates.conf``. Current set of active Root CA Certificates is
- preserved. [drybjed]
+- Add Changelog. [drybjed]
 - Blacklist CNNIC Root CA following the `Google decision to remove CNNIC`_
 from their Root CA store. [drybjed]
 .. _Google decision to remove CNNIC: http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
-- Add Changelog. [drybjed]
+- Add support for managing the list of active Root CA Certificates in
+ ``/etc/ca-certificates.conf``. Current set of active Root CA Certificates is
+ preserved. [drybjed]
+
+- Reorder Changelog entries. [drybjed]
From beaa87809a828bc95ec168587450192289cf2c00 Mon Sep 17 00:00:00 2001
From: Maciej Delmanowski
Date: Wed, 22 Apr 2015 19:12:32 +0200
Subject: [PATCH 2/2] Add a way to copy arbitrary files to remote hosts
---
 CHANGES.rst | 3 +++
 defaults/main.yml | 34 +++++++++++++++++++++++++++++++
 tasks/manage_pki_certificates.yml | 22 ++++++++++++++++++++
 3 files changed, 59 insertions(+)
diff --git a/CHANGES.rst b/CHANGES.rst
index f0cb977..6ae16ea 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -19,3 +19,6 @@ v0.1.0
 - Reorder Changelog entries. [drybjed]
+- Add a way to copy arbitrary files from Ansible Controller to remote host PKI
+ directories. [drybjed]
+
diff --git a/defaults/main.yml b/defaults/main.yml
index 69a882f..0dc434e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -398,6 +398,40 @@ pki_inject_public_files: []
 pki_inject_private_files: []
+# ---- Copy external files to PKI directories ----
+
+# Using these lists, you can copy arbitrary files from Ansible Controller to
+# remote host's PKI directories. They will automatically be secured with proper
+# permissions. If not specified, files will be copied to default PKI realm.
+
+# Examples:
+#
+# # Copy a particular certificate file to default realm
+# pki_copy_public_files:
+#
+# - src: '/srv/certificates/example.com.crt'
+# dest: 'certs/example.com.crt'
+#
+# # Copy a particular private key file to default realm
+# pki_copy_private_files:
+#
+# - src: '/srv/certificates/private/example.com.key'
+# dest: 'private/example.com.key'
+#
+# # Copy a file to specific realm
+# pki_copy_public_files:
+#
+# - src: '/etc/fstab'
+# dest: 'certs/fstab'
+# realm: 'domain'
+
+# Copy public files to remote hosts
+pki_copy_public_files: []
+
+# Copy private files to remote hosts
+pki_copy_private_files: []
+
+
 # ---- System CA certificate store management ----
 # Set default trust policy for new certificates added to 'ca-certificates'
diff --git a/tasks/manage_pki_certificates.yml b/tasks/manage_pki_certificates.yml
index b734c14..96ee995 100644
--- a/tasks/manage_pki_certificates.yml
+++ b/tasks/manage_pki_certificates.yml
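Review bot: The comment block above `pki_copy_public_files` and `pki_copy_private_files` documents only the `src`, `dest` and `realm` item keys, but the tasks added by this same commit in `tasks/manage_pki_certificates.yml` also read per-item `owner`, `group` and `mode`, falling back to `pki_owner`, `pki_public_group`/`pki_private_group` and `pki_public_mode`/`pki_private_mode`. Those optional keys and their defaults are exactly what a user deciding how a private key ends up on disk will look for, so they belong in the examples, e.g. a constructed line such as `#     mode: '0600'   # optional, defaults to pki_private_mode` under the private-key example. It would also help to state that `dest` is a path relative to the realm directory, which is how the tasks build the destination. The `/etc/fstab` example for `realm` is an odd illustration in a `certs/` directory; a certificate path would read more naturally.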
@@ -90,6 +90,28 @@ when: (item.0.source is defined and (item.0.destination is defined and item.0.destination) and (item.0.name is undefined or item.0.name not in pki_realm_blacklist))
+- name: Download custom private files
+ copy:
+ src: '{{ item.src }}'
+ dest: '{{ pki_base_path + "/" + item.realm | default(pki_default_realm) + "/" + item.dest }}'
+ owner: '{{ item.owner | default(pki_owner) }}'
+ group: '{{ item.group | default(pki_private_group) }}'
+ mode: '{{ item.mode | default(pki_private_mode) }}'
+ with_items: pki_copy_private_files
+ when: item.src is defined and item.src and
+ item.dest is defined and item.dest
+
+- name: Download custom public files
+ copy:
+ src: '{{ item.src }}'
+ dest: '{{ pki_base_path + "/" + item.realm | default(pki_default_realm) + "/" + item.dest }}'
+ owner: '{{ item.owner | default(pki_owner) }}'
+ group: '{{ item.group | default(pki_public_group) }}'
+ mode: '{{ item.mode | default(pki_public_mode) }}'
+ with_items: pki_copy_public_files
+ when: item.src is defined and item.src and
+ item.dest is defined and item.dest
+
 - name: Execute PKI Makefiles
 environment:
 LANG: 'C'
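Review bot: Neither new task checks `item.realm` against `pki_realm_blacklist`, while the neighbouring task in this file skips blacklisted realms (the `item.0.name not in pki_realm_blacklist` condition visible in the hunk's leading context), so a file listed with a blacklisted realm would still be written into that realm's directory. Appending `and (item.realm is undefined or item.realm not in pki_realm_blacklist)` to the `when:` of both tasks keeps the copy tasks consistent with the rest of the file. The task names say "Download", but `copy` pushes files from the controller to the remote host, so `Copy custom private files` / `Copy custom public files` would describe what they do. The built `dest` is a plain concatenation of `pki_base_path`, the realm and `item.dest`, so a `dest` containing `..` lands outside the realm directory; this is operator-supplied inventory data rather than untrusted input, but a comment on the task stating that `dest` is expected to be a relative path inside the realm would make the contract explicit.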