From 8362be052b75759d1670badf242e222cec6116fb Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 8 Apr 2016 18:16:00 +0200
Subject: [PATCH] library/roles/ubuntu-deb-general: Create a generic directory where to store local SSL certificates.
---
 ubuntu-deb-general/defaults/main.yml | 6 ++++++
 ubuntu-deb-general/tasks/main.yml | 3 ++-
 ubuntu-deb-general/tasks/pki-dir.yml | 10 ++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 ubuntu-deb-general/tasks/pki-dir.yml
diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml
index c03cedb..304bd06 100644
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@@ -81,6 +81,12 @@ services_to_be_disabled:
 - rpcbind
 - atd
 - acpid
+
+# A generic PKI directory where the local certificates will be stored
+pki_dir: /etc/pki
+pki_subdirs:
+ - certs
+ - keys
 disable_ipv6: True
 ipv6_sysctl_value: 1
diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml
index 952b15f..e09a43f 100644
--- a/ubuntu-deb-general/tasks/main.yml
+++ b/ubuntu-deb-general/tasks/main.yml
@@ -5,7 +5,6 @@
 - include: packages.yml
 - include: ntp.yml
 - include: remove-unneeded-pkgs.yml
-- include: disable-unneeded-services.yml
 - include: manage-ipv6-status.yml
 when: is_not_debian_less_than_6
 - include: disable-ipv6-old-servers.yml
@@ -23,5 +22,7 @@
 - include: unattended-upgrades.yml
 - include: install_external_ca_cert.yml
 - include: manage_su_limits.yml
+- include: pki-dir.yml
+- include: disable-unneeded-services.yml
diff --git a/ubuntu-deb-general/tasks/pki-dir.yml b/ubuntu-deb-general/tasks/pki-dir.yml
new file mode 100644
index 0000000..3c9d243
--- /dev/null
+++ b/ubuntu-deb-general/tasks/pki-dir.yml
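Review bot: Moving `- include: disable-unneeded-services.yml` from near the top of tasks/main.yml (first hunk) to the very end (second hunk) is not mentioned in the commit subject and carries no explanation. With the include last, the services listed in `services_to_be_disabled` (rpcbind, atd and acpid are visible in the defaults) are presumably only disabled when every earlier include has succeeded, so a run that stops midway on a fresh host leaves them enabled. If the new position is required, record why next to the line, e.g. `# must run last: <reason>`; otherwise keep the hardening step early in the list.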
@@ -0,0 +1,10 @@
+---
+- name: Ensure that the PKI directory exists
+ file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
+ tags: [ 'pki', 'ssl' ]
+
+- name: Ensure that the PKI subdirectories exist
+ file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
+ with_items: '{{ pki_subdirs }}'
+ tags: [ 'pki', 'ssl' ]
+
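Review bot: The second task creates every entry of `pki_subdirs` with `mode=0755`, so the `keys` directory added in defaults/main.yml is listable and traversable by every local user, and any private key stored there is protected only by its own file mode. Let each entry carry its own mode, for example `- { name: 'keys', mode: '0700' }` in the defaults and `file: path={{ pki_dir }}/{{ item.name }} state=directory owner=root group=root mode={{ item.mode }}` in this task. If non-root services have to read the keys, a dedicated group with `0750` is the usual alternative; which services consume this directory is not visible in the patch.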