library/roles/ubuntu-deb-general: Create a generic directory where to store local SSL certificates.

ubuntu-deb-general/defaults/main.yml

@@ -82,6 +82,12 @@ services_to_be_disabled:
   - atd
   - acpid
 
+# A generic PKI directory where the local certificates will be stored
+pki_dir: /etc/pki
+pki_subdirs:
+  - certs
+  - keys
+  
 disable_ipv6: True
 ipv6_sysctl_value: 1
 ipv6_sysctl_file: /etc/sysctl.d/10-ipv6-disable.conf

ubuntu-deb-general/tasks/main.yml

@@ -5,7 +5,6 @@
 - include: packages.yml
 - include: ntp.yml
 - include: remove-unneeded-pkgs.yml
-- include: disable-unneeded-services.yml
 - include: manage-ipv6-status.yml
   when: is_not_debian_less_than_6
 - include: disable-ipv6-old-servers.yml
@@ -23,5 +22,7 @@
 - include: unattended-upgrades.yml
 - include: install_external_ca_cert.yml
 - include: manage_su_limits.yml
+- include: pki-dir.yml
+- include: disable-unneeded-services.yml
 
 

ubuntu-deb-general/tasks/pki-dir.yml

@@ -0,0 +1,10 @@
+---
+- name: Ensure that the PKI directory exists
+  file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
+  tags: [ 'pki', 'ssl' ]
+
+- name: Ensure that the PKI subdirectories exist
+  file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
+  with_items: '{{ pki_subdirs }}'
+  tags: [ 'pki', 'ssl' ]
+