From 1e4d8a0426a6198d65308285dd7a4177225f21da Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Thu, 14 Oct 2021 23:08:06 +0200
Subject: [PATCH] store certs and keys in a store directory and use links [UNTESTED]

---
 roles/generate-cert/defaults/main.yml |  1 +
 roles/generate-cert/tasks/main.yml    | 39 +++++++++++++++++++++++----
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml
index db793c5..b104186 100644
--- a/roles/generate-cert/defaults/main.yml
+++ b/roles/generate-cert/defaults/main.yml
@@ -5,3 +5,4 @@ key_usage:
 validity_duration: "+365d"
 time_before_expiration_for_renewal: "+30d" # need a better name
 force_renewal: no
+store_directory: /etc/hackypky
diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml
index 8850257..afd91c7 100644
--- a/roles/generate-cert/tasks/main.yml
+++ b/roles/generate-cert/tasks/main.yml
@@ -1,4 +1,16 @@
 ---
+- name: Ensure the directories used to store certs exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    group: root
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+  loop:
+    - "{{ store_directory }}"
+    - "{{ store_directory }}/crts"
+    - "{{ store_directory }}/keys"
+
 - name: Ensure the directory containing the cert exist
   file:
     path: "{{ directory }}"
@@ -6,17 +18,17 @@
 
 - name: Test if the key already exist
   stat:
-    path: "{{ directory }}/{{ cname }}.key"
+    path: "{{ store_directory}}/keys/{{ cname }}.key"
   register: key_file
 
 - name: Test if the cert already exist
   stat:
-    path: "{{ directory }}/{{ cname }}.crt"
+    path: "{{ store_directory}}/crts/{{ cname }}.crt"
   register: cert_file
 
 - name: Test if we need to renew the certificate
   openssl_certificate_info:
-    path: "{{ directory }}/{{ cname }}.crt"
+    path: "{{ store_directory }}/crts/{{ cname }}.crt"
   valid_at:
     renewal: "{{ time_before_expiration_for_renewal }}"
   register: validity
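Review bot: The `keys` directory is created with the same `u=rwx,g=rx,o=rx` as `crts`, so every local user can list which private keys exist under `{{ store_directory }}/keys`, even though the key bytes themselves are protected by the `u=rw,g=,o=` file mode applied further down in this file. Because each key is later owned by `{{ owner | default('root') }}` and reached through a symlink, a non-root owner still needs search permission on that directory, so the tightest portable setting is `o=x` (traverse without listing); if every consumer runs as root it can drop to `o=`. Giving each directory its own mode in the loop keeps the other two directories exactly as they are.
```yaml
- name: Ensure the directories used to store certs exist
  file:
    path: "{{ item.path }}"
    state: directory
    group: root
    owner: root
    mode: "{{ item.mode }}"
  loop:
    - { path: "{{ store_directory }}", mode: "u=rwx,g=rx,o=rx" }
    - { path: "{{ store_directory }}/crts", mode: "u=rwx,g=rx,o=rx" }
    # private keys: traversable so a non-root owner can follow the link, but not listable
    - { path: "{{ store_directory }}/keys", mode: "u=rwx,g=rx,o=x" }
```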
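Review bot: The two `stat` tasks now look only under `{{ store_directory }}`, so a host provisioned by an earlier version of this role, whose key and certificate are regular files under `{{ directory }}`, reports `key_file.stat.exists` as false and gets a brand-new private key generated instead of having the existing one moved; anything that pinned or distributed the old key is silently invalidated. Consider a migration step that, when the store copy is absent and `{{ directory }}/{{ cname }}.key` is a regular file, moves it into the store before these checks run. Separately, `{{ store_directory}}` on the two `stat` paths drops the space before `}}` that the third path keeps; Jinja accepts both, but write `"{{ store_directory }}/keys/{{ cname }}.key"` for consistency with the rest of the file.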
@@ -84,7 +96,7 @@
 - name: Send private key to the server
   copy:
     src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
-    dest: "{{ directory }}/{{ cname }}.key"
+    dest: "{{ store_directory }}/keys/{{ cname }}.key"
     owner: "{{ owner | default('root') }}"
     group: "{{ group | default('root') }}"
     mode: "{{ key_mode | default('u=rw,g=,o=') }}"
@@ -93,7 +105,7 @@
 - name: Send certificate to the server
   copy:
     src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
-    dest: "{{ directory }}/{{ cname }}.crt"
+    dest: "{{ store_directory }}/crts/{{ cname }}.crt"
     owner: "{{ owner | default('root') }}"
     group: "{{ group | default('root') }}"
     mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
@@ -134,3 +146,20 @@
     state: absent
   delegate_to: localhost
   when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
+
+- name: Create the link to cert
+  file:
+    src: "{{ store_directory }}/crts/{{ cname }}.crt"
+    dest: "{{ directory }}/{{ cname }}.crt"
+    owner: "{{ owner | default('root') }}"
+    group: "{{ group | default('root') }}"
+    state: link
+
+- name: Create the link to key
+  file:
+    src: "{{ store_directory }}/keys/{{ cname }}.key"
+    dest: "{{ directory }}/{{ cname }}.key"
+    owner: "{{ owner | default('root') }}"
+    group: "{{ group | default('root') }}"
+    state: link
+
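Review bot: The certificate copy still takes its mode from `key_mode` (the context line right below the changed `dest`), so an operator who sets `key_mode` to lock down the private key also makes the public certificate unreadable to its group and others, which breaks any non-root service that reads `{{ directory }}/{{ cname }}.crt`. Give the certificate its own variable: `mode: "{{ cert_mode | default('u=rw,g=r,o=r') }}"`. This predates the patch, but the hunk is where both copy tasks are being reworked, so it is the natural place to separate the two.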
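Review bot: `file` with `state: link` refuses to replace an existing regular file, so on a host already set up by an earlier version of this role, where `{{ directory }}/{{ cname }}.key` and `.crt` are real files, both new tasks fail unless `force: true` is added, and `force: true` would delete the original key rather than migrate it. A safer sequence is to `stat` the old path first and, when it is a regular file and the store copy is absent, move it into the store (for example `command: mv {{ directory }}/{{ cname }}.key {{ store_directory }}/keys/{{ cname }}.key`) before these link tasks run. As I read the `file` module, `owner`/`group` on a `state: link` task are applied to the symlink itself rather than the target (confirm against the module docs), so readability of the key is governed entirely by the mode and ownership set in the copy task and by the permissions on `{{ store_directory }}/keys`; the two attributes here are harmless but do not do what a reader might expect.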