https://github.com/pixelart/ansible-role-nssdb
Ansible Role: NSS Shared DB
- Host: GitHub
- URL: https://github.com/pixelart/ansible-role-nssdb
- Owner: pixelart
- Created: 2017-02-03T15:09:19.000Z (over 9 years ago)
- Default Branch: master
- Last Pushed: 2020-03-06T19:29:59.000Z (over 6 years ago)
- Last Synced: 2025-01-21T09:31:21.794Z (over 1 year ago)
- Size: 16.6 KB
- Stars: 4
- Watchers: 3
- Forks: 2
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Code of conduct: CODE_OF_CONDUCT.md
# Ansible Role: NSS Shared DB
[Travis CI build](https://travis-ci.org/pixelart/ansible-role-nssdb)
Installs CA certificates into the NSS Shared DB on Ubuntu or Debian, the certificate store that Google Chrome uses.
## Requirements
- The CA certificate should already be installed on the target host. You can use `bdellegrazie.ca-certificates` for that, since you still need the system CA bundle for curl and for PHP anyway.
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
```yaml
certutils_package_state: installed
```
By default this is set to `installed`. Override it with `latest` if you want to upgrade the package or have switched to a different repository.
```yaml
nssdb_users: []
```
A list of user account names for which the certificates should be managed too, besides the system-wide `/etc/pki/nssdb`. This is needed, e.g. for Google Chrome, which only opens the user's nssdb :sob:
```yaml
nssdb_certificates: []
```
A list of certificates to install into `/etc/pki/nssdb`, each with `name`, `path` and `trust` attributes (see `certutil -H -A` for help on the `-t trustargs` parameter), e.g. `CT,c,c` to trust the CA for signing websites (as Chrome needs), or `CT,C,C` to trust it for signing websites, S/MIME (mail) certificates and code signing.
Organize your cert name as `cert common name - cert organization` so Chrome can show it neatly.
```yaml
nssdb_certificates:
  # Install CAcert CA and trust on websites, S/MIME and code signing.
  - name: CA Cert Signing Authority - Root CA
    path: /usr/local/share/ca-certificates/cacert.crt
    trust: CT,C,C
  # Install corporate CA and trust only on websites
  - name: Acme CA - Acme Corp
    path: /usr/local/share/ca-certificates/acme.crt
    trust: CT,c,c
```
## Dependencies
None, but you can use `bdellegrazie.ca-certificates` to transfer the certificates to the target host and install them for curl, PHP and so on as well.
## Example Playbook
```yaml
- hosts: phpdevs
  pre_tasks:
    - name: Download CA Cert Signing Authority
      uri:
        url: 'http://www.cacert.org/certs/root.crt'
        return_content: true
      register: cacert_pem
  vars_files:
    - vars/main.yml
  roles:
    - bdellegrazie.ca-certificates
    - pixelart.nssdb
```
*Inside `vars/main.yml`*:
```yaml
ca_certificates_trusted:
  - { pem: "{{ cacert_pem.content }}", name: cacert }
  - { pem: "{{ lookup('file', 'files/ssl/acme-ca.pem') }}", name: acme }
nssdb_users: ['username']
nssdb_certificates:
  - name: CA Cert Signing Authority - Root CA
    path: '{{ ca_certificates_local_dir }}/cacert.crt'
    trust: CT,C,C
  - name: Acme CA - Acme Corp
    path: /usr/local/share/ca-certificates/acme.crt
    trust: CT,c,c
```
After the playbook runs, the certificates are installed in the system-wide nssdb and in each listed user's nssdb, and are also concatenated into `ca-certificates.crt` for curl, PHP and so on.
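Because the `trust` attributes decide what a CA may vouch for (websites only versus websites, S/MIME and code signing), it is worth checking the resulting NSS DB rather than trusting the playbook's green run. The script below is an added example, not part of the pixelart.nssdb role: it parses the output of `certutil -d sql:/etc/pki/nssdb -L` (a constructed sample is embedded so it runs offline), decodes the trust flags listed by `certutil -H -A`, and diffs the live listing against a list in the same shape as `nssdb_certificates`. The nicknames and the "Stale Vendor CA" entry are assumptions made up for the sample; on a real host you would feed it `list_nssdb()` for `/etc/pki/nssdb` and for each user's `~/.pki/nssdb`.

```python
"""Audit an NSS shared DB listing against a declared certificate list.

Added example (not the pixelart.nssdb role's code). It reads `certutil -L`
output, decodes the trust attributes and reports missing, drifted and
undeclared CAs, so an over-trusted corporate CA is caught as drift.
"""
import re
import subprocess  # only used by list_nssdb(); the sample audit runs offline

# Meaning of each trust flag, as documented by `certutil -H -A`.
TRUST_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA for client certs",
    "C": "trusted CA for server certs",
    "u": "user certificate",
    "w": "warn on use",
}
# The three comma-separated positions of a trust string, in certutil's order.
TRUST_CONTEXTS = ("SSL", "S/MIME", "code signing")

# Declared state, same shape as the role's nssdb_certificates (assumed names;
# the `path` key is irrelevant for the audit and omitted).
EXPECTED = [
    {"name": "CA Cert Signing Authority - Root CA", "trust": "CT,C,C"},
    {"name": "Acme CA - Acme Corp", "trust": "CT,c,c"},
]

# Constructed sample of `certutil -d sql:/etc/pki/nssdb -L` output. The
# corporate CA has picked up code-signing trust it was never declared with,
# and a third CA nobody declared is present.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Cert Signing Authority - Root CA                          CT,C,C
Acme CA - Acme Corp                                          CT,c,C
Stale Vendor CA - Old Vendor                                 CT,c,c
"""


def parse_listing(text):
    """Return {nickname: trust} from certutil -L output.

    Nicknames may contain single spaces, so the split is on the run of two or
    more spaces that precedes the final three-part trust string; the header
    lines never match because "Trust Attributes" and "SSL,S/MIME,JAR/XPI" are
    not made of trust flags.
    """
    certs = {}
    flag_cls = "[pPcTCuw]*"
    pattern = re.compile(rf"^(.*?)\s{{2,}}({flag_cls},{flag_cls},{flag_cls})\s*$")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs


def decode_trust(trust):
    """Expand a trust string such as 'CT,c,c' into per-context descriptions."""
    parts = trust.split(",")
    if len(parts) != 3:
        raise ValueError(f"malformed trust string: {trust!r}")
    return {
        ctx: [TRUST_FLAGS[f] for f in flags]
        for ctx, flags in zip(TRUST_CONTEXTS, parts)
    }


def audit(listing_text, expected):
    """Diff the live listing against the declared list.

    Returns {'missing': [...], 'drift': [(name, want, have), ...],
             'undeclared': [...]}.
    """
    live = parse_listing(listing_text)
    want = {c["name"]: c["trust"] for c in expected}
    result = {"missing": [], "drift": [], "undeclared": []}
    for name, trust in want.items():
        if name not in live:
            result["missing"].append(name)
        elif live[name] != trust:
            result["drift"].append((name, trust, live[name]))
    result["undeclared"] = [name for name in live if name not in want]
    return result


def list_nssdb(db_dir="/etc/pki/nssdb"):
    """Fetch the listing from a real host; not called by the offline sample."""
    proc = subprocess.run(["certutil", "-d", f"sql:{db_dir}", "-L"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    report = audit(SAMPLE_LISTING, EXPECTED)
    for name, want, have in report["drift"]:
        print(f"drift: {name}: declared {want}, found {have} "
              f"-> {decode_trust(have)}")
    for name in report["missing"]:
        print(f"missing: {name}")
    for name in report["undeclared"]:
        print(f"undeclared: {name}")
```

Run it unchanged to see the sample report; replace `SAMPLE_LISTING` with `list_nssdb()` (and `list_nssdb(os.path.expanduser("~username/.pki/nssdb"))` for each entry of `nssdb_users`) to audit a real host. Treating undeclared CAs and widened trust flags as findings is the point: the role only adds what you declare, so anything else in the DB got there some other way.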
## Code of Conduct
Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
## License
MIT, see the [LICENSE](LICENSE) file.
## Author Information
This role was created in 2017 by [pixelart GmbH](https://www.pixelart.at/).