From 1996ec8f1aebc7551be8bc201f02288749e0c223 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Oct 2022 15:25:00 +0000
Subject: [PATCH] pki: Use FQCN and general cleanup

---
 roles/pki/tasks/main.yml | 45 +++++++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 14 deletions(-)

diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml
index ac5c510..8943497 100644
--- a/roles/pki/tasks/main.yml
+++ b/roles/pki/tasks/main.yml
@@ -1,12 +1,11 @@
 ---
-
 - name: create hostkey group
-  group:
+  ansible.builtin.group:
     name: hostkey
     system: true
 
 - name: copy ca certificate
-  copy:
+  ansible.builtin.copy:
     src: "/srv/ca/certs/ca.crt"
     dest: "{{ tls_certs }}/ca.crt"
     mode: 0644
@@ -14,16 +13,24 @@
     group: "{{ ansible_wheel }}"
 
 - name: get ca certificate hash
-  command: "openssl x509 -in /srv/ca/certs/ca.crt -noout -hash"
+  ansible.builtin.command:
+    argv:
+      - openssl
+      - x509
+      - -in
+      - /srv/ca/certs/ca.crt
+      - -noout
+      - -hash
   delegate_to: localhost
   register: result
   changed_when: false
+
 - name: store ca certificate hash
-  set_fact:
+  ansible.builtin.set_fact:
     pki_cacert_hash: "{{ result.stdout }}"
 
 - name: copy host certificate
-  copy:
+  ansible.builtin.copy:
     src: "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
     dest: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
     mode: 0644
@@ -31,7 +38,7 @@
     group: "{{ ansible_wheel }}"
 
 - name: add ansible certificate fact
-  copy:
+  ansible.builtin.copy:
     content: |
       #!/bin/sh
       [ -f {{ tls_certs }}/{{ inventory_hostname }}.crt ] && awk '
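Review bot: In the "get ca certificate hash" hunk the registered variable keeps the generic name `result`, while the new task added later in this same commit registers the prefixed `pki_host_fullchain`, so the file ends up with two naming conventions for registered results. Since the cleanup already rewrites this task into argv form, `register: pki_cacert_result` together with `pki_cacert_hash: "{{ pki_cacert_result.stdout }}"` in the following set_fact task would keep the role prefix consistent and avoid a name that any later `register: result` would silently overwrite. The other two hunks on this line are FQCN renames only.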
@@ -45,15 +52,25 @@
     owner: root
     group: "{{ ansible_wheel }}"
 
-- name: create full chain of host certficate and ca
-  shell: "cat {{ tls_certs }}/{{ inventory_hostname }}.crt \
-    {{ tls_certs }}/ca.crt > \
-    {{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
-  args:
-    creates: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
+- name: create full chain certificate contents
+  ansible.builtin.command:
+    argv:
+      - cat
+      - "{{ tls_certs }}/{{ inventory_hostname }}.crt"
+      - "{{ tls_certs }}/ca.crt"
+  changed_when: false
+  register: pki_host_fullchain
+
+- name: copy full chain certificate file
+  ansible.builtin.copy:
+    dest: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
+    content: "{{ pki_host_fullchain }}"
+    mode: 0640
+    owner: root
+    group: "{{ ansible_wheel }}"
 
 - name: copy host key
-  copy:
+  ansible.builtin.copy:
     src: "/srv/ca/private/{{ inventory_hostname }}.key"
     dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
     mode: 0640
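Review bot: `content: "{{ pki_host_fullchain }}"` in the new "copy full chain certificate file" task writes the whole registered result mapping (rc, cmd, stdout, stderr, …) into `-fullchain.crt`, not the concatenated PEM text the removed shell task produced, so anything that reads the full-chain file will find a serialized dict instead of certificates. The copy task should take the command's output, `content: "{{ pki_host_fullchain.stdout }}\n"`; the explicit trailing newline is worth adding because the command module strips stdout's final newline, and without it the last PEM line would end without a line break (presumably harmless to OpenSSL, but a silent difference from the previous file). The new `mode: 0640` would also be safer quoted as `mode: "0640"` so YAML 1.1 loaders do not turn it into an octal integer before Ansible sees it.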