From 4d4b61d5d025e4279d148f8ffe7d021ff2ef81fe Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 30 Aug 2021 19:46:14 +0000
Subject: [PATCH] zoneminder: Add TLS when connecting to remote mysql
---
 roles/zoneminder/tasks/main.yml | 7 +++++++
 roles/zoneminder/templates/zm.conf | 5 +++++
 2 files changed, 12 insertions(+)
diff --git a/roles/zoneminder/tasks/main.yml b/roles/zoneminder/tasks/main.yml
index 2e1e96f..ebdfde4 100644
--- a/roles/zoneminder/tasks/main.yml
+++ b/roles/zoneminder/tasks/main.yml
@@ -51,6 +51,13 @@
 notify: restart zoneminder
 when: zm_mysql_host != "localhost"

+- name: allow zoneminder to read host private key
+ user:
+ name: apache
+ groups: hostkey
+ append: true
+ when: zm_mysql_host != "localhost"
+
 # selinux doesn't allow create this
 - name: create stub web log
 file:
diff --git a/roles/zoneminder/templates/zm.conf b/roles/zoneminder/templates/zm.conf
index a692f6b..9e29854 100644
--- a/roles/zoneminder/templates/zm.conf
+++ b/roles/zoneminder/templates/zm.conf
@@ -6,3 +6,8 @@ ZM_DB_HOST={{ zm_mysql_host }}
 ZM_DB_NAME={{ zm_mysql_db}}
 ZM_DB_USER={{ zm_mysql_user }}
 ZM_DB_PASS={{ zm_mysql_pass }}
+{% if zm_mysql_host != "localhost" %}
+ZM_DB_SSL_CA_CERT={{ tls_certs }}/ca.crt
+ZM_DB_SSL_CLIENT_KEY={{ tls_private }}/{{ inventory_hostname }}.key
+ZM_DB_SSL_CLIENT_CERT={{ tls_certs }}/{{ inventory_hostname }}.crt
+{% endif %}
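Review bot: Adding `apache` to `hostkey` in the new task of roles/zoneminder/tasks/main.yml lets the web server account, and anything else that runs as it, read the host's TLS private key, which is wider access than the database connection needs. A key and certificate issued only for the ZoneMinder database client would keep a compromise of the web application from exposing the host identity; if the shared key stays, a comment such as `# apache can read the host TLS key from here on; needed for ZM_DB_SSL_CLIENT_KEY` would record the decision. The task also lacks the `notify: restart zoneminder` that the task before it carries, and supplementary groups are only picked up by processes started after the change, so the running service may still fail to open the key until it is restarted. The hunk ends inside the following `create stub web log` task.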
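Review bot: The three `ZM_DB_SSL_*` lines added to roles/zoneminder/templates/zm.conf hand the client its CA and key pair, but nothing in the patch makes a connection without TLS fail, and whether ZoneMinder refuses a plaintext fallback or checks the server name is not visible here. The MySQL account for `zm_mysql_user` should be created with `REQUIRE SSL` or `REQUIRE X509` so the server rejects an unencrypted login; a template comment such as `{# remote DB only; pair with REQUIRE X509 on the server account so plaintext logins are rejected #}` would document that dependency. The key and certificate paths assume the files under `tls_private` and `tls_certs` are named after `inventory_hostname`, which is worth confirming for hosts whose inventory name differs from the name on their certificate.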