zoneminder: Add TLS when connecting to remote mysql

roles/zoneminder/tasks/main.yml

@@ -51,6 +51,13 @@
   notify: restart zoneminder
   when: zm_mysql_host != "localhost"
 
+- name: allow zoneminder to read host private key
+  user:
+    name: apache
+    groups: hostkey
+    append: true
+  when: zm_mysql_host != "localhost"
+
 # selinux doesn't allow create this
 - name: create stub web log
   file:

roles/zoneminder/templates/zm.conf

@@ -6,3 +6,8 @@ ZM_DB_HOST={{ zm_mysql_host }}
 ZM_DB_NAME={{ zm_mysql_db}}
 ZM_DB_USER={{ zm_mysql_user }}
 ZM_DB_PASS={{ zm_mysql_pass }}
+{% if zm_mysql_host != "localhost" %}
+ZM_DB_SSL_CA_CERT={{ tls_certs }}/ca.crt
+ZM_DB_SSL_CLIENT_KEY={{ tls_private }}/{{ inventory_hostname }}.key
+ZM_DB_SSL_CLIENT_CERT={{ tls_certs }}/{{ inventory_hostname }}.crt
+{% endif %}