From 52c23c914f14792366e10aafa09e4970e9f09747 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 24 May 2019 11:57:03 +0300
Subject: [PATCH] create hostkey group which has read access to host certificate key
---
 roles/pki/tasks/main.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml
index 0021280..6606ba5 100644
--- a/roles/pki/tasks/main.yml
+++ b/roles/pki/tasks/main.yml
@@ -1,5 +1,10 @@
 ---
+- name: create hostkey group
+ group:
+ name: hostkey
+ system: true
+
 - name: copy ca certificate
 copy:
 src: "/srv/ca/certs/ca.crt"
@@ -20,6 +25,6 @@
 copy:
 src: "/srv/ca/private/{{ inventory_hostname }}.key"
 dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
- mode: 0600
+ mode: 0640
 owner: root
- group: "{{ ansible_wheel }}"
+ group: hostkey
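Review bot: In the host key copy task of the second hunk, `mode: 0640` with `group: hostkey` makes the private key readable by every member of that group, and nothing in the patch records which accounts are meant to be in it. I would add a comment above the task, e.g. `# hostkey: service accounts that must read the host TLS key; membership grants read access to the private key`, and quote the mode as `mode: "0640"` so the value does not depend on the YAML loader's octal handling. Group read only takes effect if the `{{ tls_private }}` directory is traversable by hostkey; its mode is not visible here, so that is worth confirming. The task's `- name:` line sits above the hunk.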