From 7b261e2119b8922128d17f0da4daece90501f07d Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 14 Dec 2022 11:27:28 +0100
Subject: [PATCH] Allow to define mode and ownership for CA private keys By default private keys mode is 0600. However, in cases when pki dir is stored in git, file mode is not being preserved there. At the same time changing mode of private key will trigger CA certs re-generation which may lead to unexpected side-effects.
Change-Id: I4a90479261b2721c08e9034fbae0d56de9308676
---
 tasks/standalone/create_ca.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tasks/standalone/create_ca.yml b/tasks/standalone/create_ca.yml
index 19e84ff..64fd4d5 100644
--- a/tasks/standalone/create_ca.yml
+++ b/tasks/standalone/create_ca.yml
@@ -59,6 +59,9 @@
 passphrase: "{{ ca.key_passphrase | default(omit) }}"
 cipher: "{{ ('key_passphrase' in ca and ca.key_passphrase) | ternary('auto', omit) }}"
 backup: "{{ ca.backup | default(True) }}"
+ mode: "{{ ca.key_mode | default('0600') }}"
+ owner: "{{ ca.key_owner | default('root') }}"
+ group: "{{ ca.key_group | default('root') }}"
 register: ca_privkey
 - name: Read the serial number for {{ ca.name }}
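Review bot: The new `mode:` line lets `ca.key_mode` set any permission bits on the CA private key, and the `passphrase:` line above it is omitted by default, so the file mode may be the only protection for an unencrypted key. Nothing in the hunk documents or checks the value; I would add a comment above it such as `# key_mode must be a quoted octal string ('0600'); any group/other access exposes the CA key`, and document the three new keys wherever `ca` entries are described. An unquoted `key_mode: 0640` is read by YAML 1.1 parsers as the integer 416 and, depending on how the templated value reaches the module, may be applied as a different mode than intended. Defaulting `owner` and `group` to `root` also changes behaviour from leaving ownership untouched to a chown that presumably fails when the play runs unprivileged; `default(omit)` would keep the old behaviour. The task these lines belong to starts outside the hunk.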