debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

Create PKI realms #70

Open Polichronucci opened 8 years ago

Polichronucci commented 8 years ago

The 'Create PKI realms' task runs only on creation of a realm; this is due to the "creates: '/etc/pki/realms/{{ item.name }}/default.key'" line. Is it necessary? I mean, running the "pki-realm new-realm -n" command doesn't really change anything, it only updates configs, which is handy if it comes to reconfiguration; otherwise you have to delete the default.key link in each realm. Also, I think it would be helpful to include in the docs that the 'Create PKI realms' task needs "internal: True" on the realm in order to run. Otherwise variables crucial to ACME certs won't be included. Am I missing something?

drybjed commented 8 years ago

Making the realm creation dependent on the existence of default.key might indeed not be necessary; I did that mainly to avoid adding changed_when: False to this task. I suppose that it could be tweaked to find better condition detection; perhaps the pki-realm and pki-authority scripts could be more verbose, and that would help Ansible detect various things.

The internal: True parameter should be implied automatically. Specifically, you can set internal: False and have a set of self-signed certificates, which should then allow you to switch seamlessly to ACME certificates later. I'll check in a bit if internal: True really is necessary, although it shouldn't be at this point.
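As an added illustration of the trade-off discussed above (example written for this page, not code from the debops.pki role), here are the task as quoted in the issue and two ways of dropping the creates: guard. The exact argument form of pki-realm new-realm -n, the pki_realms loop variable and the 'changed' output marker in the third variant are assumptions, not documented behaviour of the role or script:

```yaml
# Variant 1: the task as quoted in the issue. Once default.key exists Ansible
# skips the command entirely, so re-running the role never refreshes the
# realm configuration.
- name: Create PKI realms
  command: pki-realm new-realm -n {{ item.name }}   # argument form assumed
  args:
    creates: '/etc/pki/realms/{{ item.name }}/default.key'
  with_items: '{{ pki_realms }}'                    # variable name assumed

# Variant 2: run on every play and never report "changed" (the
# changed_when: False alternative mentioned above). Realm configuration is
# refreshed on every run, at the cost of hiding real changes in the play
# summary.
- name: Create or update PKI realms
  command: pki-realm new-realm -n {{ item.name }}
  with_items: '{{ pki_realms }}'
  changed_when: False

# Variant 3 (assumed script behaviour): if pki-realm printed a marker only
# when it actually modified something, Ansible could run it every time and
# still report changes accurately.
- name: Create or update PKI realms
  command: pki-realm new-realm -n {{ item.name }}
  with_items: '{{ pki_realms }}'
  register: pki_realm_result
  changed_when: "'changed' in pki_realm_result.stdout"   # marker assumed
```

Variant 3 is the "more verbose scripts" direction: the guard moves from a file-existence check on the controller side to a signal emitted by the script that knows what it changed.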

htgoebel commented 7 years ago

This leads to more severe problems, see #109.