authorGravatar Joe Banks <[email protected]>2024-05-27 23:09:31 +0100
committerGravatar Joe Banks <[email protected]>2024-05-27 23:15:03 +0100
commit098a31f19e4f3a88314411d89b0c518de73904ea (patch)
treec2d916944e16cb61e8d44c3f24fbcb16f1a17e2b
parentChange certificate directory ownership to cert-users group (diff)
Add pydis-mtls role for distributing root CA
Adds a new role named pydis-mtls to distribute the mTLS certificate authority data to all nodes in the inventory. The defaults are sufficient here and use the production CA that will be used for service authentication (tls.pydis.wtf). Other services can point to the value stored in pydis_mtls_location as the source of truth for the certificate authority to validate against.
-rw-r--r--ansible/playbook.yml1
-rw-r--r--ansible/roles/pydis-mtls/README.md17
-rw-r--r--ansible/roles/pydis-mtls/defaults/main.yml29
-rw-r--r--ansible/roles/pydis-mtls/tasks/main.yml17
4 files changed, 64 insertions, 0 deletions
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 0cb4cf6..f04fefe 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -1,6 +1,7 @@
- name: Deploy common services
hosts: all
roles:
+ - pydis-mtls
- certbot
- common
- pydis-users
diff --git a/ansible/roles/pydis-mtls/README.md b/ansible/roles/pydis-mtls/README.md
new file mode 100644
index 0000000..c72a340
--- /dev/null
+++ b/ansible/roles/pydis-mtls/README.md
@@ -0,0 +1,17 @@
+# Role "pydis-mtls"
+
+This role adds a copy of the Python Discord Root CA used for mutual TLS
+authentication to a specified location on all hosts.
+
+Services that need mutual TLS support should validate any incoming request
+against this client certificate, the default provided with this role will always
+be a subdomain of `tls.pydis.wtf` and the CN can be used for further
+authorization validation.
+
+## Variables
+
+`pydis_mtls_certificate`: The CA Certificate contents to be copied to the host.
+The default should be fine here and is the current production CA.
+
+`pydis_mtls_location`: The location to copy the CA file to, defaults to
+`/opt/pydis/ca.pem`.
diff --git a/ansible/roles/pydis-mtls/defaults/main.yml b/ansible/roles/pydis-mtls/defaults/main.yml
new file mode 100644
index 0000000..721a747
--- /dev/null
+++ b/ansible/roles/pydis-mtls/defaults/main.yml
@@ -0,0 +1,29 @@
+---
+pydis_mtls_certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIEPzCCAyegAwIBAgIUEJZIbODQ36KwtyMHrT/shF8Mci4wDQYJKoZIhvcNAQEL
+ BQAwgYcxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcTBkxv
+ bmRvbjEeMBwGA1UEChMVUHl0aG9uIERpc2NvcmQgRGV2T3BzMR4wHAYDVQQLExVQ
+ eXRob24gRGlzY29yZCBEZXZPcHMxFjAUBgNVBAMTDXRscy5weWRpcy53dGYwHhcN
+ MjQwNTI2MjIzMTE5WhcNMjkwNTI1MjIzMTQ5WjCBhzELMAkGA1UEBhMCR0IxDzAN
+ BgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMGTG9uZG9uMR4wHAYDVQQKExVQeXRob24g
+ RGlzY29yZCBEZXZPcHMxHjAcBgNVBAsTFVB5dGhvbiBEaXNjb3JkIERldk9wczEW
+ MBQGA1UEAxMNdGxzLnB5ZGlzLnd0ZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+ AQoCggEBAN6kkXZQ+4pmgvexhKo9aavohMTiFQkgc0lcU6hjDxhoAHZkBTfIejBJ
+ yM0oRLsaHnyZwaCzK6qdoNqmKu/N3D9Y/JVlyyyVDnQ8Q78vCG6vLnMiLtmrI7J7
+ eZ+o5es80W0NowVNP1VSIA4G9gI6OtmUnepu5+1y9i5g0Uf9wncw8DmjXoxgkYcO
+ PYzGJpiSMcPugUvKIHVvZlDIUg4avlJi3c/ZheAB7V8nDIltlysakRC/dt6SOsRp
+ EHw/0dnU9jAGdvFqB1vGwL27CXTzhCz0kfnHRTVTp3LsuCl7KcNwDpqkg2rjt/Xa
+ NJKhBYMAypVPQIPgnvIiSotHfBkRVGcCAwEAAaOBoDCBnTAOBgNVHQ8BAf8EBAMC
+ AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUq4RhzM8gg8XsoI62V/scgOC2
+ HHwwHwYDVR0jBBgwFoAUq4RhzM8gg8XsoI62V/scgOC2HHwwGAYDVR0RBBEwD4IN
+ dGxzLnB5ZGlzLnd0ZjAgBgNVHR4BAf8EFjAUoBIwEIIOLnRscy5weWRpcy53dGYw
+ DQYJKoZIhvcNAQELBQADggEBADDmik7m5+zCB5a3aEMNsudm8fq8sJOj/bGzL3bB
+ bEdq5ABw9ET0oecR37ow+QpO9haU+keUXdcUhkfo02jsIu78RXg+6+lQPPXQlRuJ
+ VpdhmBgYp8bosLOsuXJ714HS9dt42SRE2PmlX1si/genJfeAqn8iYjPqjO1wlLwD
+ QJrybnq0j4glaKDRb5Ve8iITrv3RXGLhJOs97KfDQ10QD3L82C5Q2T5KTZ75n9J3
+ p5jBHYLqwd80EoI5Z/w0bL887mKP9tI1N2QG30lHj7Bxw9J2/uwayQ8S9SVOIB4t
+ QxbEW5JQzaUahX8Kaw9s3BZSezLFC0BvOOLnbYCsXIuB84g=
+ -----END CERTIFICATE-----
+
+pydis_mtls_location: /opt/pydis/ca.pem
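Review bot: Keeping the trusted CA in `defaults/main.yml` gives `pydis_mtls_certificate` the lowest variable precedence, so any inventory, group or extra var of the same name can silently replace the root of trust on a host, which sits awkwardly with the description calling this the source of truth. If overriding is only intended for testing, consider moving the certificate to `vars/main.yml` or stating in the README who may override it, so an unintended override does not quietly swap the CA. The PEM block also carries no provenance: a comment above `pydis_mtls_certificate` recording the subject, the SHA-256 fingerprint and the notAfter date would let operators verify the blob and plan rotation; decoding the embedded validity field suggests the certificate expires in May 2029, which should be confirmed with `openssl x509 -noout -dates` before relying on that.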
diff --git a/ansible/roles/pydis-mtls/tasks/main.yml b/ansible/roles/pydis-mtls/tasks/main.yml
new file mode 100644
index 0000000..70ea7b2
--- /dev/null
+++ b/ansible/roles/pydis-mtls/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Ensure directory to store mTLS CA in is created
+ file:
+ path: '{{ pydis_mtls_location | dirname }}'
+ state: directory
+ mode: '0755'
+ tags:
+ - role::pydis-mtls
+
+- name: Copy mTLS Certificate Authority to host
+ copy:
+ content: '{{ pydis_mtls_certificate }}'
+ dest: '{{ pydis_mtls_location }}'
+ owner: root
+ group: root
+ mode: '0744'
+ tags:
+ - role::pydis-mtls
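Review bot: `mode: '0744'` on the copied CA file sets an execute bit that a PEM data file never needs; `mode: '0644'` gives the same world-readable result without it. Because the content is templated from a variable that may be overridden per host, the `copy` task would benefit from a parse check before the file is placed, e.g. `validate: openssl x509 -noout -in %s`, which refuses to install anything that is not a well-formed certificate (this assumes openssl is available on the target). The `file` task creating the parent directory sets no `owner`/`group`, so ownership falls to whatever user Ansible runs as; pinning `owner: root` and `group: root` there keeps it consistent with the copy task below. Unlike `defaults/main.yml` in this commit, the tasks file also lacks the `---` document start marker.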