Replaced external certificates are not copied to host
If an external certificate expires and gets renewed and replaced on the controller, the new certificate does not get copied to the host. This is because the relevant copy task has force: False.
In the current role whether force: False is set on a copy task in the pki role is rather inconsistent. Or in other words it's not clear to me what the rules are.
IMHO all these tasks should either use force: True or at least have this configurable. Would you accept a pull request for this?
Current debops.pki role is designed around Ansible inventory, specifically all host group, one custom group and specific hosts. My thinking at the time was this:
- if there's a set of certificates/keys for all hosts, copy them over, but don't override more specific case (force: False),
- if there's a set of certificates/keys for a group in which a given host is placed, copy them over but don't override more specific case,
- if there's a set of certificates/keys for a specific host, copy them over and overwrite existing certificates.
So, if a user has a global set of certificates, and for some reason he/she wanted a per-host override, that would be possible. But I suppose the extra granularity isn't really that useful. You can easily create multiple PKI realms which should help with separate certificates for a group of hosts. Perhaps the "group level" should be removed and leave only global (all) and per-host case, both with force: True. Although that might result in the role overwriting the global certificates by per-host ones which are overwritten by global, etc. So, an idempotency loop.
Any ideas how to solve this? I guess the per-host force: True could be conditional per PKI realm.
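As an added illustration of the "global plus per-host, force decided per realm" idea discussed in this thread (not code from the debops.pki role), two copy tasks for a single realm; the pki_realm variable, its name and host_overrides keys, and the certs/all and certs/by-host directory layout are assumed names:

```yaml
# Added example, not from debops.pki. Variable names and the
# controller-side directory layout (certs/all, certs/by-host) are assumed.
# Tasks run in increasing order of specificity, so the per-host set is
# applied last and wins whenever its force evaluates to True.
- name: Copy global (all-hosts) certificates for the realm
  copy:
    src: '{{ item }}'
    dest: '/etc/pki/realms/{{ pki_realm.name }}/'
    owner: root
    group: root
    mode: '0644'
    # force: True so a renewed global certificate replaces the old copy
    force: True
  with_fileglob:
    - 'certs/all/{{ pki_realm.name }}/*'

- name: Copy per-host certificates for the realm
  copy:
    src: '{{ item }}'
    dest: '/etc/pki/realms/{{ pki_realm.name }}/'
    owner: root
    group: root
    mode: '0644'
    # Whether per-host files may overwrite the global set is decided per
    # realm; host_overrides is an assumed key that defaults to True.
    force: '{{ pki_realm.host_overrides | default(True) }}'
  with_fileglob:
    # An empty glob yields no items, so hosts without an override skip this
    - 'certs/by-host/{{ inventory_hostname }}/{{ pki_realm.name }}/*'
```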