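---
# Issue a leaf certificate for `certname` from a role-managed, self-signed CA.
# CA material lives under cert_backend.basepath/cert_backend.name on the CA
# host (cert_backend.remote, defaulting to the inventory host). The signed
# leaf, the CA cert and the concatenated chain/full files are written back to
# the paths given in `cert`, then common_post.yml runs.
#
# NOTE(review): the original file had lost all indentation, so the extent of
# the delegated `setup ca` block is reconstructed here: every task that reads
# or writes a CA-side path (capath/*) stays delegated, every task that writes
# a `cert.*` path runs on the inventory host. Confirm against the intended
# layout before relying on it.

- include_tasks: common_cert.yml

- set_fact:
    capath: "{{ cert_backend.basepath }}/{{ cert_backend.name }}"

- set_fact:
    cacertpath: "{{ capath }}/ca.crt"
    cakeypath: "{{ capath }}/ca.key"
    cacsrpath: "{{ capath }}/ca.csr"
    casignedpath: "{{ capath }}/signed"
    remotecrtpath: "{{ capath }}/signed/{{ certname }}.crt"
    remotecsrpath: "{{ capath }}/signed/{{ certname }}.csr"

# Only the CSR travels to the CA host (via the controller); the leaf private
# key at cert.keypath is never read by this file.
- name: slurp csr for {{ certname }}
  slurp:
    src: "{{ cert.csrpath }}"
  register: csrfile

- name: setup ca
  delegate_to: "{{ cert_backend.remote|default(inventory_hostname, true) }}"
  block:
    - name: "setup base path for {{ cert_backend.name }} ({{ certname }})"
      file:
        path: "{{ cert_backend.basepath }}"
        state: directory
        # Was `mode: 755` (no leading zero, unquoted): Ansible treats that as
        # decimal 755 == 0o1363, i.e. sticky bit set plus write access for
        # group and others. Quoted octal is what the sibling tasks use and
        # what was evidently intended.
        mode: "0755"
        owner: root
        group: root

    - name: "setup ca path for {{ cert_backend.name }} ({{ certname }})"
      file:
        path: "{{ capath }}"
        state: directory
        mode: "0755"
        owner: root
        group: root

    - name: "setup ca signed path for {{ cert_backend.name }} ({{ certname }})"
      file:
        path: "{{ casignedpath }}"
        state: directory
        mode: "0755"
        owner: root
        group: root

    # CA private key: root-only read, never copied off this host.
    - name: "setup ca key {{ cert_backend.name }} ({{ certname }})"
      openssl_privatekey:
        path: "{{ cakeypath }}"
        size: 4096
        type: RSA
        mode: "0640"
        owner: root
        group: root

    # NOTE(review): no subject, basic_constraints or key_usage is requested
    # here, so the self-signed certificate below carries no CA:TRUE
    # constraint; verify that every consumer of cert.capath / cert.chainpath
    # accepts such a CA before treating the chain as validatable. Adding
    # those parameters would regenerate the CA on existing hosts, so it is
    # left as-is and flagged instead.
    - name: "setup ca csr for {{ cert_backend.name }} ({{ certname }})"
      openssl_csr:
        path: "{{ cacsrpath }}"
        privatekey_path: "{{ cakeypath }}"

    - name: "self sign ca crt for {{ cert_backend.name }} ({{ certname }})"
      openssl_certificate:
        path: "{{ cacertpath }}"
        privatekey_path: "{{ cakeypath }}"
        csr_path: "{{ cacsrpath }}"
        provider: selfsigned
        selfsigned_not_after: "{{ cert_backend.ca_not_after }}"

    # Original name had an unbalanced closing quote; quoted consistently now.
    - name: "slurp ca crt for {{ cert_backend.name }} ({{ certname }})"
      slurp:
        src: "{{ cacertpath }}"
      register: cafile

    - name: "write csr to ca folder ({{ certname }})"
      copy:
        content: "{{ csrfile['content'] | b64decode }}"
        dest: "{{ remotecsrpath }}"

    # `casignedsign` drives the `certchanged` fact consumed by common_post.yml.
    - name: "sign certificate for {{ certname }}"
      openssl_certificate:
        path: "{{ remotecrtpath }}"
        csr_path: "{{ remotecsrpath }}"
        ownca_path: "{{ cacertpath }}"
        ownca_privatekey_path: "{{ cakeypath }}"
        provider: ownca
        ownca_not_after: "{{ cert_backend.not_after }}"
      register: casignedsign

    - name: "copy crt from ca for {{ certname }}"
      slurp:
        src: "{{ remotecrtpath }}"
      register: crtfile

- name: "write crt ({{ certname }})"
  copy:
    content: "{{ crtfile['content'] | b64decode }}"
    dest: "{{ cert.certpath }}"

- name: "write ca ({{ certname }})"
  copy:
    content: "{{ cafile['content'] | b64decode }}"
    dest: "{{ cert.capath }}"

# Chain = leaf + CA (public material). Paths are passed through `quote` so a
# path containing shell metacharacters cannot alter the command line; the
# umask makes the file 0640 at creation and the `file` task below sets the
# final mode.
# NOTE(review): `creates` means this file is NOT rebuilt when the leaf is
# re-signed (casignedsign changed) — confirm common_post.yml regenerates it,
# or the chain goes stale after a renewal.
- name: "generate concatinated versions (chain) for {{ certname }}"
  shell: "umask 0137; cat {{ cert.certpath | quote }} {{ cert.capath | quote }} > {{ cert.chainpath | quote }}"
  args:
    creates: "{{ cert.chainpath }}"

- name: "set permission for concatinated versions (chain) for {{ certname }}"
  file:
    path: "{{ cert.chainpath }}"
    mode: "0644"
    owner: root
    group: ssl-cert

# Full = chain + private key; group-readable for ssl-cert only, never
# world-readable. Same `creates` caveat as the chain task above.
- name: "generate concatinated versions (full) for {{ certname }}"
  shell: "umask 0137; cat {{ cert.chainpath | quote }} {{ cert.keypath | quote }} > {{ cert.fullpath | quote }}"
  args:
    creates: "{{ cert.fullpath }}"

- name: "set permissions for concatinated versions (full) for {{ certname }}"
  file:
    path: "{{ cert.fullpath }}"
    mode: "0640"
    owner: root
    group: ssl-cert

- set_fact:
    certchanged: "{{ casignedsign is changed }}"

# `include` is deprecated (and removed in recent ansible-core); the top of
# this file already uses include_tasks, so use it here too.
- name: handle postflight
  include_tasks: common_post.yml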