---

- name: Default certificate is present
  when: evobsd_default_ssl_cert | bool
  block:
    - name: Ensure /etc/ssl/certs exists
      ansible.builtin.file:
        path: /etc/ssl/certs/
        owner: root
        group: wheel
        mode: "0755"
        state: directory
      ignore_errors: '{{ ansible_check_mode }}'

    - name: Create private key and csr for default site ({{ evobsd_ssl_cert_hostname }})
      ansible.builtin.command:
        cmd: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -batch -subj "/CN={{ evobsd_ssl_cert_hostname }}"
      args:
        creates: "/etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key"

    - name: Create certificate for default site
      ansible.builtin.command:
        cmd: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evobsd_ssl_cert_hostname }}.csr -signkey /etc/ssl/private/{{ evobsd_ssl_cert_hostname }}.key -out /etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt
      args:
        creates: "/etc/ssl/certs/{{ evobsd_ssl_cert_hostname }}.crt"