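---
# Tasks: obtain a CA-signed certificate for this host from a CA that lives on
# `pki_ca_host`.
#
# Flow: the CA certificate is read from the CA host and copied to the target;
# a private key and CSR are generated on the target; only the CSR text is sent
# to the CA host for signing, so the target's private key never leaves the
# target. The resulting certificate is written to both the target and the CA
# host.
#
# Required variables: pki_ca_host, pki_ca_crt, pki_ca_key, pki_ca_password,
# pki_certificate_key, pki_certificate_crt.
# Optional: pki_certificate_san (list of SAN entries, default DNS:<fqdn>),
#           pki_certificate_not_after (validity, default "+3650d").
#
# NOTE(review): every task is `run_once: true`, so with several hosts in the
# play only the first host gets a key/certificate — this file appears to be
# written for a single target; confirm before reusing it for a group.

# CA certificate
- name: Check whether CA certificate exists
  stat:
    path: "{{ pki_ca_crt }}"
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  register: ca_certificate_exists

- name: Fail if CA doesn't exists
  fail:
    msg: "CA '{{ pki_ca_crt }}' on host '{{ pki_ca_host }}' doesn't exists! You need to create one before continuing."
  when: not ca_certificate_exists.stat.exists

- name: Read existing CA certificate if exists
  slurp:
    src: "{{ pki_ca_crt }}"
  when: ca_certificate_exists.stat.exists
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  register: ca_certificate

# The CA certificate is public material: world-readable is fine, but set the
# mode explicitly rather than relying on the remote umask.
- name: Write CA certificate file
  copy:
    dest: "{{ pki_ca_crt }}"
    content: "{{ ca_certificate.content | b64decode }}"
    mode: "0644"
  run_once: true
  register: ca_certificate

# Create new signed certificate
# The private key stays on the target; keep it readable by its owner only.
- name: Create private key for new certificate
  community.crypto.openssl_privatekey:
    path: "{{ pki_certificate_key }}"
    mode: "0600"
  run_once: true

# A CN-only CSR yields a certificate without a subjectAltName, which current
# TLS clients (browsers, Go, recent curl/OpenSSL) reject for hostname
# verification — the SAN must carry the host name as well.
# NOTE(review): no key/extended key usage is set; if this is meant to be a
# server certificate, consider `extended_key_usage: [serverAuth]`.
- name: Create certificate signing request (CSR) for new certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: "{{ pki_certificate_key }}"
    common_name: "{{ ansible_fqdn }}"
    subject_alt_name: "{{ pki_certificate_san | default(['DNS:' ~ ansible_fqdn]) }}"
  run_once: true
  register: csr

- name: Check whether certificate exists
  stat:
    path: "{{ pki_certificate_crt }}"
  run_once: true
  register: certificate_exists

- name: Read existing certificate if exists
  slurp:
    src: "{{ pki_certificate_crt }}"
  when: certificate_exists.stat.exists
  run_once: true
  register: certificate

# Signing happens on the CA host with only the CSR text shipped over; the
# existing certificate (if any) is passed as `content` so the module can
# report "unchanged" when it still matches the CSR and CA instead of
# re-issuing on every run. The CA passphrase parameter is marked no_log by
# the module, so it does not appear in task output.
- name: Sign certificate with CA
  community.crypto.x509_certificate_pipe:
    content: "{{ (certificate.content | b64decode) if certificate_exists.stat.exists else omit }}"
    csr_content: "{{ csr.csr }}"
    provider: ownca
    ownca_path: "{{ pki_ca_crt }}"
    ownca_privatekey_path: "{{ pki_ca_key }}"
    ownca_privatekey_passphrase: "{{ pki_ca_password | mandatory }}"
    # Module default is +3650d (10 years); expose it so shorter lifetimes can
    # be configured per deployment.
    ownca_not_after: "{{ pki_certificate_not_after | default('+3650d') }}"
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  register: certificate
  when: not ansible_check_mode

# In check mode `certificate` still holds the slurp result (never "changed"),
# so the explicit check-mode guard below is belt-and-braces.
- name: Write certificate file
  copy:
    dest: "{{ pki_certificate_crt }}"
    content: "{{ certificate.certificate }}"
    mode: "0644"
  run_once: true
  when: certificate is changed and not ansible_check_mode

- name: Write certificate file on the CA host
  copy:
    dest: "{{ pki_certificate_crt }}"
    content: "{{ certificate.certificate }}"
    mode: "0644"
  delegate_to: "{{ pki_ca_host | mandatory }}"
  run_once: true
  when: certificate is changed and not ansible_check_mode

# Allow other roles to know if some certifiates has changed
- name: Set fact, pki_changed
  when: certificate is changed or ca_certificate is changed
  set_fact:
    pki_changed: true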