---
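- name: Create the certificate using the private CA
  tags: [pki, tls, tls_certificate]
  block:
    # ansible_common_remote_group is the group Ansible uses to hand its
    # temporary files over to an unprivileged become user. No become_user is
    # set in this file, so presumably a later task relies on it — confirm.
    - name: Set the common group between mkcert-ca and ansible
      ansible.builtin.set_fact:
        ansible_common_remote_group: ansible

    # The command is a shell string, so the interpolated file names go through
    # the `quote` filter: a value containing whitespace or shell metacharacters
    # then reaches mkcert as one literal argument instead of being re-parsed by
    # the shell.
    # NOTE(review): mkcert_dsn_and_ip_list is expanded unquoted because its
    # type is not visible here — a space-separated string would collapse to a
    # single argument under `quote`, while a list would need
    # `map('quote') | join(' ')`. Confirm the type and quote it accordingly.
    # NOTE(review): `su` passes the arguments after the user name to the login
    # shell, i.e. bash receives `mkcert ...` as a script path and its args;
    # confirm this is the intended invocation (a `-c` form may be what was meant).
    # `creates` makes the task idempotent: it is skipped once the certificate
    # file exists on the CA host.
    - name: Create the certificate (delegate to the CA vm)
      ansible.builtin.shell:
        cmd: >-
          su - mkcert-ca -s /bin/bash
          mkcert -cert-file {{ mkcert_cert_name | quote }}
          -key-file {{ mkcert_key_name | quote }}
          {{ mkcert_dsn_and_ip_list }}
      args:
        chdir: /srv/mkcert-ca
        creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"
      delegate_to: "{{ mkcert_ca_host }}"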

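- name: Manage the certificate installation
  tags: [pki, tls, tls_certificate]
  block:
    # `flat: true` makes `dest` the exact file path on the controller. Without
    # it, fetch appends "<inventory hostname>/srv/mkcert-ca/<item>" under
    # `dest`, so the copy tasks below would point at a directory rather than
    # the fetched file.
    # The private key is staged in files/ on the control node by this task;
    # keep that directory out of version control (or clean it up after the
    # play) so key material does not get committed alongside the playbook.
    - name: Get the certificate and its key from the CA server
      ansible.builtin.fetch:
        src: "/srv/mkcert-ca/{{ item }}"
        dest: "files/{{ item }}"
        flat: true
      loop:
        - "{{ mkcert_cert_name }}"
        - "{{ mkcert_key_name }}"
      delegate_to: "{{ mkcert_ca_host }}"

    # Modes are quoted so the YAML parser does not turn the octal literal into
    # a decimal integer; Ansible converts the string itself.
    - name: Copy the certificate to the destination server
      ansible.builtin.copy:
        src: "files/{{ mkcert_cert_name }}"
        dest: "{{ pki_dir }}/certs/{{ mkcert_cert_name }}"
        owner: root
        group: root
        mode: "0444"

    # Task renamed: the original carried the certificate task's name, which
    # made the two steps indistinguishable in play output. The key is not
    # world-readable (0440), unlike the certificate.
    - name: Copy the private key to the destination server
      ansible.builtin.copy:
        src: "files/{{ mkcert_key_name }}"
        dest: "{{ pki_dir }}/keys/{{ mkcert_key_name }}"
        owner: root
        group: root
        mode: "0440"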