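---
# Issue a server certificate and a client-auth certificate from a private
# mkcert CA living on `mkcert_ca_host`, then install them on the target host.
#
# Flow: the mkcert tasks are delegated to the CA host, the resulting files are
# fetched to the controller (files/), and finally copied to the target.
#
# NOTE(review): the "Remove" task below always deletes the previous files, so
# the `creates:` guards on the mkcert commands never short-circuit — a new
# certificate/key pair is minted on every run. Presumably intentional
# (forced rotation); confirm, otherwise drop the removal task.
# NOTE(review): fetched private keys stay in files/ on the controller after the
# play; `flat: true` also means several target hosts sharing the same
# mkcert_key_name overwrite each other there. Confirm that is acceptable.

- name: certificate_from_private_ca | Create the certificate using the private CA
  tags: [pki, tls, tls_certificate]
  block:
    # ansible_common_remote_group lets Ansible set the group of its temp files
    # when the task runs as an unprivileged remote user on the CA host.
    - name: certificate_from_private_ca | Set the common group between mkcert-ca and ansible
      ansible.builtin.set_fact:
        ansible_common_remote_group: ansible

    # Drop any previous server and client material from the CA archive so the
    # mkcert commands below regenerate them (see note at the top of the file).
    - name: certificate_from_private_ca | Remove the already existing certificates from the CA archive (delegate to the CA server)
      ansible.builtin.file:
        path: /srv/mkcert-ca/{{ item }}
        state: absent
      loop:
        - "{{ mkcert_cert_name }}"
        - "{{ mkcert_key_name }}"
        - client-{{ mkcert_cert_name }}
        - client-{{ mkcert_key_name }}
      delegate_to: "{{ mkcert_ca_host }}"

    # Server certificate. `cmd` is split with shlex (no shell), so
    # mkcert_dsn_and_ip_list is expected to be a space-separated list of
    # SAN names/IPs. NOTE(review): an entry starting with "-" would be read by
    # mkcert as a flag rather than a name — validate the list upstream.
    - name: certificate_from_private_ca | Create the certificate (delegate to the CA server)
      ansible.builtin.command:
        cmd: mkcert -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} # yamllint disable-line rule:line-length
      args:
        chdir: /srv/mkcert-ca
        creates: /srv/mkcert-ca/{{ mkcert_cert_name }}
      environment:
        # Where mkcert keeps the private root CA on the CA host.
        CAROOT: /srv/mkcert-ca/.local/share/mkcert
      delegate_to: "{{ mkcert_ca_host }}"

    # Same SAN list, but with the client-auth EKU (mkcert -client).
    - name: certificate_from_private_ca | Create a certificate able to do client authentication (delegate to the CA server)
      ansible.builtin.command:
        cmd: mkcert -client -cert-file /srv/mkcert-ca/client-{{ mkcert_cert_name }} -key-file /srv/mkcert-ca/client-{{ mkcert_key_name }} {{ mkcert_dsn_and_ip_list }} # yamllint disable-line rule:line-length
      args:
        chdir: /srv/mkcert-ca
        creates: /srv/mkcert-ca/client-{{ mkcert_cert_name }}
      environment:
        CAROOT: /srv/mkcert-ca/.local/share/mkcert
      delegate_to: "{{ mkcert_ca_host }}"

- name: certificate_from_private_ca | Manage the certificate installation
  tags: [pki, tls, tls_certificate]
  block:
    # Pull certs and keys from the CA host to the controller's files/ directory
    # (flat: true drops the hostname prefix from the destination path).
    - name: certificate_from_private_ca | Get the certificate and its key from the CA server
      ansible.builtin.fetch:
        src: /srv/mkcert-ca/{{ item }}
        dest: files/
        flat: true
      loop:
        - "{{ mkcert_cert_name }}"
        - "{{ mkcert_key_name }}"
        - client-{{ mkcert_cert_name }}
        - client-{{ mkcert_key_name }}
      delegate_to: "{{ mkcert_ca_host }}"

    # Certificates are public: world-readable is fine.
    # NOTE(review): assumes mkcert_cert_dest_path is a directory (trailing
    # slash); if it is a file path, the client cert overwrites the server cert.
    - name: certificate_from_private_ca | Copy the certificate to the destination server
      ansible.builtin.copy:
        src: files/{{ item }}
        dest: "{{ mkcert_cert_dest_path }}"
        owner: root
        group: root
        mode: "0444"
      loop:
        - "{{ mkcert_cert_name }}"
        - client-{{ mkcert_cert_name }}

    # Private keys: readable only by root and its group, never world-readable.
    # NOTE(review): same directory-vs-file caveat as for mkcert_cert_dest_path.
    - name: certificate_from_private_ca | Copy the key to the destination server
      ansible.builtin.copy:
        src: files/{{ item }}
        dest: "{{ mkcert_key_dest_path }}"
        owner: root
        group: root
        mode: "0440"
      loop:
        - "{{ mkcert_key_name }}"
        - client-{{ mkcert_key_name }}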