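---
# Generate (or re-validate) an Ed25519 PKI for the ele-router OpenVPN mesh:
# one CA plus one end-entity key/cert per play host. All material is piped
# through the community.crypto *_pipe modules and never written to disk by
# this play; existing material is fed back in from the vault_ovpn_* variables
# so re-runs are idempotent, and freshly generated material is printed once so
# the operator can paste it into an ansible-vault file.
#
# Review notes:
#   - The 50-year lifetimes below mean there is effectively no rotation; the
#     CA key in vault_ovpn_ca_key is the single long-lived secret to protect.
#   - The final pause task necessarily prints private keys to stdout. Run this
#     play without a log_path / callback that persists task output, and clear
#     the terminal scrollback afterwards.
- name: generate TLS CA for openvpn
  hosts: ele-router
  connection: local
  gather_facts: false
  tasks:
    # CA material is generated once; run_once makes the registered results
    # visible to every host in the play, which the ownca step below relies on.
    - name: generate CA key and certificate
      run_once: true
      block:
        - name: generate CA keys
          community.crypto.openssl_privatekey_pipe:
            type: "Ed25519"
            # Reuse the vaulted key when present so the CA is stable across runs.
            content: "{{ vault_ovpn_ca_key | default(omit) }}"
            return_current_key: true
          register: ovpn_ca_key_result
          no_log: true

        - name: create signing request for CA certificate
          community.crypto.openssl_csr_pipe:
            privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
            common_name: "CA for ele-router vpn"
            use_common_name_for_san: false
            # Signing-only CA: no other usage is permitted (RFC 8410 also forbids
            # encipherment usages on Ed25519 keys).
            key_usage:
              - cRLSign
              - keyCertSign
            key_usage_critical: true
            # pathlen:0 means this CA may only issue end-entity certs, never
            # subordinate CAs.
            basic_constraints:
              - 'CA:TRUE'
              - 'pathlen:0'
            basic_constraints_critical: true
          register: ovpn_ca_csr_result
          changed_when: false

        - name: create self-signed CA certificate
          community.crypto.x509_certificate_pipe:
            content: "{{ vault_ovpn_ca_cert | default(omit) }}"
            csr_content: "{{ ovpn_ca_csr_result.csr }}"
            privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
            provider: selfsigned
            selfsigned_digest: sha256
            selfsigned_not_after: "+18250d"  # 50 years; see review notes above
            selfsigned_create_subject_key_identifier: always_create
          register: ovpn_ca_cert_result

    # Per-host end-entity material (runs on every host, outside the run_once block).
    - name: generate key
      community.crypto.openssl_privatekey_pipe:
        type: "Ed25519"
        content: "{{ vault_ovpn_keys[inventory_hostname] | default(omit) }}"
        return_current_key: true
      register: ovpn_key_result
      no_log: true

    - name: create signing request for certificate
      community.crypto.openssl_csr_pipe:
        privatekey_content: "{{ ovpn_key_result.privatekey }}"
        common_name: "{{ inventory_hostname }}"
        # Ed25519 can only sign; keyEncipherment is meaningless for it and
        # RFC 8410 §5 forbids it in the keyUsage of an Ed25519 certificate.
        key_usage:
          - digitalSignature
        key_usage_critical: true
        # Exactly one host acts as the VPN server; every other host gets a
        # client-only EKU so a stolen client cert cannot impersonate the server.
        # Override ovpn_server_host in inventory to move the server role.
        extended_key_usage:
          - "{{ (inventory_hostname == (ovpn_server_host | default('ele-router-hmtsaal'))) | ternary('serverAuth', 'clientAuth') }}"
        extended_key_usage_critical: true
        basic_constraints:
          - 'CA:FALSE'
        basic_constraints_critical: true
      register: ovpn_csr_result
      changed_when: false

    - name: create certificate
      community.crypto.x509_certificate_pipe:
        content: "{{ vault_ovpn_certs[inventory_hostname] | default(omit) }}"
        csr_content: "{{ ovpn_csr_result.csr }}"
        privatekey_content: "{{ ovpn_key_result.privatekey }}"
        provider: ownca
        ownca_content: "{{ ovpn_ca_cert_result.certificate }}"
        ownca_privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
        ownca_digest: sha256
        ownca_not_after: "+18250d"  # 50 years; see review notes above
      register: ovpn_cert_result

    # Assemble the vault file body. It contains every private key, so the
    # fact itself must not be echoed by verbose/logged task output.
    - name: assemble vault file content
      run_once: true
      no_log: true
      set_fact:
        vault_content: |
          ---
          vault_ovpn_ca_key: |
            {{ ovpn_ca_key_result.privatekey | indent(2) }}
          vault_ovpn_ca_cert: |
            {{ ovpn_ca_cert_result.certificate | indent(2) }}
          vault_ovpn_keys:
          {% for host in play_hosts %}
            {{ host }}: |
              {{ hostvars[host].ovpn_key_result.privatekey | indent(4) }}
          {% endfor %}
          vault_ovpn_certs:
          {% for host in play_hosts %}
            {{ host }}: |
              {{ hostvars[host].ovpn_cert_result.certificate | indent(4) }}
          {% endfor %}

    # Deliberate one-time disclosure to the operator's terminal (private keys
    # included). This is the only place the secrets are shown; it cannot be
    # no_log'd without defeating its purpose.
    - name: show vault file content to the operator
      pause:
        prompt: "Please put this into a vault file: \n\n{{ vault_content }}"
        seconds: 1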