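---
# Provisions the TLS material for the Prometheus exporter under
# /etc/ssl/prometheus: a private key, a CSR and a certificate signed by the
# CA whose files live on the managed host (provider: ownca).
- name: install python-cryptography
  apt:
    name: "{{ python_basename }}-cryptography"
    state: present

- name: create base directory
  file:
    path: /etc/ssl/prometheus
    state: directory

- name: create exporter cert/key directory
  file:
    path: /etc/ssl/prometheus/exporter
    state: directory
    owner: root
    group: prometheus-exporter
    # quoted so the octal mode survives the YAML parser unchanged
    mode: "0750"

- name: create exporter private key
  openssl_privatekey:
    path: /etc/ssl/prometheus/exporter/key.pem
    type: RSA
    size: 4096
    owner: prometheus-exporter
    group: prometheus-exporter
    # key readable only by the exporter service account
    mode: "0400"
  notify: restart prometheus-exporter-exporter

- name: create signing request for exporter certificate
  openssl_csr:
    path: /etc/ssl/prometheus/exporter/csr.pem
    privatekey_path: /etc/ssl/prometheus/exporter/key.pem
    CN: "{{ inventory_hostname }}"
    subject_alt_name:
      - "DNS:{{ host_name }}.{{ host_domain }}"
      # assumes the host has a default IPv4 route; fails on IPv6-only hosts — confirm
      - "IP:{{ ansible_default_ipv4.address }}"
    # restrict the leaf to TLS server use only; all extensions marked critical
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

# TODO: implement remote signing using server
- name: create exporter certificate
  openssl_certificate:
    path: /etc/ssl/prometheus/exporter/crt.pem
    csr_path: /etc/ssl/prometheus/exporter/csr.pem
    # ownca reads the CA private key from the managed host itself
    provider: ownca
    ownca_path: /etc/ssl/prometheus/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
    ownca_digest: sha256
    # 50 years: no rotation of the leaf is performed by this play, so a leaked
    # key.pem remains valid for the full period — revisit before production use
    ownca_not_after: "+18250d"
  notify: restart prometheus-exporter-exporter

# TODO: install /etc/ssl/prometheus/ca-crt.pem from server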