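---
# Bootstrap a private, self-signed certificate authority for one OpenVPN zone.
#
# Files are written on the managed host under
# /etc/ssl/openvpn/<openvpn_zone.name>/:
#   ca/key.pem  - CA private key (directory 0700, file 0600, root only)
#   ca/csr.pem  - signing request used to self-sign the CA certificate
#   ca-crt.pem  - CA certificate; written to the zone directory, not to ca/
#
# Octal modes are quoted and booleans are written as true/false so that the
# values do not depend on YAML 1.1 implicit typing.

# Installs the distribution package "<python_basename>-cryptography"; the
# openssl_* modules used below rely on the Python cryptography library.
# python_basename is defined outside this file.
# NOTE(review): the task name misspells "cryptography"; it is left unchanged
# in case the task is referenced by name (e.g. --start-at-task).
- name: install python-cryptoraphy
  apt:
    name: "{{ python_basename }}-cryptography"
    state: present

# NOTE(review): no owner/group/mode is pinned here, so the zone directory keeps
# whatever it already has or what the default umask produces. Consider setting
# them explicitly so only root can replace ca-crt.pem or the ca/ directory.
- name: create base directory
  file:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}"
    state: directory

# Root-only directory that holds the CA key and CSR.
- name: create CA directory
  file:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca"
    state: directory
    owner: root
    group: root
    mode: "0700"

# No passphrase/cipher is set, so the key is stored unencrypted and is
# protected only by the file and directory permissions. Anyone with root on
# this host can issue certificates for the zone.
- name: create CA private key
  openssl_privatekey:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem"
    type: RSA
    size: 4096
    owner: root
    group: root
    mode: "0600"

# The critical extensions restrict the certificate to signing certificates and
# CRLs; pathlen:0 means it cannot be used to create subordinate CAs.
# No mode is set on the CSR itself; it sits inside the 0700 ca/ directory.
- name: create signing request for CA certificate
  openssl_csr:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/csr.pem"
    privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem"
    CN: "CA for OpenVPN zone {{ openvpn_zone.name }}"
    # Do not copy the CN into a subjectAltName extension.
    useCommonNameForSAN: false
    key_usage:
      - cRLSign
      - keyCertSign
    key_usage_critical: true
    basic_constraints:
      - 'CA:TRUE'
      - 'pathlen:0'
    basic_constraints_critical: true

# NOTE(review): the CA is valid for 50 years and nothing here rotates it, so a
# leaked CA key stays usable for that long unless every peer is re-provisioned
# with a new CA. CRL signing is permitted by key_usage, but CRL generation and
# checking are not configured in this file - confirm they exist elsewhere.
- name: create self-signed CA certificate
  openssl_certificate:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
    csr_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/csr.pem"
    privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem"
    provider: selfsigned
    selfsigned_digest: sha256
    selfsigned_not_after: "+18250d"  # 50 years
    selfsigned_create_subject_key_identifier: always_create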