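---
# Client-side X.509 material for one OpenVPN zone.
#
# Flow: the managed host generates its own RSA key and a CSR (the private key
# never leaves the host); the CSR is slurped and signed on openvpn_zone.ca_host
# with the zone CA (whose private key never leaves the CA host); the issued
# certificate and the CA certificate are then written back to the managed host.
#
# Inputs: python_basename, openvpn_zone.name, openvpn_zone.ca_host, inventory_hostname.
# Optional overrides (defaults reproduce the previous hard-coded values):
#   openvpn_client_cert_validity     - lifetime of a freshly issued cert (default "+18250d", 50 years)
#   openvpn_client_cert_renew_before - reissue when the current cert would no longer be
#                                      valid this far in the future (default "+3650d", 10 years)
# Handlers: restart openvpn-client.
#
# NOTE(review): nothing in this file handles revocation (no CRL is produced), so the
# certificate lifetime is the only bound on a leaked client key; a much shorter
# openvpn_client_cert_validity is advisable for new deployments.

- name: install python-cryptography
  ansible.builtin.apt:
    name: "{{ python_basename }}-cryptography"
    state: present

- name: create base directory
  ansible.builtin.file:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}"
    state: directory

- name: create client cert/key directory
  ansible.builtin.file:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client"
    state: directory
    owner: root
    group: root
    mode: "0750"

# The key is generated in place, readable by root only, and is never slurped
# or delegated: only the CSR travels to the CA host.
- name: create private key for client certificate
  community.crypto.openssl_privatekey:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/key.pem"
    type: RSA
    size: 4096
    owner: root
    group: root
    mode: "0400"
  notify: restart openvpn-client

# Client-only profile: digitalSignature + clientAuth, CA:FALSE, all marked critical.
- name: create signing request for client certificate
  community.crypto.openssl_csr:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/csr.pem"
    privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/key.pem"
    common_name: "{{ inventory_hostname }}"
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - clientAuth
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

- name: slurp CSR
  ansible.builtin.slurp:
    src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/csr.pem"
  register: openvpn_client_csr

# The CSR is read from the managed host's filesystem. Before the CA signs it,
# re-check on the CA host that it still says what this play asked for, so a
# csr.pem replaced on a compromised client cannot obtain a certificate for
# another host's name or a CA certificate. The ownca provider copies the CSR's
# extensions as-is, so this is the only place they are checked.
- name: inspect CSR before signing
  delegate_to: "{{ openvpn_zone.ca_host }}"
  community.crypto.openssl_csr_info:
    content: "{{ openvpn_client_csr.content | b64decode }}"
  register: openvpn_client_csr_info

- name: refuse to sign a CSR that does not match this host
  ansible.builtin.assert:
    that:
      - (openvpn_client_csr_info.subject.commonName | default('')) == inventory_hostname
      - "'CA:TRUE' not in (openvpn_client_csr_info.basic_constraints | default([]))"
    fail_msg: "CSR for {{ inventory_hostname }} has an unexpected subject or basic constraints; refusing to sign"

# Registered under a distinct name so it is not clobbered by the signing task below.
- name: check if client certificate exists
  ansible.builtin.stat:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/crt.pem"
  register: openvpn_client_cert_stat

# valid_at.renew_window is false once the cert would be expired renew_before from now.
- name: read client certificate validity
  when: openvpn_client_cert_stat.stat.exists
  community.crypto.x509_certificate_info:
    path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/crt.pem"
    valid_at:
      renew_window: "{{ openvpn_client_cert_renew_before | default('+3650d') }}"
  register: openvpn_client_cert_info

- name: slurp existing client certificate
  when: openvpn_client_cert_stat.stat.exists
  ansible.builtin.slurp:
    src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/crt.pem"
  register: openvpn_client_cert_current

# Signing runs on the CA host so the CA private key is never copied anywhere.
# content is the current cert (empty when none exists) so the module can keep it
# when it still matches the CSR and CA; force reissues it when it is about to
# leave the renewal window. The Jinja `and` short-circuits, so
# openvpn_client_cert_info is only dereferenced when the cert exists.
- name: generate client certificate
  delegate_to: "{{ openvpn_zone.ca_host }}"
  community.crypto.x509_certificate_pipe:
    content: "{{ openvpn_client_cert_current.content | default('') | b64decode }}"
    csr_content: "{{ openvpn_client_csr.content | b64decode }}"
    provider: ownca
    ownca_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
    ownca_privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem"
    ownca_digest: sha256
    ownca_not_after: "{{ openvpn_client_cert_validity | default('+18250d') }}"
    force: "{{ openvpn_client_cert_stat.stat.exists and (not openvpn_client_cert_info.valid_at.renew_window) }}"
  register: openvpn_client_cert

# The certificate is public; explicit world-readable mode, root-owned.
- name: store client certificate
  ansible.builtin.copy:
    content: "{{ openvpn_client_cert.certificate }}"
    dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/client/crt.pem"
    owner: root
    group: root
    mode: "0644"
  notify: restart openvpn-client

- name: slurp CA certificate
  delegate_to: "{{ openvpn_zone.ca_host }}"
  ansible.builtin.slurp:
    src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
  register: openvpn_client_ca_certificate

- name: install CA certificate
  ansible.builtin.copy:
    content: "{{ openvpn_client_ca_certificate.content | b64decode }}"
    dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
    owner: root
    group: root
    mode: "0644"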