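---
# Bootstrap a deliberately expired self-signed "interim" certificate under
# /var/lib/uacme.d: a key/cert pair exists from the first run, and because
# the certificate is already out of date, uacme is forced to replace it with
# a real one rather than keep the placeholder.

- name: create directories for selfsigned interim certificate
  loop:
    # key directory is owner-only; certificate directory is world-readable
    - path: private/.self-signed
      mode: "0700"
    - path: .self-signed
      mode: "0755"
  loop_control:
    label: "{{ item.path }}"
  file:
    path: "/var/lib/uacme.d/{{ item.path }}"
    state: directory
    mode: "{{ item.mode }}"

- name: generate private key for selfsigned interim certificate
  # FQCN for consistency with the other community.crypto tasks below
  community.crypto.openssl_privatekey:
    path: /var/lib/uacme.d/private/.self-signed/key.pem
    # quoted so the mode reaches the module as the octal string "0600",
    # not the YAML 1.1 integer 384 (same convention as the directory modes above)
    mode: "0600"

- name: generate csr for selfsigned interim certificate
  community.crypto.openssl_csr_pipe:
    privatekey_path: /var/lib/uacme.d/private/.self-signed/key.pem
    common_name: "{{ ansible_fqdn }}"
  register: selfsigned_interim_cert_req
  # the CSR is only returned in the result, nothing on the host is modified
  changed_when: false

### this is needed because strftime filter in ansible is exceptionally stupid
### see: https://github.com/ansible/ansible/issues/39835
# Both timestamps are taken on the managed host in UTC ('-u', trailing 'Z')
# so the validity window matches the clock of the machine the cert is used on.
- name: get remote date-time 10s ago
  command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
  register: remote_datetime_10sago
  # read-only query, never reported as a change
  changed_when: false

- name: get remote date-time now
  command: date -u '+%Y%m%d%H%M%SZ'
  register: remote_datetime_now
  changed_when: false

- name: generate selfsigned interim certificate
  community.crypto.x509_certificate:
    path: /var/lib/uacme.d/.self-signed/cert.pem
    privatekey_path: /var/lib/uacme.d/private/.self-signed/key.pem
    csr_content: "{{ selfsigned_interim_cert_req.csr }}"
    provider: selfsigned
    ## make sure the certificate is not valid anymore to force uacme to create a new cert
    # not_before is 10 s in the past and not_after is "now", so the
    # certificate is already expired the moment it is written
    selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
    selfsigned_not_after: "{{ remote_datetime_now.stdout }}"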