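---
# Tasks for one uacme-controlled certificate, identified by uacme_cert_name.
# Everything lives under /var/lib/uacme.d/<name>/:
#   key.pem              private key (mode defaults to 0600)
#   <name>.csr           certificate signing request
#   <name>-cert.pem      full chain as written by uacme (interim: self-signed)
#   crt.pem / chain.pem  leaf-only / chain-only copies
#   updated.sh           hook run when a new certificate is issued

- name: create directory for uacme-controlled certificate
  # No explicit mode: directory permissions follow the target's umask;
  # the private key below is protected by its own file mode.
  file:
    path: "/var/lib/uacme.d/{{ uacme_cert_name }}"
    state: directory

- name: generate key for uacme-controlled certificate
  # FQCN for consistency with the other community.crypto modules in this file.
  community.crypto.openssl_privatekey:
    path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
    # Key stays owner-readable only unless the config explicitly relaxes it.
    mode: "{{ uacme_cert_config.key.mode | default('0600') }}"
    owner: "{{ uacme_cert_config.key.owner | default(omit) }}"
    group: "{{ uacme_cert_config.key.group | default(omit) }}"
    type: "{{ uacme_cert_config.key.type | default(omit) }}"
    size: "{{ uacme_cert_config.key.size | default(omit) }}"
  notify:
    - reload services for x509 certificates
    - restart services for x509 certificates

- name: generate csr for uacme-controlled certificate
  community.crypto.openssl_csr:
    path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr"
    mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
    owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
    group: "{{ uacme_cert_config.cert.group | default(omit) }}"
    privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
    # First hostname becomes the CN; every hostname is listed as a DNS SAN.
    common_name: "{{ uacme_cert_hostnames[0] }}"
    subject_alt_name: "{{ ['DNS:'] | product(uacme_cert_hostnames) | map('join') | list }}"
    subject_alt_name_critical: true
    use_common_name_for_san: false

- name: test if uacme-controlled certificate already exists
  stat:
    path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
  register: uacme_cert_file

- name: generate selfsigned interim certificate
  # Only on first run: creates an already-expired placeholder so that
  # dependent services can start and uacme is forced to issue a real cert.
  when: not uacme_cert_file.stat.exists
  block:
    # The dates are taken from the remote host instead of ansible's strftime
    # filter because of its limitations, see:
    # https://github.com/ansible/ansible/issues/39835
    - name: get remote date-time 10s ago
      command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
      register: remote_datetime_10sago
      changed_when: false

    - name: get remote date-time now
      command: date -u '+%Y%m%d%H%M%SZ'
      register: remote_datetime_now
      changed_when: false

    - name: generate selfsigned interim certificate
      community.crypto.x509_certificate:
        path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
        mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
        owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
        group: "{{ uacme_cert_config.cert.group | default(omit) }}"
        privatekey_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
        csr_path: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}.csr"
        provider: selfsigned
        # Validity window ends "now" so the certificate is never accepted as
        # valid and uacme replaces it on its next run.
        selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
        selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
        # Needed so uacme_cert_selfsigned.certificate is available below.
        return_content: true
      register: uacme_cert_selfsigned
      notify:
        - reload services for x509 certificates
        - restart services for x509 certificates

    - name: make sure cert-only file exists
      copy:
        content: "{{ uacme_cert_selfsigned.certificate }}"
        dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
        mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
        owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
        group: "{{ uacme_cert_config.cert.group | default(omit) }}"
      notify:
        - reload services for x509 certificates
        - restart services for x509 certificates

    - name: make sure the chain file exists
      # Empty chain for the self-signed placeholder; only written inside this
      # block so an existing chain from uacme is never overwritten.
      copy:
        content: ""
        dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
        mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
        owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
        group: "{{ uacme_cert_config.cert.group | default(omit) }}"
      notify:
        - reload services for x509 certificates
        - restart services for x509 certificates

- name: export paths to certificate files
  set_fact:
    x509_certificate_path_key: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
    x509_certificate_path_cert: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
    x509_certificate_path_chain: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
    x509_certificate_path_fullchain: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"

- name: install script to be called when new certificate is generated
  template:
    src: updated.sh.j2
    dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
    # Quoted so the octal mode cannot be re-typed as a decimal integer.
    mode: "0755"

- name: install systemd unit snippet
  # Grants the reconcile service write access only to the directories the
  # renewal hook installs into; everything else stays read-only.
  when: "x509_certificate_renewal is defined and 'install' in x509_certificate_renewal"
  copy:
    dest: "/etc/systemd/system/uacme-reconcile.service.d/{{ uacme_cert_name }}.conf"
    content: |
      [Service]
      {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
      ReadWritePaths={{ path }}
      {% endfor %}
  notify: reload systemd

- name: remove systemd unit snippet
  when: "x509_certificate_renewal is undefined or 'install' not in x509_certificate_renewal"
  file:
    path: "/etc/systemd/system/uacme-reconcile.service.d/{{ uacme_cert_name }}.conf"
    state: absent
  notify: reload systemd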