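---
# Distributes the CA certificate, the host certificate and the host
# private key from the controller's /srv/ca tree to the managed host,
# exposes the installed certificate as a local fact, and writes the
# host+CA full-chain file.
#
# Variables expected from the caller (not defined in this file):
#   tls_certs      - remote directory for public certificates
#   tls_private    - remote directory for private keys
#   ansible_wheel  - group that owns the public certificate files
#
# File modes are written as quoted strings: an unquoted 0644 is read by
# YAML 1.1 parsers as the octal integer 420, which Ansible happens to
# convert back correctly, but quoting is the documented convention and
# removes the ambiguity.

- name: create hostkey group
  group:
    name: hostkey
    system: true

- name: copy ca certificate
  copy:
    src: "/srv/ca/certs/ca.crt"
    dest: "{{ tls_certs }}/ca.crt"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# The hash depends only on the CA file on the controller, so compute it
# once per play rather than once per host; with run_once the registered
# `result` is still set on every host, so the set_fact below sees it.
- name: get ca certificate hash
  command: "openssl x509 -in /srv/ca/certs/ca.crt -noout -hash"
  delegate_to: localhost
  run_once: true
  register: result
  changed_when: false

- name: store ca certificate hash
  set_fact:
    pki_cacert_hash: "{{ result.stdout }}"

- name: copy host certificate
  copy:
    src: "/srv/ca/certs/{{ inventory_hostname }}.crt"
    dest: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# copy fails when the destination directory is missing, so make sure the
# local facts directory exists before writing the fact script into it.
- name: create local facts directory
  file:
    path: /etc/ansible/facts.d
    state: directory
    mode: "0755"

# Local fact script: prints the installed certificate with the PEM
# header/footer lines dropped, wrapped in double quotes so facts.d reads
# it as a single JSON string.  If the certificate file is absent the
# `[ -f ... ] &&` guard makes the script exit non-zero with no output.
- name: add ansible certificate fact
  copy:
    content: |
      #!/bin/sh
      [ -f {{ tls_certs }}/{{ inventory_hostname }}.crt ] && awk '
      BEGIN { printf "\"" }
      { if (!/^-\-/) printf "%s",$0 }
      END { print "\"" }
      ' {{ tls_certs }}/{{ inventory_hostname }}.crt
    dest: /etc/ansible/facts.d/ansible_certificate.fact
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"

# Build the chain from the controller-side source files instead of
# `shell: cat ... > ...` guarded by `creates:`.  With the creates guard
# the full-chain file was never rewritten once it existed, so a renewed
# host or CA certificate left a stale chain on disk.  copy with content
# is idempotent and refreshes the file whenever either input changes.
- name: create full chain of host certificate and ca
  copy:
    content: |
      {{ lookup('file', '/srv/ca/certs/' ~ inventory_hostname ~ '.crt') }}
      {{ lookup('file', '/srv/ca/certs/ca.crt') }}
    dest: "{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# Private key: readable by root and the hostkey group only.
# NOTE(review): a run with --diff would print key material for this
# task; consider `no_log: true` if that is a concern in your logs.
- name: copy host key
  copy:
    src: "/srv/ca/private/{{ inventory_hostname }}.key"
    dest: "{{ tls_private }}/{{ inventory_hostname }}.key"
    mode: "0640"
    owner: root
    group: hostkey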