---
# Distributes TLS material for the managed host from the controller's
# /srv/ca tree: the CA certificate, the host certificate, a full-chain
# bundle, a local fact exposing the certificate, and the private key.
# Expects `tls_certs`, `tls_private` and `ansible_wheel` to be set by the
# caller.

# Group that is granted read access to private key material below.
- name: Create hostkey group
  ansible.builtin.group:
    name: hostkey
    system: true

# Public CA certificate: world-readable, root-owned.
- name: Copy ca certificate
  ansible.builtin.copy:
    dest: '{{ tls_certs }}/ca.crt'
    src: '/srv/ca/certs/ca.crt'
    owner: root
    group: '{{ ansible_wheel }}'
    mode: '0644'

# Read-only query of the CA certificate on the controller; never reports a
# change and still runs in check mode so `result` exists for the next task.
- name: Get ca certificate hash
  ansible.builtin.command:
    argv:
      - openssl
      - x509
      - -in
      - /srv/ca/certs/ca.crt
      - -noout
      - -hash
  delegate_to: localhost
  register: result
  changed_when: false
  check_mode: false

# Keep the hash as a fact; presumably consumed by later tasks — confirm.
- name: Store ca certificate hash
  ansible.builtin.set_fact:
    pki_cacert_hash: '{{ result.stdout }}'

# OpenBSD only: adjust the mtree specification so it agrees with the
# permissions applied to the private key directory in the next task
# (presumably so the system's mtree-based checks do not flag or revert
# them — confirm).
- name: Patch mtree to set correct permissions on /etc/ssl/private
  ansible.posix.patch:
    src: mtree.patch
    dest: /etc/mtree/4.4BSD.dist
  when: ansible_system == "OpenBSD"

# OpenBSD only: private key directory readable by root and the hostkey
# group, nobody else.
- name: Fix private key directory permissions
  ansible.builtin.file:
    path: '{{ tls_private }}'
    owner: root
    group: hostkey
    mode: '0750'
  when: ansible_system == "OpenBSD"

# Per-host public certificate: world-readable, root-owned.
- name: Copy host certificate
  ansible.builtin.copy:
    dest: '{{ tls_certs }}/{{ inventory_hostname }}.crt'
    src: '/srv/ca/certs/hosts/{{ inventory_hostname }}.crt'
    owner: root
    group: '{{ ansible_wheel }}'
    mode: '0644'

# Local-facts script: prints the host certificate as a single JSON string,
# dropping lines that begin with "-" (the PEM BEGIN/END markers) and
# joining the remaining lines without separators.
# NOTE(review): if the certificate file is absent the `[ -f ... ] &&`
# guard makes the script exit non-zero with no output — confirm that is
# the intended behaviour for fact gathering.
- name: Add ansible certificate fact
  ansible.builtin.copy:
    dest: /etc/ansible/facts.d/ansible_certificate.fact
    content: |
      #!/bin/sh
      [ -f {{ tls_certs }}/{{ inventory_hostname }}.crt ] && awk '
      BEGIN { printf "\"" }
      { if (!/^-\-/) printf "%s",$0 }
      END { print "\"" }
      ' {{ tls_certs }}/{{ inventory_hostname }}.crt
    owner: root
    group: '{{ ansible_wheel }}'
    mode: '0755'

# Concatenate host certificate + CA certificate on the target (public data
# only). Read-only; runs in check mode so the registered value is available.
- name: Create full chain certificate contents
  ansible.builtin.command:
    argv:
      - cat
      - '{{ tls_certs }}/{{ inventory_hostname }}.crt'
      - '{{ tls_certs }}/ca.crt'
  register: pki_host_fullchain
  changed_when: false
  check_mode: false

# Full-chain bundle written from the registered stdout.
# NOTE(review): mode 0640 is tighter than the 0644 used for the individual
# certificates above — presumably deliberate; confirm if a non-root service
# needs to read the bundle.
- name: Copy full chain certificate file
  ansible.builtin.copy:
    dest: '{{ tls_certs }}/{{ inventory_hostname }}-fullchain.crt'
    content: '{{ pki_host_fullchain.stdout }}'
    owner: root
    group: '{{ ansible_wheel }}'
    mode: '0640'

# Private key: readable only by root and members of the hostkey group
# created at the top of this file.
- name: Copy host key
  ansible.builtin.copy:
    dest: '{{ tls_private }}/{{ inventory_hostname }}.key'
    src: '/srv/ca/private/{{ inventory_hostname }}.key'
    owner: root
    group: hostkey
    mode: '0640'