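---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# ACME / Let’s Encrypt role: installs dehydrated, lays out /var/lib/acme and
# the dehydrated configuration, enables the renewal timer in prod, and in dev
# substitutes a locally generated self-signed certificate that is pushed
# through the same deploy hook.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  # Block form rather than the `key=value` string so every include_role in
  # this file is written the same way (see "install dehydrated" below).
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: ACME
### ⇐ UPSTREAM BEGIN ###

- name: install software (dev)
  package:
    # Needed on the managed node by the community.crypto modules used in the
    # DEV section below (key / CSR / self-signed certificate generation).
    name: python-cryptography
  when: (env == 'dev')

- name: install dehydrated (Let’s Encrypt)
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - dehydrated-git
    aur_user: git

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: ACME
### ⇐ UPSTREAM END ###

# File modes are quoted throughout: an unquoted `0644` is parsed by YAML as an
# octal integer, which Ansible happens to accept, but quoting removes the
# dependence on that parser behaviour.
- name: set Let’s Encrypt domains
  copy:
    content: |
      {{acme_domains}}
    dest: /etc/dehydrated/domains.txt
    mode: "0644"

- name: create Let’s Encrypt top directory
  file:
    path: /var/lib/acme
    state: directory
    # traversal only: other users may pass through to certs/ but not list it
    mode: "0711"

- name: create Let’s Encrypt accounts directory
  file:
    path: /var/lib/acme/accounts
    state: directory
    # holds the ACME account keys: owner-only
    mode: "0700"

- name: create Let’s Encrypt certs directory
  file:
    path: /var/lib/acme/certs
    state: directory
    # NOTE(review): private keys written under here rely on dehydrated's own
    # file modes, not on this directory mode — confirm against the hook/config.
    mode: "0755"

- name: set dehydrated settings
  template:
    src: templates/dehydrated.config.j2
    dest: /etc/dehydrated/config
    mode: "0600"

- name: set dehydrated hooks
  template:
    src: templates/hook.sh.j2
    dest: "/etc/dehydrated/{{nickname}}-hook.sh"
    mode: "0700"

- name: create dehydrated timer
  copy:
    src: files/dehydrated.timer
    dest: /etc/systemd/system/dehydrated.timer
    mode: "0644"
  when: (env == 'prod')
  notify:
    - restart dehydrated.service

- name: enable dehydrated
  systemd:
    daemon_reload: true
    name: dehydrated.timer
    enabled: true
  when: (env == 'prod')

## DEV
# https://docs.ansible.com/ansible/latest/collections/community/crypto/docsite/guide_selfsigned.html
- name: create private key (dev)
  community.crypto.openssl_privatekey:
    path: /var/lib/acme/self-signed.key
    # Stated explicitly so the key is never left readable to other users,
    # whatever the module default or the system umask happens to be.
    mode: "0600"
  when: (env == 'dev')

- name: create CSR (dev)
  community.crypto.openssl_csr:
    path: /var/lib/acme/self-signed.csr
    privatekey_path: /var/lib/acme/self-signed.key
    common_name: "{{net_soa}}"
    organization_name: "{{nickname}}"
    # every entry of acme_domains becomes a DNS: SAN
    subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"
    subject_alt_name_critical: true
  when: (env == 'dev')

- name: create self-signed certificate (dev)
  community.crypto.x509_certificate:
    path: /var/lib/acme/self-signed.pem
    privatekey_path: /var/lib/acme/self-signed.key
    csr_path: /var/lib/acme/self-signed.csr
    provider: selfsigned
  when: (env == 'dev')

- name: deploy self-signed certificate (dev)
  # Same entry point dehydrated would call: deploy_cert DOMAIN KEY CERT
  # FULLCHAIN CHAIN TIMESTAMP. The self-signed cert stands in for both CERT
  # and FULLCHAIN, and there is no CHAIN. This task has no change guard and
  # passes the current epoch, so it runs (and reports changed) on every dev
  # play.
  command: >
    /etc/dehydrated/{{nickname}}-hook.sh
    deploy_cert
    {{net_soa}}
    /var/lib/acme/self-signed.key
    /var/lib/acme/self-signed.pem
    /var/lib/acme/self-signed.pem
    /dev/null
    {{ansible_date_time.epoch}}
  when: (env == 'dev')

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: ACME
### ⇐ LOCAL COMMIT ###

- meta: flush_handlers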