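---
# Creates a self-signed CA (private key, CSR, certificate) once on the control
# node and distributes the CA certificate to every managed host.
#
# Variables read here (expected from the caller / role defaults):
#   cert_dir, tls_ca_key, tls_ca_key_size, tls_ca_csr, tls_ca_cert,
#   tls_ca_valid_days, tls_ca_email, plus the optional tls_ca_* subject fields.
#
# All CA material lives under cert_dir on the control node, so every task that
# touches it is delegated to localhost and limited to run_once: otherwise each
# host in the play would stat/generate the same files concurrently.

- name: Check if the CA private key exists
  delegate_to: localhost
  run_once: true
  ansible.builtin.stat:
    path: "{{ cert_dir }}/{{ tls_ca_key }}"
  register: ca_key

- name: Generate CA private key
  delegate_to: localhost
  run_once: true
  community.crypto.openssl_privatekey:
    path: "{{ cert_dir }}/{{ tls_ca_key }}"
    size: "{{ tls_ca_key_size }}"
    # Explicit, quoted mode: the CA key must stay readable only by the
    # control-node user, and an unquoted 0600 would be parsed as octal int.
    mode: "0600"
  when: not ca_key.stat.exists

- name: Check if the CA CSR exists
  delegate_to: localhost
  run_once: true
  ansible.builtin.stat:
    path: "{{ cert_dir }}/{{ tls_ca_csr }}"
  register: ca_csr

- name: Create CSR for CA
  delegate_to: localhost
  run_once: true
  community.crypto.openssl_csr:
    path: "{{ cert_dir }}/{{ tls_ca_csr }}"
    privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}"
    # RFC 5280 expects the CA flag to be a critical extension and a CA key
    # to be restricted to signing certificates and CRLs.
    basic_constraints:
      - "CA:TRUE"
    basic_constraints_critical: true
    key_usage:
      - keyCertSign
      - cRLSign
    key_usage_critical: true
    common_name: "{{ tls_ca_commonname | default('') }}"
    country_name: "{{ tls_ca_country | default('') }}"
    state_or_province_name: "{{ tls_ca_state | default('') }}"
    locality_name: "{{ tls_ca_locality | default('') }}"
    organization_name: "{{ tls_ca_organization | default('') }}"
    organizational_unit_name: "{{ tls_ca_organizationalunit | default('') }}"
    # NOTE(review): unlike the other subject fields, tls_ca_email has no
    # default, so the play fails if it is undefined -- confirm this is intended.
    email_address: "{{ tls_ca_email }}"
    use_common_name_for_san: false
  when: not ca_csr.stat.exists

- name: Check if the CA cert exists
  delegate_to: localhost
  run_once: true
  ansible.builtin.stat:
    path: "{{ cert_dir }}/{{ tls_ca_cert }}"
  register: ca_cert

# Self-signs the CA certificate from the CSR above (this is the CA cert
# itself, not a server certificate).
- name: Create and sign server cert for CA
  delegate_to: localhost
  run_once: true
  community.crypto.x509_certificate:
    path: "{{ cert_dir }}/{{ tls_ca_cert }}"
    privatekey_path: "{{ cert_dir }}/{{ tls_ca_key }}"
    csr_path: "{{ cert_dir }}/{{ tls_ca_csr }}"
    selfsigned_not_after: "+{{ tls_ca_valid_days }}d"
    provider: selfsigned
  when: not ca_cert.stat.exists
  register: ca_cert_file

# Unconditional on purpose: copy is idempotent (checksum-based), and gating it
# on ca_cert_file.changed would skip hosts added after the CA was first created.
- name: Copy the CA certificate to the remote machine
  ansible.builtin.copy:
    src: "{{ cert_dir }}/{{ tls_ca_cert }}"
    # NOTE(review): dropping a file into /etc/ssl/certs/ does not by itself add
    # it to the system trust store on every distribution -- verify the consumer
    # of this cert (or a follow-up task) handles trust-store registration.
    dest: /etc/ssl/certs/
    mode: "0644"
    owner: root
    group: root
    force: true
    backup: true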