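---
# Issue a TLS certificate from the private mkcert CA and install it on the
# target host.
#
# Variables read by these tasks (all defined outside this file):
#   mkcert_ca_host          host that holds the mkcert CA (delegation target)
#   mkcert_cert_name        certificate file name under /srv/mkcert-ca
#   mkcert_key_name         private-key file name under /srv/mkcert-ca
#   mkcert_dsn_and_ip_list  names/IPs appended to the mkcert command line
#   mkcert_cert_dest_path   certificate destination on the target host
#   mkcert_key_dest_path    private-key destination on the target host

- name: certificate_from_private_ca | Create the certificate using the private CA
  tags: [pki, tls, tls_certificate]
  block:
    # NOTE(review): presumably needed so Ansible can hand its temporary
    # module files to the unprivileged mkcert-ca account through a shared
    # group; confirm against the play's become settings.
    - name: certificate_from_private_ca | Set the common group between mkcert-ca and ansible
      ansible.builtin.set_fact:
        ansible_common_remote_group: ansible

    # `creates` makes the task idempotent: mkcert is skipped once the
    # certificate file exists, so an existing cert/key pair is never
    # silently re-issued.
    # The command module does not go through a shell, but
    # mkcert_dsn_and_ip_list is split on whitespace into extra mkcert
    # arguments, so it must only ever come from trusted inventory.
    - name: certificate_from_private_ca | Create the certificate (delegate to the CA vm)
      ansible.builtin.command:
        cmd: >-
          mkcert
          -cert-file /srv/mkcert-ca/{{ mkcert_cert_name }}
          -key-file /srv/mkcert-ca/{{ mkcert_key_name }}
          {{ mkcert_dsn_and_ip_list }}
        chdir: /srv/mkcert-ca
        creates: "/srv/mkcert-ca/{{ mkcert_cert_name }}"
      environment:
        # Points mkcert at the CA root material used for signing.
        CAROOT: /srv/mkcert-ca/.local/share/mkcert
      delegate_to: "{{ mkcert_ca_host }}"

- name: certificate_from_private_ca | Manage the certificate installation
  tags: [pki, tls, tls_certificate]
  block:
    # NOTE(review): this stores the private key in `files/` on the control
    # node and nothing in this file removes it afterwards. Keep that
    # directory out of version control and consider deleting the key once
    # it has been installed.
    - name: certificate_from_private_ca | Get the certificate and its key from the CA server
      ansible.builtin.fetch:
        src: "/srv/mkcert-ca/{{ item }}"
        dest: "files/"
        flat: true
      loop:
        - "{{ mkcert_cert_name }}"
        - "{{ mkcert_key_name }}"
      delegate_to: "{{ mkcert_ca_host }}"

    # The certificate is public material, so it is world-readable.
    # The mode is quoted so it reaches the module as the string "0444"
    # rather than a YAML-parsed number.
    - name: certificate_from_private_ca | Copy the certificate to the destination server
      ansible.builtin.copy:
        src: "files/{{ mkcert_cert_name }}"
        dest: "{{ mkcert_cert_dest_path }}"
        owner: root
        group: root
        mode: "0444"

    # Private key: readable by root and the root group only.
    # `diff: false` keeps the key contents out of the output and logs when
    # the play is run with --diff.
    - name: certificate_from_private_ca | Copy the private key to the destination server
      ansible.builtin.copy:
        src: "files/{{ mkcert_key_name }}"
        dest: "{{ mkcert_key_dest_path }}"
        owner: root
        group: root
        mode: "0440"
      diff: false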