---
- name: Install the Easy RSA suite on EL
  block:
  - name: Install the easyRSA package
    yum: pkg={{ easy_rsa_package }} state=present

  when:
    - easy_rsa_install | bool
    - ansible_distribution_file_variety == "RedHat"
  tags: [ 'easyrsa', 'easy_rsa', 'ca' ]

- name: Install the Easy RSA suite on Deb
  block:
  - name: Create the easy rsa base directory
    file: dest={{ easy_rsa_base_dir_path }} state=directory owner=root group=root

  - name: Download the easy-rsa distribution from github
    unarchive: remote_src=yes src={{ easy_rsa_github_distribution }} dest={{ easy_rsa_github_install_dir }} owner=root group=root

  - name: Link to the downloaded distribution
    file: src={{ easy_rsa_github_install_dir }}/{{ easy_rsa_github_name }} dest={{ easy_rsa_base_dir }} state=link

  when:
    - easy_rsa_install | bool
    - ansible_distribution_file_variety == "Debian"
  tags: [ 'easyrsa', 'easy_rsa', 'ca' ]

- name: Configure the pki directory and install the helper scripts
  block:
  - name: Create the PKI directory
    file: dest={{ easy_rsa_pki_basedir }} state=directory owner=root group=root mode=0750

  - name: Link the executable
    file: src={{ easy_rsa_executable }} dest={{ easy_rsa_pki_basedir }}/easyrsa state=link

  - name: Link the x509 directory
    file: src={{ easy_rsa_base_dir }}/x509-types dest={{ easy_rsa_pki_basedir }}/x509-types state=link

  - name: Install the vars file
    template: src=vars.j2 dest={{ easy_rsa_pki_basedir }}/vars owner=root group=root mode=0640

  - name: Install the helper scripts
    template: src={{ item }}.sh.j2 dest=/usr/local/bin/{{ item }} owner=root group=root mode=0544
    with_items: '{{ easy_rsa_helper_scripts }}'
    tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_helper_scripts' ]

  - name: Fix the CA:False constraint
    lineinfile:
      path: '{{ easy_rsa_base_dir }}/x509-types/{{ item  }}'
      regexp: '^basicConstraints\ =\ CA:FALSE'
      line: 'basicConstraints = critical,CA:FALSE'
    loop:
      - client
      - code-signing
      - email
      - kdc
      - server
      - serverClient
    when: easy_rsa_critical_ca_false

  - name: Add a CRL distribution URI
    lineinfile:
      path: '{{ easy_rsa_base_dir }}/x509-types/COMMON'
      regexp: '^crlDistributionPoints.*'
      line: 'crlDistributionPoints = URI:{{ easy_rsa_crl_url }}'
    when: easy_rsa_add_crl_url

  - name: Check if the CA has been initialized yet
    stat: path={{ easy_rsa_pki_basedir }}/pki/private/ca.key
    register: easy_rsa_ca_key_file

  - name: Display the easyrsa initialization commands if the CA has not been
    debug:
      msg: "Run the '{{ easy_rsa_pki_basedir }}/easyrsa init-pki' and '{{ easy_rsa_pki_basedir }}/easyrsa build-ca' commands"
    when: not easy_rsa_ca_key_file.stat.exists

  when: easy_rsa_install | bool
  tags: [ 'easyrsa', 'easy_rsa', 'ca' ]

- name: Expiration check
  block:
  - name: Install the mailx package on EL
    ansible.builtin.yum:
      pkg: mailx
      state: present
    when:
      - easy_rsa_install | bool
      - ansible_distribution_file_variety == "RedHat"
      - easy_rsa_alert_on_cert_expiration

  - name: Install the mailx package on deb systems
    ansible.builtin.apt:
      pkg: bsd-mailx
      state: present
      cache_valid_time: 1800
    when:
      - easy_rsa_install | bool
      - ansible_distribution_file_variety == "Debian"
      - easy_rsa_alert_on_cert_expiration

  - name: Install a cron job that runs the expiry check, daily
    ansible.builtin.cron:
      name: "Check on the certificate expiration"
      job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1"
      state: present
      special_time: daily
      user: root
      cron_file: check-certificates-expiration-date

  when:
    - easy_rsa_install | bool
    - easy_rsa_alert_on_cert_expiration
  tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_expiry_check' ]