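---
# Manage the system CA trust store on EL (RedHat family) and Debian-family
# hosts: install additional CA files fetched from URLs, optionally install the
# Let's Encrypt CA files, remove expired Let's Encrypt CA files, and rebuild
# the trust store whenever one of those steps changed something.
#
# Variables read by this file:
#   trusted_ca_additional_ca_files             list of {ca_url, ca[, ca_checksum]}
#   trusted_ca_letsencrypt_install             truthy enables the Let's Encrypt tasks
#   trusted_ca_letsencrypt_ca_certificates_url base URL the Let's Encrypt files are fetched from
#   trusted_ca_letsencrypt_ca_files            list of {ca_src, ca[, ca_checksum]}
#   expired_ca_letsencrypt_ca_files            list of file names to remove
#   trusted_ca_deb_path                        directory for locally added CA files on deb
#
# ca_checksum is an optional per-item key (format "<algorithm>:<hex>", as
# accepted by get_url's checksum parameter); when present the download is
# rejected unless it matches, so only the expected certificate can enter the
# trust store. TLS verification of the download is get_url's default and is
# deliberately left enabled.
#
# The trust-store rebuild commands never report "changed" themselves; each one
# runs only when the task it follows registered a change (hence noqa no-handler).

- name: trusted_ca | Manage optional CA files on EL
  when: ansible_distribution_file_variety == "RedHat"
  tags: [pki, trusted_ca, letsencrypt_ca]
  block:
    - name: trusted_ca | Get the CA files that we want to trust on EL
      ansible.builtin.get_url:
        url: "{{ item.ca_url }}"
        dest: "/etc/pki/ca-trust/source/anchors/{{ item.ca }}"
        # Optional pin; items without ca_checksum behave as before.
        checksum: "{{ item.ca_checksum | default(omit) }}"
        owner: root
        group: root
        mode: "0444"
      loop: "{{ trusted_ca_additional_ca_files }}"
      register: ca_files_installation

    - name: trusted_ca | Trust the CA files on EL
      ansible.builtin.command: /bin/update-ca-trust extract
      when: ca_files_installation is changed  # noqa: no-handler
      changed_when: false

- name: trusted_ca | Manage the Letsencrypt CA files on EL
  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "RedHat"
  tags: [pki, trusted_ca, letsencrypt_ca]
  block:
    - name: trusted_ca | Download the letsencrypt CA files on EL
      ansible.builtin.get_url:
        url: "{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}"
        dest: "/etc/pki/ca-trust/source/anchors/{{ item.ca }}"
        checksum: "{{ item.ca_checksum | default(omit) }}"
        owner: root
        group: root
        mode: "0444"
      loop: "{{ trusted_ca_letsencrypt_ca_files }}"
      register: letsencrypt_ca_files_installation

    - name: trusted_ca | Rebuild the trust CA files on EL
      ansible.builtin.command: /bin/update-ca-trust extract
      when: letsencrypt_ca_files_installation is changed  # noqa: no-handler
      changed_when: false

    - name: trusted_ca | Ensure that the expired CA files are not present
      ansible.builtin.file:
        dest: "/etc/pki/ca-trust/source/anchors/{{ item }}"
        state: absent
      loop: "{{ expired_ca_letsencrypt_ca_files }}"
      register: letsencrypt_ca_files_removal

    # A removed anchor stays in the extracted bundle until the store is rebuilt.
    - name: trusted_ca | Rebuild the trust CA files on EL
      ansible.builtin.command: /bin/update-ca-trust extract
      when: letsencrypt_ca_files_removal is changed  # noqa: no-handler
      changed_when: false

- name: trusted_ca | Manage optional CA files on deb
  when: ansible_distribution_file_variety == "Debian"
  tags: [pki, trusted_ca, letsencrypt_ca]
  block:
    # state: present only guarantees the package is installed; it does not
    # upgrade an already installed ca-certificates. cache_valid_time refreshes
    # the apt cache when it is older than 1800 seconds.
    - name: trusted_ca | Ensure that ca-certificates is installed and up to date
      ansible.builtin.apt:
        pkg: ca-certificates
        state: present
        cache_valid_time: 1800

    - name: trusted_ca | Get the CA files that we want to trust on deb
      ansible.builtin.get_url:
        url: "{{ item.ca_url }}"
        dest: "{{ trusted_ca_deb_path }}/{{ item.ca }}"
        checksum: "{{ item.ca_checksum | default(omit) }}"
        owner: root
        group: root
        mode: "0444"
      loop: "{{ trusted_ca_additional_ca_files }}"
      register: ca_files_installation

    - name: trusted_ca | Trust the CA files on deb
      ansible.builtin.command: /usr/sbin/update-ca-certificates
      when: ca_files_installation is changed  # noqa: no-handler
      changed_when: false

- name: trusted_ca | Distrust the DST Root CA X3 in Ubuntu Trusty
  when:
    - ansible_distribution_file_variety == "Debian"
    # `version` is the current name of the former `version_compare` test.
    - ansible_distribution_version is version('14.04', '==')
  tags: [pki, obsolete_ca]
  block:
    # The regexp matches the entry both before ("mozilla/...") and after
    # ("!mozilla/...") the edit; otherwise a second run finds no match and
    # appends a duplicate "!mozilla/..." line to the file.
    - name: trusted_ca | Comment the mozilla/DST_Root_CA_X3.crt entry
      ansible.builtin.lineinfile:
        path: /etc/ca-certificates.conf
        regexp: '^!?mozilla/DST_Root_CA_X3\.crt'
        line: "!mozilla/DST_Root_CA_X3.crt"
      register: dst_x3_distrust

    - name: trusted_ca | Trust the CA files on deb
      ansible.builtin.command: /usr/sbin/update-ca-certificates
      when: dst_x3_distrust is changed  # noqa: no-handler
      changed_when: false

- name: trusted_ca | Manage the Letsencrypt CA files on deb
  when:
    - trusted_ca_letsencrypt_install
    - ansible_distribution_file_variety == "Debian"
  tags: [pki, trusted_ca, letsencrypt_ca]
  block:
    - name: trusted_ca | Download the letsencrypt CA files on deb
      ansible.builtin.get_url:
        url: "{{ trusted_ca_letsencrypt_ca_certificates_url }}/{{ item.ca_src }}"
        dest: "{{ trusted_ca_deb_path }}/{{ item.ca }}"
        checksum: "{{ item.ca_checksum | default(omit) }}"
        owner: root
        group: root
        mode: "0444"
      loop: "{{ trusted_ca_letsencrypt_ca_files }}"
      register: letsencrypt_ca_files_installation

    - name: trusted_ca | Trust the CA files on deb
      ansible.builtin.command: /usr/sbin/update-ca-certificates
      when: letsencrypt_ca_files_installation is changed  # noqa: no-handler
      changed_when: false

    # The expired files are removed from both /etc/ssl/certs and
    # trusted_ca_deb_path in one task so that a single register captures a
    # change in either location. Two separate tasks writing the same register
    # would let the second overwrite the first, and the rebuild below would be
    # skipped when only the /etc/ssl/certs copy was actually removed.
    - name: trusted_ca | Ensure that the expired CA files are not present
      ansible.builtin.file:
        dest: "{{ item.0 }}/{{ item.1 }}"
        state: absent
      loop: "{{ ['/etc/ssl/certs', trusted_ca_deb_path] | product(expired_ca_letsencrypt_ca_files) }}"
      register: letsencrypt_ca_files_removal

    - name: trusted_ca | Trust the CA files on deb
      ansible.builtin.command: /usr/sbin/update-ca-certificates
      when: letsencrypt_ca_files_removal is changed  # noqa: no-handler
      changed_when: false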