---
# Builds a private PKI under certificates_local_dir: a self-signed root CA and a
# server certificate for the simulated registry hosts, signed by that CA.
# Variables read here: certificates_local_dir, certificates.organization_name,
# certificates.state_or_province_name, certificates.country_name,
# certificates.locality_name, all_simulated_hosts.
# NOTE(review): the original header says some tasks are delegated to the Ansible
# container because of the available python-pyOpenSSL version, but no delegate_to
# appears in this file — confirm the delegation is applied by the including play.

- name: Create certificates directory certs to current dir
  file:
    path: "{{ certificates_local_dir }}"
    state: directory

- name: Generate root CA private key
  openssl_privatekey:
    path: "{{ certificates_local_dir }}/rootCA.key"
    size: 4096

- name: Generate an OpenSSL CSR.
  openssl_csr:
    path: "{{ certificates_local_dir }}/rootCA.csr"
    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
    organization_name: "{{ certificates.organization_name }}"
    state_or_province_name: "{{ certificates.state_or_province_name }}"
    country_name: "{{ certificates.country_name }}"
    locality_name: "{{ certificates.locality_name }}"
    # Marking basicConstraints critical means relying parties must honour CA:true.
    basic_constraints:
      - CA:true
    basic_constraints_critical: true
    # NOTE(review): "critical" inside the key_usage list relies on the OpenSSL
    # extension syntax accepted by the pyOpenSSL backend; the cryptography
    # backend expects key_usage_critical: true instead — confirm which backend
    # the target Ansible version selects.
    key_usage:
      - critical
      - digitalSignature
      - cRLSign
      - keyCertSign

- name: Generate root CA certificate
  openssl_certificate:
    provider: selfsigned
    path: "{{ certificates_local_dir }}/rootCA.crt"
    csr_path: "{{ certificates_local_dir }}/rootCA.csr"
    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
    # NOTE(review): key_usage on openssl_certificate is an assertonly-provider
    # check; with provider=selfsigned the extensions are taken from the CSR above.
    # Confirm the module version in use still accepts this parameter.
    key_usage:
      - critical
      - digitalSignature
      - cRLSign
      - keyCertSign
    # NOTE(review): force: true re-issues the root CA on every run, so every
    # host that already trusts an earlier rootCA.crt has to be re-provisioned
    # (hence the Docker restart below) — confirm this is intended rather than
    # an idempotency shortcut.
    force: true
  notify: Restart Docker

- name: Generate private Nexus key
  openssl_privatekey:
    path: "{{ certificates_local_dir }}/nexus_server.key"
    size: 4096
    # Unlike the root CA, the server key is kept across runs.
    force: false

- name: Generate Nexus CSR (certificate signing request)
  openssl_csr:
    path: "{{ certificates_local_dir }}/nexus_server.csr"
    privatekey_path: "{{ certificates_local_dir }}/nexus_server.key"
    organization_name: "{{ certificates.organization_name }}"
    state_or_province_name: "{{ certificates.state_or_province_name }}"
    country_name: "{{ certificates.country_name }}"
    locality_name: "{{ certificates.locality_name }}"
    # The CN impersonates the upstream registry name; the SANs below carry
    # the simulated host names, which is what modern TLS clients match on.
    common_name: registry-1.docker.io
    key_usage:
      - keyAgreement
      - nonRepudiation
      - digitalSignature
      - keyEncipherment
      - dataEncipherment
    extended_key_usage:
      - serverAuth
    # Every entry of all_simulated_hosts becomes a "DNS:<host>" SAN.
    subject_alt_name: "{{ all_simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"

- name: Sign Nexus certificate
  openssl_certificate:
    provider: ownca
    path: "{{ certificates_local_dir }}/nexus_server.crt"
    csr_path: "{{ certificates_local_dir }}/nexus_server.csr"
    ownca_path: "{{ certificates_local_dir }}/rootCA.crt"
    ownca_privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
    # NOTE(review): this list omits keyAgreement, which the CSR above requests;
    # as with the root CA task, key_usage here is an assertonly-style check and
    # provider=ownca copies the extensions from the CSR — confirm the intended
    # key usage set and keep the two lists in agreement.
    key_usage:
      - digitalSignature
      - nonRepudiation
      - keyEncipherment
      - dataEncipherment
    subject_alt_name: "{{ all_simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"