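---
# Builds a small private PKI on the controller: a self-signed root CA plus a
# server certificate whose CN is registry-1.docker.io and whose SANs are the
# simulated_hosts list. The CA is therefore able to impersonate Docker Hub for
# any host that trusts it; only hosts that deliberately take part in the
# simulation should ever receive rootCA.crt. All files are written under
# certificates_local_dir.
#
# Some tasks are meant to be delegated to the Ansible container because the
# targets lack a usable version of python-pyOpenSSL (no delegate_to is set in
# this file -- TODO confirm where the delegation happens).

- name: Create certificates directory
  file:
    path: "{{ certificates_local_dir }}"
    state: directory

- name: Generate root CA private key
  openssl_privatekey:
    path: "{{ certificates_local_dir }}/rootCA.key"
    size: 4096
    # Without an explicit mode the module falls back to the umask, which on
    # most controllers leaves the CA private key world-readable.
    mode: "0600"

- name: Generate root CA CSR
  openssl_csr:
    path: "{{ certificates_local_dir }}/rootCA.csr"
    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
    organization_name: "{{ certificates.organization_name }}"
    state_or_province_name: "{{ certificates.state_or_province_name }}"
    country_name: "{{ certificates.country_name }}"
    locality_name: "{{ certificates.locality_name }}"
    # CA:true marked critical so relying parties cannot ignore it.
    basic_constraints:
      - "CA:true"
    basic_constraints_critical: true
    key_usage:
      - critical
      - digitalSignature
      - cRLSign
      - keyCertSign

- name: Generate root CA certificate
  openssl_certificate:
    provider: selfsigned
    path: "{{ certificates_local_dir }}/rootCA.crt"
    csr_path: "{{ certificates_local_dir }}/rootCA.csr"
    privatekey_path: "{{ certificates_local_dir }}/rootCA.key"
    # Presumably an assertion on the resulting certificate rather than a
    # setter; the extensions themselves come from the CSR above -- verify
    # against the openssl_certificate docs for the Ansible version in use.
    key_usage:
      - critical
      - digitalSignature
      - cRLSign
      - keyCertSign
    # force: true re-issues the CA certificate (same key, new serial/validity)
    # on every run, which in turn fires the Docker restart handler every run.
    force: true
  notify: Restart Docker

- name: Generate private Nexus key
  openssl_privatekey:
    path: "{{ certificates_local_dir }}/nexus_server.key"
    size: 4096
    force: false
    # Server private key: owner-only, for the same reason as the CA key.
    mode: "0600"

- name: Generate Nexus CSR (certificate signing request)
  openssl_csr:
    path: "{{ certificates_local_dir }}/nexus_server.csr"
    privatekey_path: "{{ certificates_local_dir }}/nexus_server.key"
    organization_name: "{{ certificates.organization_name }}"
    state_or_province_name: "{{ certificates.state_or_province_name }}"
    country_name: "{{ certificates.country_name }}"
    locality_name: "{{ certificates.locality_name }}"
    # The certificate deliberately stands in for Docker Hub; clients reach
    # the Nexus registry under this name.
    common_name: registry-1.docker.io
    key_usage:
      - keyAgreement
      - nonRepudiation
      - digitalSignature
      - keyEncipherment
      - dataEncipherment
    extended_key_usage:
      - serverAuth
    # Each simulated host becomes a DNS: SAN entry.
    subject_alt_name: "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"

- name: Generate v3 extension config file
  template:
    src: v3.ext.j2
    dest: "{{ certificates_local_dir }}/v3.ext"

# Signing via openssl_certificate (ownca provider) only arrived in Ansible 2.7
# (released 2018-10-04); this role currently targets 2.6.3, hence the shell-out.
# NOTE: `openssl x509 -req` ignores the extensions carried in the CSR, so the
# SAN list and serverAuth EKU are only present in nexus_server.crt if
# v3.ext.j2 emits them -- confirm the template does. This task is not
# idempotent: it issues a fresh server certificate on every run.
- name: Sign Nexus certificate
  command: >
    openssl x509 -req
    -in "{{ certificates_local_dir }}/nexus_server.csr"
    -extfile "{{ certificates_local_dir }}/v3.ext"
    -CA "{{ certificates_local_dir }}/rootCA.crt"
    -CAkey "{{ certificates_local_dir }}/rootCA.key"
    -CAcreateserial
    -out "{{ certificates_local_dir }}/nexus_server.crt"
    -days 3650
    -sha256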