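---
# Some tasks are delegated to the Ansible controller (delegate_to: localhost)
# because a python-pyOpenSSL version usable by the crypto modules is not
# available (presumably on the managed host).
#
# Trust model of this file: rootCA.key signs a server certificate whose names
# include registry-1.docker.io, and rootCA.crt is afterwards distributed as a
# trust anchor (upload_root_ca.yml). Every host that trusts rootCA.crt will
# accept anything signed with rootCA.key, so that key must stay on the
# controller and must never travel with the application data.

- name: Generate root CA private key
  openssl_privatekey:
    path: /certs/rootCA.key
    size: 4096
    # CA signing key: owner-only regardless of the controller's umask.
    mode: "0600"
  delegate_to: localhost

- name: Generate an OpenSSL CSR.
  openssl_csr:
    path: /certs/rootCA.csr
    privatekey_path: /certs/rootCA.key
    organization_name: "{{ certificates.organization_name }}"
    state_or_province_name: "{{ certificates.state_or_province_name }}"
    country_name: "{{ certificates.country_name }}"
    locality_name: "{{ certificates.locality_name }}"
    # CA:true plus keyCertSign/cRLSign (all critical) is what makes relying
    # parties treat the resulting certificate as an issuing CA.
    basic_constraints:
      - CA:true
    basic_constraints_critical: true
    key_usage:
      - critical
      - digitalSignature
      - cRLSign
      - keyCertSign
  delegate_to: localhost

- name: Generate root CA certificate
  openssl_certificate:
    provider: selfsigned
    path: /certs/rootCA.crt
    csr_path: /certs/rootCA.csr
    privatekey_path: /certs/rootCA.key
    # NOTE(review): key_usage on openssl_certificate appears to be an
    # assertonly-provider check; with provider=selfsigned the extensions are
    # taken from the CSR above. Kept as written; confirm before relying on it.
    key_usage:
      - critical
      - digitalSignature
      - cRLSign
      - keyCertSign
    # NOTE(review): force=true re-issues the CA certificate (new serial and
    # validity window) on every run and therefore restarts Docker every run.
    # The key itself is not regenerated, so already-distributed copies of
    # rootCA.crt keep validating signatures made with it; confirm this
    # per-run re-issuance is intended.
    force: true
  delegate_to: localhost
  notify: Restart Docker

- name: Generate private Nexus key
  openssl_privatekey:
    path: /certs/nexus_server.key
    size: 4096
    mode: "0600"
    # Keep an existing key so the served certificate stays stable across runs.
    force: false
  delegate_to: localhost

- name: Generate Nexus CSR (certificate signing request)
  openssl_csr:
    path: /certs/nexus_server.csr
    privatekey_path: /certs/nexus_server.key
    organization_name: "{{ certificates.organization_name }}"
    state_or_province_name: "{{ certificates.state_or_province_name }}"
    country_name: "{{ certificates.country_name }}"
    locality_name: "{{ certificates.locality_name }}"
    # The hard-coded CN impersonates Docker Hub for the simulated environment.
    # Clients match the SAN list below rather than the CN, so simulated_hosts
    # should include this name as well if it is meant to be served.
    common_name: registry-1.docker.io
    key_usage:
      - keyAgreement
      - nonRepudiation
      - digitalSignature
      - keyEncipherment
      - dataEncipherment
    extended_key_usage:
      - serverAuth
    # Every entry of simulated_hosts becomes one "DNS:<host>" SAN; an empty
    # list produces a certificate with no SAN extension at all.
    subject_alt_name: "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
  delegate_to: localhost

- name: Generate v3 extension config file
  template:
    src: v3.ext.j2
    dest: /certs/v3.ext
  delegate_to: localhost

# Signing with a CA from openssl_certificate only arrived in Ansible 2.7
# (released 04.10.2018); this role targets 2.6.3, so the leaf is signed with
# the openssl CLI instead. Signing deliberately happens on the controller,
# where the CA key lives.
# NOTE(review): this command re-signs on every run (no `creates:`), which is
# consistent with the CA certificate being force-regenerated above. If that
# force flag is ever dropped, add `creates: /certs/nexus_server.crt` here.
# A 10-year leaf validity is longer than public PKI policy allows; acceptable
# for an internal registry only if rotation is handled elsewhere.
- name: Sign Nexus certificate
  command: >
    openssl x509 -req -in /certs/nexus_server.csr -extfile /certs/v3.ext
    -CA /certs/rootCA.crt -CAkey /certs/rootCA.key -CAcreateserial
    -out /certs/nexus_server.crt -days 3650 -sha256
  delegate_to: localhost

# Only the artefacts the infrastructure server actually needs leave the
# controller: the trust anchor and the server's own certificate and key.
# Deliberately NOT copied: rootCA.key (the CA signing key), both CSRs,
# v3.ext and the rootCA.srl serial file. Files land under
# {{ app_data_path }}/certs/, the same layout a whole-directory copy of
# /certs produced. If upload_root_ca.yml or another role expects further
# files from that tree, list them here explicitly rather than copying /certs.
- name: Upload certificates to infrastructure server
  copy:
    src: "/certs/{{ item.name }}"
    dest: "{{ app_data_path }}/certs/{{ item.name }}"
    # Explicit modes: without one the copy module applies the target's
    # default, which would typically leave the server key world-readable.
    mode: "{{ item.mode }}"
  loop:
    - name: rootCA.crt
      mode: "0644"
    - name: nexus_server.crt
      mode: "0644"
    - name: nexus_server.key
      mode: "0600"

- import_tasks: upload_root_ca.yml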