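# TLS bootstrap for Consul.
#
# Flow: the first host of consul_server_group generates a self-signed CA,
# a node key and a CSR covering every server/agent address, signs the node
# certificate with that CA, then fans the resulting PEM material out to the
# other hosts as facts, where it is written to consul_ssl_path.
#
# Security model:
#   * The CA private key is only ever placed on Consul servers (so another
#     server can take over signing), never on agents. Any host holding the
#     CA key can mint certificates trusted by the whole cluster.
#   * Every task that touches private-key bytes (slurp / set_fact / copy
#     content) runs with no_log so keys do not end up in callback output,
#     verbose logs or CI logs. NOTE(review): facts still land in the fact
#     cache if one is configured — confirm that cache is access-controlled.
#   * Private keys are written with mode 0600 explicitly rather than relying
#     on umask or module defaults.

- name: Install python3-cryptography as dependence
  # community.crypto modules need the cryptography library on the target.
  dnf:
    name: python3-cryptography
    state: present
  when: ansible_facts['os_family'] == 'RedHat'

- name: Check if ssl dir exist
  # Directory holding private keys: not world-readable. Loosen to 0755 only
  # if a non-consul local user must read the certificates from this path.
  file:
    path: "{{ consul_ssl_path }}"
    state: directory
    owner: consul
    group: consul
    mode: "0750"
  when: consul_ssl

- name: Add predefined ssl cert for Consul
  # NOTE(review): the guard checks consul_cert but the copied file is
  # consul_cert_name; consul_cert is also reused below as a registered
  # result and as the distributed node-certificate fact. Confirm the
  # intended variable for "operator supplies their own cert".
  copy:
    src: "{{ consul_cert_name }}"
    dest: "{{ consul_ssl_path }}/{{ consul_cert_name }}"
    owner: consul
    group: consul
  notify: Restart consul
  when: consul_cert is defined

- name: Generate OpenSSL key and cert for Consul
  # Only the first server signs; everything else receives facts from it.
  when: "inventory_hostname == groups[consul_server_group]|first"
  block:
    - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
        owner: consul
        group: consul
        mode: "0600"
      when: consul_cert is not defined
      register: consul_ca_key_gen

    - name: Generate an OpenSSL Certificate Signing Request
      # CA-only profile: CA:TRUE + keyCertSign, both critical, no SAN.
      # NOTE(review): unlike the key/cert tasks this one is not gated on
      # consul_cert — with consul_cert defined it would reference a CA key
      # that was never generated. Confirm whether that path is reachable.
      community.crypto.openssl_csr:
        path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.csr"
        privatekey_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
        use_common_name_for_san: false
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
        key_usage_critical: true
        common_name: "CA-{{ consul_self_signed_cert_name }}"
        owner: consul
        group: consul
      register: consul_ca_csr

    - name: Generate a Self Signed OpenSSL CA certificate
      community.crypto.x509_certificate:
        path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
        csr_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.csr"
        privatekey_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
        provider: selfsigned
        owner: consul
        group: consul
      when: consul_cert is not defined
      register: consul_ca_cert_gen

    - name: Generate an OpenSSL private client key with the default values (4096 bits, RSA)
      # One node key shared by every server and agent (distributed below).
      community.crypto.openssl_privatekey:
        path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
        owner: consul
        group: consul
        mode: "0600"
      when: consul_cert is not defined
      register: consul_key_gen

    # --- SAN collection: every address a peer might use to reach a server
    # or agent must be in the single shared certificate. ---

    - name: Generate consul server subject_alt_ips from ansible_host
      set_fact:
        consul_server_subject_alt_ips_from_ansible_host: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}"
      when: hostvars[inventory_hostname]['ansible_host'] is defined

    - name: Generate consul server subject_alt_ips from default ipv4 address
      set_fact:
        consul_server_subject_alt_ips: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^', 'IP:') | list }}"
      when:
        - hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined
        - not consul_cacert_multiple_default_gw_workaround

    - name: Generate consul server subject_alt_names
      set_fact:
        consul_server_subject_alt_names: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"

    - name: Generate consul server subject_alt_ips from ansible_all_ipv4_addresses
      set_fact:
        consul_server_subject_alt_ips_all_ipv4: "{{ groups[consul_server_group] | default([]) | map('extract', hostvars, ['ansible_all_ipv4_addresses']) | flatten | map('regex_replace', '^', 'IP:') | list }}"
      when: hostvars[inventory_hostname]['ansible_all_ipv4_addresses'] is defined

    - name: Generate consul agent subject_alt_ips from ansible_host
      set_fact:
        consul_agent_subject_alt_ips_from_ansible_host: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['ansible_host']) | map('regex_replace', '^', 'IP:') | list }}"
      when: hostvars[inventory_hostname]['ansible_host'] is defined

    - name: Generate consul agent subject_alt_ips from default ipv4 address
      set_fact:
        consul_agent_subject_alt_ips: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^', 'IP:') | list }}"
      when:
        - hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined
        - not consul_cacert_multiple_default_gw_workaround

    - name: Generate consul agent subject_alt_ips from ansible_all_ipv4_addresses
      set_fact:
        consul_agent_subject_alt_ips_all_ipv4: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['ansible_all_ipv4_addresses']) | flatten | map('regex_replace', '^', 'IP:') | list }}"
      when: hostvars[inventory_hostname]['ansible_all_ipv4_addresses'] is defined

    - name: Generate consul agent subject_alt_ips from cacert_force_append_ips
      # Operator-supplied extra IP SANs (e.g. VIPs / load balancers).
      set_fact:
        consul_agent_subject_alt_ips_force_append: "{{ cacert_force_append_ips | map('regex_replace', '^', 'IP:') | list }}"
      when: cacert_force_append_ips is defined

    - name: Generate consul agent subject_alt_names from cacert_force_append_names
      set_fact:
        consul_agent_subject_alt_names_force_append: "{{ cacert_force_append_names | map('regex_replace', '^', 'DNS:') | list }}"
      when: cacert_force_append_names is defined

    - name: Generate consul agent subject_alt_names
      set_fact:
        consul_agent_subject_alt_names: "{{ groups[consul_agent_group] | default([]) | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"

    - name: Generate an OpenSSL Certificate Signing Request for client
      # Filters bind tighter than '+', so each operand defaults to [] on its
      # own before the lists are concatenated.
      community.crypto.openssl_csr:
        path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.csr"
        privatekey_path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
        common_name: "{{ consul_self_signed_cert_name }}"
        subject_alt_name: "{{ consul_server_subject_alt_ips | default([]) + consul_server_subject_alt_names | default([]) + consul_agent_subject_alt_ips | default([]) + consul_agent_subject_alt_names | default([]) + consul_server_subject_alt_ips_from_ansible_host | default([]) + consul_server_subject_alt_ips_all_ipv4 | default([]) + consul_agent_subject_alt_ips_from_ansible_host | default([]) + consul_agent_subject_alt_ips_all_ipv4 | default([]) + consul_agent_subject_alt_ips_force_append | default([]) + consul_agent_subject_alt_names_force_append | default([])}}"
        owner: consul
        group: consul
      register: consul_csr

    - name: Generate an OpenSSL certificate for client signed with your own CA certificate
      # NOTE(review): no key_usage / extended_key_usage is set, so the cert
      # carries no usage restriction; consider serverAuth+clientAuth if the
      # Consul configuration verifies both directions.
      community.crypto.x509_certificate:
        path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
        csr_path: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.csr"
        ownca_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
        ownca_privatekey_path: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
        provider: ownca
        owner: consul
        group: consul
      register: consul_cert

    # --- Read the generated material back so it can be pushed as facts. ---

    - name: Get CA cert content
      slurp:
        src: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
      register: consul_ca_cert_b64

    - name: Get CA key content
      # Private key: keep the base64 content out of task output.
      slurp:
        src: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
      register: consul_ca_key_b64
      no_log: true

    - name: Get client cert content
      slurp:
        src: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
      register: consul_cert_b64

    - name: Get client key content
      slurp:
        src: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
      register: consul_key_b64
      no_log: true

    - name: Set facts about CA cert, node key and node cert on every host
      # Public CA cert plus the shared node key/cert go to servers and agents.
      set_fact:
        consul_ca_cert: "{{ consul_ca_cert_b64.content | b64decode }}"
        consul_key: "{{ consul_key_b64.content | b64decode }}"
        consul_cert: "{{ consul_cert_b64.content | b64decode }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      run_once: true
      no_log: true
      with_items:
        - "{{ groups[consul_server_group] | default([]) }}"
        - "{{ groups[consul_agent_group] | default([]) }}"

    - name: Set fact about CA key on Consul servers only
      # The CA private key is deliberately NOT handed to agents: an agent
      # compromise must not allow issuing cluster-trusted certificates.
      # Servers keep a copy so signing can move to another server.
      set_fact:
        consul_ca_key: "{{ consul_ca_key_b64.content | b64decode }}"
      delegate_to: "{{ item }}"
      delegate_facts: true
      run_once: true
      no_log: true
      with_items:
        - "{{ groups[consul_server_group] | default([]) }}"

# --- Materialise the facts on every host. ---

- name: Put Consul CA OpenSSL key
  # Servers only; agents never receive the CA key fact (see above).
  copy:
    content: "{{ consul_ca_key }}"
    dest: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.key"
    owner: consul
    group: consul
    mode: "0600"
  no_log: true
  notify: Restart consul
  when: inventory_hostname in (groups[consul_server_group] | default([]))

- name: Put Consul CA OpenSSL cert
  copy:
    content: "{{ consul_ca_cert }}"
    dest: "{{ consul_ssl_path }}/CA-{{ consul_self_signed_cert_name }}.crt"
    owner: consul
    group: consul
  notify: Restart consul

- name: Put Consul CA OpenSSL cert to PKI
  # Adds the cluster CA to the system trust store; triggers the update
  # command below only when the file actually changed.
  copy:
    content: "{{ consul_ca_cert }}"
    dest: "{{ consul_ssl_ca_trust_dir }}/CA-{{ consul_self_signed_cert_name }}.crt"
  register: consul_ca_trust
  notify: Restart consul

- name: Update CA trust
  # consul_ssl_update_ca_command is an operator-controlled variable, not
  # remote input; shell is kept because the command may need shell syntax.
  shell: "{{ consul_ssl_update_ca_command }}"
  when: consul_ca_trust.changed

- name: Put Consul OpenSSL key
  copy:
    content: "{{ consul_key }}"
    dest: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.key"
    owner: consul
    group: consul
    mode: "0600"
  no_log: true
  notify: Restart consul

- name: Put Consul OpenSSL cert
  copy:
    content: "{{ consul_cert }}"
    dest: "{{ consul_ssl_path }}/{{ consul_self_signed_cert_name }}.crt"
    owner: consul
    group: consul
  notify: Restart consul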