- name: Create CA
  when: inventory_hostname in groups[patroni_cacert_ca_host_group]
  block:
    - name: CA and certs | Install cryptography library
      package:
        name: python3-cryptography
        state: present

    - name: CA and certs | Check if ssl gen dir exist
      file:
        name: "{{ patroni_ssl_path }}"
        state: directory

    - name: Generate an OpenSSL private CA key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
      register: patroni_cacert_ca_key_gen

    - name: Generate an OpenSSL Certificate Signing Request
      community.crypto.openssl_csr:
        path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr"
        privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        use_common_name_for_san: false
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: yes
        key_usage:
          - keyCertSign
        key_usage_critical: true
        common_name: "CA-{{ patroni_self_signed_cert_name }}"
      register: patroni_cacert_ca_csr

    - name: Generate a Self Signed OpenSSL CA certificate
      community.crypto.x509_certificate:
        path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
        csr_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr"
        privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        provider: selfsigned
      register: patroni_cacert_ca_cert_gen

    - name: Get CA cert content
      slurp:
        src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
      register: patroni_cacert_ca_cert_b64

    - name: Get CA csr content
      slurp:
        src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr"
      register: patroni_cacert_ca_csr_b64

    - name: Get CA key content
      slurp:
        src: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
      register: patroni_cacert_ca_key_b64

    - name: Set facts about key and cert
      set_fact:
        patroni_cacert_ca_key: "{{ patroni_cacert_ca_key_b64.content | b64decode }}"
        patroni_cacert_ca_csr: "{{ patroni_cacert_ca_csr_b64.content | b64decode }}"
        patroni_cacert_ca_cert: "{{ patroni_cacert_ca_cert_b64.content | b64decode }}"
      delegate_to: "{{ fact_item }}"
      delegate_facts: true
      with_items: 
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: fact_item

- name: Distribute CA certificates
  become: true
  block:
    - name: CA and cert | Check if dest dir exist on remote host
      file:
        name: "{{ patroni_ssl_path }}"
        state: directory
      loop:
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: host_item

    - name: Put CA key
      copy:
        content: "{{ patroni_cacert_ca_key }}"
        dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        mode: 0600
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"
      loop:
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: host_item

    - name: Put CA csr
      copy:
        content: "{{ patroni_cacert_ca_csr }}"
        dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.csr"
        mode: 0644
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"
      loop:
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: host_item

    - name: Put CA cert
      copy:
        content: "{{ patroni_cacert_ca_cert }}"
        dest: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
        mode: 0644
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"
      loop:
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: host_item

    - name: Put CA OpenSSL cert to PKI
      copy:
        content: "{{ patroni_cacert_ca_cert }}"
        dest: "{{ patroni_cacert_ca_trust_dir }}/CA-{{ patroni_self_signed_cert_name }}.crt"
        mode: 0644
      loop:
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: host_item
      register: patroni_ca_trust_anchors

    - name: Update CA trust
      shell: "{{ patroni_cacert_update_ca_trust_command }}"
      loop:
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: host_item
      when:
        - patroni_ca_trust_anchors.changed 
        - patroni_cacert_ca_trust_anchors_update