- name: CA and certs | Generate CN certs and keys
  when: inventory_hostname in groups[patroni_cacert_ca_host_group]
  block:
    - name: Generate an OpenSSL private client key {{ item }} with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: "{{ patroni_ssl_path }}/{{ item }}.key"
      register: patroni_cacert_client_key_gen

    - name: Generate Patroni subject_alt_ips from ansible_host
      set_fact:
        patroni_server_subject_alt_ips_from_ansible_host: "{{ hostvars[item]['ansible_host'] | regex_replace('^', 'IP:') }}"
      when: hostvars[item]['ansible_host'] is defined

    - name: Generate Patroni subject_alt_ips from default ipv4 address
      set_fact:
        patroni_server_subject_alt_ips: "{{ hostvars[item]['ansible_default_ipv4']['address'] | regex_replace('^', 'IP:') }}"
      when:
        - hostvars[item]['ansible_default_ipv4']['address'] is defined
        - not patroni_cacert_multiple_default_gw_workaround

    - name: Generate Patroni subject_alt_names from inventory_hostname
      set_fact:
        patroni_server_subject_alt_names: "{{ item | regex_replace('^', 'DNS:') }}"

    - name: Generate Patroni subject_alt_ips from ansible_all_ipv4_addresses
      set_fact:
        patroni_server_subject_alt_ips_all_ipv4: "{{ hostvars[item]['ansible_all_ipv4_addresses'] | map('regex_replace', '^', 'IP:') | join(',') }}"
      when: hostvars[item]['ansible_all_ipv4_addresses'] is defined

    - name: Generate Patroni subject_alt_ips from patroni_cacert_force_append_ips
      set_fact:
        patroni_server_subject_alt_ips_force_append: "{{ patroni_cacert_force_append_ips | map('regex_replace', '^', 'IP:') | join(',') }}"
      when: 
        - patroni_cacert_force_append_ips is defined
        - patroni_cacert_force_append_ips | length > 0

    - name: Generate Patroni subject_alt_names from patroni_cacert_force_append_names
      set_fact:
        patroni_server_subject_alt_names_force_append: "{{ patroni_cacert_force_append_names | map('regex_replace', '^', 'DNS:') | join(',') }}"
      when: 
        - patroni_cacert_force_append_names is defined
        - patroni_cacert_force_append_names | length > 0

    - name: Construct subject_alt_name
      set_fact:
        subject_alt_name:
          - "{{ patroni_server_subject_alt_names }}"
          - "{{ patroni_server_subject_alt_ips_from_ansible_host }}"
          - "{{ patroni_server_subject_alt_ips_all_ipv4 }}"

    - name: Construct base subject_alt_name
      set_fact:
        subject_alt_name:
          - "{{ subject_alt_name | join(',') }}"
          - "{{ patroni_server_subject_alt_ips }}"
      when: patroni_server_subject_alt_ips is defined

    - name: Construct subject_alt_name with patroni_server_subject_alt_ips_force_append
      set_fact:
        subject_alt_name:
          - "{{ subject_alt_name | join(',') }}"
          - "{{ patroni_server_subject_alt_ips_force_append }}"
      when: patroni_server_subject_alt_ips_force_append is defined

    - name: Construct subject_alt_name with patroni_server_subject_alt_names_force_append
      set_fact:
        subject_alt_name:
          - "{{ subject_alt_name | join(',') }}"
          - "{{ patroni_server_subject_alt_names_force_append }}"
      when: patroni_server_subject_alt_names_force_append is defined

    - debug:
        msg: "{{ subject_alt_name }}"

    - name: Generate an OpenSSL Certificate Signing Request for client
      community.crypto.openssl_csr:
        path: "{{ patroni_ssl_path }}/{{ item }}.csr"
        privatekey_path: "{{ patroni_ssl_path }}/{{ item }}.key"
        common_name: "{{ item }}"
        subject_alt_name: "{{ subject_alt_name | join(',') }}"
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"
      register: patroni_csr

    - name: Generate an OpenSSL certificate for client signed with your own CA certificate
      community.crypto.x509_certificate:
        path: "{{ patroni_ssl_path }}/{{ item }}.crt"
        csr_path: "{{ patroni_ssl_path }}/{{ item }}.csr"
        ownca_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.crt"
        ownca_privatekey_path: "{{ patroni_ssl_path }}/CA-{{ patroni_self_signed_cert_name }}.key"
        provider: ownca
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"
      register: patroni_cert

    - name: Get {{ item }} OpenSSL crt and key content
      ansible.builtin.shell: |
        cat {{ patroni_ssl_path }}/{{ item }}.crt {{ patroni_ssl_path }}/{{ item }}.key
      register: concated_crt_key
      changed_when: false

    - name: Concatenate and save {{ item }} OpenSSL crt and key to single file
      copy:
        content: "{{ concated_crt_key.stdout }}"
        dest: "{{ patroni_ssl_path }}/{{ item }}.pem"

    - name: Get CN key {{ item }} content
      slurp:
        src: "{{ patroni_ssl_path }}/{{ item }}.key"
      register: patroni_cacert_cn_certs_key_b64

    - name: Get CN csr {{ item }} content
      slurp:
        src: "{{ patroni_ssl_path }}/{{ item }}.csr"
      register: patroni_cacert_cn_certs_csr_b64

    - name: Get CN cert {{ item }} content
      slurp:
        src: "{{ patroni_ssl_path }}/{{ item }}.crt"
      register: patroni_cacert_cn_certs_cert_b64

    - name: Get CN cert and key concat {{ item }} content
      slurp:
        src: "{{ patroni_ssl_path }}/{{ item }}.pem"
      register: patroni_cacert_cn_certs_concat_b64

    - name: Set facts about {{ item }} key and cert and delegate
      set_fact:
        patroni_cacert_cn_certs_key: "{{ patroni_cacert_cn_certs_key_b64.content | b64decode }}"
        patroni_cacert_cn_certs_csr: "{{ patroni_cacert_cn_certs_csr_b64.content | b64decode }}"
        patroni_cacert_cn_certs_cert: "{{ patroni_cacert_cn_certs_cert_b64.content | b64decode }}"
        patroni_cacert_cn_certs_concat: "{{ patroni_cacert_cn_certs_concat_b64.content | b64decode }}"
      delegate_to: "{{ fact_item }}"
      delegate_facts: true
      with_items:
        - "{{ groups[patroni_cacert_ca_host_group] | default([]) }}"
        - "{{ groups[patroni_cacert_clients_group] | default([]) }}"
      loop_control:
        loop_var: fact_item

- name: Distribute CN certificates
  become: true
  when:
    - inventory_hostname in groups[patroni_cacert_clients_group]
  block:
    - name: CA and cert | Check if dest dir exist on remote host
      file:
        name: "{{ patroni_ssl_path }}"
        state: directory

    - name: Put CN key
      copy:
        content: "{{ patroni_cacert_cn_certs_key }}"
        dest: "{{ patroni_ssl_path }}/{{ item }}.key"
        mode: 0600
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"

    - name: Put CN csr
      copy:
        content: "{{ patroni_cacert_cn_certs_csr }}"
        dest: "{{ patroni_ssl_path }}/{{ item }}.csr"
        mode: 0644
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"

    - name: Put CN cert
      copy:
        content: "{{ patroni_cacert_cn_certs_cert }}"
        dest: "{{ patroni_ssl_path }}/{{ item }}.crt"
        mode: 0644
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"

    - name: Put CN key and cert concat
      copy:
        content: "{{ patroni_cacert_cn_certs_concat }}"
        dest: "{{ patroni_ssl_path }}/{{ item }}.pem"
        mode: 0644
        owner: "{{ patroni_user }}"
        group: "{{ patroni_group }}"