---

- ansible.builtin.set_fact:
    matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
    matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
    matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"

- name: Check if SSL certificate file exists
  ansible.builtin.stat:
    path: "{{ matrix_ssl_certificate_cert_path }}"
  register: matrix_ssl_certificate_cert_path_stat_result

# In order to do any sort of generation (below), we need to ensure the directory exists first
- name: Ensure SSL certificate directory exists
  ansible.builtin.file:
    path: "{{ matrix_ssl_certificate_csr_path | dirname }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"

# The proper way to do this is by using a sequence of
# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
#
# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
# which is not available on CentOS 7 (at least).
#
# We'll do it in a more manual way.
- name: Generate SSL certificate
  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
  ansible.builtin.command:
    cmd: |
      openssl req -x509 \
      -sha256 \
      -newkey rsa:4096 \
      -nodes \
      -subj "/CN={{ domain_name }}" \
      -keyout {{ matrix_ssl_certificate_cert_key_path }} \
      -out {{ matrix_ssl_certificate_cert_path }} \
      -days 3650
    # Well, this creates 2 files, but Ansible can only check 1.
    creates: "{{ matrix_ssl_certificate_cert_path }}"

- name: Adjust SSL certificate file ownership
  ansible.builtin.file:
    path: "{{ item }}"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - "{{ matrix_ssl_certificate_cert_key_path }}"
    - "{{ matrix_ssl_certificate_cert_path }}"