---

- set_fact:
    matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
    matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
    matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"

- name: Check if SSL certificate file exists
  stat:
    path: "{{ matrix_ssl_certificate_cert_path }}"
  register: matrix_ssl_certificate_cert_path_stat_result

# In order to do any sort of generation (below), we need to ensure the directory exists first
- name: Ensure SSL certificate directory exists
  file:
    path: "{{ matrix_ssl_certificate_csr_path|dirname }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"

# The proper way to do this is by using a sequence of
# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
#
# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
# which is not available on CentOS 7 (at least).
#
# We'll do it in a more manual way.
- name: Generate SSL certificate
  command: |
    openssl req -x509 \
    -sha256 \
    -newkey rsa:4096 \
    -nodes \
    -subj "/CN={{ domain_name }}" \
    -keyout {{ matrix_ssl_certificate_cert_key_path }} \
    -out {{ matrix_ssl_certificate_cert_path }} \
    -days 3650
  when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"