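# Private-CA bootstrap for nginx: a self-signed root CA plus one wildcard
# server certificate for "*.<base_domain>" issued by it.
#
# NOTE(review): the openssl `command` tasks write under
# playbook_dir/roles/nginx/files, which is a path on the Ansible controller,
# but `command` executes on the managed host; the final `copy` then reads
# `src` from the controller. Unless this play targets localhost, the
# generation tasks need `delegate_to: localhost` — confirm against the play.
#
# NOTE(review): rootca.key is the trust anchor for every certificate issued
# here and is written unencrypted (-nodes) inside the role directory. If that
# directory is under version control, the .key files must be excluded.
#
# Every `command` below is a folded scalar without trailing backslashes: the
# command module does not run a shell, so "\" is not a line-continuation there.
# Each generation task carries a `creates:` guard so a re-run never silently
# re-keys an existing CA or certificate; delete the named file to force it.

- name: generate root ca
  command: >-
    openssl req -x509 -new -nodes
    -newkey rsa:{{ rootca_key_bits | default(2048) }}
    -keyout "{{ playbook_dir }}/roles/nginx/files/rootca.key"
    -out "{{ playbook_dir }}/roles/nginx/files/rootca.pem"
    -sha256
    -days {{ rootca_days | default(3650) }}
    -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
  args:
    # Re-keying the CA invalidates everything it has signed; never do it
    # implicitly. Remove rootca.key to rotate the CA deliberately.
    creates: "{{ playbook_dir }}/roles/nginx/files/rootca.key"
  when: generate_cert.root

- name: generate wildcard csr
  command: >-
    openssl req -new -nodes
    -newkey rsa:{{ wildcard_key_bits | default(2048) }}
    -keyout "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.key"
    -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr"
    -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
  args:
    # The CSR and its private key are produced together; delete the .csr
    # (and the .key) to re-key the wildcard certificate.
    creates: "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr"
  when: generate_cert.wildcard

- name: write x509v3 extensions for the wildcard certificate
  copy:
    dest: "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.ext"
    # Signing a CSR with `openssl x509 -req` and no extension file yields a
    # certificate with no subjectAltName; modern browsers ignore the CN and
    # reject such certificates. A wildcard SAN does not cover the bare
    # domain, so both names are listed. CA:FALSE and serverAuth keep the
    # leaf from being usable as an issuer or for other purposes.
    content: |
      basicConstraints = critical, CA:FALSE
      keyUsage = critical, digitalSignature, keyEncipherment
      extendedKeyUsage = serverAuth
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid, issuer
      subjectAltName = DNS:*.{{ base_domain }}, DNS:{{ base_domain }}
    mode: '0644'
  when: generate_cert.wildcard

- name: sign wildcard csr with root ca
  command: >-
    openssl x509 -req
    -in "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr"
    -CA "{{ playbook_dir }}/roles/nginx/files/rootca.pem"
    -CAkey "{{ playbook_dir }}/roles/nginx/files/rootca.key"
    -CAcreateserial
    -extfile "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.ext"
    -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.crt"
    -days {{ wildcard_days | default(3650) }}
    -sha256
  args:
    # Delete the .crt to re-issue from the existing CSR (e.g. after the
    # extensions or the CA change).
    # NOTE(review): the default keeps the original ten-year leaf lifetime;
    # some client platforms cap accepted server-certificate validity (Apple
    # has documented 825 days), so consider setting wildcard_days lower.
    creates: "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.crt"
  when: generate_cert.wildcard

- name: copy wildcard certificate and key
  copy:
    src: "{{ item.file }}"
    dest: "{{ data_folder }}/nginx/{{ item.file }}"
    # The certificate is public material; only the private key needs to be
    # owner-readable. Neither file needs the execute bit.
    mode: "{{ item.mode }}"
  loop:
    - file: "{{ base_domain }}.crt"
      mode: '0644'
    - file: "{{ base_domain }}.key"
      mode: '0600'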