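---
# Issue a TLS certificate for www.konchin.com signed by the local root CA,
# then assemble a full-chain PEM (leaf certificate followed by the root).

- name: Install www directory
  ansible.builtin.file:
    path: /etc/pki/www.konchin.com
    state: directory
    # Root-only directory: it holds the server's private key.
    mode: '0700'
    owner: root
    group: root

- name: Create private key for www
  community.crypto.openssl_privatekey:
    path: /etc/pki/www.konchin.com/cert.key
    # Set explicitly, matching the directory and full-chain tasks, so the
    # key's permissions do not depend on module defaults or the umask.
    mode: '0600'
    owner: root
    group: root

- name: Create CSR for www
  # The *_pipe variant returns the CSR in the registered result instead of
  # writing it to disk; it is consumed below as csr.csr.
  community.crypto.openssl_csr_pipe:
    privatekey_path: /etc/pki/www.konchin.com/cert.key
    subject_alt_name:
      - 'DNS:www.konchin.com'
      # Wildcard SAN: this one key is valid for every single-label
      # subdomain, so its exposure affects all of them.
      - 'DNS:*.konchin.com'
  register: csr

- name: Sign with root ca
  # NOTE(review): the CA private key is read from the managed host. Confirm
  # this play targets a dedicated CA host and not the web server itself.
  community.crypto.x509_certificate:
    path: /etc/pki/www.konchin.com/cert.pem
    csr_content: "{{ csr.csr }}"
    provider: ownca
    ownca_path: /etc/pki/konchin.com/rootca.pem
    ownca_privatekey_path: /etc/pki/konchin.com/rootca.key
    # Presumably supplied from an encrypted source such as Ansible Vault;
    # verify it is never stored in plain text in the repository.
    ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
    # Relative timestamps are quoted so they are always read as strings.
    ownca_not_after: '+365d'  # valid for one year
    ownca_not_before: '-1d'  # valid since yesterday
    return_content: true
  register: cert

- name: Create full chain
  block:
    - name: Slurp root ca
      # slurp returns the file base64-encoded; it is decoded in the template.
      ansible.builtin.slurp:
        src: /etc/pki/konchin.com/rootca.pem
      register: rootca

    - name: Create full chain cert
      ansible.builtin.copy:
        # Leaf certificate first, then the root CA certificate.
        content: |
          {{ cert.certificate | trim }}
          {{ rootca['content'] | b64decode | trim }}
        dest: /etc/pki/www.konchin.com/full-chain.pem
        mode: '0600'
        owner: root
        group: root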