---
# Molecule converge playbook for the oxlorg.certs role.
# Play 1 exercises the 'selfsigned' and 'ca' modes against an internal host;
# play 2 exercises the 'le_certbot' mode against the LetsEncrypt staging environment.
# Nesting below was reconstructed from a collapsed source -- verify against the role's defaults.
# todo: test revoking

- name: Converge Internal
  hosts: test-ag-certs-internal
  roles:
    # self-signed server certificate with SAN, DN fields and CRL distribution point
    - role: oxlorg.certs
      vars:
        certs:
          mode: 'selfsigned'
          path: '/etc/ssl/test1'
          cert:
            name: 'self_srv'
            domains:
              - 'cert.test.oxl.at'
            ips:
              - '192.168.0.1'
            cn: 'SelfSigned Server Cert'
            org: 'AnsibleGuy Test'
            email: 'testmaster@oxl.at'
            ou: 'Test'
            country: 'AT'
            state: 'Styria'
            locality: 'Unknown'
            valid_days: 5  # short-lived on purpose; these are throw-away test certs
            key_usage: 'serverAuth'
            crl_distribution:
              crl_issuer: 'URI:https://ca.template.oxl.at/'
              full_name: 'URI:https://ca.template.oxl.at/revocations.crl'
              reasons:
                - 'key_compromise'
                - 'ca_compromise'

    # self-signed client certificate, minimal options
    - role: oxlorg.certs
      vars:
        certs:
          mode: 'selfsigned'
          path: '/etc/ssl/test2'
          cert:
            name: 'self_cli'
            cn: 'SelfSigned Client Cert'
            key_usage: 'clientAuth'

    # self-signed certificate with a free-form SAN list instead of domains/ips
    - role: oxlorg.certs
      vars:
        certs:
          mode: 'selfsigned'
          path: '/etc/ssl/test3'
          cert:
            name: 'self_other'
            san_other: 'DNS:cert.templates.oxl.at,email:other@cert.template.oxl.at'
            cn: 'SelfSigned Other Cert'

    # CA-signed server certificate, CA created with role defaults
    # NOTE(review): reuses /etc/ssl/test3 from the 'self_other' cert above -- confirm the shared directory is intended
    - role: oxlorg.certs
      vars:
        certs:
          mode: 'ca'
          path: '/etc/ssl/test3'
          cert:
            name: 'self_minca_srv'
            domains:
              - 'cert.test.oxl.at'
            ips:
              - '192.168.0.1'
            cn: 'CA-Signed Server Cert'
            org: 'AnsibleGuy Test'
            email: 'testmaster@oxl.at'
            ou: 'Test'
            country: 'AT'
            state: 'Styria'
            locality: 'Unknown'
            valid_days: 5
            key_usage: 'serverAuth'
            crl_distribution:
              crl_issuer: 'URI:https://ca.template.oxl.at/'
              full_name: 'URI:https://ca.template.oxl.at/revocations.crl'
              reasons:
                - 'key_compromise'
                - 'ca_compromise'

    # CA-signed client certificate, minimal options
    - role: oxlorg.certs
      vars:
        certs:
          mode: 'ca'
          path: '/etc/ssl/test4'
          cert:
            name: 'self_minca_cli'
            cn: 'CA-Signed Client Cert'
            key_usage: 'clientAuth'

    # CA-signed server certificate with passphrase-protected keys for both cert and CA
    - role: oxlorg.certs
      vars:
        certs:
          mode: 'ca'
          path: '/etc/ssl/test5'
          cert:
            name: 'self_minca_pwd'
            domains:
              - 'cert.test.oxl.at'
            ips:
              - '192.168.0.1'
            cn: 'CA-Signed Server Cert'
            pwd: 'Nope.'  # test-only passphrase; this file is committed to VCS
            key_usage: 'serverAuth'
            crl_distribution:
              crl_issuer: 'URI:https://ca.template.oxl.at/'
              full_name: 'URI:https://ca.template.oxl.at/revocations.crl'
              reasons:
                - 'key_compromise'
                - 'ca_compromise'
          ca:
            path: '/etc/ssl/test5/ca'
            # test-only passphrase; this file is committed to VCS
            pwd: 'YouWantMyTreasure?YouCanHaveIt!SearchForIt-SomewhereOutThere-Hidden-IsTheBiggestTreasureOfTheWorld.'
            cn: 'SelfSigned CA Cert'
            org: 'AnsibleGuy Test'
            email: 'testmaster@oxl.at'
            ou: 'Test'
            country: 'AT'
            state: 'Styria'
            locality: 'Unknown'
            valid_days: 5

- name: Converge LetsEncrypt
  hosts: test-ag-certs-letsencrypt
  vars:
    testing: true  # target letsencrypt-staging
    certs:
      mode: 'le_certbot'
      letsencrypt:
        certs:
          test:
            domains:
              - 'infra-certs.test.oxl.at'
            email: 'testmaster@oxl.at'
            path: '/etc/ssl/le_test'
            renew_timer: 'Mon *-*-* 03:00:00'  # systemd OnCalendar syntax; quoted because of the '*' sigils
            service: 'nginx'
  roles:
    - oxlorg.certs