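---
# file: roles/mariadb_cluster/tasks/certificates-server.yml
#
# Per-node server certificate for the Galera cluster: a private key and a
# certificate signed by the cluster CA held on mariadb_cluster_master.
# The certificate is only issued once (guarded by the stat below); the
# private key task is idempotent and is never regenerated by this file.
# NOTE(review): task names reference hostvars[item], so this file looks like
# it is included per host from a loop — confirm against the including play.

- name: "{{ hostvars[item]['ansible_hostname'] }} - Create private key"
  community.crypto.openssl_privatekey:
    path: /etc/ssl/galera/server.key
    # Explicit mode so the key is never world-readable, independent of the
    # module default or the target's umask.
    mode: "0600"

- name: "{{ hostvars[item]['ansible_hostname'] }} - Check if server certificate exists"
  ansible.builtin.stat:
    path: "/etc/ssl/galera/server.pem"
  register: serverCertCheck

- name: "{{ hostvars[item]['ansible_hostname'] }} - CSR"
  block:
    - name: "{{ hostvars[item]['ansible_hostname'] }} - Create CSR for new certificate"
      community.crypto.openssl_csr_pipe:
        privatekey_path: /etc/ssl/galera/server.key
        common_name: "{{ hostvars[item]['ansible_hostname'] }}"
        # Once a SAN is present, SAN-aware verifiers ignore the CN, so the
        # node's own hostname must be listed here as well as the cluster name.
        subject_alt_name:
          - "DNS:{{ hostvars[item]['ansible_hostname'] }}"
          - "DNS:{{ mariadb_cluster_wsrep_cluster_name }}"
      register: csr

    - name: "{{ hostvars[item]['ansible_hostname'] }} - Sign certificate with CA"
      community.crypto.x509_certificate_pipe:
        csr_content: "{{ csr.csr }}"
        provider: ownca
        ownca_path: /etc/ssl/galera/ca-certificate.pem
        ownca_privatekey_path: /etc/ssl/galera/ca-certificate.key
        ownca_not_after: "{{ mariadb_cluster_cert_length }}"
        # Backdated validity start, presumably to tolerate clock skew
        # between the CA host and the node.
        ownca_not_before: "-1d"
      # Signing happens on the CA host; the CA private key never leaves it.
      delegate_to: "{{ mariadb_cluster_master }}"
      register: certificate

    - name: "{{ hostvars[item]['ansible_hostname'] }} - Write certificate file"
      ansible.builtin.copy:
        dest: /etc/ssl/galera/server.pem
        content: "{{ certificate.certificate }}"
        # The certificate is public; readable by the database service user.
        mode: "0644"
  # Issue a certificate only on first run; existing certificates are kept.
  when: not serverCertCheck.stat.exists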