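---
# Create key and certificate files for an ocserv client. Run with:
#
#   ansible-playbook playbooks/ocserv-create-user-cert.yml -euser=<name> -egroup=<group> [-edays=<n>] [-ekey_bits=<bits>]
#
# Default certificate lifetime is 365 days; default RSA key size is 2048 bits
# (openssl genpkey's own default, made explicit here).
#
# The private key is generated on the controller (delegate_to: localhost) and
# written to inventory_dir; it is never copied to the server.  Only the CSR is
# sent to the server for signing, and the signed certificate comes back in the
# task's stdout.  NOTE(review): inventory_dir is presumably under version
# control -- make sure the generated *.key files are ignored there (confirm).

- hosts: vrata
  gather_facts: false
  tasks:
    # user/group/days are caller-supplied (-e).  They end up in shell command
    # lines, in file names on both the controller and the server (as root),
    # and in the certificate DN, so restrict them to a safe character set:
    # no shell metacharacters, no '/' (the -subj DN separator and the path
    # separator) and no leading '.' so '..' path segments are impossible.
    - name: Validate caller-supplied variables
      assert:
        that:
          - user is defined
          - group is defined
          - user is match('^[A-Za-z0-9][A-Za-z0-9._@-]*$')
          - group is match('^[A-Za-z0-9][A-Za-z0-9._@-]*$')
          - (days | default(365) | string) is match('^[1-9][0-9]*$')
          - (key_bits | default(2048) | string) is match('^[1-9][0-9]*$')
        fail_msg: >-
          user and group must be set and contain only [A-Za-z0-9._@-]
          (not starting with '.'); days and key_bits must be positive integers

    - name: Set certificate filename
      set_fact:
        # Unique per host, user and invocation: %s.%f is epoch seconds plus
        # microseconds, so repeated runs do not overwrite earlier files.
        filename: "{{ inventory_hostname }}-{{ user }}-{{ now(utc=true, fmt='%s.%f') }}"

    - name: Create client key and signing request
      delegate_to: localhost
      shell:
        # umask 077: openssl writes the key with the process umask, which by
        # default leaves the client's private key world-readable.
        cmd: |
          umask 077
          openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:{{ key_bits | default(2048) }} -out "{{ filename }}.key"
          openssl req -new -subj "/O=fri/OU={{ group }}/CN={{ user }}" -key "{{ filename }}.key" -out "{{ filename }}.csr"
        chdir: "{{ inventory_dir }}"

    # Sign the CSR with the server's CA, keep a copy of the certificate on the
    # server and return its text to the controller via stdout.
    - name: Sign certificate request
      shell:
        # Write with -out and cat afterwards instead of piping through tee:
        # with a pipe the task's exit status is tee's, so a failed openssl
        # (bad CSR, unreadable CA key, ...) would register an empty
        # certificate and the play would carry on as if it had succeeded.
        # NOTE(review): no -CAserial/-CAcreateserial is passed; depending on
        # the OpenSSL version the serial file next to ca.crt may have to
        # exist already -- confirm on the target.
        cmd: >
          openssl x509 -req -sha256
          -CA /etc/ocserv/ca.crt -CAkey /etc/ocserv/ca.key
          -days "{{ days | default(365) }}"
          -out "{{ filename }}.crt"
          && cat "{{ filename }}.crt"
        stdin: "{{ lookup('file', inventory_dir+'/'+filename+'.csr') }}"
        chdir: /var/lib/ocserv/certs
      register: user_certificate

    - name: Store client certificate
      delegate_to: localhost
      copy:
        dest: "{{ inventory_dir }}/{{ filename }}.crt"
        # stdout has its trailing newline stripped; put it back so the PEM
        # file ends with a newline like the copy kept on the server.
        content: "{{ user_certificate.stdout }}\n"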