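---
# Provision an OpenVPN endpoint on OpenWrt: generate a host RSA key and CSR,
# get the CSR signed through the interactive CA dialog (ca-dialog.yaml),
# then render the CA fullchain and the UCI openvpn configuration.
#
# Variables expected from the caller: openvpn_key, openvpn_csr, openvpn_crt.
# Handler expected from the caller: "reload openvpn".
# ca-dialog.yaml is expected to read `ca_request` and register `request_result`
# (its stdout is parsed as JSON below) — confirm against that file.

- name: install openvpn-openssl package
  opkg:
    name: openvpn-openssl
    state: present

# Host private key. The original requested 2047 bits, which is a typo for the
# conventional 2048 minimum. `creates` keeps this idempotent so an existing key
# is never silently regenerated (which would invalidate the issued certificate).
# `command` is used instead of `shell` because no shell features are needed.
- name: create openvpn KEY
  command: 'openssl genrsa -out {{ openvpn_key }} 2048'
  args:
    creates: "{{ openvpn_key }}"
  notify: reload openvpn

# Do not rely on the umask openssl happened to run under: the private key must
# be readable by root only.
- name: restrict openvpn KEY permissions
  file:
    path: "{{ openvpn_key }}"
    owner: root
    group: root
    mode: "0600"

- name: create openvpn dh2048
  command: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
  args:
    creates: /etc/openvpn/dh2048.pem
  notify: reload openvpn

# The CSR is written to {{ openvpn_csr }} from {{ openvpn_key }} — the same
# paths used by `creates` and by the "read CSR" task below. The original
# hard-coded /etc/openvpn/openvpn.{key,csr} here, so a different value of
# openvpn_key/openvpn_csr would have produced a CSR from the wrong key and
# re-run this task on every play.
# NOTE(review): the CN uses ansible_hostname while the CA request below uses
# inventory_hostname — confirm these resolve to the same name on every host,
# otherwise the issued certificate may not match the requested hostName.
- name: create CSR
  command: >-
    openssl req -new -sha256
    -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ ansible_hostname }}.lilik.it"
    -key {{ openvpn_key }} -out {{ openvpn_csr }}
  args:
    creates: "{{ openvpn_csr }}"
  notify: reload openvpn

- name: check if openvpn cert key exist
  stat:
    path: "{{ openvpn_crt }}"
  register: openvpn_cert_key

# The whole CA dialog is gated on the certificate being absent: re-running the
# play must not submit a new sign request for a host that already has a cert.
- block:
    # The CSR (not a bare public key) is what gets sent as keyData.
    - name: get pub key
      command: "cat {{ openvpn_csr }}"
      register: pub_key

    - debug:
        var: pub_key
        verbosity: 2

    - name: generate host request
      set_fact:
        ca_request:
          type: 'sign_request'
          request:
            keyType: 'ssl_host'
            hostName: '{{ inventory_hostname }}.lilik.it'
            keyData: '{{ pub_key.stdout }}'

    # The original printed `cert_request`, a variable that is never set.
    - debug:
        var: ca_request
        verbosity: 2

    # `include` is what this playbook targets; on newer ansible-core this is
    # `include_tasks`.
    - name: start sign request
      include: ca-dialog.yaml

    - set_fact:
        request_output: "{{ request_result.stdout | string | from_json }}"

    - debug:
        var: request_output

    - name: generate get request
      set_fact:
        ca_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    # Blocks until the operator has confirmed the request on the CA side.
    - name: wait for cert
      include: ca-dialog.yaml

    - set_fact:
        cert_key: "{{ request_result.stdout | string | from_json }}"

    - debug:
        var: request_result
        verbosity: 2

    # The certificate is public; default file mode is fine here.
    - name: set pub key
      copy:
        content: "{{ cert_key.result }}"
        dest: "{{ openvpn_crt }}"
      register: set_pub_key
  when: not openvpn_cert_key.stat.exists

# CA certificates rendered (in this order) into the fullchain by fullchain.j2.
- set_fact:
    certificates:
      - files/lilik_ca_x1.pub
      - files/lilik_ca_v1.pub

- name: create vpn fullchain
  template:
    src: fullchain.j2
    dest: /etc/openvpn/fullchain.crt
  notify: reload openvpn

# Mode is quoted so YAML does not parse it as a number.
- name: write openvpn configuration
  template:
    dest: /etc/config/openvpn
    src: openvpn.j2
    owner: root
    group: root
    mode: "0400"
  register: new_vpn_config
  notify: reload openvpn

# UCI keeps staged changes until committed; commit only when the rendered
# config actually changed.
- name: commit openvpn configuration to uci
  command: 'uci commit openvpn'
  notify: reload openvpn
  when: new_vpn_config.changed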