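---
# TLS provisioning for slapd: install openssl, generate an Ed25519 private
# key, obtain a certificate signed by the internal CA (ca-signing-request.yaml),
# point cn=config at the key/cert/CA files and enable the ldaps:// listener.
#
# Variables expected from the role/inventory (not defined here):
#   tls_root_ca, x509_subject_prefix, server_fqdn

- name: 'install openssl'
  apt:
    pkg: 'openssl'
    state: 'present'
  tags:
    - 'packages'

# umask 077 makes the key file mode 0600 from the moment openssl writes it;
# without it the key sits with the default umask until the ownership task
# below runs (and that task may not run at all if a run is interrupted).
- name: 'create slapd private key'
  shell:
    cmd: >
      umask 077 &&
      openssl genpkey -algorithm ED25519 -out /etc/ldap/slapd.key
    creates: '/etc/ldap/slapd.key'
  tags:
    - 'tls_int'

# Tagged 'tls_int' like the key-generation task, so a `--tags tls_int` run
# that has just created the key also applies owner/group/mode to it.
- name: 'set private key ownership'
  file:
    path: '/etc/ldap/slapd.key'
    owner: 'openldap'
    group: 'openldap'
    mode: '0600'
  tags:
    - 'tls_int'

- name: 'update tls ca'
  copy:
    content: '{{ tls_root_ca }}'
    dest: '/etc/ldap/root_ca.crt'
  tags:
    - 'tls_int'

# rc != 0 when slapd.crt is missing, outside its validity period, or does not
# chain to root_ca.crt; the two tasks after this one re-issue it in that case.
- name: 'check slapd cert status'
  command: >
    openssl verify -CAfile /etc/ldap/root_ca.crt
    -untrusted /etc/ldap/slapd.crt /etc/ldap/slapd.crt
  register: slapd_cert_is_valid
  changed_when: false
  failed_when: false
  tags:
    - 'tls_int'

- name: 'create slapd cert request'
  shell:
    cmd: >
      openssl req -new
      -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}"
      -key /etc/ldap/slapd.key -out /etc/ldap/slapd.csr
  when: slapd_cert_is_valid.rc != 0
  tags:
    - 'tls_int'

- import_tasks: 'ca-signing-request.yaml'
  vars:
    host: '{{ server_fqdn }}'
    request_path: '/etc/ldap/slapd.csr'
    output_path: '/etc/ldap/slapd.crt'
  when: slapd_cert_is_valid.rc != 0
  tags:
    - 'tls_int'

# !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr
# Setting the parameters twice in a row fix the problem.
# Ref: https://github.com/ansible/ansible/issues/25665
# **ToDO: Find the right combination, is still failing at the first run
# but works on the second iteration
# failed_when: false is deliberate: this pass is allowed to fail, the
# 'configuring TLS options' task below is the authoritative one.
- name: 'configuring TLS options (workaround)'
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.name }}'
    values: '{{ item.value }}'
  loop:
    - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
    - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
    - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/root_ca.crt' }
  failed_when: false
  tags:
    - 'tls_int'

- name: 'configuring TLS options'
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.name }}'
    values: '{{ item.value }}'
    state: 'exact'
  loop:
    - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/root_ca.crt' }
    - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
    - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
    # 'try': a client certificate is requested but not required; a client
    # that presents an invalid one is rejected.
    - { name: 'olcTLSVerifyClient', value: 'try' }
    # GnuTLS priority string: TLS 1.3 only (all other versions disabled).
    - { name: 'olcTLSCipherSuite', value: 'SECURE:-VERS-ALL:+VERS-TLS1.3' }
  tags:
    - 'tls_int'

# Listeners: plain ldap, the local ldapi socket, and ldaps on top of the
# certificate configured above. The handler restarts slapd to apply it.
- name: 'configuring slapd service'
  lineinfile:
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
    regexp: '^SLAPD_SERVICES='
    path: '/etc/default/slapd'
  notify: 'restart slapd'
  tags:
    - 'tls_int'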