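---
# OpenVPN (OpenWrt) role tasks: install the package, deploy the CA bundles,
# obtain a server certificate through the `ca_cert` role, render the UCI
# configuration and commit it. Handlers referenced: `reload openvpn`.

- name: 'install openvpn-openssl package'
  opkg:
    name: 'openvpn-openssl'
    state: 'present'
  tags:
    - 'packages'

# Shouldn't be required for TLSv1.3
#
#- name: create openvpn dh2048
#  shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
#  args:
#    creates: /etc/openvpn/dh2048.pem
#  notify: reload openvpn

# Server-side CA bundle: the `openvpn_tls_server_ca` variable followed by
# `tls_root_ca` (presumably intermediate + root). It is the CA the server
# certificate below is issued from, so a change must reach the running daemon
# via the same handler the user-CA task already notifies.
- name: 'upload server ca'
  copy:
    content: '{{ openvpn_tls_server_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/server_ca.crt'
    owner: 'root'
    group: 'root'
    mode: '0644'  # public certificates; explicit so the umask cannot widen it
  notify: 'reload openvpn'
  tags:
    - 'tls_int'

# Client-side CA bundle used to verify user certificates.
- name: 'upload user ca'
  copy:
    content: '{{ openvpn_tls_user_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/user_ca.crt'
    owner: 'root'
    group: 'root'
    mode: '0644'  # public certificates; explicit so the umask cannot widen it
  notify: 'reload openvpn'
  tags:
    - 'tls_int'

# Key, CSR and certificate for this host are produced by the `ca_cert` role;
# the key file's permissions are that role's responsibility.
- name: 'generate and sign server certificate'
  import_role:
    name: 'ca_cert'
  vars:
    ca_cert_common_name: '{{ host_fqdn }}'
    ca_cert_proto: 'tls'
    ca_cert_tls_ca_path: '/etc/openvpn/server_ca.crt'
    ca_cert_tls_key_path: '/etc/openvpn/openvpn.key'
    ca_cert_tls_csr_path: '/etc/openvpn/openvpn.csr'
    ca_cert_tls_cert_path: '/etc/openvpn/openvpn.crt'

# UCI config is root-only (0400): it may carry shared secrets from the template.
- name: 'write openvpn configuration'
  template:
    dest: '/etc/config/openvpn'
    src: 'openvpn.j2'
    owner: 'root'
    group: 'root'
    mode: '0400'
  register: config_updated
  notify: 'reload openvpn'

# `command` rather than `shell`: the argument is fixed and needs no shell
# features, so no interpreter is involved. Only runs when the template changed.
- name: 'commit openvpn configuration to uci'
  command: 'uci commit openvpn'
  notify: 'reload openvpn'
  when: config_updated.changed
...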