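---
# OpenVPN server provisioning for an OpenWrt host (opkg + uci).
# All key material lives under /etc/openvpn. The 'reload openvpn' handler
# that most tasks notify is defined elsewhere in the role.

- name: 'install openvpn-openssl package'
  opkg:
    name: 'openvpn-openssl'
    state: 'present'
  tags:
    - 'packages'

# Generated once; `creates` keeps the task idempotent so the key is never
# silently rotated. `umask 077` is set in the same shell because openssl
# creates the output file subject to the process umask — without it the
# private key may land group- or world-readable.
- name: 'create openvpn private key'
  shell:
    cmd: >-
      umask 077 &&
      openssl genpkey -algorithm ed25519 -out /etc/openvpn/openvpn.key
    creates: '/etc/openvpn/openvpn.key'
  notify: 'reload openvpn'
  tags:
    - 'tls_int'

# Shouldn't be required for TLSv1.3
#
#- name: create openvpn dh2048
#  shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
#  args:
#    creates: /etc/openvpn/dh2048.pem
#  notify: reload openvpn

# Each CA bundle is the intermediate CA followed by the root CA, both
# supplied as variables. The server bundle is also what the certificate
# probe below verifies against, so a rotated bundle must reload the
# service just like the user bundle does.
- name: 'upload server ca'
  copy:
    content: '{{ tls_vpn_server_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/server_ca.crt'
  notify: 'reload openvpn'
  tags:
    - 'tls_int'

- name: 'upload user ca'
  copy:
    content: '{{ tls_vpn_user_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/user_ca.crt'
  notify: 'reload openvpn'
  tags:
    - 'tls_int'

# Probe only: a missing, expired or untrusted certificate gives rc != 0,
# which drives the two (re)issuance tasks below. The probe never reports
# a change and never fails the play on its own.
- name: 'check openvpn cert status'
  command: >-
    openssl verify -CAfile /etc/openvpn/server_ca.crt
    /etc/openvpn/openvpn.crt
  register: openvpn_cert_is_valid
  changed_when: false
  failed_when: false
  tags:
    - 'tls_int'

# The subject is assembled in Jinja and passed through `quote`, so a
# hostname or subject prefix containing shell metacharacters cannot
# break out of the single -subj argument.
- name: 'create openvpn cert request'
  shell: >-
    openssl req -new
    -subj {{ (x509_subject_prefix ~ '/OU=Server/CN=' ~ server_fqdn) | quote }}
    -key /etc/openvpn/openvpn.key
    -out /etc/openvpn/openvpn.csr
  when: openvpn_cert_is_valid.rc != 0
  tags:
    - 'tls_int'

# Hand the CSR to the shared signing flow; the signed certificate is
# written back to /etc/openvpn/openvpn.crt, where the probe above looks.
- import_tasks: 'ca-signing-request.yaml'
  vars:
    host: '{{ server_fqdn }}'
    request_path: '/etc/openvpn/openvpn.csr'
    output_path: '/etc/openvpn/openvpn.crt'
  when: openvpn_cert_is_valid.rc != 0
  notify: 'reload openvpn'
  tags:
    - 'tls_int'

# The rendered uci config is root-only (0400); the result is registered so
# the uci commit below runs only when the file actually changed.
- name: 'write openvpn configuration'
  template:
    dest: '/etc/config/openvpn'
    src: 'openvpn.j2'
    owner: 'root'
    group: 'root'
    mode: '0400'
  register: config_updated
  notify: 'reload openvpn'

# `command` rather than `shell`: no redirection, pipes or expansion here.
- name: 'commit openvpn configuration to uci'
  command: 'uci commit openvpn'
  notify: 'reload openvpn'
  when: config_updated.changed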