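# Generate (on the Ansible control host) and install (on the target host)
# a CA certificate plus a per-server certificate, private key and keystore.
#
# Variables read by these tasks:
#   opendev_ca_root            - CA working directory on the control host
#   opendev_ca_server          - server name passed to opendev-ca.sh and used
#                                in the generated file names
#   opendev_ca_cert_dir        - install directory on the target host
#   opendev_ca_cert_dir_owner  - owner of the installed dirs and files
#   opendev_ca_cert_dir_group  - group of the installed dirs and files

# NOTE(review): no mode is set here, so this directory gets whatever the
# umask of the user running the delegated task produces. The private keys
# copied below are read from under it, so confirm that access to this
# path on the control host is limited to the account that runs Ansible.
- name: Ensure opendev-ca directory exists
  delegate_to: localhost
  file:
    path: "{{ opendev_ca_root }}"
    state: directory

# Run this in flock so that we can run it in plays for multiple target
# hosts in parallel while serializing access to the CA files.
- name: Run opendev-ca.sh
  delegate_to: localhost
  script: "opendev-ca.sh {{ opendev_ca_root }} {{ opendev_ca_server }}"
  args:
    executable: "flock {{ opendev_ca_root }}/lock"

# Certificates are public material, so the directory is world-readable.
- name: Ensure cert dir exists
  file:
    path: "{{ opendev_ca_cert_dir }}/certs"
    state: directory
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0755'

# Private keys live in a directory only the owner can enter.
- name: Ensure keys dir exists
  file:
    path: "{{ opendev_ca_cert_dir }}/keys"
    state: directory
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0700'

# Ownership and mode are set explicitly on every installed file so the
# result does not depend on the remote umask or on the connecting user.
- name: Copy TLS cacert into place
  copy:
    src: "{{ opendev_ca_root }}/certs/cacert.pem"
    dest: "{{ opendev_ca_cert_dir }}/certs/cacert.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0644'

- name: Copy TLS cert into place
  copy:
    src: "{{ opendev_ca_root }}/certs/{{ opendev_ca_server }}.pem"
    dest: "{{ opendev_ca_cert_dir }}/certs/cert.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0644'

# The key file is owner-only (0600) and owned by the same account as the
# 0700 keys directory, which is the only non-root account that could
# reach it anyway. `diff: false` keeps the key contents out of task
# output when the play is run with --diff.
# NOTE(review): the source name has no separator between the server name
# and "key.pem"; presumably this matches what opendev-ca.sh writes -
# confirm against the script.
- name: Copy TLS key into place
  copy:
    src: "{{ opendev_ca_root }}/keys/{{ opendev_ca_server }}key.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/key.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'
  diff: false

# Installed under keys/, so it is handled like the private key:
# owner-only mode and no diff output.
- name: Copy TLS keystore into place
  copy:
    src: "{{ opendev_ca_root }}/keystores/{{ opendev_ca_server }}.pem"
    dest: "{{ opendev_ca_cert_dir }}/keys/keystore.pem"
    owner: "{{ opendev_ca_cert_dir_owner }}"
    group: "{{ opendev_ca_cert_dir_group }}"
    mode: '0600'
  diff: false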