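---
# Obtains (or renews) a Let's Encrypt certificate for a FreeIPA server using
# certbot in standalone mode, then packages it as PKCS#12 for import.
# Assumes inventory_hostname is the public DNS name the certificate is issued
# for and that TCP/80 is reachable from the internet during the HTTP-01
# challenge.
#
# NOTE(review): the source this was restored from had lost its indentation;
# task nesting below follows the block names and ordering — confirm against
# the original file.

- name: "FreeIPA Certificates | PATCH | Install latest certbot"
  ansible.builtin.dnf:
    name: certbot
    state: latest
    update_cache: true

# The info module fails when no certificate exists yet; that failure is the
# signal for "first issuance", so it is kept with ignore_errors rather than
# masked with failed_when (which would reset the registered .failed flag).
- name: "FreeIPA Certificates | AUDIT | Check for existing certificate expiry"
  community.crypto.x509_certificate_info:
    path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
  register: freeipa_certs_existing_cert
  ignore_errors: true

# not_after is reported in UTC (%Y%m%d%H%M%SZ), so compare against UTC now()
# rather than the controller's local time.
- name: "FreeIPA Certificates | AUDIT | Calculate days until expiry"
  ansible.builtin.set_fact:
    freeipa_certs_days_until_expiry: "{{ ((freeipa_certs_existing_cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - now(utc=true)).days }}"
  when: freeipa_certs_existing_cert.not_after is defined

- name: "FreeIPA Certificates | AUDIT | Print days until expiry"
  ansible.builtin.debug:
    msg: "{{ freeipa_certs_days_until_expiry }}"
  when: freeipa_certs_existing_cert.not_after is defined

# Short-circuit evaluation matters here: when the info task failed, the days
# fact is undefined and must not be evaluated.
- name: "FreeIPA Certificates | PATCH | Request a new or renewed certificate"
  when: (freeipa_certs_existing_cert.failed) or (freeipa_certs_days_until_expiry | int < 30)
  block:
    # Chain material is fetched over HTTPS (get_url validates the server
    # certificate by default). Consider adding a `checksum:` once the
    # published digests for these files have been recorded.
    - name: "FreeIPA Certificates | PATCH | Download Let's Encrypt Root"
      ansible.builtin.get_url:
        url: "https://letsencrypt.org/certs/{{ item }}.pem"
        dest: "/root/{{ item }}.pem"
        owner: root
        group: root
        mode: "0600"
      with_items:
        - isrgrootx1
        - isrg-root-x2

    - name: "FreeIPA Certificates | PATCH | Download Let's Encrypt Intermediates"
      ansible.builtin.get_url:
        url: "https://letsencrypt.org/certs/2024/{{ item }}.pem"
        dest: "/root/{{ item }}.pem"
        owner: root
        group: root
        mode: "0600"
      with_items:
        - e7-cross
        - e8-cross
        - r12
        - r13

    # No state: given, so this only reads the unit's status.
    - name: "FreeIPA Certificates | AUDIT | Check httpd"
      ansible.builtin.systemd_service:
        name: httpd
      register: freeipa_certs_httpd_status

    # certbot --standalone binds TCP/80 itself; httpd is stopped only if it
    # was running, and the always: section restarts it in that case.
    - name: "FreeIPA Certificates | PATCH | Stop httpd"
      ansible.builtin.systemd_service:
        name: httpd
        state: stopped
      when: freeipa_certs_httpd_status.status.ActiveState == "active"

    # Runtime-only opening (no permanent: true); removed again in always:.
    - name: "FreeIPA Certificates | PATCH | Add http service to firewall (in case freeipa service is not yet configured)"
      ansible.posix.firewalld:
        service: http
        state: enabled

    # argv form avoids any word-splitting surprises with the templated name.
    - name: "FreeIPA Certificates | PATCH | Request new certificate"
      ansible.builtin.command:
        argv:
          - certbot
          - certonly
          - --standalone
          - --preferred-challenges
          - http
          - --agree-tos
          - -n
          - -d
          - "{{ inventory_hostname }}"
          - --register-unsafely-without-email
      when: freeipa_certs_existing_cert.failed

    - name: "FreeIPA Certificates | PATCH | Renew existing certificate"
      ansible.builtin.command:
        argv:
          - certbot
          - renew
      when: not freeipa_certs_existing_cert.failed

    # Bundle key + leaf + chain for import; the file holds the private key,
    # hence root-only 0600.
    - name: "FreeIPA Certificates | PATCH | Create PKCS#12 encoded certificate"
      community.crypto.openssl_pkcs12:
        action: export
        path: /root/server.p12
        friendly_name: "{{ inventory_hostname }}"
        privatekey_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem"
        certificate_path: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem"
        other_certificates: "/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem"
        other_certificates_parse_all: true
        owner: root
        group: root
        mode: "0600"

  # Runs whether or not certbot succeeded, so a failed challenge never leaves
  # httpd stopped or the temporary http firewall opening in place.
  always:
    - name: "FreeIPA Certificates | PATCH | Remove http service from firewall"
      ansible.posix.firewalld:
        service: http
        state: disabled

    # default('') covers the case where the block failed before or during the
    # "Check httpd" task and no usable status was registered.
    - name: "FreeIPA Certificates | PATCH | Start httpd"
      ansible.builtin.systemd_service:
        name: httpd
        state: started
      when: freeipa_certs_httpd_status.status.ActiveState | default('') == "active"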