---
- name: Sanity checks
  ansible.builtin.assert:
    that:
      - selfsignedcert_basename | default("") != ""


- name: Generate private key
  community.crypto.openssl_privatekey:
    path: '{{ selfsignedcert_basename }}.{{ selfsignedcert_suffix_key }}'
    size: '{{ selfsignedcert_keysize | default(2048) }}'
    mode: '0600'
  register: selfsignedcert_result_key


- name: Generate CSR
  community.crypto.openssl_csr:
    path: '{{ selfsignedcert_basename }}.{{ selfsignedcert_suffix_csr }}'
    privatekey_path: '{{ selfsignedcert_basename }}.{{ selfsignedcert_suffix_key }}'
    common_name: '{{ selfsigned_cn | default(ansible_hostname) }}'
    subject_alt_name: '{{ selfsigned_san | default([]) }}'


- name: Generate certificate
  community.crypto.x509_certificate:
    path: '{{ selfsignedcert_basename }}.{{ selfsignedcert_suffix_crt }}'
    privatekey_path: '{{ selfsignedcert_basename }}.{{ selfsignedcert_suffix_key }}'
    csr_path: '{{ selfsignedcert_basename }}.{{ selfsignedcert_suffix_csr }}'
    provider: selfsigned
  register: selfsignedcert_result_crt


- name: Combine key and certificate
  ansible.builtin.template:
    src: combined.j2
    dest: '{{ selfsignedcert_basename }}.{{ selfsignedcert_suffix_combined }}'
    mode: '0600'
    backup: true
  when: not selfsignedcert_suffix_combined