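---
# Install the smallstep step CLI and step-ca on a Debian-based host, initialise
# the CA, and manage its provisioners.
#
# Expected from elsewhere in the play: the variable `pki_name`, the templates
# `password.txt.j2` and `step-ca.service.j2`, and the handlers `reload systemd`
# and `restart step-ca`. The apt/user/template tasks below write to /etc, so the
# play is assumed to already run with root privileges.

- name: show ansible_architecture
  ansible.builtin.debug:
    var: ansible_architecture

# Package URLs are chosen per CPU architecture. Releases are pinned; bump the
# step-cli and step-ca entries of every architecture together.
- name: set package-names for aarch64
  ansible.builtin.set_fact:
    step: https://github.com/smallstep/cli/releases/download/v0.24.2-rc.6/step-cli_0.24.2-rc.6_arm64.deb
    stepca: https://github.com/smallstep/certificates/releases/download/v0.24.3-rc.2/step-ca_0.24.3-rc.2_arm64.deb
  when: ansible_architecture == "aarch64"

# FIX: the amd64 `step` URL used to point at the step-ca package, so the step
# CLI was never installed on amd64 hosts (the later `step ca provisioner ...`
# commands depend on it). It now mirrors the aarch64 entry with the arm64
# suffix replaced by amd64, i.e. the same pinned step-cli release.
- name: set package-names for amd64
  ansible.builtin.set_fact:
    step: https://github.com/smallstep/cli/releases/download/v0.24.2-rc.6/step-cli_0.24.2-rc.6_amd64.deb
    stepca: https://github.com/smallstep/certificates/releases/download/v0.24.3-rc.2/step-ca_0.24.3-rc.2_amd64.deb
  when: ansible_architecture == "amd64"

# Unsupported architecture: end the play instead of failing on an undefined
# variable in the apt tasks.
- name: stop when facts not set to download Packages
  ansible.builtin.meta: end_play
  when: step is not defined or stepca is not defined

# NOTE(review): both .deb files are fetched straight from GitHub releases and
# installed without a checksum or signature check. Downloading them first with
# ansible.builtin.get_url and a pinned `checksum:` (value to be taken from the
# release page) and then passing the local path to `deb:` would close that gap.
- name: Install step-cli
  ansible.builtin.apt:
    deb: "{{ step }}"

- name: Install step-ca
  ansible.builtin.apt:
    deb: "{{ stepca }}"

# Dedicated service account; its home doubles as the CA's config/state root.
- name: create user for step-ca
  ansible.builtin.user:
    name: step
    state: present
    shell: /bin/false  # no interactive login
    system: true
    createhome: true
    home: /etc/step-ca

# This file holds the password used for both the CA key and the default
# provisioner (see the init command below), so treat it as a secret.
# NOTE(review): 0770 grants group write/execute on a password file; step-ca
# only needs to read it as user `step`, so 0600 would suffice. Note that the
# recursive chmod after init re-applies 0770 to the whole tree, so both tasks
# would have to be tightened together.
- name: generate /etc/step-ca/password.txt
  ansible.builtin.template:
    src: password.txt.j2
    dest: /etc/step-ca/password.txt
    owner: step
    group: step
    mode: "0770"

# One-shot initialisation; `creates` makes it idempotent. Runs as `step` so the
# generated keys and config are owned by the service user. The folded scalar
# is joined into a single command line.
- name: init step-ca
  ansible.builtin.command: >-
    sudo -u step step ca init --name="{{ pki_name }}" --dns {{ ansible_hostname }}
    --issuer="{{ pki_name }}" --address=:4343 --provisioner="{{ pki_name }}"
    --password-file=/etc/step-ca/password.txt
    --provisioner-password-file=/etc/step-ca/password.txt
  args:
    creates: /etc/step-ca/.step/config

# NOTE(review): recursive 0770 marks every file under /etc/step-ca (including
# private keys) as group-writable and executable; 0700 on directories and
# 0600 on files would be the least-privilege layout.
- name: set permissions correct
  ansible.builtin.file:
    dest: /etc/step-ca
    owner: step
    group: step
    mode: "0770"
    recurse: true

- name: generate /etc/systemd/system/step-ca.service
  ansible.builtin.template:
    src: step-ca.service.j2
    dest: /etc/systemd/system/step-ca.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload systemd

# Disabled: earlier workaround that rewrote the badger DB settings in ca.json.
# Kept for reference; re-enable only if the generated ca.json still needs it.
# - name: correct ca.json step 1
#   ansible.builtin.lineinfile:
#     path: /etc/step-ca/.step/config/ca.json
#     line: "{{'\t'}}{{'\t'}}\"type\": \"badgerV2\","
#     state: present
#     regexp: "^{{'\t'}}{{'\t'}}\"type\": \"badger"
#   notify:
#     - restart step-ca
#
# - name: correct ca.json step 2
#   ansible.builtin.lineinfile:
#     path: /etc/step-ca/.step/config/ca.json
#     line: "{{'\t'}}{{'\t'}}\"badgerFileLoadingMode\": \"FileIO\""
#     state: present
#     regexp: "^{{'\t'}}{{'\t'}}\"badgerFileLoadingMode\":"
#   notify:
#     - restart step-ca

# Make sure the unit file is picked up before enabling the service.
- name: Flush handlers
  ansible.builtin.meta: flush_handlers

- name: enable step-ca
  ansible.builtin.systemd:
    name: step-ca
    enabled: true
    masked: false
  notify: restart step-ca

# Restart now so the provisioner changes below apply to a running CA.
- name: Flush handlers
  ansible.builtin.meta: flush_handlers

# Presence probe: lineinfile in check_mode never edits ca.json, but reports
# `changed` when no line matching the ACME regexp exists.
- name: check for acme provisioner
  ansible.builtin.lineinfile:
    path: /etc/step-ca/.step/config/ca.json
    regexp: '.*"type": "ACME",.*'
    line: "{{'\t'}}{{'\t'}}{{'\t'}}{{'\t'}}\"type\": \"ACME\","
    state: present
  check_mode: true
  register: acmepresent

- name: add acme provisioner
  ansible.builtin.command: sudo -u step step ca provisioner add acme --type ACME
  when: acmepresent is changed
  notify:
    - restart step-ca

# Inverse probe: with `state: absent` the task reports `changed` when a JWK
# provisioner line still exists. NOTE(review): the regexp matches any JWK
# provisioner, while the removal below targets only the one named
# `pki_name`; a second JWK provisioner would make this pair run on every play.
- name: check for default JWK provisioner
  ansible.builtin.lineinfile:
    path: /etc/step-ca/.step/config/ca.json
    regexp: '.*"type": "JWK",.*'
    line: "{{'\t'}}{{'\t'}}{{'\t'}}{{'\t'}}\"type\": \"JWK\","
    state: absent
  check_mode: true
  register: jwkabsent

# The default JWK provisioner created by `step ca init` is removed so that
# only the ACME provisioner can issue certificates.
- name: remove jwk provisioner
  ansible.builtin.command: sudo -u step step ca provisioner remove "{{ pki_name }}"
  when: jwkabsent is changed
  notify:
    - restart step-ca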