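---
# For public credentials, we always generate self-signed certificates
# and store them in /etc/credentials/selfsigned. These are good for
# testing, and as a fallback. In production, some sort of automation
# will manage these credentials and the services will use those
# instead.
#
# Expects the variable `cn` (the certificate's common name). It is used
# both as a directory name and as the certificate subject, so it is
# never handed to a shell here.

- name: "Create the credential directory for {{ cn }}"
  # NOTE(review): directory keeps default owner/mode; confirm that the
  # public-credentials group can traverse it to reach privkey.pem.
  file:
    path: "/etc/credentials/selfsigned/{{ cn }}"
    state: directory

- name: "Create a self-signed certificate for {{ cn }}"
  # `command` with an argv list instead of `shell`: the arguments go to
  # openssl directly, so no shell interprets `cn` and the subject needs
  # no shell quoting. `creates` keeps the task idempotent: an existing
  # fullchain.pem is never overwritten or re-keyed on later runs.
  command:
    argv:
      - openssl
      - req
      - -x509
      - -newkey
      - rsa:2048
      - -keyout
      - privkey.pem
      - -nodes  # private key is written unencrypted (no passphrase)
      - -out
      - fullchain.pem
      - -days
      - "3650"
      - -subj
      - "/CN={{ cn }}"
    chdir: "/etc/credentials/selfsigned/{{ cn }}"
    creates: "/etc/credentials/selfsigned/{{ cn }}/fullchain.pem"

- name: "Restrict access to the private key for {{ cn }}"
  file:
    path: "/etc/credentials/selfsigned/{{ cn }}/privkey.pem"
    owner: root
    group: public-credentials
    # Quoted: a bare 0440 is parsed as an integer by YAML 1.1 loaders;
    # the string form is what Ansible documents for octal modes.
    mode: "0440"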