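---
# Issue a TLS server certificate for each web server from Red Hat IdM:
# generate a private key and CSR on the host, submit the CSR to IdM,
# install the returned certificate, then restart httpd.
#
# Variables read by this play but not defined here: key_path, csr_path,
# cert_path, cert_subject, ipa_admin_password, ipa_domain.
- name: Request and INstall Certs from Red Hat IdM
  hosts: webservers
  become: true

  tasks:
    - name: Ensure the IPA client and OpenSSL are installed
      ansible.builtin.package:
        name:
          - ipa-client
          - openssl
        state: present

    # The key is generated on the target and never copied elsewhere.
    # Owner and mode are pinned explicitly so the permissions do not
    # depend on module defaults or the umask.
    - name: Generate private key
      community.crypto.openssl_privatekey:
        path: "{{ key_path }}"
        # 2048-bit key; raise if local policy requires a larger size.
        size: 2048
        owner: root
        group: root
        mode: "0600"

    - name: Generate CSR
      community.crypto.openssl_csr:
        path: "{{ csr_path }}"
        privatekey_path: "{{ key_path }}"
        common_name: "{{ ansible_fqdn }}"
        subject: "{{ cert_subject }}"
        # Current TLS clients match the host name against
        # subjectAltName, not the CN, so the FQDN is requested as a
        # DNS SAN as well.
        subject_alt_name:
          - "DNS:{{ ansible_fqdn }}"
        key_usage:
          - digitalSignature
          - keyEncipherment
        extended_key_usage:
          - serverAuth

    # ipa_admin_password is an IdM administrator secret: keep it in
    # Ansible Vault (or another secret store), never in plain inventory.
    # NOTE(review): the part after "@" in the principal is a Kerberos
    # realm; confirm ipa_domain holds the realm in the form IdM expects.
    # NOTE(review): confirm the option names below and the shape of the
    # registered result against the documentation of the installed
    # redhat.rhel_idm.ipacert version.
    - name: Request a certificate from IdM
      redhat.rhel_idm.ipacert:
        ipaadmin_password: "{{ ipa_admin_password }}"
        csr_path: "{{ csr_path }}"
        principal: "HTTP/{{ ansible_fqdn }}@{{ ipa_domain }}"
        cert_profile: "HTTP_Server"
        cert_out_path: "{{ cert_path }}"
      register: cert_result

    # The certificate is public data, so it is world-readable, but only
    # root may replace it.
    - name: Install the certificate
      ansible.builtin.copy:
        content: "{{ cert_result.certificate }}"
        dest: "{{ cert_path }}"
        owner: root
        group: root
        mode: "0644"
      notify:
        - restart web server

  handlers:
    # Runs only when the certificate file actually changed.
    - name: restart web server
      ansible.builtin.service:
        name: httpd
        state: restarted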