---
- name: Test host certificates
  hosts: ipaserver
  become: true

  tasks:
  - name: Get Domain from server name
    ansible.builtin.set_fact:
      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"
    when: ipaserver_domain is not defined

  - name: Generate self-signed certificates.
    ansible.builtin.shell:
      cmd: |
        openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout "private{{ item }}.key" -out "cert{{ item }}.pem" -subj '/CN=test'
        openssl x509 -outform der -in "cert{{ item }}.pem" -out "cert{{ item }}.der"
        base64 "cert{{ item }}.der" -w5000 > "cert{{ item }}.b64"
    with_items: [1, 2, 3]
    become: no
    delegate_to: localhost

  - name: Host test absent
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      state: absent

  - name: Host test present
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      force: yes
    register: result
    failed_when: not result.changed or result.failed

  - name: Host test cert members present
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      certificate:
        - "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Host test cert members present again
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      certificate:
        - "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Host test cert members absent
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      certificate:
        - "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
      state: absent
      action: member
    register: result
    failed_when: not result.changed or result.failed

  - name: Host test cert members absent again
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      certificate:
        - "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
        - "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
      state: absent
      action: member
    register: result
    failed_when: result.changed or result.failed

  - name: Host test absent
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      state: absent
    register: result
    failed_when: not result.changed or result.failed

  - name: Host test absent again
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ 'test.' + ipaserver_domain }}"
      state: absent
    register: result
    failed_when: result.changed or result.failed

  - name: Remove certificate files.
    ansible.builtin.shell:
      cmd: rm -f "private{{ item }}.key" "cert{{ item }}.pem" "cert{{ item }}.der" "cert{{ item }}.b64"
    with_items: [1, 2, 3]
    become: no
    delegate_to: localhost