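---
# Register a reverse-proxy service principal in FreeIPA and obtain an
# HTTP/<service> certificate for it through certmonger (ipa-getcert).
#
# Variables used here but defined elsewhere (confirm against the caller):
#   rproxy_service_name              - short name of the proxied service
#                                      (becomes the CNAME and the SPN host)
#   rproxy_dir                       - directory that holds certs/
#   ansible_user / ansible_password  - IPA credentials for the CLI calls
#
# The ipa dnsrecord / host-add / service-add / service-add-host steps are
# not idempotent at the CLI level, so their errors are ignored on re-runs;
# a real failure surfaces later when ipa-getcert cannot obtain the cert.

- name: Create CNAME dns record
  community.general.ipa_dnsrecord:
    ipa_user: "{{ ansible_user }}"
    ipa_pass: "{{ ansible_password }}"
    zone_name: "{{ ansible_facts['domain'] }}"
    record_name: "{{ rproxy_service_name }}"
    record_type: 'CNAME'
    record_value: "{{ ansible_facts['hostname'] }}"
    state: present
  ignore_errors: true

# The password is passed to kinit on stdin instead of `echo '...' | kinit`
# so it never appears in a process argument list or in the logged command,
# and a quote character in the password cannot break the shell string.
# no_log keeps the stdin value out of the play output as well.
- name: Kinit
  ansible.builtin.command:
    cmd: kinit
    stdin: "{{ ansible_password }}"
  no_log: true
  become: false
  become_user: "{{ ansible_user }}"

# command (not shell): no pipes or redirections are needed, and the
# argument list is split without a shell interpreting the variables.
- name: Create fake host for certificate
  ansible.builtin.command:
    cmd: >-
      ipa host-add {{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
      --force --desc="Fake host for SPN"
  become: false
  become_user: "{{ ansible_user }}"
  ignore_errors: true

- name: Create SPN for HTTP
  ansible.builtin.command:
    cmd: >-
      ipa service-add HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
      --skip-host-check --force
  become: false
  become_user: "{{ ansible_user }}"
  ignore_errors: true

- name: "Allow {{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} to get certificates for HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} SPN"
  ansible.builtin.command:
    cmd: >-
      ipa service-add-host
      --hosts={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
      HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
  become: false
  become_user: "{{ ansible_user }}"
  ignore_errors: true

- name: Kdestroy
  ansible.builtin.command:
    cmd: kdestroy
  become: false
  become_user: "{{ ansible_user }}"

# Read-only listing: extract the certmonger request id of the tracking
# entry for this service's certificate path. A shell is required for the
# pipeline. The pipeline's exit status is that of the final `tr`, so a
# missing entry yields an empty stdout rather than a task failure.
- name: Get all tracking certificates
  ansible.builtin.shell:
    cmd: "ipa-getcert list | grep -m1 -B5 \"{{ rproxy_dir }}/certs/{{ rproxy_service_name }}\" | grep Request | awk '{print $NF}' | tr -d \"'\\|:\""
  register: tracking_list
  changed_when: false

- name: Remove certificates from IPA tracking
  ansible.builtin.command:
    cmd: "ipa-getcert stop-tracking -i {{ item }}"
  loop: "{{ tracking_list.stdout_lines }}"
  ignore_errors: true

- name: Request certificate via ipa-getcert
  ansible.builtin.command:
    cmd: >-
      ipa-getcert request
      -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt
      -k {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key
      -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
      -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}

# ipa-getcert request returns before the files exist; wait for certmonger.
- name: Wait for certificate to appear
  ansible.builtin.wait_for:
    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
    timeout: 60

# The certificate is public data; it only needs to be readable, not
# executable (the previous 0744 set the execute bit for no purpose).
- name: Change certificate permissions
  ansible.builtin.file:
    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"
    mode: "0644"

- name: Wait for certificate key to appear
  ansible.builtin.wait_for:
    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
    timeout: 60

# The private key must not be world-readable (it was 0744 before).
# NOTE(review): 0600 assumes the proxy reads the key as the file owner;
# if it runs under a different account, use 0640 with a matching group
# instead of widening back to other-readable — confirm against the caller.
- name: Change certificate key permissions
  ansible.builtin.file:
    path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.key"
    mode: "0600"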