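---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Note(andymccr):
# This uses local connection for the initial key setup
# as no key is set up to allow a connection to localhost
# as a remote host.

- name: Playbook for establishing ssh keys
  hosts: localhost
  gather_facts: false
  any_errors_fatal: true
  connection: local
  become: true
  tasks:
    - name: Ensure root has a .ssh directory
      file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"

    # RSA is the `user` module's default key type; the file name
    # (/root/.ssh/id_rsa) is reused by the later plays, so the type,
    # bits and path must be changed together if another algorithm is
    # ever wanted here.
    - name: Create ssh key pair for root
      user:
        name: root
        generate_ssh_key: true
        ssh_key_bits: 2048
        ssh_key_file: /root/.ssh/id_rsa

    # The registered slurp result carries the private key (base64) and
    # is printed verbatim under -v / in ansible.log without no_log.
    - name: Get root private key
      slurp:
        src: /root/.ssh/id_rsa
      register: private_key_get
      changed_when: false
      no_log: true

    - name: Get root public key
      slurp:
        src: /root/.ssh/id_rsa.pub
      register: public_key_get
      changed_when: false

    # root_private_key is consumed by the user-key play that follows.
    # set_fact echoes the new facts under -v, so the private key has to
    # be kept out of the output here as well; root_public_key and
    # lxc_container_ssh_key are the same public key under two names.
    - name: Set key facts
      set_fact:
        root_public_key: "{{ public_key_get.content | b64decode }}"
        root_private_key: "{{ private_key_get.content | b64decode }}"
        lxc_container_ssh_key: "{{ public_key_get.content | b64decode }}"
      no_log: true

    - name: Ensure root can ssh to localhost
      authorized_key:
        user: "root"
        key: "{{ root_public_key }}"

# Note(hwoarang):
# This uses local connection for the initial key setup
# as no key is set up to allow a connection to localhost
# as a remote host.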
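- name: Playbook for establishing user ssh keys
  hosts: localhost
  connection: local
  become: false
  any_errors_fatal: true
  tasks:
    # Shell used because facts may not be ready yet. ansible_user_id and
    # ansible_user_gid below are gathered facts, so this play keeps the
    # default gather_facts: true.
    - name: Get user home directory
      shell: |
        set -o pipefail
        getent passwd '{{ ansible_user_id }}' | cut -d':' -f6
      args:
        executable: /bin/bash
      register: user_home
      changed_when: false

    - name: Set local user home fact
      set_fact:
        calling_user_home: "{{ user_home.stdout }}"

    - name: Ensure user has a .ssh directory
      file:
        path: "{{ calling_user_home }}/.ssh"
        state: directory
        owner: "{{ ansible_user_id }}"
        group: "{{ ansible_user_gid }}"
        mode: "0700"
      when: ansible_user_id != 'root'

    # The calling (non-root) user deliberately receives root's key pair,
    # so it can reach whatever root's public key is authorised on.
    # NOTE: any existing ~/.ssh/id_rsa of that user is overwritten
    # without a backup. no_log keeps the private key out of -v and
    # --diff output for this copy.
    - name: Ensure user has the known private key
      copy:
        content: "{{ root_private_key }}"
        dest: "{{ calling_user_home }}/.ssh/id_rsa"
        owner: "{{ ansible_user_id }}"
        group: "{{ ansible_user_gid }}"
        mode: "0600"
      no_log: true
      when: ansible_user_id != 'root'

    - name: Ensure user has the known public key
      copy:
        content: "{{ root_public_key }}"
        dest: "{{ calling_user_home }}/.ssh/id_rsa.pub"
        owner: "{{ ansible_user_id }}"
        group: "{{ ansible_user_gid }}"
        mode: "0600"
      when: ansible_user_id != 'root'

    - name: Ensure local user can ssh to localhost
      authorized_key:
        user: "{{ ansible_user_id }}"
        key: "{{ root_public_key }}"
      when: ansible_user_id != 'root'

# Only the SSH signing key is generated here: the three install_* flags
# are false, so nothing is pushed to hosts by this play.
- name: Create SSHD CA
  hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
  gather_facts: false
  become: true
  tasks:
    - name: "Create SSHD certificate authority"
      include_role:
        name: openstack.osa.ssh_keypairs
      vars:
        ssh_keypairs_setup_host: localhost
        ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"
        ssh_keypairs:
          - name: "OpenStack-Ansible-SSH-Signing-Key"
        ssh_keypairs_install_authorities: false
        ssh_keypairs_install_keypairs: false
        ssh_keypairs_install_authorized_keys: false

# The subject fields below are placeholders (Example Corp) and both CAs
# are given a ten-year lifetime; replace the identity and consider a
# shorter intermediate lifetime before using this outside a test setup.
- name: Create CA certificates
  hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
  gather_facts: false
  become: true
  tasks:
    - name: "Create CA certificates"
      include_role:
        name: pki
        tasks_from: main_ca.yml
      vars:
        pki_dir: "/etc/openstack_deploy/pki"
        pki_create_ca: true
        pki_authorities:
          # Self-signed root; the intermediate below is issued from it.
          - name: "ExampleCorpRoot"
            provider: selfsigned
            basic_constraints: "CA:TRUE"
            cn: "Example Corp Root CA"
            email_address: "pki@example.com"
            country_name: "GB"
            state_or_province_name: "England"
            organization_name: "Example Corporation"
            organizational_unit_name: "IT Security"
            key_usage:
              - digitalSignature
              - cRLSign
              - keyCertSign
            not_after: "+3650d"
          # pathlen:0 — this intermediate may issue end-entity
          # certificates only, not further subordinate CAs.
          - name: "ExampleCorpIntermediate"
            provider: ownca
            basic_constraints: "CA:TRUE,pathlen:0"
            cn: "Example Corp Openstack Infrastructure Intermediate CA"
            email_address: "pki@example.com"
            country_name: "GB"
            state_or_province_name: "England"
            organization_name: "Example Corporation"
            organizational_unit_name: "IT Security"
            key_usage:
              - digitalSignature
              - cRLSign
              - keyCertSign
            not_after: "+3650d"
            signed_by: "ExampleCorpRoot"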