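---
# Tasks that lay out HAProxy's TLS material and install its configuration.

# Creates the two directories that hold TLS material, owned by root.
# NOTE(review): these paths are hard-coded, while the certificate task below
# reads haproxy_ssl_self_dir and haproxy_ssl_certs_dir. If those variables are
# overridden to other locations, the directories will not exist; confirm the
# role defaults match these paths or switch this list to the variables.
- name: haproxy | ensure certs directory
  file:
    path: '{{ item }}'
    state: directory
    mode: '0755'
    owner: root
    group: root
  with_items:
    - '/etc/haproxy/ssl/certs'
    - '/etc/haproxy/ssl/self'

# Generates one self-signed certificate per entry of
# haproxy_ssl_self_signed_domains and bundles certificate + private key into
# a single .pem in haproxy_ssl_certs_dir. The task is skipped for an item once
# its .pem exists ("creates").
# Role variables are interpolated into the script as plain text, so they are
# expected to come from trusted inventory only.
# NOTE(review): -extensions v3_ca selects the v3_ca section of the host's
# openssl.cnf, which conventionally marks the certificate as a CA; confirm
# that is intended for a server certificate.
- name: haproxy | create default self-signed certificate
  shell: |
    # Abort on the first failing command. Without this, a failed openssl run
    # still lets the redirection create an empty .pem, and "creates" then
    # skips regeneration on every later run.
    set -e
    # -nodes leaves the private key unencrypted, so file permissions are its
    # only protection. Create every file owner-only from the start instead of
    # relying on the chmod at the end of the script.
    umask 077
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 \
      -subj "{{ haproxy_ssl_self_signed_subj }}/CN={{ item }}" \
      -days {{ haproxy_ssl_self_signed_days }} \
      -keyout "{{ item }}.key" -out "{{ item }}.crt" \
      -extensions v3_ca
    # Paths are quoted so that a wildcard name is not glob-expanded by the
    # shell; ">" is used so the bundle never gets appended to stale content.
    cat "{{ item }}.crt" "{{ item }}.key" > "{{ haproxy_ssl_certs_dir }}/{{ item }}.pem"
    # Kept in addition to umask: tightens files that already existed with
    # wider permissions before this run.
    chmod 0600 "{{ item }}.crt" "{{ item }}.key" "{{ haproxy_ssl_certs_dir }}/{{ item }}.pem"
  args:
    chdir: '{{ haproxy_ssl_self_dir }}'
    creates: '{{ haproxy_ssl_certs_dir }}/{{ item }}.pem'
  with_items: '{{ haproxy_ssl_self_signed_domains }}'
  notify:
    - haproxy restarted

# Renders haproxy.cfg from the role template. "validate" runs HAProxy's
# configuration check (-c) against the rendered file (%s) before it replaces
# the destination; -q is appended when haproxy_accept_warnings is truthy.
# The file is readable by root and group root only.
- name: haproxy | copy configuration file
  template:
    src: haproxy.cfg.j2
    dest: '/etc/haproxy/haproxy.cfg'
    owner: root
    group: root
    mode: '0440'
    validate: 'haproxy -f %s -c {% if haproxy_accept_warnings %}-q{% endif %}'
  notify:
    - haproxy reloaded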