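---
# Bootstrap a private SSL CA for Koji with koji-ssl-admin, issue a server
# certificate from it, and add the CA certificate to the system trust store.
# Each command task is guarded by `creates`, so it is skipped once the named
# output file exists and re-runs do not regenerate existing material.

# NOTE(review): koji-ssl-admin runs with chdir set to this directory, so its
# output (presumably including the CA and server private keys) lands here.
# With 0755 on the directory, key confidentiality depends on the file modes
# the tool applies. Confirm the key files are not group/world readable.
- name: Create /etc/pki/koji directory
  ansible.builtin.file:
    path: /etc/pki/koji
    state: directory
    owner: root
    group: root
    # Quoted so the mode is passed as a string rather than relying on the
    # YAML parser's octal handling.
    mode: "0755"

# NOTE(review): koji_server_ca_fqdn is used both as the CA common name here
# and as the server name in the CSR task below. Confirm that is intended.
- name: Initialize Koji SSL CA
  ansible.builtin.command:
    argv:
      - /usr/local/koji-tools/src/bin/koji-ssl-admin
      - new-ca
      - --common-name
      - "{{ koji_server_ca_fqdn }}"
    chdir: /etc/pki/koji
    creates: /etc/pki/koji/koji-ca.crt

- name: Generate Koji server key and CSR
  ansible.builtin.command:
    argv:
      - /usr/local/koji-tools/src/bin/koji-ssl-admin
      - server-csr
      - "{{ koji_server_ca_fqdn }}"
    chdir: /etc/pki/koji
    creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"

# The guard assumes signing writes <fqdn>.chain.crt next to the CSR.
# TODO confirm against the koji-ssl-admin version in use.
- name: Sign Koji server CSR
  ansible.builtin.command:
    argv:
      - /usr/local/koji-tools/src/bin/koji-ssl-admin
      - sign
      - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.csr"
    chdir: /etc/pki/koji
    creates: "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"

# Linking the CA into the anchors directory makes it a trust root for every
# client on this host that uses the system bundle, so the CA private key
# generated above should be protected accordingly.
- name: Add Koji SSL CA certificate to system
  ansible.builtin.file:
    src: /etc/pki/koji/koji-ca.crt
    dest: /etc/pki/ca-trust/source/anchors/koji-ca.crt
    state: link
  register: koji_server_ca_anchor

# Rebuild the consolidated trust store only when the anchor link changed.
# argv form and the fully qualified module name match the tasks above.
- name: Trust Koji SSL CA certificate
  ansible.builtin.command:
    argv:
      - update-ca-trust
      - extract
  when: koji_server_ca_anchor is changed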