# Install easy-rsa; every other state in this file works on the
# /etc/easy-rsa tree and on the easyrsa command this package ships.
ca-easy-rsa-maint:
  pkg.installed:
    - name: 'easy-rsa'

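# Temporary: the packaged easy-rsa uses the wrong working directory, so ship
# our own vars file and point every easyrsa call at it with --vars=./vars.
easy-rsa-vars-maint:
  file.managed:
    - name: '/etc/easy-rsa/vars'
    - source: 'salt://roles/maintain/ca/vars'
    # Explicit ordering: the package must be installed (and /etc/easy-rsa
    # present) before this file is written, independent of the default
    # top-to-bottom state order.
    - require:
      - pkg: ca-easy-rsa-maint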

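# Initialize the PKI and build the CA only while no CA certificate exists.
# --vars=./vars is temporary until the package is fixed.
# NOTE: `nopass` leaves the CA private key unencrypted on disk, so the
# permissions set on pki/private further down are what protect it.
gen-ca-key:
  cmd.run:
    # `&&` instead of `;` so a failed init-pki aborts the state instead of
    # letting build-ca run against a half-initialized tree. --batch on
    # init-pki keeps it from stopping at a confirmation prompt if a pki/
    # directory is left over from an earlier failed attempt.
    - name: 'easyrsa --batch --vars=./vars init-pki && easyrsa --batch --vars=./vars build-ca nopass batch'
    - cwd: '/etc/easy-rsa'
    - onlyif: 'test ! -e /etc/easy-rsa/pki/ca.crt'
    - require:
      - pkg: ca-easy-rsa-maint
      - file: easy-rsa-vars-maint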

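# Generate a key/request and sign it for every entry in pillar['ca'] that has
# no request yet. --vars=./vars is temporary until the package is fixed.
# `name` is interpolated unquoted into a shell command line and into YAML
# state IDs, so pillar keys must be plain identifiers (no whitespace, quotes
# or shell metacharacters). pillar['ca'][name]['type'] is the easyrsa
# certificate type (server/client) handed to sign-req.
{%- if pillar['ca'] is defined -%}
{%- for name in pillar['ca'] %}
gen-{{name}}-cert:
  cmd.run:
    # `&&` so a failed gen-req does not fall through to sign-req.
    - name: "easyrsa --batch --vars=./vars --req-cn={{name}} gen-req {{name}} nopass && easyrsa --batch --vars=./vars sign-req {{pillar['ca'][name]['type']}} {{name}}"
    - cwd: "/etc/easy-rsa"
    # The guard is the request file, not the issued cert: if sign-req fails
    # after the request was written, a re-run will not retry the signing.
    - onlyif: 'test ! -e /etc/easy-rsa/pki/reqs/{{name}}.req'
    - require:
      - cmd: gen-ca-key
# Group ca and mode 0640 on the issued cert and the private key.
# replace: false leaves the content alone; the require keeps file.managed
# from creating an empty placeholder file when generation failed.
{{name}}-cert-perms:
  file.managed:
    - name: /etc/easy-rsa/pki/issued/{{name}}.crt
    - group: ca
    - mode: "0640"
    - replace: false
    - require:
      - cmd: gen-{{name}}-cert
# The key is group-readable so members of `ca` can use it; every member of
# that group can read every key generated here, so keep membership minimal.
{{name}}-key-perms:
  file.managed:
    - name: /etc/easy-rsa/pki/private/{{name}}.key
    - group: ca
    - mode: "0640"
    - replace: false
    - require:
      - cmd: gen-{{name}}-cert
{%- endfor %}
{%- endif %}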
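# Directory permissions: group ca may traverse and list, others get nothing.
# Ordered after the CA build so file.directory adjusts the tree easyrsa
# created rather than pre-creating a pki/ directory that init-pki would then
# find already present.
pki-perms:
  file.directory:
    - name: /etc/easy-rsa/pki/
    - group: ca
    - mode: "0750"
    - require:
      - cmd: gen-ca-key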
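# Issued certificates are public material; 0750 with group ca only limits who
# can list the directory. Ordered after the CA build so the directory is the
# one easyrsa created.
issued-perms:
  file.directory:
    - name: /etc/easy-rsa/pki/issued/
    - group: ca
    - mode: "0750"
    - require:
      - cmd: gen-ca-key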
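# Private keys live here, including the CA key, whose own mode is not managed
# by this file. NOTE(review): presumably it keeps the mode easyrsa created
# it with — confirm it is not group-readable, since group ca can list this
# directory.
private-perms:
  file.directory:
    - name: /etc/easy-rsa/pki/private
    - group: ca
    - mode: "0750"
    - require:
      - cmd: gen-ca-key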
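# Make the CA certificate readable by group ca without touching its content.
# The require keeps file.managed from creating an empty ca.crt if the CA
# build failed (an empty ca.crt would also defeat gen-ca-key's onlyif guard).
ca-cert-perms:
  file.managed:
    - name: /etc/easy-rsa/pki/ca.crt
    - group: ca
    - mode: "0640"
    - replace: false
    - require:
      - cmd: gen-ca-key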