# Install the Let's Encrypt CA chain and the IPA server certificate on a FreeIPA server
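# Staging directory for the PEM material handed to the ipa-* commands below.
# root-only and read/execute only: Salt writes here as root, nothing else
# needs to. NOTE(review): the apache user cannot read this tree, so httpd is
# presumably served from IPA's own stores after ipa-server-certinstall imports
# from here — confirm nothing points httpd at this path directly.
# Mode is quoted: an unquoted leading-zero 0500 is read by YAML as octal
# (decimal 320) and Salt would then apply mode 0320.
/etc/httpd/certs/:
  file.directory:
    - user: root
    - group: root
    - dir_mode: '0500'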

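# Let's Encrypt chain, root: DST Root CA X3 (the cross-signing root).
# Readable by root only; a change to this file triggers install_cacerts.
# NOTE(review): this pins a specific historical Let's Encrypt chain. DST Root
# CA X3 expired on 2021-09-30 and the X3 intermediate was retired, so check
# that the PEMs shipped here still match the chain in
# secure/certs/ipa.actcur.com/fullchain.pem before relying on this state.
# Mode quoted so YAML does not reinterpret the leading zero as octal.
/etc/httpd/certs/DSTRootCAX3.pem:
  file.managed:
    - source: salt://roles/maintain/freeipa-server/DSTRootCAX3.pem
    - user: root
    - group: root
    - mode: '0400'
    # explicit dependency so ordering does not rely on state_auto_order
    - require:
      - file: /etc/httpd/certs/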

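# Let's Encrypt chain, intermediate: Let's Encrypt Authority X3.
# Readable by root only; a change to this file triggers install_cacerts.
# NOTE(review): Authority X3 was superseded (R3 / ISRG Root X1); verify the
# shipped PEM still matches the issuer of the installed fullchain.pem.
# Mode quoted so YAML does not reinterpret the leading zero as octal.
/etc/httpd/certs/LetsEncryptAuthorityX3.pem:
  file.managed:
    - source: salt://roles/maintain/freeipa-server/LetsEncryptAuthorityX3.pem
    - user: root
    - group: root
    - mode: '0400'
    # explicit dependency so ordering does not rely on state_auto_order
    - require:
      - file: /etc/httpd/certs/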

"/etc/httpd/certs/ipa.actcur.com/":
  file.recurse:
    - source: salt://secure/certs/ipa.actcur.com/
    - user: root
    - group: root
    - dir_mode: 500
    - file_mode: 400
    - clean: true

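# Import both chain certificates into IPA's CA trust store, then propagate
# the updated store with ipa-certupdate. Runs only when one of the two PEM
# files changed.
# Commands are chained with && so a failed import aborts the sequence and the
# state reports failure; the previous ';' chaining ran ipa-certupdate
# regardless and only the exit status of that last command reached Salt.
install_cacerts:
  cmd.run:
    - name: >-
        ipa-cacert-manage install "/etc/httpd/certs/DSTRootCAX3.pem" -n DSTRootCAX3 -t C,, &&
        ipa-cacert-manage install "/etc/httpd/certs/LetsEncryptAuthorityX3.pem" -n letsencryptx3 -t C,, &&
        ipa-certupdate -v
    - onchanges:
      - file: /etc/httpd/certs/DSTRootCAX3.pem
      - file: /etc/httpd/certs/LetsEncryptAuthorityX3.pem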

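# Install the Let's Encrypt server certificate for the HTTP (-w) and
# Directory Server (-d) instances. Runs only when the certificate tree
# changed; its `watch` in restart_apache restarts httpd afterwards.
#
# The Directory Manager password is passed with cmd.run's `env` instead of
# the former set_dm_password / unset_dm_password environ.setenv pair:
#   - environ.setenv placed the secret in the salt-minion process environment
#     (inherited by every later child until the unset state ran) and reported
#     the value in the state's `changes`, i.e. in the job return, the master
#     job cache and any configured returner;
#   - `env` scopes it to this one command and is not part of the return.
# `name` keeps the literal $DM_PASSWORD, so the rendered command shown in
# state output never contains the secret; the shell expands it at run time.
# output_loglevel: quiet keeps the command and its output out of the minion
# log as well.
# NOTE(review): -p still puts the password into the argv of
# ipa-server-certinstall, readable via /proc/*/cmdline by every local user
# while it runs; no file/stdin alternative is visible from here, so that is
# the residual exposure.
# NOTE(review): the value is still rendered at compile time from a salt://
# file; the same fileserver caveat as for the cert tree applies, and a
# password containing '"' or '\' would break this double-quoted YAML scalar.
# Pillar is the intended per-minion channel for this.
# NOTE(review): --pin="" means privkey.pem is an unencrypted key; it is
# root-only (0400) on disk.
# NOTE(review): -d replaces the Directory Server certificate too, but only
# httpd is restarted by this SLS — confirm whether ipa-server-certinstall
# restarts dirsrv itself or whether an `ipactl restart` is required.
install_cert:
  cmd.run:
    - name: 'ipa-server-certinstall -p $DM_PASSWORD --pin="" -w -d /etc/httpd/certs/ipa.actcur.com/privkey.pem /etc/httpd/certs/ipa.actcur.com/fullchain.pem'
    - env:
      - DM_PASSWORD: "{%- include 'secure/passwords/ipa_DM_password.txt' -%}"
    - output_loglevel: quiet
    # exact ID of the file.recurse state; the former glob '…/*' matched it
    # only because fnmatch's '*' also matches the empty string
    - onchanges:
      - file: "/etc/httpd/certs/ipa.actcur.com/"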

# Keep httpd running and restart it whenever install_cert executed (cmd.run
# reports a change every time it runs, so the watch fires on each install).
# enable: false leaves httpd disabled at boot; on a FreeIPA server this is
# presumably intentional because ipa.service brings httpd up itself —
# confirm before changing it.
# NOTE(review): install_cert also passes -d (Directory Server); this state
# restarts httpd only — verify whether dirsrv needs a restart as well.
restart_apache:
  service.running:
    - enable: false
    - name: httpd
    - watch:
      - cmd: install_cert