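# Install Let's Encrypt CA certificates and the server certificate for the
# FreeIPA web/directory services, then restart httpd.
#
# State order is significant: the directories are created first, the CA
# bundle and the server certificate are copied next, and the install commands
# only fire (onchanges) when those copies actually changed something.
# File modes are quoted so YAML hands Salt a string, as the Salt file module
# docs recommend (an unquoted mode is read as an integer).

/etc/httpd/certs/:
  file.directory:
    - user: root
    - group: root
    - dir_mode: "0500"

/etc/httpd/certs/cacerts/:
  file.directory:
    - user: root
    - group: root
    - dir_mode: "0500"

# CA bundle; `clean: true` removes anything in the directory that is not in
# the source tree.
/etc/httpd/certs/cacerts:
  file.recurse:
    - source: salt://roles/maintain/freeipa-server/cacerts
    - clean: true
    - user: root
    - group: root
    - file_mode: "0400"

# Server certificate and private key for ipa.actcur.com; `clean: true` as above.
/etc/httpd/certs/ipa.actcur.com/:
  file.recurse:
    - source: salt://secure/certs/ipa.actcur.com/
    - user: root
    - group: root
    - dir_mode: "0500"
    - file_mode: "0400"
    - clean: true

# Install every file in the cacerts directory as a CA cert, then run
# ipa-certupdate. The requisite names the file.recurse state ID exactly:
# the former glob `/etc/httpd/certs/cacerts/*` matched the directory state
# (`/etc/httpd/certs/cacerts/`) but not the recurse state ID, which has no
# trailing slash, so changes to the bundle alone did not trigger a reinstall.
install_cacerts:
  cmd.run:
    - name: 'cd /etc/httpd/certs/cacerts/;for cert in `ls ./`; do ipa-cacert-manage install $cert;done;ipa-certupdate -v'
    - onchanges:
      - file: /etc/httpd/certs/cacerts

# Directory Manager password, rendered into the minion's process environment
# only when the server certificate changed. The value is visible in this
# state's change output (and therefore the job cache / highstate output) and
# is expanded onto the command line of install_cert below, where it is
# readable from process listings while the command runs; keep that in mind
# when deciding where this state is applied.
# NOTE(review): the included file's trailing newline, if it has one, ends up
# inside the double-quoted scalar — confirm the password file has none.
set_dm_password:
  environ.setenv:
    - name: DM_PASSWORD
    - value: "{%- include 'secure/passwords/ipa_DM_password.txt' -%}"
    - onchanges:
      - file: /etc/httpd/certs/ipa.actcur.com/*

# Install the web (-w) and directory server (-d) certificate. The require
# keeps this from running with an empty $DM_PASSWORD if setting it failed.
install_cert:
  cmd.run:
    - name: 'ipa-server-certinstall -p $DM_PASSWORD --pin="" -w -d /etc/httpd/certs/ipa.actcur.com/privkey.pem /etc/httpd/certs/ipa.actcur.com/cert.pem'
    - require:
      - environ: set_dm_password
    - onchanges:
      - file: /etc/httpd/certs/ipa.actcur.com/*

# Remove the password from the minion environment again; runs every time so
# it is cleared even when install_cert was skipped or failed.
# NOTE(review): the Salt docs example for false_unsets uses the bare boolean
# `False`; this passes the string "False" — confirm the state treats the
# string as an unset request rather than setting DM_PASSWORD to "False".
unset_dm_password:
  environ.setenv:
    - name: DM_PASSWORD
    - value: "False"
    - false_unsets: true

# httpd is restarted only when the server certificate was (re)installed;
# `enable: false` leaves boot-time enablement to whatever else manages httpd.
restart_apache:
  service.running:
    - name: httpd
    - enable: false
    - watch:
      - cmd: install_cert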