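{% import 'globals.jinja' as globals %}

include:
  - constant_state
  - generic_packages.m2crypto

# Shared trust store. Every CA certificate produced in this file is copied
# here and published through the Salt mine (mine_send_cacerts at the end of
# the file), so the directory is deliberately world-readable.
/data/admin/pki/cacerts:
  file.directory:
    - mode: "0755"
    - require:
      - file: /data/admin/pki

# Root CA
# Private material lives under 0700 directories; the key files themselves
# are additionally pinned to 0600 so a permissive umask on the minion
# cannot leave them readable.
/data/admin/pki/root:
  file.directory:
    - mode: "0700"
    - require:
      - file: /data/admin/pki

/data/admin/pki/root/issued_certs:
  file.directory:
    - mode: "0700"
    - require:
      - file: /data/admin/pki/root

{% if grains['id'] == globals.primary_admin_host %}
# Keys and certificates are generated only on the primary admin host; other
# hosts receive the certificates via the mine and never hold the keys.
/data/admin/pki/root/ca.key:
  x509.private_key_managed:
    - bits: 4096
    # file.managed arguments (mode/user/group) are passed through by the
    # x509 state
    - mode: "0600"
    # backup: True keeps the replaced key in the minion's file backup cache;
    # that copy is private key material too — TODO confirm its permissions
    - backup: True
    - require:
      - file: /data/admin/pki/root

/data/admin/pki/root/ca.crt:
  x509.certificate_managed:
    # no signing_cert: the root certificate is self-signed with its own key
    - signing_private_key: /data/admin/pki/root/ca.key
    - basicConstraints: "critical CA:true"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 3650
    # days_remaining: 0 disables automatic renewal; replacing the root is a
    # coordinated manual operation because every relying party must be
    # updated with the new certificate.
    - days_remaining: 0
    - backup: True
    # Subject attributes come from pillar. They are rendered as quoted YAML
    # scalars so values such as C: NO or an all-digit serialNumber are not
    # retyped (to boolean / integer) by the YAML loader.
{%- for attr, value in pillar['global']['certificate_attributes']['root'].items() %}
    - {{ attr }}: {{ value | yaml_encode }}
{%- endfor %}
    - CN: Root Certificate Authority
    - require:
      - file: /data/admin/pki/cacerts
      - x509: /data/admin/pki/root/ca.key

# Publish the root certificate (public part only) into the trust store.
/data/admin/pki/cacerts/ca_root.crt:
  file.managed:
    - source: /data/admin/pki/root/ca.crt
    - require:
      - x509: /data/admin/pki/root/ca.crt
    - onchanges_in:
      - module: mine_send_cacerts
{% endif %}

# Deployment CA
# Intermediate CA signed by the root; it is the CA that signs day-to-day
# certificates, keeping the root key out of routine use.
/data/admin/pki/deployment:
  file.directory:
    - mode: "0700"
    - require:
      - file: /data/admin/pki

/data/admin/pki/deployment/issued_certs:
  file.directory:
    - mode: "0700"
    - require:
      - file: /data/admin/pki/deployment

{% if grains['id'] == globals.primary_admin_host %}
/data/admin/pki/deployment/ca.key:
  x509.private_key_managed:
    - bits: 4096
    - mode: "0600"
    # see the root key above: the backup copy also holds key material
    - backup: True
    - require:
      - file: /data/admin/pki/deployment

/data/admin/pki/deployment/ca.crt:
  x509.certificate_managed:
    - signing_cert: /data/admin/pki/root/ca.crt
    - signing_private_key: /data/admin/pki/root/ca.key
    - public_key: /data/admin/pki/deployment/ca.key
    # NOTE(review): no path length constraint, so a certificate issued by
    # this CA could itself act as a CA; if that is not intended, append
    # ", pathlen:0" (OpenSSL extension syntax — confirm with m2crypto).
    - basicConstraints: "critical CA:true"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 3650
    # renewal disabled, as for the root certificate
    - days_remaining: 0
    - backup: True
    # pillar subject attributes, quoted for the same reason as the root's
{%- for attr, value in pillar['global']['certificate_attributes']['deployment'].items() %}
    - {{ attr }}: {{ value | yaml_encode }}
{%- endfor %}
    - CN: Deployment Certificate Authority
    - require:
      - file: /data/admin/pki/cacerts
      - x509: /data/admin/pki/root/ca.key
      - x509: /data/admin/pki/root/ca.crt
      - x509: /data/admin/pki/deployment/ca.key

/data/admin/pki/cacerts/ca_deployment.crt:
  file.managed:
    - source: /data/admin/pki/deployment/ca.crt
    - require:
      - x509: /data/admin/pki/deployment/ca.crt
    - onchanges_in:
      - module: mine_send_cacerts

# Signing policies are only meaningful where the CA keys exist, i.e. on the
# primary admin host; the minion is restarted to pick up the new config.
/etc/salt/minion.d/signing_policies.conf:
  file.managed:
    - source: salt://admin/files/signing_policies.conf
    - template: jinja
    - watch_in:
      - service: salt_minion
{% else %}
# A host that has lost the primary role must not keep advertising signing
# policies it can no longer honour.
/etc/salt/minion.d/signing_policies.conf:
  file.absent:
    - watch_in:
      - service: salt_minion
{% endif %}

# Push the PEM contents of every certificate in the trust store into the
# mine. Only *.crt files are matched, so no key material is ever published.
mine_send_cacerts:
  module.run:
    - name: mine.send
    - func: x509.get_pem_entries
    - kwargs:
        glob_path: "/data/admin/pki/cacerts/*.crt"
    - onchanges:
      - test: constant_state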