4:67349ffb6dc5
Anton Shestakov <engored@ya.ru>, Sun, 13 Mar 2016 06:23:08 +0000
(none)

next change 9:72c6ce33de6f
previous change 2:7f4ad9be3e85

roles/nginx/tasks/easy-rsa.yml

Permissions: -rw-r--r--

---
# Create the easy-rsa working directory once. `creates` skips the task when
# /etc/nginx/easy-rsa/ already exists, so re-runs leave an existing CA alone.
# NOTE(review): later tasks write private keys below this directory and
# nothing in this file sets its owner or mode; confirm what make-cadir leaves.
- name: Set up a local easy-rsa certificates directory
  command: 'make-cadir /etc/nginx/easy-rsa/'
  args:
    creates: '/etc/nginx/easy-rsa/'
# Rewrite the `export KEY_<name>="..."` lines of the easy-rsa vars file, one
# per entry of munin_ca_vars (each entry supplies `key` and `value`).
# The vars file is sourced by the shell in the tasks that follow
# (`. ./vars`), so each value ends up inside a double-quoted shell string.
# NOTE(review): munin_ca_vars is defined outside this file; a value holding
# `"`, `$` or a backtick would be interpreted by the shell. Keep values plain.
- name: Editing vars in-place
  lineinfile:
    dest: /etc/nginx/easy-rsa/vars
    regexp: '^export KEY_{{ item.key }}="'
    line: 'export KEY_{{ item.key }}="{{ item.value }}"'
  with_items: '{{ munin_ca_vars }}'
# Initialise the easy-rsa keys directory. Guarded by `creates` on
# keys/index.txt, so it runs only while that file does not exist yet.
# NOTE(review): in easy-rsa 2.x clean-all is understood to delete any
# existing keys directory first; verify for the installed version. If
# index.txt is ever removed, this task would run again on the next play.
- name: Running clean-all
  shell: '. ./vars && ./clean-all'
  args:
    chdir: '/etc/nginx/easy-rsa/'
    creates: '/etc/nginx/easy-rsa/keys/index.txt'
# Generate the CA certificate and key non-interactively (`--batch`), once:
# the task is skipped as soon as keys/ca.key exists.
# NOTE(review): the CA private key is created and kept on the same host
# that runs nginx. Presumably it is not passphrase-protected in batch mode;
# confirm, and check the mode of keys/ca.key after the first run.
- name: Running build-ca
  shell: '. ./vars && ./build-ca --batch'
  args:
    chdir: '/etc/nginx/easy-rsa/'
    creates: '/etc/nginx/easy-rsa/keys/ca.key'
  # Handler is defined outside this file.
  notify:
    - restart nginx
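# Issue the server certificate and key for munin.<hostname>, once: skipped
# when the corresponding .key file already exists.
# The certificate name is interpolated into a shell command line, so it is
# passed through the `quote` filter; for an ordinary hostname the rendered
# command is unchanged, while shell metacharacters in `hostname` are
# treated as literal text instead of being executed.
- name: Running build-key-server
  shell: ". ./vars && ./build-key-server --batch {{ ('munin.' ~ hostname) | quote }}"
  args:
    chdir: '/etc/nginx/easy-rsa/'
    creates: '/etc/nginx/easy-rsa/keys/munin.{{ hostname }}.key'
  # Handler is defined outside this file.
  notify:
    - restart nginx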
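# Issue one client certificate and key per entry of munin_clients, named
# munin.<hostname>.<client>; each is skipped once its .key file exists.
# The name is built from two variables and placed on a shell command line,
# so it is passed through the `quote` filter: ordinary names render exactly
# as before, and shell metacharacters in either variable stay literal.
# NOTE(review): client private keys are generated on the server rather
# than by the clients themselves; confirm that fits the threat model.
- name: Running build-key
  shell: ". ./vars && ./build-key --batch {{ ('munin.' ~ hostname ~ '.' ~ item) | quote }}"
  args:
    chdir: '/etc/nginx/easy-rsa/'
    creates: '/etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.key'
  with_items: '{{ munin_clients }}'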
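# Bundle each client's key, certificate and the CA certificate into a
# passphrase-protected PKCS#12 file; skipped once the .p12 exists.
# The passphrase is handed to openssl through the environment
# (`-passout env:`) instead of `pass:` on the command line, where it would
# show up in the process list and in Ansible's task output. `no_log` keeps
# the task's arguments and results out of logs and callbacks.
# Caveat: on some platforms another process of the same user can still read
# the environment. The same passphrase is used for every client.
# NOTE(review): munin_pkcs12_pass is defined outside this file; keep it in
# an encrypted vars file if it is not already.
- name: Export client certificate as a PKCS#12 file
  command: >
    openssl pkcs12
    -export
    -out /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.p12
    -inkey /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.key
    -in /etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.crt
    -certfile /etc/nginx/easy-rsa/keys/ca.crt
    -passout env:MUNIN_PKCS12_PASS
  args:
    creates: '/etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.p12'
  environment:
    MUNIN_PKCS12_PASS: '{{ munin_pkcs12_pass }}'
  no_log: true
  with_items: '{{ munin_clients }}'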
# Copy each client's .p12 bundle from the server into ./pkcs12/ on the
# control machine. `flat` stores the file directly under dest, and
# `fail_on_missing` turns a missing source file into a task failure.
# NOTE(review): the fetched files contain client private keys. Keep
# ./pkcs12/ out of version control and restrict its permissions.
- name: Fetch the resulting PKCS#12 file
  fetch:
    src: '/etc/nginx/easy-rsa/keys/munin.{{ hostname }}.{{ item }}.p12'
    dest: './pkcs12/'
    flat: true
    fail_on_missing: true
  with_items: '{{ munin_clients }}'
...