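---
# Play 1: stand up the internal step-ca on the `ca` host and expose its
# ACME endpoint to the VPN range only.
- name: add acme CA
  hosts: ca
  become: true
  roles:
    - role: maxhoesel.smallstep.step_ca
  tasks:
    - name: add an acme provisioner to the ca
      maxhoesel.smallstep.step_ca_provisioner:
        name: ACME
        type: ACME
      # Run as the CA service account so the CA config/db stay owned by it
      # (presumably what the role expects -- TODO confirm against the role docs).
      become_user: step-ca
      # Only bounce the CA when the provisioner actually changed; an
      # unconditional `state: restarted` every run is needless CA downtime.
      notify: restart step-ca

    - name: ensure step-ca is running and enabled
      ansible.builtin.systemd_service:
        name: step-ca
        state: started
        enabled: true

    - name: allow step-ca port traffic on vpn
      community.general.ufw:
        rule: allow
        # 100.64.0.0/10 is the shared-address (CGNAT) space; assumed here to
        # be the VPN overlay range (e.g. Tailscale) -- TODO confirm.
        from: 100.64.0.0/10
        # step_ca_port is expected to come from the role/inventory vars.
        port: "{{ step_ca_port }}"
        # step-ca serves HTTPS, i.e. TCP only; without `proto` ufw opens the
        # port for UDP as well.
        proto: tcp
      notify: restart ufw

    - name: ensure ufw is running and enabled
      ansible.builtin.systemd_service:
        name: ufw
        state: started
        enabled: true

  handlers:
    - name: restart step-ca
      ansible.builtin.systemd_service:
        name: step-ca
        state: restarted

    - name: restart ufw
      ansible.builtin.systemd_service:
        name: ufw
        state: restarted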

# Play 2: distribute trust in the new internal CA to every managed host.
- hosts: all
  name: configure trust to internal ca on all hosts
  roles:
    # Local role; if it writes the CA cert into the system trust store it
    # will need root -- TODO confirm the role escalates itself, since this
    # play sets no `become`.
    - role: ca