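# -*- coding: utf-8 -*-
# vim: ft=yaml
#
# Host PKI state: generates one private key for the minion, requests a host
# certificate for the minion's FQDN from the CA minion, then requests one
# additional certificate per name listed in pillar pki:cns and assembles a
# combined PEM bundle for each of those names.
---
# Single private key shared by every certificate issued below.
# NOTE(review): backup: True keeps a copy of the previous key when the file is
# replaced; those copies are key material too. Confirm where they land and
# that they are as tightly permissioned as the live key.
/etc/pki/private.key:
  x509.private_key_managed:
    - bits: 4096
    - backup: True
    - require:
      # The /etc/pki directory state is defined outside this file.
      - file: /etc/pki

# Host certificate for the minion's own FQDN, signed remotely under the
# "host" signing policy. public_key points at the private key file; the
# public half is derived from it.
# NOTE(review): days_remaining: 5 only triggers renewal in the last five days
# of validity. If the state is not applied during that window the certificate
# expires; consider a wider margin.
/etc/pki/public.crt:
  x509.certificate_managed:
    - ca_server: tumor.chaos
    - signing_policy: host
    - public_key: /etc/pki/private.key
    # Quoted so an empty or unusual grain value is still parsed as a string.
    - CN: "{{ grains['fqdn'] }}"
    - subjectAltName: "DNS:{{ grains['fqdn'] }}"
    - days_remaining: 5
    - backup: True
    - require:
      - x509: /etc/pki/private.key

{#- One certificate and one PEM bundle per extra name from pillar pki:cns.
    The subject CN stays the minion FQDN; only the SAN carries the extra name. #}
{% for cn in salt['pillar.get']('pki:cns', {}) %}
/etc/pki/{{ cn }}.crt:
  x509.certificate_managed:
    - ca_server: tumor.chaos
    - signing_policy: host
    - public_key: /etc/pki/private.key
    - days_remaining: 5
    - backup: False
    - CN: "{{ grains['fqdn'] }}"
    - subjectAltName: "DNS:{{ cn }}"
    - require:
      - x509: /etc/pki/private.key

# Combined bundle: leaf certificate, intermediate CA certificate, private key.
# NOTE(review): this file contains the private key, and file.append does not
# manage ownership or mode, so the bundle gets whatever the umask yields when
# it is first created. Confirm it is not readable by other users, or manage
# its permissions in a separate state.
# NOTE(review): file.append only adds missing text. After a renewal the new
# certificate is presumably appended below the old bundle content rather than
# replacing it; verify, and rebuild the file on renewal if so.
/etc/pki/chain/{{ cn }}.pem:
  file.append:
    - sources:
      - /etc/pki/{{ cn }}.crt
      - /etc/pki/intca.crt
      - /etc/pki/private.key
    - require:
      - file: /etc/pki/chain
      # Explicit dependency: do not assemble the bundle unless the
      # certificate state for this name succeeded.
      - x509: /etc/pki/{{ cn }}.crt
{% endfor %}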