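---
# LetsEncrypt Certbot tasks (Debian): validate the role config, wire up the
# web-server integration, add/remove certificates and install the renewal timer.
# Relies on CERT_CONFIG.letsencrypt.{certs,service,email,path,renew} and on the
# role-provided 'check_email' and 'safe_key' filters plus 'default_le_certbot_cert_config'.

- name: Certificates | Debian | LetsEncrypt Certbot | Checking config
  ansible.builtin.fail:
    msg: "The required configuration was not provided! Needed: 'certs.letsencrypt.certs', 'certs.letsencrypt.service', 'certs.letsencrypt.email or certs.letsencrypt.email.certs.email'"
  # 'service' is normalised with default() before the 'is none' test, the same way the
  # service check below does it (the original applied default() to the result of the test)
  when: >
    CERT_CONFIG.letsencrypt.certs | length == 0 or
    CERT_CONFIG.letsencrypt.service | default(none, true) is none or
    (CERT_CONFIG.letsencrypt.email | default(none, true) is none and not CERT_CONFIG.letsencrypt.certs | check_email)

- name: Certificates | Debian | LetsEncrypt Certbot | Checking service
  ansible.builtin.fail:
    msg: "You need to supply a supported LetsEncrypt Certbot service to use! (apache/nginx)"
  when: >
    CERT_CONFIG.letsencrypt.service | default(none, true) is none or
    CERT_CONFIG.letsencrypt.service not in ['apache', 'nginx']

- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
  ansible.builtin.import_tasks: apache.yml
  when: CERT_CONFIG.letsencrypt.service == 'apache'

- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Nginx
  ansible.builtin.import_tasks: nginx.yml
  when: CERT_CONFIG.letsencrypt.service == 'nginx'

- name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs
  # read-only query; no shell features are needed, so 'command' replaces 'shell'
  ansible.builtin.command: 'certbot certificates'
  register: existing_certs_raw
  changed_when: false
  # run in check mode too, otherwise 'existing_certs_raw.stdout' is undefined below
  check_mode: false

- name: Certificates | Debian | LetsEncrypt Certbot | Adding certificates
  ansible.builtin.include_tasks: cert.yml
  when:
    - le_cert.domains | length > 0
    - le_cert.state == 'present'
  vars:
    le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
    # the live directory is keyed by the certbot cert-name, which is le_name
    # (the original interpolated an undefined 'name' variable here)
    le_path: "{{ CERT_CONFIG.letsencrypt.path }}/live/{{ le_name }}"
  loop_control:
    loop_var: cert_item
  # cert_item.value may carry sensitive per-cert settings
  no_log: true
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"

- name: Certificates | Debian | LetsEncrypt Certbot | Revoking certificates
  # argv keeps the cert-name a single argument without involving a shell; the original
  # handed 'certbot revoke ... && certbot delete ...' to the command module, where
  # '&&' is not a shell operator but a literal argument passed to certbot
  ansible.builtin.command:
    argv:
      - 'certbot'
      - 'revoke'
      - '--cert-name'
      - "{{ le_name }}"
  when:
    - le_cert.state != 'present'
    # substring match against 'certbot certificates' output; presumably fine for the
    # cert-names produced by safe_key, but a name that is a prefix of another would also match
    - existing_certs_raw.stdout.find(le_name) != -1
  vars:
    le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
  loop_control:
    loop_var: cert_item
  # same loop data as the 'Adding certificates' task, so hide it the same way
  no_log: true
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"

- name: Certificates | Debian | LetsEncrypt Certbot | Deleting certificates
  # runs after a successful revoke (a failed revoke aborts the play as '&&' did)
  ansible.builtin.command:
    argv:
      - 'certbot'
      - 'delete'
      - '--cert-name'
      - "{{ le_name }}"
  when:
    - le_cert.state != 'present'
    - existing_certs_raw.stdout.find(le_name) != -1
  vars:
    le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
  loop_control:
    loop_var: cert_item
  no_log: true
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"

- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Apache2
  ansible.builtin.import_tasks: apache_cleanup.yml
  when: CERT_CONFIG.letsencrypt.service == 'apache'

- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Nginx
  ansible.builtin.import_tasks: nginx_cleanup.yml
  when: CERT_CONFIG.letsencrypt.service == 'nginx'

- name: Certificates | Debian | LetsEncrypt Certbot | Adding service for certbot renewal
  ansible.builtin.template:
    src: "templates/etc/systemd/system/{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: 'root'
    group: 'root'
    mode: '0644'  # quoted: an unquoted 0644 is read as the octal integer 420
  loop:
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'

- name: Certificates | Debian | LetsEncrypt Certbot | Enabling cert-renewal timer
  ansible.builtin.systemd:
    # the unit files were just written, so reload before enabling
    daemon_reload: true
    name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
    enabled: true
    state: started

- name: Certificates | Debian | LetsEncrypt Certbot | Running renewal
  # forces a renewal on every run while 'renew' is set; failures are reported but
  # do not abort the play
  ansible.builtin.command: 'certbot renew --force-renewal'
  when: CERT_CONFIG.letsencrypt.renew
  ignore_errors: true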