---

- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Showing debug info"
  ansible.builtin.debug:
    var: le_cert
  when:
    - debug is defined
    - debug

# ToDo: path validation
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Checking config"
  ansible.builtin.assert:
    that:
      - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
      - CERT_CONFIG.letsencrypt.verbosity in CERT_HC.letsencrypt.options.verbosity
      - le_cert.key_size in CERT_HC.options.key_size.cert
      - le_cert.domains | length > 0
      - le_cert.email | validate_email or CERT_CONFIG.cert.email | validate_email

- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: 'root'
    group: 'root'
    mode: 0755
  loop:
    - "{{ CERT_CONFIG.path }}"
    - "{{ le_path }}"
  changed_when: false

- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Certbot command (FYI)"
  ansible.builtin.debug:
    msg: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %}
    --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
    -{{ CERT_CONFIG.letsencrypt.verbosity }}
    --rsa-key-size {{ le_cert.key_size }}
    --config-dir {{ CERT_CONFIG.letsencrypt.path }}
    {% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %}
    {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
  when: le_changed

- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Running certbot"
  ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %}
    --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
    -{{ CERT_CONFIG.letsencrypt.verbosity }}
    --rsa-key-size {{ le_cert.key_size }}
    --config-dir {{ CERT_CONFIG.letsencrypt.path }}
    {% for domain in le_cert.domains %}{% if domain | valid_hostname %}--domain {{ domain }} {% endif %}{% endfor %}
    {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
  when: le_changed

- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Adding dummy certs"
  ansible.builtin.include_tasks: test.yml
  when: testing

- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking cert"
  ansible.builtin.file:
    state: link
    src: "{{ item.src }}"
    dest: "{{ item.dst }}"
    mode: "{{ CERT_CONFIG.mode_cert }}"
    owner: "{{ CERT_CONFIG.owner_cert }}"
    group: "{{ CERT_CONFIG.group_cert }}"
    follow: true
    force: true
  loop:
    - {'dst': "{{ CERT_CONFIG.path }}/{{ le_name }}.{{ CERT_CONFIG.extension_cert }}", 'src': "{{ le_path }}/cert.pem"}
    - {'dst': "{{ CERT_CONFIG.path }}/{{ le_name }}.chain.{{ CERT_CONFIG.extension_cert }}", 'src': "{{ le_path }}/chain.pem"}
    - {'dst': "{{ CERT_CONFIG.path }}/{{ le_name }}.fullchain.{{ CERT_CONFIG.extension_cert }}", 'src': "{{ le_path }}/fullchain.pem"}

- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking key"
  ansible.builtin.file:
    state: link
    src: "{{ le_path }}/privkey.pem"
    dest: "{{ CERT_CONFIG.path }}/{{ le_name }}.{{ CERT_CONFIG.extension_key }}"
    mode: "{{ CERT_CONFIG.mode_key }}"
    owner: "{{ CERT_CONFIG.owner_key }}"
    group: "{{ CERT_CONFIG.group_key }}"
    follow: true
    force: true