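---
# Certbot with the Cloudflare DNS-01 plugin: install dependencies, drop the
# Cloudflare API credentials, install the renewal post-hook, issue certificates
# for every domain of this host that has none yet, and keep them renewed via cron.

- name: Install certbot deps
  ansible.builtin.apt:
    name:
      - python3-certbot
      - python3-certbot-dns-cloudflare
    state: present

# Credentials file consumed by the dns-cloudflare plugin. The mode is quoted so
# the YAML parser keeps it as the octal string "0700" instead of an integer.
# NOTE(review): the rendered file holds an API token; consider `diff: false`
# (or `no_log: true`) on this task so a --diff/--check run does not print it.
- name: Install
  ansible.builtin.template:
    src: cloudflare-credentials.ini.j2
    dest: "{{ cloudflare_credentials_destination }}"
    mode: "0700"

# Directory the renewal post-hook is installed into. Scripts here are executed
# during renewal (the cron job below runs as root), so the directory must not be
# writable by anyone but root: the previous symbolic mode `o=rw,g=r,a+x` granted
# write access to "others", letting any local user plant a script that would be
# run with root privileges on the next renewal.
- name: Ensure existance of {{ certbot_post_hook_dir }}
  ansible.builtin.file:
    path: "{{ certbot_post_hook_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

# Explicit absolute mode instead of `a+x`, which left the non-execute bits to
# whatever umask the target host happened to have.
- name: Add renewal_post_upgrade hook
  ansible.builtin.copy:
    src: renewal_post_upgrade.sh
    dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"
    owner: root
    group: root
    mode: "0755"

# One stat result per domain, in the same order as host_domains[inventory_hostname].
- name: Check for existence of certificates
  ansible.builtin.stat:
    path: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
  loop: "{{ host_domains[inventory_hostname] }}"
  register: cert_check

# Space-separated string of the domains whose fullchain.pem is missing. Kept as
# a string (not a list) so later consumers of `domain_request_list.split()` and
# `domain_request_list | trim` keep working; the filter chain replaces the
# hand-written Jinja for-loop that indexed cert_check.results by loop.index0.
- name: Construct domains needing ACME requests list
  ansible.builtin.set_fact:
    domain_request_list: >-
      {{ cert_check.results | rejectattr('stat.exists') | map(attribute='item') | join(' ') }}

# `command` instead of `shell`: no pipes, globs or redirects are used, so the
# domain and paths are passed as plain argv elements with no shell interpretation.
# The trailing backslashes of the original folded (>) scalar were folded into
# "\ " tokens, i.e. escaped-space arguments handed to certbot; a folded scalar
# needs no line continuations. `creates` makes each iteration idempotent even if
# the fact above goes stale within a run.
- name: Request acmedns challenges if there are such domains that need certs
  ansible.builtin.command: >-
    certbot certonly --dns-cloudflare
    --dns-cloudflare-credentials {{ cloudflare_credentials_destination }}
    --non-interactive
    --manual-public-ip-logging-ok
    --agree-tos -m {{ certbot_email }}
    --preferred-challenges dns --debug-challenges
    --dns-cloudflare-propagation-seconds 20
    -d {{ item }}
  args:
    creates: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
  loop: "{{ domain_request_list.split() }}"
  changed_when: domain_request_list | trim != ''

# Daily renewal as root; certbot only renews certificates close to expiry.
- name: Certbot daily renewal cron job
  ansible.builtin.cron:
    name: "letsencrypt_daily_renewal"
    special_time: "daily"
    job: "certbot renew --non-interactive"
    cron_file: "certbot_renewal"
    user: root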