---

- name: Esnure certbot installed
  ansible.builtin.apt:
    name:
      - certbot
      - python3-certbot-nginx
    state: present

- name: Check if certificate exists
  ansible.builtin.stat:
    path: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem
  register: cert

- name: Get current certificate info
  community.crypto.x509_certificate_info:
    path: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem
  register: certinfo

- name: Set fact to regenerate certificates if new domains are added
  ansible.builtin.set_fact:
    certbot_regenerate: true
  when: item.name is defined and 'DNS:' + item.name not in certinfo.subject_alt_name
  loop: "{{ nginx_servers }}"

- name: Generate new certificate if one doesn't exist.
  ansible.builtin.command: >
    certbot --nginx certonly
    --non-interactive
    --email {{ certbot_admin_email }}
    --agree-tos
    --expand
    --domains {{ ansible_fqdn }}{% for server in nginx_servers %}{% if server.name is defined %},{{ server.name }}{% endif %}{% endfor %}
  when: not cert.stat.exists or certbot_regenerate
  notify: Reload nginx

- name: Ensure certificate configured for nginx
  ansible.builtin.template:
    src: letsencrypt.conf.j2
    dest: /etc/nginx/conf.d/letsencrypt.conf
    mode: 0644
  notify: Reload nginx

- name: Add ssl header config to the list of configs
  ansible.builtin.set_fact:
    nginx_confs: "{{ nginx_confs + ['ssl-headers'] }}"