Changeset - 793f41cb4d28
0 0 1
x - 19 months ago 2023-10-09 19:52:27
xbr@c3l.lu
feat: add generic cert issuing task list
1 file changed with 55 insertions and 0 deletions:
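--- a/web/tasks/issue_cert.yml
+++ b/web/tasks/issue_cert.yml
@@ -0,0 +1,55 @@
+---
+# Inputs:
+# - domain_name (e.g. freifunk.lu)
+# - all_domain_names (e.g. -d freifunk.lu -d www.freifunk.lu)
+# - reload_command (e.g. systemctl reload nginx)
+- name: Make sure bogus certificate + group exists
+  ansible.builtin.apt:
+    name: ssl-cert
+    state: present
+- name: Check if certificate already exists
+  ansible.builtin.stat:
+    path: "/root/.acme.sh/{{ domain_name }}_ecc"
+  register: acme_cert_dir
+- name: Pre-copy cert files
+  ansible.builtin.copy:
+    src: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+    dest: "/etc/ssl/certs/ssl-{{ item }}-{{ domain_name }}.pem"
+    mode: '644'
+    owner: 'root'
+    group: 'root'
+  become: true
+  loop:
+    - cert
+    - ca
+    - fullchain
+  when: not acme_cert_dir.exists
+- name: Pre-copy key file
+  ansible.builtin.copy:
+    src: "/etc/ssl/private/ssl-cert-snakeoil.key"
+    dest: "/etc/ssl/private/ssl-cert-{{ domain_name }}.pem"
+    mode: '640'
+    owner: 'root'
+    group: 'ssl-cert'
+  become: true
+  when: not acme_cert_dir.exists
+- name: Issue certificate
+  ansible.builtin.command:
+    cmd: "/root/.acme.sh/acme.sh --issue --keylength ec-384
+      -w /var/www/acme_root/ {{ all_domain_names }}"
+  become: true
+  when: not acme_cert_dir.exists
+  register: cert_issued
+  changed_when: cert_issued.rc == 0
+- name: Deploy certs and keys
+  ansible.builtin.command:
+    cmd: "/root/.acme.sh/acme.sh --install-cert --ecc
+      -d {{ domain_name }}
+      --cert-file \"/etc/ssl/certs/ssl-cert-{{ domain_name }}.pem\"
+      --key-file \"/etc/ssl/private/ssl-cert-{{ domain_name }}.pem\"
+      --ca-file \"/etc/ssl/certs/ssl-ca-{{ domain_name }}.pem\"
+      --fullchain-file \"/etc/ssl/certs/ssl-fullchain-{{ domain_name }}.pem\"
+      --reloadcmd \"{{ reload_command }}\""
+  become: true
+  register: cert_deployed
+  changed_when: cert_deployed.rc == 0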
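Review bot: Both `ansible.builtin.copy` tasks ("Pre-copy cert files" and "Pre-copy key file") take `src` without `remote_src: true`, so the snakeoil files are read from the Ansible controller rather than from the managed host where the preceding apt task just installed `ssl-cert`; the run fails if the controller lacks them or cannot read `/etc/ssl/private/ssl-cert-snakeoil.key`, and otherwise the controller's placeholder private key is shipped to every managed host. Add `remote_src: true` under `ansible.builtin.copy:` in both tasks, and give the stat task `become: true` like its siblings, since `/root/.acme.sh` is not readable by an unprivileged connection user unless the play already escalates. The 640 root:ssl-cert contract on the key is established only by the pre-copy, which `when: not acme_cert_dir.exists` skips on every later run, while the `--install-cert` task sets no mode or ownership, so I would enforce it with a `file` task after the deploy task as below rather than rely on how acme.sh writes into the pre-created file. Also, `changed_when: cert_deployed.rc == 0` reports the deploy task as changed on every run, and acme.sh presumably fires `--reloadcmd` each time it is invoked, so consider tying the reload to actual issuance instead.
```yaml
# … unchanged: "Deploy certs and keys" task …
- name: Enforce private key ownership and mode
  ansible.builtin.file:
    path: "/etc/ssl/private/ssl-cert-{{ domain_name }}.pem"
    owner: 'root'
    group: 'ssl-cert'
    mode: '640'
  become: true
```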