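---
# Issue an ACME certificate with acme.sh and install it under /etc/ssl for a
# web server. Until the first real certificate exists, the distro's
# self-signed "snakeoil" pair is put in place under the same paths so the web
# server can start at all (clients see a certificate warning until the real
# one lands — it is a placeholder, not a trust anchor).
#
# Inputs:
# - domain_name      (e.g. freifunk.lu) — primary name; used for the acme.sh
#                    state directory and for --install-cert. It must be the
#                    first "-d" in all_domain_names: acme.sh names its state
#                    directory after the first domain, so otherwise the
#                    "already issued" check below never matches and every run
#                    re-issues (CA rate-limit risk).
# - all_domain_names (e.g. -d freifunk.lu -d www.freifunk.lu) — a
#                    whitespace-separated, pre-tokenized argument string;
#                    ansible.builtin.command splits it (no shell is involved).
# - reload_command   (e.g. systemctl reload nginx) — acme.sh records it in its
#                    per-domain config and runs it as root after every
#                    renewal, so it is effectively root-level code: it must
#                    come from a trusted playbook variable, never from
#                    untrusted input.
#
# Every task runs with become: true — acme.sh lives in /root/.acme.sh and
# /etc/ssl/private is root-owned.

# The ssl-cert package ships the self-signed snakeoil cert/key used as the
# placeholder below and creates the ssl-cert group that may read private keys.
- name: Make sure bogus certificate + group exists
  ansible.builtin.apt:
    name: ssl-cert
    state: present
  become: true

# acme.sh keeps the state of an ECC certificate in <domain>_ecc; its presence
# is taken as "a certificate was already issued" so the play stays idempotent
# and does not re-issue on every run.
# NOTE(review): a failed first --issue may leave this directory behind, in
# which case the issue step is skipped on later runs — confirm for the acme.sh
# version in use; removing the directory forces a retry.
- name: Check if certificate already exists
  ansible.builtin.stat:
    path: "/root/.acme.sh/{{ domain_name }}_ecc"
  become: true
  register: acme_cert_dir

# Placeholder public files (world-readable, like any certificate). The names
# match the --cert-file/--ca-file/--fullchain-file paths given to
# --install-cert below, so the web server config never has to change.
- name: Pre-copy cert files
  ansible.builtin.copy:
    remote_src: true
    src: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
    dest: "/etc/ssl/certs/ssl-{{ item }}-{{ domain_name }}.pem"
    mode: '0644'
    owner: 'root'
    group: 'root'
  become: true
  loop:
    - cert
    - ca
    - fullchain
  when: not acme_cert_dir.stat.exists

# Placeholder private key: root-owned, readable by the ssl-cert group only,
# so the web server can read it without running as root. Creating the file
# first also pins owner/group/mode — acme.sh appears to rewrite an existing
# key file in place rather than recreating it, which keeps 0640/ssl-cert
# (confirm for the installed acme.sh version).
- name: Pre-copy key file
  ansible.builtin.copy:
    remote_src: true
    src: "/etc/ssl/private/ssl-cert-snakeoil.key"
    dest: "/etc/ssl/private/ssl-cert-{{ domain_name }}.pem"
    mode: '0640'
    owner: 'root'
    group: 'ssl-cert'
  become: true
  when: not acme_cert_dir.stat.exists

# First issuance only; renewals are acme.sh's own job (its cron entry).
# HTTP-01 challenge served from /var/www/acme_root — that webroot must be
# served at /.well-known/acme-challenge/ for every listed name (set up
# elsewhere). ec-384 selects an ECC key, hence the _ecc state directory.
# No --server is given, so acme.sh's configured default CA applies.
# cmd (not argv) is kept on purpose: all_domain_names is a "-d a -d b" string
# that relies on the module's whitespace splitting. The task fails on any
# non-zero rc; changed_when only keeps ansible-lint's no-changed-when quiet.
- name: Issue certificate
  ansible.builtin.command:
    cmd: "/root/.acme.sh/acme.sh --issue --keylength ec-384 -w /var/www/acme_root/ {{ all_domain_names }}"
  become: true
  when: not acme_cert_dir.stat.exists
  register: cert_issued
  changed_when: cert_issued.rc == 0

# Copy the issued files into /etc/ssl and register the reload command with
# acme.sh so renewals re-deploy and reload the server automatically.
# argv form: each option is exactly one argument, so reload_command reaches
# acme.sh verbatim even if it contains quotes or other characters the
# string form's shlex splitting would mangle.
# This runs on every play and always reports changed: it deliberately
# re-syncs the files and re-registers --reloadcmd (in case the variable
# changed), and acme.sh runs reload_command each time.
- name: Deploy certs and keys
  ansible.builtin.command:
    argv:
      - "/root/.acme.sh/acme.sh"
      - "--install-cert"
      - "--ecc"
      - "-d"
      - "{{ domain_name }}"
      - "--cert-file"
      - "/etc/ssl/certs/ssl-cert-{{ domain_name }}.pem"
      - "--key-file"
      - "/etc/ssl/private/ssl-cert-{{ domain_name }}.pem"
      - "--ca-file"
      - "/etc/ssl/certs/ssl-ca-{{ domain_name }}.pem"
      - "--fullchain-file"
      - "/etc/ssl/certs/ssl-fullchain-{{ domain_name }}.pem"
      - "--reloadcmd"
      - "{{ reload_command }}"
  become: true
  register: cert_deployed
  changed_when: cert_deployed.rc == 0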