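---
# Installs acme.sh for root, registers the ACME account, issues a wildcard
# certificate per entry of `domains` using DNS validation, installs the
# resulting key/cert under `certs_dir` and schedules a monitoring script.
#
# Variables expected from the caller (none are defined in this file):
#   acme_email                       - e-mail address for the ACME account
#   domains                          - list of mappings with `name` and `dns_provider`
#   certs_dir                        - base directory for per-domain key/cert files
#   inwx_user, inwx_pass,
#   gandi_livedns_key                - DNS API credentials (optional, default to "")

- name: Install dependencies
  become: true
  apt:
    pkg:
      - oathtool

- name: Determine if acme.sh is installed
  become: true
  stat:
    path: "~/.acme.sh/acme.sh"
  register: is_acme_sh_installed

# NOTE(review): the installer is fetched over HTTPS but its content is not
# pinned. Adding a `checksum:` (value obtained out-of-band for the intended
# installer release) would detect a tampered or swapped download.
- name: Get acme.sh Installer
  become: true
  get_url:
    url: https://get.acme.sh
    dest: /tmp/acme.sh
    mode: "0700"
  when: not is_acme_sh_installed.stat.exists

- name: Install acme.sh
  become: true
  command: "sh /tmp/acme.sh email={{ acme_email }}"
  when: not is_acme_sh_installed.stat.exists

- name: Upgrade acme.sh
  become: true
  command:
    cmd: ./acme.sh --upgrade
    chdir: ~/.acme.sh
  when: is_acme_sh_installed.stat.exists
  register: upgrade_result
  # acme.sh exits 0 both when it upgraded and when it was already current, so
  # the exit code alone cannot distinguish "changed" from "ok".
  changed_when: >-
    upgrade_result.rc == 0
    and "Upgrade success" in upgrade_result.stdout
    and not "Already uptodate" in upgrade_result.stdout

# Registration may rewrite account.conf on the first run, so it runs before
# the baseline hash is taken; otherwise the log-enabling task below would
# report a change that registration, not the log update, caused.
# The binary is addressed as ./acme.sh like every other task here: the
# installer does not put acme.sh on PATH, it only drops it in ~/.acme.sh.
- name: Make sure ACME is registered
  become: true
  command:
    chdir: ~/.acme.sh
    cmd: ./acme.sh --register-account
  changed_when: false

# Baseline hash of account.conf; the following tasks re-hash the file after
# their acme.sh call and report "changed" only when the hash differs.
- name: Hash config file
  become: true
  command:
    chdir: ~/.acme.sh
    cmd: sha1sum account.conf
  register: _account_conf_hash_before
  changed_when: false

- name: Enable acme.sh logs
  become: true
  shell:
    cmd: ./acme.sh --update-account --log /root/.acme.sh/acme.sh.log && sha1sum account.conf
    chdir: ~/.acme.sh
  register: _account_conf_update
  changed_when: "_account_conf_hash_before.stdout not in _account_conf_update.stdout"

# Previously a plain `command` whose stdout never contained a hash, so the
# comparison against the earlier hash was always true and the task reported
# "changed" on every run. It now prints the hash itself and compares it with
# the hash printed by the previous task (the last line of that task's stdout).
- name: Set letsencrypt as default CA
  become: true
  shell:
    cmd: ./acme.sh --set-default-ca --server letsencrypt && sha1sum account.conf
    chdir: ~/.acme.sh
  register: _set_default_ca
  changed_when: "_account_conf_update.stdout_lines[-1] not in _set_default_ca.stdout"

- name: Issue certificates
  become: true
  command:
    cmd: ./acme.sh --issue -d {{ item.name }} -d '*.{{ item.name }}' --dns dns_{{ item.dns_provider }}
    chdir: ~/.acme.sh
  # DNS API credentials are handed to acme.sh through its environment; only
  # the provider named by `item.dns_provider` reads the matching variables.
  environment:
    INWX_User: "{{ inwx_user | default('') }}"
    INWX_Password: "{{ inwx_pass | default('') }}"
    GANDI_LIVEDNS_KEY: "{{ gandi_livedns_key | default('') }}"
  loop: "{{ domains }}"
  register: cert_result
  changed_when: cert_result.rc == 0 and "Cert success." in cert_result.stdout
  # A list in failed_when is AND-ed: the task fails only when acme.sh printed
  # neither its "nothing to do" message nor its success message.
  failed_when:
    - "'Domains not changed' not in cert_result.stdout"
    - "'Cert success.' not in cert_result.stdout"

- name: Make sure certs dir exists
  become: true
  file:
    path: "{{ certs_dir }}/{{ item.name }}"
    state: directory
    mode: "0755"
  loop: "{{ domains }}"

# The reload script is executed by acme.sh after each renewal; it is owned by
# root and not readable by anyone else, and only ever contains the reload line.
- name: Place nginx reload command to cert reload script
  become: true
  lineinfile:
    path: "/usr/local/bin/cert_reload_{{ item.name }}.sh"
    line: "systemctl reload nginx"
    create: true
    owner: root
    group: root
    mode: "0700"
  loop: "{{ domains }}"

- name: Install certificates
  become: true
  command:
    cmd: ./acme.sh --install-cert -d "{{ item.name }}" --key-file "{{ certs_dir }}/{{ item.name }}/key.pem" --fullchain-file "{{ certs_dir }}/{{ item.name }}/cert.pem" --reloadcmd "/usr/local/bin/cert_reload_{{ item.name }}.sh"
    chdir: ~/.acme.sh
  loop: "{{ domains }}"
  loop_control:
    index_var: domains_index
  register: install_cert_result
  # Installation is reported as changed exactly when issuing the same domain
  # (same loop index) produced a new certificate above.
  changed_when: cert_result.results[domains_index].changed
  # A failing reload command (e.g. nginx not yet configured) is tolerated;
  # any other non-zero exit from acme.sh is a real failure.
  failed_when: install_cert_result.rc != 0 and "Reload error for" not in install_cert_result.stderr

- name: Place monitoring script
  become: true
  copy:
    src: files/certificate-validity.sh
    dest: /root/.acme.sh/certificate-validity.sh
    mode: "0700"

# NOTE(review): the entry name says "each minute" but the schedule below runs
# every 10 minutes. The name is the cron entry's identifier, so renaming it
# would add a second entry unless the old name is first removed with
# `state: absent`; it is therefore left as is.
- name: Ensure monitoring data is updated
  become: true
  cron:
    name: "Update acme.sh monitoring data each minute"
    minute: "*/10"
    hour: "*"
    job: "/root/.acme.sh/certificate-validity.sh"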