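---
# Obtain Let's Encrypt certificates with certbot (webroot challenge) and expose
# them to nginx through stable symlinks under /etc/nginx/certs/.
#
# Inputs read from inventory / role vars (all optional):
#   certbot_certs  dict {name: {links: [path-prefixes], hooks: [commands]}}
#   http_sites     dict of sites; an entry with `use_cerbot: true` (sic - the
#                  key is spelled without the second "t" and is read as-is from
#                  inventory, so it must not be renamed here) gets a certificate
#                  and a /etc/nginx/certs/<name>.{crt,key} link pair
#   ip_LE_proxy    IP that the ACME API / OCSP hostnames are pinned to
#   certbot_email  contact address for the ACME account; when unset the account
#                  is registered without one (previous behaviour)

- name: Install certbot
  apt:
    update_cache: true
    name: certbot
    state: latest

# Pin the ACME API and the OCSP responder hostname to a local proxy for hosts
# without direct outbound access. certbot still verifies the upstream TLS
# certificate, so the proxy has to pass the TLS connection through (TCP/SNI
# proxy); a TLS-terminating proxy makes every certbot call fail. The OCSP
# hostname depends on the issuing intermediate and may need updating when
# Let's Encrypt rotates intermediates. `search_string` needs ansible-core 2.11+.
- name: Add LE proxy to /etc/hosts
  lineinfile:
    path: /etc/hosts
    line: "{{ ip_LE_proxy }} {{ item }}"
    insertafter: "# Ansible managed:"
    search_string: "{{ item }}"
  when: ip_LE_proxy is defined
  loop:
    - "acme-v02.api.letsencrypt.org"
    - "r3.o.lencr.org"

- name: Collect certificates declared in inventory
  set_fact:
    all_certbot_certs: "{{ certbot_certs | default({}) }}"

# Every http_sites entry that opted in gets a cert named after the site, a
# link under /etc/nginx/certs/ and an nginx reload as post-hook.
- name: Collect certificates for nginx websites
  set_fact:
    all_certbot_certs: >-
      {{ all_certbot_certs | combine({item: {'links': ['/etc/nginx/certs/' + item],
      'hooks': ['systemctl reload nginx']}}) }}
  loop: >-
    {{ http_sites | default({}) | dict2items
    | selectattr('value.use_cerbot', 'defined')
    | selectattr('value.use_cerbot', '==', True)
    | map(attribute='key') | list }}

# The links are created before certbot runs, so they dangle until the first
# certificate is issued; nginx must not load them before that point. The
# webroot challenge itself needs nginx serving HTTP, so the bootstrap order is
# presumably handled by the nginx role - TODO confirm.
- name: Create certificate links
  file:
    src: "/etc/letsencrypt/live/{{ item.0.key }}/fullchain.pem"
    dest: "{{ item.1 }}.crt"
    state: link
    force: true
  loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"

# The private key stays root-only under /etc/letsencrypt; the link does not
# loosen its permissions, nginx reads it as root at startup.
- name: Create key links
  file:
    src: "/etc/letsencrypt/live/{{ item.0.key }}/privkey.pem"
    dest: "{{ item.1 }}.key"
    state: link
    force: true
  loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"

# Issue one certificate per entry. `creates` makes the task idempotent: it is
# skipped once cert.pem exists and renewal is left to certbot's own timer.
# Consequences of running the command only once:
#   - the --post-hook is frozen into the renewal config at first issuance;
#     editing `hooks` later has no effect until the cert is deleted/re-issued;
#   - a later certbot_email is not applied to an already registered account.
# certbot appends /.well-known/acme-challenge/ to --webroot-path, so the nginx
# location serving the challenge must map to
# /var/www/well-known/acme-challenge/.well-known/acme-challenge/ - TODO confirm
# against the nginx configuration.
# Without certbot_email the ACME account has no contact address and Let's
# Encrypt cannot send expiry or revocation notices.
# Domain and hook strings come from inventory; `quote` shell-escapes them so a
# hook containing a quote cannot break (or extend) the command line.
- name: Generate Certificate for Domains
  shell: >-
    certbot certonly --agree-tos --non-interactive
    {% if certbot_email is defined %}--email {{ certbot_email | quote }} --no-eff-email{% else %}--register-unsafely-without-email{% endif %}
    --domain {{ item.key | quote }}
    --webroot --webroot-path /var/www/well-known/acme-challenge
    {% if item.value.hooks is defined %}--post-hook {{ item.value.hooks | join('; ') | quote }}{% endif %}
  args:
    creates: "/etc/letsencrypt/live/{{ item.key }}/cert.pem"
  loop: "{{ all_certbot_certs | dict2items }}"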