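---
# Bootstraps a dockerised certbot on the host: installs the compose plugin,
# lays out /srv/certbot, drops the nginx TLS snippet, starts the compose
# stack and seeds a throw-away self-signed certificate so nginx can come up
# before the first real issuance.
#
# Expects `domain_name` to be supplied by the caller (inventory/vars).
# The compose file and the container name `certbot` come from
# templates/docker-compose.yaml, which is not part of this file.

- name: install base apps
  apt:
    force_apt_get: true  # real boolean; `yes` is a YAML 1.1 truthy string
    name:
      - docker-compose-v2

# `state: directory` already creates missing parents; `recurse` only
# re-applies owner/mode to existing children and is not needed here.
- name: base path
  file:
    path: "/srv/certbot/{{ item }}"
    state: directory
  loop:
    - www
    - etc

- name: copy docker-compose
  template:
    src: templates/docker-compose.yaml
    dest: /srv/certbot/docker-compose.yaml
  register: dockercompose

# Disabled: the nginx vhost is managed elsewhere. Kept commented so the
# `nginxconf is defined` guard in the restart task below stays meaningful
# if this task is ever re-enabled.
#- name: nginx config
#  template:
#    src: templates/nginx.conf
#    dest: /srv/nginx/conf.d/certbot.conf
#  register: nginxconf

# TLS parameters included by the nginx vhost. Generated from the Mozilla
# "modern" profile: TLS 1.3 only, no session tickets, HSTS (two years, no
# includeSubDomains/preload - add those deliberately once every subdomain
# serves HTTPS), OCSP stapling.
# NOTE(review): `ssl_stapling_verify on` needs the issuer chain, which
# fullchain.pem provides for the real certificate; with the self-signed
# placeholder nginx will only log a stapling warning, it does not fail.
- name: nginx options
  copy:
    dest: /srv/certbot/etc/options-ssl-nginx.conf
    mode: "0644"  # configuration only, no key material
    content: |
      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
      ssl_session_tickets off;
      # modern configuration
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers off;
      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;
      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
  register: sslopts

# The placeholder private key is written into this directory, so it is
# created with the default umask rather than world-writable.
# NOTE(review): certbot may refuse to issue into a pre-existing
# live/<domain> that holds regular files instead of its own symlinks -
# confirm the compose entrypoint removes the placeholder before the first
# `certbot certonly`.
- name: create the dir for the cert if needed
  file:
    path: "/srv/certbot/etc/live/{{ domain_name }}"
    state: directory

- name: launch certbot
  command: docker compose up -d
  args:
    chdir: /srv/certbot

# Self-signed, CN=localhost, unencrypted (-nodes) key: this only exists so
# nginx has *something* to load on first boot; it is never trusted by
# clients. `creates` checks the host-side path, assuming /srv/certbot/etc is
# bind-mounted at /etc/letsencrypt inside the container (compose template
# not visible here - verify).
- name: seed a fake cert if needed
  command: "docker exec -t certbot openssl req -nodes -new -x509 -subj '/CN=localhost' -out /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem -keyout /etc/letsencrypt/live/{{ domain_name }}/privkey.pem"
  args:
    chdir: /srv/certbot
    creates: "/srv/certbot/etc/live/{{ domain_name }}/fullchain.pem"
  register: mkcert

# Single restart for every trigger. `nginxconf` is only registered by the
# disabled task above, so it must be guarded with `is defined` - an
# unconditional `nginxconf.changed` aborts the play with an undefined
# variable error. A changed options-ssl-nginx.conf is also picked up,
# otherwise edits to the TLS snippet were never applied.
- name: restart certbot
  command: docker compose restart
  args:
    chdir: /srv/certbot
  when: >-
    mkcert is changed
    or dockercompose is changed
    or sslopts is changed
    or (nginxconf is defined and nginxconf is changed)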