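---
# Certbot bootstrap for a docker-compose based nginx/certbot pair.
#
# What these tasks do (in order):
#   1. install docker compose from apt,
#   2. create /srv/certbot/{www,etc} (ACME webroot and the letsencrypt state dir,
#      bind-mounted into the certbot container as /var/www/certbot and
#      /etc/letsencrypt),
#   3. render the compose file and the shared nginx TLS snippet,
#   4. obtain the very first certificate with a one-off `certbot certonly
#      --standalone` container so nginx has something to load on its first start.
#
# The "certbot up" / "certbot restart" handlers are notified here but defined
# outside this file; the commented-out tasks at the bottom document their intent.
#
# Required variables: domain_name, admin_email.

- name: install base apps
  apt:
    # Ansible's truthy values are spelled true/false, not yes/no.
    force_apt_get: true
    name:
      - docker-compose-v2

# `state: directory` already creates missing parents, and `recurse` only
# matters when owner/group/mode are given (they are not), so it is omitted.
# NOTE(review): /srv/certbot/etc ends up holding the ACME account key and the
# certificate private keys (certbot writes them below archive/). It is created
# with the default umask here; consider a root-only mode if nothing outside the
# certbot/nginx containers needs to read it — verify how the nginx container
# mounts it before tightening.
- name: base path
  file:
    path: "/srv/certbot/{{ item }}"
    state: directory
  loop:
    - www
    - etc

- name: copy docker-compose
  template:
    src: templates/docker-compose.yaml
    dest: /srv/certbot/docker-compose.yaml
  notify:
    - certbot up
    - certbot restart

# Shared TLS snippet, meant to be `include`d from the nginx server blocks.
# Two nginx gotchas worth knowing before editing it:
#   * `add_header` directives are not inherited additively: any `add_header`
#     inside a nested location replaces all inherited ones, so the HSTS
#     header can silently disappear from such locations.
#   * `ssl_stapling_verify on` needs a `resolver` and, for a verified chain,
#     `ssl_trusted_certificate` in the enclosing nginx config; without them
#     nginx logs a warning and stapling is effectively disabled.
- name: nginx options
  copy:
    dest: /srv/certbot/etc/options-ssl-nginx.conf
    content: |
      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
      ssl_session_tickets off;

      # modern configuration
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers off;

      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;

      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
  notify:
    - certbot up
    - certbot restart

- name: create the dir for the cert if needed
  file:
    path: "/srv/certbot/etc/live/{{ domain_name }}"
    state: directory

# First issuance. The standalone authenticator binds host port 80 itself, so
# this must run before the compose stack (and its nginx) is up; `creates`
# makes it a no-op once fullchain.pem exists, renewals are left to the
# long-running container.
# `| quote` keeps a value containing whitespace or shell metacharacters from
# being split into extra arguments when the command module tokenises the line.
# NOTE(review): `certbot/certbot` is an unpinned tag; pin a version or digest
# so the host does not pick up a new image on every first run.
- name: seed a cert if needed
  command: >-
    docker run
    --volume /srv/certbot/etc:/etc/letsencrypt
    --volume /srv/certbot/www:/var/www/certbot
    -p 80:80 --rm -t certbot/certbot certonly
    --agree-tos --email {{ admin_email | quote }}
    --standalone --noninteractive
    --cert-name {{ domain_name | quote }}
    --domains {{ domain_name | quote }}
  args:
    chdir: /srv/certbot
    creates: "/srv/certbot/etc/live/{{ domain_name }}/fullchain.pem"
  notify:
    - certbot up
    - certbot restart

#- name: launch certbot
#  command: docker compose up -d
#  args:
#    chdir: /srv/certbot
#
#- name: restart certbot
#  command: docker compose restart
#  args:
#    chdir: /srv/certbot
#  when: dockercompose.changed or nginxconf.changed or mkcert.changed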