---
# file: acmetool/tasks/main.yml

- name: ensure acmetool is installed
  # Distro package only; no apt cache refresh is requested here, so a stale
  # cache (if any) has to be handled by an earlier role or play.
  apt:
    state: present
    name: acmetool
  tags: [acmetool, packages]

- name: ensure we have our response file
  # Answers consumed by `acmetool quickstart --batch` further down. The file
  # name is misspelled ("reponses") but the quickstart task uses the same
  # spelling, so both must change together if it is ever fixed.
  # NOTE(review): world-readable (0644) is fine only while the template holds
  # no secrets (ACME account e-mail / server URL are not secret); tighten to
  # 0600 if anything sensitive is ever added to response-file.yml.j2.
  template:
    src: response-file.yml.j2
    dest: /var/lib/acme/quickstart-reponses.yml
    mode: "0644"
    owner: root
    group: root
  tags: [acmetool, config]

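- name: check if acmetool is configured
  # Read-only probe whose stdout drives the `when` of the quickstart task
  # below. It must also run in check mode: a skipped command leaves
  # acmetool_status without a stdout and the later condition blows up.
  command: acmetool status
  register: acmetool_status
  changed_when: false
  check_mode: false
  # NOTE(review): if `acmetool status` exits non-zero on a host that has
  # never been configured, this task fails the play before quickstart can
  # run — confirm on a fresh host and add a failed_when if that is the case.
  tags:
    - acmetool
    - config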

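- name: initially configure acmetool
  # One-shot, non-interactive setup driven by the response file written
  # above (same misspelled path). A folded scalar keeps the long command on
  # one logical line without a yamllint override.
  command: >-
    acmetool quickstart --expert --batch
    --response-file /var/lib/acme/quickstart-reponses.yml
  # Literal substring check: the `search` test treats acmetool_endpoint as a
  # regular expression, and an endpoint is a URL, so characters such as
  # '.', '+' or '?' were interpreted instead of matched verbatim.
  # Note this only ever runs once; later changes to the response file are
  # not re-applied by this task.
  when: acmetool_endpoint not in acmetool_status.stdout
  tags:
    - acmetool
    - config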

- name: ensure acmetool reloads the right service
  # Renders /etc/default/acme-reload; per the task name this is what
  # acmetool's reload hook reads to decide which services to restart after a
  # certificate change — verify against reload-config.j2.
  template:
    src: reload-config.j2
    dest: /etc/default/acme-reload
    mode: "0644"
    owner: root
    group: root
  tags: [acmetool, config]

- name: ensure we can modify the systemd unit
  # Drop-in directory for acmetool.service overrides; only created when the
  # nginx-proxy integration is requested. There is no removal counterpart,
  # so it stays behind if 'nginx-proxy' is later dropped from the list.
  file:
    state: directory
    path: /etc/systemd/system/acmetool.service.d
    mode: "0755"
    owner: root
    group: root
  when: '"nginx-proxy" in acmetool_services'
  notify: reload systemd service files
  tags: [acmetool, services]

- name: ensure systemd waits for the right service
  # Static drop-in (ordering override, per the task name) installed next to
  # the unit; like the directory task above it is never removed when the
  # nginx-proxy integration is switched off.
  copy:
    src: service-after.conf
    dest: /etc/systemd/system/acmetool.service.d/nginx-proxy.conf
    mode: "0644"
    owner: root
    group: root
  when: '"nginx-proxy" in acmetool_services'
  notify: reload systemd service files
  tags: [acmetool, services]

- name: ensure the desired certificates are configured
  # One "desired" file per certificate, named after its first hostname. The
  # deactivation task below derives the same name, so keep them in sync.
  # Hostnames are operator-supplied vars and are used verbatim as a path
  # component; a certificate entry with an empty hostnames list will fail here.
  template:
    src: desired.conf
    dest: "/var/lib/acme/desired/{{ item.hostnames[0] }}"
    mode: "0644"
    owner: root
    group: root
  loop: "{{ acmetool_certificates | flatten(levels=1) }}"
  notify: update certificates
  tags: [acmetool, certificates]

- name: get activated certificates
  # Enumerate every regular file currently under desired/ so the next task
  # can prune the ones no longer listed in acmetool_certificates.
  find:
    paths: /var/lib/acme/desired
    patterns: "*"
    file_type: file
  register: active_certificates
  tags: [acmetool, certificates]

- name: deactivate unconfigured certificates
  # Remove desired/ entries whose basename is not the first hostname of any
  # configured certificate (the inverse of the template task above).
  file:
    state: absent
    path: "/var/lib/acme/desired/{{ item }}"
  loop: >-
    {{ active_certificates.files | map(attribute='path') | map('basename')
    | difference(acmetool_certificates | map(attribute='hostnames') | map('first'))
    | list }}
  loop_control:
    label: "{{ item }}"
  notify: update certificates
  tags: [acmetool, certificates]

- name: test if the desired certificates are present
  # Nothing is written here: the task reports "changed" (and so fires the
  # handler) for every desired certificate that has no live/ entry yet.
  stat:
    path: "/var/lib/acme/live/{{ item.hostnames[0] }}"
  register: live_stat
  changed_when: "not live_stat.stat.exists"
  loop: "{{ acmetool_certificates | flatten(levels=1) }}"
  notify: update certificates
  tags: [acmetool, certificates]

- name: ensure certificates are updated regularly
  # The package's systemd timer drives periodic renewal; enable it at boot
  # and make sure it is running now.
  systemd:
    name: acmetool.timer
    state: started
    enabled: true
  tags: [acmetool, services]