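# Prepare the lego ACME client: merge config, create the service user and
# working directory, fetch the binary and assemble the lego command line.
- name: set acme_cfg
  set_fact:
    # role defaults first, operator-supplied acme_config wins on conflicts
    acme_cfg: "{{ acme_default_config | d({}) | combine(acme_config | d({}), recursive=true) }}"

- name: determine host architecture
  include_tasks: tasks/get_host_arch.yml

- name: create user and group
  include_tasks: tasks/create_user.yml
  vars:
    user:
      name: "{{ lego_user }}"
      group: "{{ lego_group }}"
      create_home: false

- name: create lego working dir
  file:
    path: "{{ lego_dir }}"
    state: directory
    # quoted so the YAML parser cannot reinterpret the octal mode
    mode: "0700"

- name: get and extract latest lego version
  include_tasks: tasks/get_lastversion.yml
  vars:
    package:
      name: go-acme/lego
      location: github
      assets: true
      asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"
      file: "{{ lego_dir }}/last_version"
      extract: "{{ lego_dir }}"

# Best effort: leftovers from the archive are not needed, ignore failures.
- block:
    - name: remove unnecessary files
      file:
        path: "{{ (lego_dir, item) | path_join }}"
        state: absent
      loop:
        - LICENSE
        - CHANGELOG.md
  rescue:
    - meta: noop

- name: set lego parameters
  set_fact:
    # Every operator-supplied value goes through `quote` because the result
    # is later executed through the shell module.
    # The zip_longest trick yields one '--domains <name>' entry per domain.
    # NOTE(review): acme_cfg.staging, endpoint_staging and endpoint_prod
    # have no defaults here - presumably acme_default_config provides them;
    # confirm, otherwise this task fails when they are unset.
    lego_params: >-
      {{ [
           ([] | zip_longest(acme_domains | d([]) | select() | map('quote'),
                             fillvalue='--domains ') | map('join') | list),
           '--server ' ~ ((acme_cfg.endpoint_staging if acme_cfg.staging else acme_cfg.endpoint_prod) | quote),
           '--accept-tos',
           '--email ' ~ (acme_cfg.email | d(maintainer_email) | quote),
           '--key-type ec384',
           '--path ' ~ (lego_dir | quote),
           '--dns acme-dns',
           '--dns.resolvers ' ~ (acme_cfg.resolver | d('1.1.1.1') | quote),
           '--dns.disable-cp'
         ] | flatten(levels=1) | select() | list | join(' ') }}
    # extra flags used only by the renew sub-command
    lego_renewal_params: >-
      {{ [
           (('--days ' ~ (acme_cfg.renew_at_days | quote)) if acme_cfg.renew_at_days is defined else ''),
           ('--reuse-key' if acme_cfg.reuse_key | d(false) == true else ''),
           ('--no-random-sleep' if acme_cfg.no_random_sleep | d(true) == true else '')
         ] | flatten(levels=1) | select() | list | join(' ') }}
    lego_preferred_chain: >-
      {{ '--preferred-chain ' ~ (acme_cfg.preferred_chain | quote) if acme_cfg.preferred_chain is defined else '' }}

- name: check if lastrun file exists
  stat:
    path: "{{ lego_lastrun_file }}"
    get_checksum: false
    get_mime: false
  register: result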
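- name: set initial reissue value
  set_fact:
    lego_must_reissue: true
    # The lego binary path is shell-quoted like every other argument so a
    # lego_dir containing spaces or shell metacharacters cannot split the
    # command line. `quote` leaves plain paths untouched, so a lastrun file
    # written by the previous command string still compares equal.
    lego_full_command: "{{ (lego_dir, 'lego') | path_join | quote }} {{ lego_params }} run {{ lego_preferred_chain }}"
    lego_renew_command: "{{ (lego_dir, 'lego') | path_join | quote }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"

# The lastrun file holds the exact command of the last issuance; any change
# to it (domains, endpoint, chain, ...) forces a reissue.
- block:
    - name: get lastrun file contents
      slurp:
        path: "{{ lego_lastrun_file }}"
      register: file_content
      no_log: true

    - name: determine if cert should be reissued
      set_fact:
        lego_must_reissue: "{{ (file_content.content | b64decode) != lego_full_command }}"
  when: result.stat.exists

- block:
    - name: issue cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_cfg.server }}"
        ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file | d((lego_dir, 'accounts.conf') | path_join) }}"
      register: result
      # run as the unprivileged lego user; Alpine has no sudo by default
      become: true
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ lego_user }}"
      when: lego_must_reissue
  rescue:
    # Give an operator the chance to intervene before the single retry.
    - pause:
      when: interactive | d(false) == true

    - name: retry issuing cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_cfg.server }}"
        ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file | d((lego_dir, 'accounts.conf') | path_join) }}"
      register: result
      become: true
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ lego_user }}"

# Only reached when issuance succeeded (a failed retry aborts the play).
- block:
    - name: save data to lastrun file
      copy:
        content: "{{ lego_full_command }}"
        dest: "{{ lego_lastrun_file }}"
        remote_src: true

    - name: defer service restart
      debug:
        msg: deferring service restart
      changed_when: true
      notify: "{{ lego_notify }}"
      when: lego_notify is defined
  when: lego_must_reissue

- block:
    - name: template systemd files
      template:
        src: "{{ item.src }}.j2"
        dest: "{{ ('/etc/systemd/system', item.dst) | path_join }}"
        force: true
        lstrip_blocks: true
      loop:
        - { src: 'lego_systemd', dst: 'lego.service' }
        - { src: 'lego_timer', dst: 'lego.timer' }
      notify: reload systemd daemons

    - name: enable lego timer
      systemd:
        name: lego.timer
        state: started
        enabled: true
  when: ansible_distribution in ['Debian', 'Ubuntu']

# TODO: restart script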