- name: define some acme parameters
  set_fact:
    acme_staging: "{{ (ca_options | d({}) | combine(item)).acme_staging | d(false) }}"
    acme_upgrade_int_ca: "{{ cert_info is defined and ((cert_info.ocsp_uri is not defined) or (cert_info.ocsp_uri == None)) }}"


- name: determine if acme cert generation will be forced
  set_fact:
    acme_forced: "{{ acme_upgrade_int_ca or (always_update_acme is defined) }}"


- name: slurp account key from ca
  slurp:
    src: "{{ ca_dir ~ '/acme-' ~ ('staging' if acme_staging == true else 'main') ~ '.' ~ ca_key_ext }}"
  register: acme_account_key
  delegate_to: "{{ services.ca.hostname }}"


- name: define args for acme certificate generation
  set_fact:
    acme_common_args:
      account_key_content: "{{ acme_account_key.content | b64decode }}"
      account_key_passphrase: "{{ ca_acme_account_key_password }}"
      acme_directory: "{%- if (acme_staging == false) or (acme_staging == None) -%}{{ ca_acme_endpoint | d('https://acme-v02.api.letsencrypt.org/directory') }}\
                       {%- else -%}{{ ca_acme_staging_endpoint | d('https://acme-staging-v02.api.letsencrypt.org/directory') }}\
                       {%- endif -%}"
      acme_version: "{{ ca_acme_version | d(2) }}"
    acme_extra_args:
      challenge: dns-01
      csr_content: "{{ csr.csr }}"
      fullchain_dest: "{{ cert_path if ((ca_options | d({}) | combine(item)).concat_inter | d(true) == true) else omit }}"
      dest: "{{ cert_path if ((ca_options | d({}) | combine(item)).concat_inter | d(true) == false) else omit }}"
      modify_account: no
      remaining_days: 45
      force: "{{ acme_forced }}"
      terms_agreed: yes


- name: generate acme challenge request
  community.crypto.acme_certificate:
  args: "{{ acme_common_args | combine(acme_extra_args) }}"
  register: challenge
  changed_when: no


- block:
  - name: unset challenge_records
    set_fact:
      challenge_records: "{{ [] }}"


  - name: fill challenge records
    set_fact:
      challenge_records: "{{ challenge_records + [{
        'name': item2.key | regex_search('(.*).' ~ (tld | regex_escape()), '\\1') | first,
        'type': 'TXT',
        'value': item2.value[0]
      }] }}"
    loop: "{{ challenge['challenge_data_dns'] | dict2items }}"
    loop_control:
      loop_var: item2


  - include_tasks: gen_acme_include.yml


  - block:
      - name: revoke cert if it already exists
        community.crypto.acme_certificate_revoke:
          certificate: "{{ cert_path }}"
          revoke_reason: 4
        args: "{{ acme_common_args }}"
        when: (cert_exists is defined) and cert_exists.stat.exists and not acme_upgrade_int_ca

    rescue:
      - debug:
          msg: failed to revoke certificate, ignoring


  - name: finalize acme challenge request
    community.crypto.acme_certificate:
      data: "{{ challenge }}"
    args: "{{ acme_common_args | combine(acme_extra_args) }}"
    notify: "{{ ca_options.notify | d(omit) }}"

  when: (challenge.cert_days is not defined) or (challenge.cert_days < 45) or acme_forced