---
# These tasks run in a loop for each domain so that we can check for existing certificates
# and only order new ones if they don't already exist.

- name: "Check for an existing certificate for {{ acme_domain.domain }}"
  ansible.builtin.stat:
    path: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.crt"
  register: lego_cert
  delegate_to: localhost
  tags: lego

- name: Instruct lego to register an account and order a new certificate if one doesn't already exist.
  set_fact:
    lego_command:  "{{ 'renew' if lego_cert.stat.exists else 'run'}}"
  delegate_to: localhost
  tags: lego

- name: Order acme certificates without waiting for propogation of TXT record to all authoritative name servers.
  ansible.builtin.command: 
    cmd: >
        lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --dns.disable-cp --accept-tos {{ lego_command }}
  register: lego_result
  delegate_to: localhost
  changed_when: False
  ignore_errors: true
  tags: lego
  environment:
#   EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
#   EASYDNS_KEY: "{{ EASYDNS_KEY }}"
    NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
    NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
  
- name: Print lego output with dns.disable-cp
  ansible.builtin.debug:
    var: lego_result
  delegate_to: localhost
  tags: lego

  # --dns.disable-cp: disables the need to wait the propagation of the TXT record to all authoritative name servers.
  # I haven't yet figured out why it only works sporadically with or without this option.
- name: Retry the last command if necessary, but wait for propogation of TXT record to all authoritative name servers.
  ansible.builtin.command: 
    cmd: >
        lego --path {{ lego_path }} --dns {{ acme_domain.provider }} --domains {{ acme_domain.domain }} --email {{ acme_email }} --accept-tos {{ lego_command }}
  when: lego_result.failed
  register: lego_result
  delegate_to: localhost
  changed_when: False
  tags: lego
  environment:
#   EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
#   EASYDNS_KEY: "{{ EASYDNS_KEY }}"
    NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
    NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
  
- name: Print lego output without dns.disable-cp
  ansible.builtin.debug:
    var: lego_result
  delegate_to: localhost
  tags: lego

- name: "Copy certificate files for {{ acme_domain.domain }}."
  ansible.builtin.copy:
    src: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.{{ file_extension }}"
    dest: "{{ acme_path }}/certificates/"
    owner: "{{ acme_system_user }}"
    group: "{{ acme_system_group }}"
    mode: '0640'
  tags: lego
  loop:
    - crt
    - key
    - issuer.crt
  loop_control:
    loop_var: file_extension