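---
# Make sure every hostname in acmetool_cert_hostnames has an entry under
# /var/lib/acme/live. Hostnames without one are linked to the existing
# self-signed interim certificate. The certificate file paths of the first
# hostname are then exported as facts.

- name: check if acme certs already exist
  stat:
    path: "/var/lib/acme/live/{{ acme_hostname }}"
  loop: "{{ acmetool_cert_hostnames }}"
  loop_control:
    loop_var: acme_hostname
  register: acme_cert_stat

# acme_cert_nonexistent is a custom filter defined outside this file.
# Presumably it returns the hostnames whose stat result shows no existing
# path; confirm against the filter plugin.
- name: set acmecert_missing_hostnames variable
  set_fact:
    acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(acmetool_cert_hostnames) }}"

- name: link nonexistent hostnames to self-signed interim cert
  when: acmecert_missing_hostnames | length > 0
  block:
    # Read-only lookup: never reported as changed, and run in check mode too
    # so the tasks below have a value to work with.
    - name: get id of existing selfsigned interim certificate
      command: cat /var/lib/acme/.selfsigned-interim-cert
      changed_when: false
      check_mode: false
      register: selfsigned_interim_cert_id

    # The id is interpolated unmodified into the link target below. An empty
    # value would link each hostname to the certs directory itself, and a
    # multi-line value would yield a path containing newlines, so stop here
    # instead of creating a broken link and notifying the reload handler.
    - name: verify selfsigned interim certificate id is usable
      assert:
        that:
          - selfsigned_interim_cert_id.stdout_lines | length == 1
          - selfsigned_interim_cert_id.stdout | trim | length > 0
        msg: >-
          /var/lib/acme/.selfsigned-interim-cert must contain exactly one
          non-empty line holding the interim certificate id

    # Replaces the registered command result with its plain stdout string.
    - name: set selfsigned_interim_cert_id variable
      set_fact:
        selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"

    # src is relative, so it resolves from /var/lib/acme/live to
    # /var/lib/acme/certs/<id>. Hostnames linked here are served with the
    # self-signed certificate for as long as the link stays in place.
    - name: link to snakeoil cert for nonexistent hostnames
      file:
        src: "../certs/{{ selfsigned_interim_cert_id }}"
        dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
        state: link
      loop: "{{ acmecert_missing_hostnames }}"
      loop_control:
        loop_var: acme_missing_hostname
      notify: reload services for x509 certificates

# Only the first entry of acmetool_cert_hostnames is used for the exported
# paths; the list is indexed without an emptiness check.
- name: export paths to certificate files
  set_fact:
    x509_certificate_path_key: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/privkey"
    x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
    x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain"
    x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"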