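---
# Tasks for provisioning acmetool-managed certificates for one certificate
# name (acmetool_cert_name) covering acmetool_cert_hostnames. Hostnames that
# have no live cert yet are pointed at the self-signed interim certificate so
# dependent services can start before the first ACME issuance, and an optional
# renewal hook (x509_certificate_renewal) is installed or removed.

- name: check if acme certs already exist
  loop: "{{ acmetool_cert_hostnames }}"
  loop_control:
    loop_var: acme_hostname
  stat:
    path: "/var/lib/acme/live/{{ acme_hostname }}"
  register: acme_cert_stat

# acme_cert_nonexistent is a project filter (not shown here); it is expected to
# reduce the stat results to the hostnames whose live directory is missing.
- name: set acmecert_missing_hostnames variable
  set_fact:
    acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(acmetool_cert_hostnames) }}"

- name: link nonexistent hostnames to self-signed interim cert
  when: acmecert_missing_hostnames | length > 0
  block:
    # Read-only lookup: changed_when false keeps it idempotent and
    # check_mode false makes the id available to the tasks below in --check.
    - name: get id of existing selfsigned interim certificate
      command: cat /var/lib/acme/.selfsigned-interim-cert
      changed_when: false
      check_mode: false
      register: selfsigned_interim_cert_id

    - name: set selfsigned_interim_cert_id variable
      set_fact:
        selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"

    # Relative symlink target so the link stays valid if /var/lib/acme is
    # moved; the handler reloads consumers so they pick up the interim cert.
    - name: link to snakeoil cert for nonexistent hostnames
      loop: "{{ acmecert_missing_hostnames }}"
      loop_control:
        loop_var: acme_missing_hostname
      file:
        src: "../certs/{{ selfsigned_interim_cert_id }}"
        dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
        state: link
      notify: reload services for x509 certificates

# Exported for consuming roles; all paths are derived from the first hostname,
# which acmetool uses as the live directory name for this certificate.
- name: export paths to certificate files
  set_fact:
    x509_certificate_path_key: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/privkey"
    x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
    x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain"
    x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"

- name: setup custom renewal script
  when: x509_certificate_renewal is defined
  block:
    # The hook is executable and must not be group/world writable; the mode is
    # quoted so YAML does not parse 0755 as an integer (Ansible recommends
    # quoted octal modes; an unquoted leading-zero value can misbehave).
    - name: install custom hook script
      template:
        src: reload.sh.j2
        dest: "/etc/acme/hooks/{{ acmetool_cert_name }}"
        mode: "0755"

    # Drop-in that widens the acmetool unit's writable paths only to the
    # directories holding install targets, keeping the rest of the sandbox
    # intact (presumably the base unit restricts writes — confirm).
    - name: install acmetool systemd unit snippet
      when: "'install' in x509_certificate_renewal"
      copy:
        dest: "/etc/systemd/system/acmetool.service.d/{{ acmetool_cert_name }}.conf"
        content: |
          [Service]
          {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
          ReadWritePaths={{ path }}
          {% endfor %}
      notify: reload systemd

    - name: remove acmetool systemd unit snippet
      when: "'install' not in x509_certificate_renewal"
      file:
        path: "/etc/systemd/system/acmetool.service.d/{{ acmetool_cert_name }}.conf"
        state: absent
      notify: reload systemd

# Inverse of the block above: clean up both the hook and the drop-in when the
# renewal configuration is removed, so no stale write allowances remain.
- name: remove custom renewal script
  when: x509_certificate_renewal is not defined
  loop:
    - "/etc/systemd/system/acmetool.service.d/{{ acmetool_cert_name }}.conf"
    - "/etc/acme/hooks/{{ acmetool_cert_name }}"
  loop_control:
    loop_var: acme_renewal_script_files
  file:
    path: "{{ acme_renewal_script_files }}"
    state: absent
  notify: reload systemd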