---

- name: SET_FACT | Assign default...
  ansible.builtin.set_fact:
    acme_create: []

- name: STAT | Check if certificates are already installed
  ansible.builtin.stat:
    path: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
  loop: "{{ nginx_ssl_pairs }}"
  when: item.acme is defined and item.acme
  register: acme_installed_certs

- name: SET_FACT | Assign var with certificates to create
  ansible.builtin.set_fact:
    acme_create: "{{ acme_create | default([]) + [(item.item)] }}"
  loop: "{{ acme_installed_certs.results }}"
  when: item.skipped is not defined and (not item.stat.exists or item.stat.size == 0)

- name: BLOCK | Start acme
  block:

    - name: TEMPLATE | Create fake site
      ansible.builtin.template:
        src: "etc/nginx/conf.d/FAKESITE.conf.j2"
        dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
        mode: 0644
        owner: root
        group: root
      loop: "{{ acme_create }}"
      register: fake_site
      notify: Restart nginx

    - name: TEMPLATE | Create fake site
      ansible.builtin.template:
        src: "etc/nginx/conf.d/FAKESITE.conf.j2"
        dest: "/tmp/FAKESITE_{{ item | nginx_site_name }}.conf"
        mode: 0644
        owner: root
        group: root
      loop: "{{ acme_create }}"

    - name: FILE | Delete current site if needed  # noqa: no-handler
      ansible.builtin.file:
        path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}"
        state: absent
      loop: "{{ acme_create }}"
      when: fake_site.changed
      notify: Restart nginx

    - name: META | Ensure nginx is restarted if needed
      ansible.builtin.meta: flush_handlers

    - name: COMMAND | Get certificates
      ansible.builtin.command: |
        {{ nginx_acmesh_bin }}
          --home {{ nginx_acmesh_dir }}
          --issue{% for s in nginx_sites | nginx_search_by_ssl_name(item.name) | nginx_all_site_names %} -d {{ s }}{% endfor %}
          --nginx
          {% if nginx_acmesh_test %}--test --log{% endif %}
      args:
        creates: "{{ nginx_acmesh_dir }}/{{ item | nginx_site_name }}/fullchain.cer"
      loop: "{{ acme_create }}"
      register: acme_get
      failed_when: acme_get.rc != 0 and acme_get.rc != 2
      no_log: "{{ not nginx_debug_role }}"

    - name: FILE | Create SSL dir per site
      ansible.builtin.file:
        path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}"
      loop: "{{ acme_create }}"

    - name: COMMAND | Install certificates
      ansible.builtin.command: |
        {{ nginx_acmesh_bin }}
          --home {{ nginx_acmesh_dir }}
          --install-cert -d {{ nginx_sites | nginx_search_by_ssl_name(item | nginx_site_name) | nginx_site_name }}
          --fullchain-file {{ item | nginx_cert_path(nginx_ssl_dir) }}
          --key-file {{ item | nginx_key_path(nginx_ssl_dir) }}
          --reloadcmd "service nginx reload"
      args:
        creates: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
      loop: "{{ nginx_ssl_pairs }}"
      when: item.acme is defined and item.acme
      notify: Restart nginx

  rescue:

    - name: FAIL | Explicit
      ansible.builtin.fail:
        msg: "Something is bad... Auto crash!"

  always:

    - name: FILE | Delete fake sites
      ansible.builtin.file:
        path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
        state: absent
      loop: "{{ acme_create }}"
      notify: Restart nginx

    - name: META | Flush handlers
      ansible.builtin.meta: flush_handlers