---

- name: Generate DH if needed
  when: nginx_dh is not string
  block:

    - name: STAT | Get info about DH file
      ansible.builtin.stat:
        path: "{{ nginx_dh_path }}"
        get_checksum: false
      register: stat_dh_file

    - name: SHELL | Get info about DH file
      ansible.builtin.shell: |
        set -o pipefail &&
        openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
      args:
        executable: /bin/bash
      changed_when: false
      register: dh_info
      when: stat_dh_file.stat.exists

    - name: COMMAND | Generate DH file  # noqa: no-changed-when
      ansible.builtin.command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
      when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int)
      notify: Restart nginx

- name: COPY | Deploy DH file from vars
  ansible.builtin.copy:
    content: "{{ nginx_dh }}"
    dest: "{{ nginx_dh_path }}"
    owner: root
    group: root
    mode: 0640
  when: nginx_dh is string
  notify: Restart nginx

- name: FILE | Create SSL directories
  ansible.builtin.file:
    path: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
    state: directory
    owner: root
    group: root
    mode: 0750
  loop: "{{ nginx_ssl_pairs }}"
  when: item.dest_key is not defined or item.dest_cert is not defined
  no_log: "{{ not nginx_debug_role }}"

- name: COPY | Deploy SSL keys
  ansible.builtin.copy:
    content: "{{ item.key }}"
    dest: "{{ item | nginx_key_path(nginx_ssl_dir) }}"
    owner: root
    group: root
    mode: 0640
  loop: "{{ nginx_ssl_pairs }}"
  when: item.key is defined
  notify: Restart nginx
  no_log: "{{ not nginx_debug_role }}"

- name: COPY | Deploy SSL certs
  ansible.builtin.copy:
    content: "{{ item.cert }}"
    dest: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
    owner: root
    group: root
    mode: 0644
  loop: "{{ nginx_ssl_pairs }}"
  when: item.cert is defined
  notify: Restart nginx
  no_log: "{{ not nginx_debug_role }}"

- name: COMMAND | Create self-signed certificates
  ansible.builtin.command: |
    openssl req
      -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509
      -subj '/CN={{ item | nginx_site_name }}'
      -keyout {{ item | nginx_key_path(nginx_ssl_dir) }}
      -out {{ item | nginx_cert_path(nginx_ssl_dir) }}
  args:
    chdir: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
    creates: "{{ '/tmp/dummy' if item.force is defined and item.force else item | nginx_cert_path(nginx_ssl_dir) }}"
  loop: "{{ nginx_ssl_pairs }}"
  when: item.self_signed is defined
  notify: Restart nginx
  no_log: "{{ not nginx_debug_role }}"