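# vim: set ft=yaml.jinja :
---
# Ansible tasks: provision the `lego` ACME client so it can obtain a server
# certificate via the HTTP-01 challenge and reload nginx afterwards.
#
# Variables consumed (expected from role defaults / inventory):
#   lego_acme_server  - optional ACME directory URL; omitted from the command
#                       when empty/false (must still be *defined*, see below)
#   lego_domains      - list of hostnames to put on the certificate; the first
#                       entry names the certificate files lego writes
#   lego_acme_email   - contact e-mail registered with the ACME account
#
# All three are interpolated into a shell script, so they are passed through
# the `quote` filter (shlex.quote) to keep a stray space, quote or metacharacter
# in inventory data from being interpreted by /bin/sh.

- name: ensure lego webroot exists
  file:
    # Directory nginx serves /.well-known/acme-challenge/ from; lego writes the
    # challenge tokens here, so it must be owned by the lego user.
    path: /var/www/lego
    owner: lego
    group: lego
    mode: "u=rwx,go=rx"
    # SELinux label so nginx is allowed to read the challenge files.
    setype: httpd_sys_content_t
    state: directory
  tags:
    - webroot

- name: ensure lego is allowed to reload nginx
  lineinfile:
    path: /etc/doas.conf
    # Least privilege: the rule is pinned to exactly `nginx -s reload`; doas
    # rejects any other argument vector for this user/command pair.
    line: "permit nopass lego cmd /usr/sbin/nginx args -s reload"
    # Replace an older rule for the same command instead of appending a second
    # one, so a later change to this line does not leave a stale grant behind.
    regexp: '^permit\s.*\blego\s+cmd\s+/usr/sbin/nginx\b'
    # Parse-check the candidate file before it is moved into place: a syntax
    # error in doas.conf would otherwise break every doas invocation on the host.
    validate: "doas -C %s"
  tags:
    - doas

- name: ensure lego renew script exists
  copy:
    # Folded scalar: the command is rendered as one line.  `lego_acme_server`
    # is referenced directly, so Ansible fails fast if it is undefined rather
    # than silently issuing against the default CA.
    content: >
      lego
      --path /var/lib/lego
      --accept-tos
      {% if lego_acme_server %}
      --server {{ lego_acme_server | quote }}
      {% endif %}
      --http
      --http.webroot /var/www/lego
      {% for domain in lego_domains %}
      --domains {{ domain | quote }}
      {% endfor %}
      --email {{ lego_acme_email | quote }}
      run
      --run-hook 'doas /usr/sbin/nginx -s reload'
    dest: /var/lib/lego/renew.sh
    owner: lego
    group: lego
    # World-readable is acceptable: the script carries no account secrets
    # (lego keeps the ACME key under /var/lib/lego, not in this file).
    mode: "u=rwx,go=rx"
  tags:
    - lego-renew

- name: ensure server certificate exists
  # Run as the unprivileged lego user; the nginx reload goes through the doas
  # rule above rather than through become.
  become: true
  become_user: lego
  command: /bin/sh /var/lib/lego/renew.sh
  args:
    # Only the initial issuance is driven here: once lego has written the
    # first domain's certificate metadata the task is skipped.  Note the
    # script invokes `lego run` (issue), not `lego renew`; how periodic
    # renewal is scheduled is outside this task file.
    creates: "/var/lib/lego/certificates/{{ lego_domains[0] }}.json"
  tags:
    - cert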