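---
# Issues a Let's Encrypt certificate for every host in debian_servers using the
# Cloudflare DNS-01 challenge, with renewal handled by geerlingguy.certbot.
#
# Secrets: CF_API_TOKEN comes from ../homelab-vault/secrets.yml (presumably
# ansible-vault encrypted -- confirm) and ends up in
# /etc/letsencrypt/dnscloudflare.ini as root:root 0600. Scope that token to
# Zone:DNS:Edit on the needed zone(s) only; a wider token lets a compromised
# host rewrite any DNS record the account controls.
- name: Public Key Infrastructure
  hosts: debian_servers
  remote_user: bhays
  become: true
  become_user: root  # already the become default; kept explicit
  vars_files:
    - ../homelab-vault/secrets.yml
  vars:
    certbot_auto_renew: true
    certbot_auto_renew_user: root
    certbot_email: "ben@benhays.org"
    certbot_cloudflare_api_token: "{{ CF_API_TOKEN }}"
  roles:
    - geerlingguy.certbot

  pre_tasks:
    - name: Update apt cache if needed.
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

  tasks:
    # NOTE(review): state=latest upgrades the plugin on every run -- good for
    # patching, but runs are not reproducible; pin a version if that matters.
    # NOTE(review): this apt plugin only loads into an apt-installed certbot;
    # confirm the role's install method matches (not snap).
    - name: Update/install Certbot
      ansible.builtin.apt:
        name:
          - python3-certbot-dns-cloudflare
        state: latest

    - name: Create Certbot folder - /etc/letsencrypt
      ansible.builtin.file:
        path: /etc/letsencrypt
        state: directory
        owner: root
        group: root
        mode: "0700"

    # The rendered file contains the Cloudflare API token. no_log keeps the
    # rendered content out of --diff / -vvv output and callback logs; the
    # trade-off is a terse error message if this task fails.
    - name: Certbot Template
      ansible.builtin.template:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true
      with_items:
        - src: '../templates/dnscloudflare.ini.j2'
          dest: '/etc/letsencrypt/dnscloudflare.ini'

    # argv form: each argument is passed verbatim, so templated values are
    # never re-split on whitespace. ansible.builtin.command does not invoke a
    # shell. The creates: guard makes the task idempotent; renewals are left
    # to the role's scheduled job.
    - name: Generate Certificate
      ansible.builtin.command:
        argv:
          - certbot
          - certonly
          - "--non-interactive"
          - "--agree-tos"
          - "--dns-cloudflare"
          - "--dns-cloudflare-credentials"
          - /etc/letsencrypt/dnscloudflare.ini
          - "--dns-cloudflare-propagation-seconds"
          - "60"
          - "-m"
          - "{{ certbot_email }}"
          - "-d"
          # assumes ansible_host is the FQDN to certify, not an IP -- confirm
          - "{{ ansible_host }}"
        creates: "/etc/letsencrypt/renewal/{{ ansible_host }}.conf"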