---
- name: create service configuration directories
  ansible.builtin.file:
    path: "/home/{{ podman_nginx_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_nginx_podman_rootless_user }}"
    group: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0755"
  become: true
  with_items:
    - .config/systemd/user
    - certbot/conf
    - certbot/www
    - nginx

- name: install podman quadlet for rootless podman user
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0400"
  with_items:
    - certbot-renew.container
    - nginx.container
  notify:
    - "restart {{ item | split('.') | first }}"
  become: true

- name: install certbot renewal timer for rootless podman user
  ansible.builtin.template:
    src: "certbot-renew.timer"
    dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/systemd/user/certbot-renew.timer"
    owner: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0400"
  become: true

- name: verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: podman_nginx_quadlet_result
  ignore_errors: true
  changed_when: false
  become: true
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: check if certificate exists
  stat:
    path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
  register: podman_nginx_cert_stat
  become: yes
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: create temporary nginx configuration (no https)
  ansible.builtin.template:
    src: nginx.conf
    dest: "/home/{{ podman_nginx_podman_rootless_user }}/nginx/nginx.conf"
    owner: "{{ podman_nginx_podman_rootless_user }}"
    group: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0644"
  become: true
  when: podman_nginx_cert_stat.stat.exists == false

- name: start nginx
  ansible.builtin.systemd_service:
    name: nginx
    state: started
    scope: user
    daemon_reload: true
  become: true
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: run certbot container to create certificate
  ansible.builtin.command:
    cmd: >
      podman run --name certbot-generate
      --rm
      --volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/www:/var/www/certbot:rw
      --volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/conf:/etc/letsencrypt:rw
      docker.io/certbot/certbot:latest
      certonly
      --register-unsafely-without-email
      --agree-tos
      --webroot
      --webroot-path /var/www/certbot/
      -d "{{ podman_nginx_primary_hostname }}"
      {% for hostname in podman_nginx_additional_hostnames %} -d "{{ hostname }}"{% endfor %}
      {% if podman_nginx_certbot_testing %} --test-cert{% endif %}
  when: podman_nginx_cert_stat.stat.exists == false
  become: yes
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: check if certificate exists
  stat:
    path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
  register: podman_nginx_cert_stat
  become: yes
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: ensure certificate exists now
  ansible.builtin.assert:
    that:
      - podman_nginx_cert_stat.stat.exists
    fail_msg: "Failed to get a Lets Encrypt certificate."

- name: start certbot renewal timer
  ansible.builtin.systemd_service:
    name: "certbot-renew.timer"
    state: started
    scope: user
  become: true
  become_user: "{{ podman_nginx_podman_rootless_user }}"