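# Install certbot with a DNS-01 plugin, render its configuration, request one
# certificate per entry in certbot_domains, and enable the renewal timer.

# NOTE(review): update_cache without a full upgrade refreshes the sync database
# before installing, which Arch treats as a partial upgrade - confirm intended.
- name: Install certbot package (Archlinux)
  when: ansible_facts['os_family'] == "Archlinux"
  community.general.pacman:
    name:
      - certbot
      - "certbot-dns-{{ certbot_dns_plugin }}"
    state: present
    update_cache: true

# Both conditions must hold: Arch host and nginx selected as the webserver.
- name: Install certbot webserver plugin (Archlinux)
  when:
    - ansible_facts['os_family'] == "Archlinux"
    - certbot_webserver_type == 'nginx'
  community.general.pacman:
    name:
      - certbot-nginx
    state: present
    update_cache: true

# This file is what certbot receives via --dns-<plugin>-credentials below, so
# it is written root-only (0600). It is rendered for rfc2136 only.
- name: Template out the rfc2136 credentials file
  when: certbot_dns_plugin == 'rfc2136'
  ansible.builtin.template:
    src: "{{ certbot_dns_plugin }}.conf.j2"
    dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
    owner: root
    group: root
    mode: '0600'
  # Keep the rendered credential out of --diff output and whatever logs it.
  diff: false

# cli.ini is world-readable (0644); presumably it carries no secrets - verify
# against cli.ini.j2 before adding anything sensitive to that template.
- name: Template out the certbot default config
  ansible.builtin.template:
    src: cli.ini.j2
    dest: /etc/letsencrypt/cli.ini
    owner: root
    group: root
    mode: '0644'

# argv passes every value as its own argument, so no shell parses the plugin
# name or the domain. 'creates' skips domains whose fullchain.pem exists.
# The propagation flag follows the selected plugin instead of being pinned to
# rfc2136, matching the other --dns-<plugin> arguments; the variable name
# certbot_rfc2136_propagation_seconds is kept for existing callers.
# NOTE(review): the credentials path is passed for every plugin but is only
# templated above for rfc2136; other plugins need that file provided elsewhere.
- name: Request and install certificates
  ansible.builtin.command:
    argv:
      - certbot
      - certonly
      - '-n'
      - "--dns-{{ certbot_dns_plugin }}"
      - "--dns-{{ certbot_dns_plugin }}-credentials"
      - "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
      - "--dns-{{ certbot_dns_plugin }}-propagation-seconds"
      - "{{ certbot_rfc2136_propagation_seconds | default(5) }}"
      - '-d'
      - "{{ item }}"
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ certbot_domains }}"
  # default(omit) drops the notify keyword when no handler name is configured.
  notify: "{{ certbot_notify | default(omit) }}"

# Start the timer now and enable it so it is also started at boot.
- name: Enable certbot renewal
  ansible.builtin.service:
    name: certbot-renew.timer
    state: started
    enabled: true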