---
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Install certbot from distro package
  package:
    name: "{{ haproxy_distro_certbot_packages }}"
    state: present

- name: Create first time ssl cert with certbot
  throttle: 1
  shell: >
    {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
    timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
    python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
    --bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true &&
    {% endif %}
    {{ haproxy_ssl_letsencrypt_certbot_binary }} certonly
    --agree-tos
    --non-interactive
    --text
    --rsa-key-size 4096
    --email {{ haproxy_ssl_letsencrypt_email }}
    --domains {{ haproxy_ssl_letsencrypt_domains | join(',') }}
    {% if haproxy_ssl_letsencrypt_certbot_server is defined %}
    --server {{ haproxy_ssl_letsencrypt_certbot_server }}
    {% endif %}
    {% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
    --standalone
    --http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
    --http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
    {% endif %}
    {{ haproxy_ssl_letsencrypt_setup_extra_params }}
  args:
    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem"

# Certbot automatically installs its systemd timer responsible for renewals
- name: Create certbot pre hook
  template:
    src: letsencrypt_pre_hook_certbot_distro.j2
    dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
    mode: "0755"
  when:
    - haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'

- name: Create certbot post renewal hook
  template:
    src: letsencrypt_renew_certbot_distro.j2
    dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
    mode: "0755"

- name: Create new pem file for haproxy
  assemble:
    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
    dest: >-
      {{
        haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (item.get('interface')) | ternary(
          item.get('address') ~ '-' ~ item['interface'], item['address'])  ~ '.pem'
      }}
    regexp: '(privkey|fullchain).pem$'
    owner: haproxy
    group: haproxy
    mode: "0640"
  with_items:
    - "{{ haproxy_vip_binds | selectattr('type', 'defined') |  selectattr('type', 'eq', 'external') }}"
  notify:
    - Reload haproxy