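---
# Tasks that prepare an Apache host for ACME (certbot) certificate issuance:
# install certbot, create the HTTP-01 challenge webroot, enable the Apache
# modules and conf snippets, and drop nftables input rules for HTTP/HTTPS.
#
# File modes are written as quoted strings so they can never be re-read as
# decimal integers by a YAML parser or by a later edit that drops the leading
# zero. `loop` replaces `with_items`; every list here is flat, so the result
# is the same.
#
# NOTE(review): none of the file/copy tasks set owner or group, so ownership
# falls to the become user (presumably root) - confirm that is intended,
# especially for the firewall rule files.

- name: Install certbot
  become: true
  ansible.builtin.apt:
    name: certbot
    state: present
    update_cache: true

# Webroot for the ACME challenge files. 0755 leaves the tree world-readable
# and writable by the owner only.
- name: Create acme directories
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
  loop:
    - /var/www/acme
    - /var/www/acme/.well-known
    - /var/www/acme/.well-known/acme-challenge

- name: Enable modules
  become: true
  community.general.apache2_module:
    name: "{{ item }}"
    state: present
  loop:
    - rewrite
    - ssl
  notify: Reload apache2 service

# The contents of acme.conf and ssl-options.conf are not part of this file.
# NOTE(review): ssl-options.conf presumably carries the TLS protocol/cipher
# policy - review it alongside this task.
- name: Copy apache confs
  become: true
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  loop:
    - src: 'acme.conf'
      dest: '/etc/apache2/conf-available/acme.conf'
    - src: 'ssl-options.conf'
      dest: '/etc/apache2/conf-available/ssl-options.conf'

# a2enconf is run on every play; the task reports "changed" only when its
# stdout lacks 'already enabled', so the handler fires on a real change only.
- name: Enable apache confs
  become: true
  ansible.builtin.command: a2enconf {{ item }}
  loop:
    - acme
    - ssl-options
  register: result
  changed_when: "'already enabled' not in result.stdout"
  notify: Reload apache2 service

# Firewall rule fragments are installed 0640 (no access for "other").
# NOTE(review): the rule text lives in files/http-certbot.conf and
# files/https.conf, not here - confirm they open only the intended ports.
- name: Allow certbot renewal
  become: true
  ansible.builtin.copy:
    src: http-certbot.conf
    dest: /etc/nftables/input.d/http-certbot.conf
    mode: "0640"
  notify: Reload nftables service

- name: Allow incoming HTTPS
  become: true
  ansible.builtin.copy:
    src: https.conf
    dest: /etc/nftables/input.d/https.conf
    mode: "0640"
  notify: Reload nftables service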