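---
# Obtain or renew a Let's Encrypt certificate for tunuifranken.info.
# The validation method is picked at run time: http-01 when this host's own
# public IP matches the address tunuifranken.info resolves to, dns-01 via
# Gandi LiveDNS otherwise.

- name: Get public IP
  ansible.builtin.uri:
    url: https://ipinfo.io/ip
    return_content: true
  register: local_public_ip

- name: Get tunuifranken.info public IP
  ansible.builtin.set_fact:
    target_public_ip: "{{ lookup('community.general.dig', 'tunuifranken.info', '@1.1.1.1') }}"

- name: Create needed directories
  become: true
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    owner: root
    group: root
    mode: "{{ item.mode }}"
  with_items:
    - path: /etc/letsencrypt/live
      mode: "0700"
    - path: /etc/letsencrypt/live/tunuifranken.info
      mode: "0755"

# No `content` is passed in, so the account key is presumably generated afresh
# on every run and only lives in the registered result. That result contains
# private key material, hence no_log.
- name: Create private key for account
  become: true
  community.crypto.openssl_privatekey_pipe:
  register: account_privkey
  no_log: true

# Explicit mode so the expected permissions on the key file are visible here.
- name: Create private key for challenge
  become: true
  community.crypto.openssl_privatekey:
    path: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
    mode: "0600"
  register: challenge_privkey

# The CSR is piped, not written; its change status follows the key so that a
# regenerated key is reported as a change and a stable one is not.
- name: Create csr for letsencrypt
  become: true
  community.crypto.openssl_csr_pipe:
    privatekey_path: /etc/letsencrypt/live/tunuifranken.info/privkey.pem
    common_name: tunuifranken.info
  register: csr
  changed_when: challenge_privkey is changed

# http-01 only works when the ACME server reaches this host when it connects
# to tunuifranken.info, i.e. when both public IPs match. `trim` guards against
# a trailing newline in the fetched body.
- name: Do http-01 challenge
  become: true
  when: local_public_ip.content | trim == target_public_ip
  block:
    - name: Create acme challenge
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        account_key_content: "{{ account_privkey.privatekey }}"
        terms_agreed: true
        csr_content: "{{ csr.csr }}"
        challenge: http-01
        fullchain_dest: /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
      register: letsencrypt_challenge

    # challenge_data carries an entry for the domain only when a validation is
    # pending; every task that indexes into it is guarded by the same condition.
    - name: Copy http-01 resource
      ansible.builtin.copy:
        dest: "/var/www/acme/{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource'] }}"
        content: "{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource_value'] }}"
        mode: "0644"
      when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data

    - name: Validate the challenge and get the cert
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        account_key_content: "{{ account_privkey.privatekey }}"
        csr_content: "{{ csr.csr }}"
        challenge: http-01
        fullchain_dest: /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
        data: "{{ letsencrypt_challenge }}"
      when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data

    - name: Remove the http-01 resource
      ansible.builtin.file:
        path: "/var/www/acme/{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource'] }}"
        state: absent
      when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data

# dns-01 is used when the domain points elsewhere (e.g. a different host or
# a proxy), so the proof is published as a TXT record at Gandi instead.
- name: Do dns-01 challenge
  become: true
  when: local_public_ip.content | trim != target_public_ip
  block:
    - name: Create acme challenge
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        account_key_content: "{{ account_privkey.privatekey }}"
        terms_agreed: true
        csr_content: "{{ csr.csr }}"
        challenge: dns-01
        fullchain_dest: /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
      register: letsencrypt_challenge

    - name: Create dns-01 record
      community.general.gandi_livedns:
        api_key: "{{ gandi_livedns_api_key }}"
        domain: tunuifranken.info
        record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource }}"
        values:
          - "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource_value }}"
        type: TXT
        state: present
        ttl: 300
      when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data

    # Only wait when a record was actually published; otherwise the run would
    # stall for five minutes on every no-op renewal check.
    - name: Wait for DNS to propagate
      ansible.builtin.pause:
        seconds: 300
      when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data

    - name: Validate the challenge and get the cert
      community.crypto.acme_certificate:
        acme_version: 2
        acme_directory: https://acme-v02.api.letsencrypt.org/directory
        account_key_content: "{{ account_privkey.privatekey }}"
        csr_content: "{{ csr.csr }}"
        challenge: dns-01
        fullchain_dest: /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
        data: "{{ letsencrypt_challenge }}"
      when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data

    - name: Remove dns-01 record
      community.general.gandi_livedns:
        api_key: "{{ gandi_livedns_api_key }}"
        domain: tunuifranken.info
        record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource }}"
        type: TXT
        state: absent
      when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data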