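---
# Nginx tasks for the Pleroma role: install Nginx, render its site
# configuration, prepare the web root and provision the TLS material.
# A self-signed certificate is always generated; a Let's Encrypt
# certificate is obtained via the http-01 challenge when
# pleroma.ssl.letsEncrypt.enable is set. Every key, CSR, certificate and
# config file is written with an explicit owner, group and (quoted,
# octal) mode so the YAML parser never reinterprets the value.

- name: Nginx | Ensuring Nginx dependencies are installed.
  apk:
    name: "{{ pleroma_deps_nginx }}"
    state: present

# Rendered on every run; the lineinfile tasks further down then patch
# the ssl_certificate directive into the rendered file.
- name: Nginx | Ensuring the Nginx configuration is present.
  template:
    src: etc_ngnix_confd_pleroma.conf.j2
    dest: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'

# NOTE(review): recurse applies mode 0700 to everything below the root
# directory, including keybase.txt, which the next task sets back to
# 0644 — both tasks may therefore report "changed" on every run.
- name: Nginx | Ensuring that the server root directory is present.
  file:
    name: "{{ pleroma_nginx_root_dir }}"
    recurse: true
    state: directory
    mode: '0700'
    owner: nginx
    group: nginx

- name: Nginx | Ensuring the Keybase text file is present.
  copy:
    src: "{{ pleroma.keybase.proof.filepath }}"
    dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
    mode: '0644'
    owner: nginx
    group: nginx
  when: pleroma.keybase.enable

- name: Nginx | Ensuring that the SSL folder exists
  file:
    name: "{{ pleroma_ssl_folder }}"
    state: directory
    mode: '0700'
    owner: root
    group: root

# Private key is root-only (0400); it is never handed to the nginx user.
- name: Nginx | Ensuring that the ssl private key is generated.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateKeyPath }}"
    size: 4096
    state: present
    type: RSA

# The same CSR is reused for the self-signed certificate and for the
# ACME order, so the subject fields come from pleroma.ssl.csr.* once.
- name: Nginx | Ensuring that the certificate signing request is generated.
  openssl_csr:
    common_name: "{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"

# Generated unconditionally: it is the served certificate when Let's
# Encrypt is disabled, and the placeholder that lets Nginx start for the
# http-01 challenge before the first Let's Encrypt certificate exists.
- name: Nginx | Ensuring the self-signed certificate is generated.
  openssl_certificate:
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    mode: '0400'
    group: root
    owner: root
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    provider: selfsigned

- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: not pleroma.ssl.letsEncrypt.enable

# --- Let's Encrypt (everything below is skipped unless enabled) ---

- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
  file:
    name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    state: directory
    mode: '0700'
    owner: nginx
    group: nginx
    recurse: true
  when: pleroma.ssl.letsEncrypt.enable

# ACME account key is separate from the server key and also root-only.
- name: Nginx | Ensuring that the private ACME account key is present.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    size: 4096
    state: present
    type: RSA
  when: pleroma.ssl.letsEncrypt.enable

# certificate_file is only registered when Let's Encrypt is enabled; the
# two conditions below rely on `and` short-circuiting so .stat is never
# read from a skipped result.
- name: Nginx | Checking if the full chain certificate exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  register: certificate_file
  when: pleroma.ssl.letsEncrypt.enable

# First run only: Nginx needs some certificate to start and answer the
# http-01 challenge, so point it at the self-signed one for now.
- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists

- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists

- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
  service:
    name: nginx
    state: started
  when: pleroma.ssl.letsEncrypt.enable

# Part 1 creates the order and returns the challenge data; no
# certificate is written until part 2 validates it.
# validate_certs should only be disabled for a staging/test ACME
# directory, otherwise the ACME API connection is unauthenticated.
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
  register: acme_challenge
  when: pleroma.ssl.letsEncrypt.enable

# Only written when part 1 actually produced a challenge (is changed);
# when the certificate is still valid there is no challenge_data.
- name: Nginx | Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed

# Part 2 feeds the part-1 result back via `data`, which triggers the
# validation and writes fullchain_dest.
- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    data: "{{ acme_challenge }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
  register: acme_challenge
  when: pleroma.ssl.letsEncrypt.enable

# Mode is quoted like every other mode in this file; an unquoted 0400 is
# parsed as an octal integer by the YAML 1.1 loader and would silently
# change meaning without the leading zero.
- name: Nginx | Updating file permissions of the SSL certificate.
  file:
    path: "{{ pleroma_ssl_fullChainCert }}"
    owner: root
    group: root
    mode: '0400'
    state: file
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable

# NOTE(review): restarted unconditionally on every run; a handler
# notified by the config/certificate tasks would avoid needless restarts.
- name: Nginx | Ensuring that Nginx is enabled and restarted.
  service:
    name: nginx
    enabled: true
    state: restarted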