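---
# Obtain certificates with certbot (DNS challenge through the Route53 plugin)
# for every entry of the `http` list, then install and start a systemd timer
# named certbot-renew.
#
# Inputs, all expected from vars.yaml (not visible here):
#   http          list of items; each item is read as item.external.domain and
#                 item.external.expose
#   internal_tld  suffix appended to the domain for the internal certificate
#   expose_tld    suffix appended to the domain for the external certificate
#
# NOTE(review): --dns-route53 needs the certbot Route53 plugin and AWS
# credentials on the target host; neither is set up by this play. Presumably
# they are provisioned elsewhere - confirm, and keep those credentials limited
# to the Route53 zones these domains live in.
- name: Update certbot certs
  hosts: colors
  # One host at a time, so a failure stops the rollout before the next host.
  serial: 1
  become: true
  become_user: root
  become_method: sudo
  vars_files:
    - vars.yaml

  tasks:
    # NOTE(review): the task name mentions nginx and nginx-mod-stream, but only
    # certbot is in the package list - confirm which of the two is intended.
    - name: Ensure nginx, certbot, and nginx-mod-stream are installed
      ansible.builtin.dnf:
        name:
          - certbot
        state: present

    # command + argv instead of shell: the templated domain is passed to
    # certbot as a single argument and is never parsed by a shell, so quotes
    # or metacharacters in vars.yaml cannot alter the command line.
    # -n keeps certbot non-interactive; certonly obtains the certificate
    # without configuring a web server.
    # NOTE(review): no changed_when is set, so this task reports "changed" on
    # every run, including runs where certbot keeps the existing certificate.
    - name: Get certs for all internal domains
      ansible.builtin.command:
        argv:
          - /usr/bin/certbot
          - certonly
          - '--dns-route53'
          - '-d'
          - "{{ item.external.domain }}{{ internal_tld }}"
          - '-n'
      # One certbot run per entry of the `http` list.
      loop: "{{ http }}"

    # Same invocation for the externally exposed name; skipped for entries
    # whose external.expose is false.
    - name: Get certs for all external domains
      ansible.builtin.command:
        argv:
          - /usr/bin/certbot
          - certonly
          - '--dns-route53'
          - '-d'
          - "{{ item.external.domain }}{{ expose_tld }}"
          - '-n'
      # One certbot run per entry of the `http` list.
      loop: "{{ http }}"
      when: item.external.expose

    # The unit files are rendered from templates whose content is not visible
    # here. root-owned and mode 0644: readable by everyone, writable by root.
    - name: Create certbot renew service
      ansible.builtin.template:
        src: service/certbot-renew.service
        dest: /etc/systemd/system/certbot-renew.service
        owner: root
        group: root
        mode: '0644'

    - name: Create certbot renew timer
      ansible.builtin.template:
        src: service/certbot-renew.timer
        dest: /etc/systemd/system/certbot-renew.timer
        owner: root
        group: root
        mode: '0644'

    # daemon_reload makes systemd re-read the unit files written above before
    # the timer is enabled and restarted. state: restarted runs on every play
    # run, so this task always reports "changed".
    - name: Reload certbot-renew timer service
      ansible.builtin.systemd_service:
        daemon_reload: true
        enabled: true
        state: restarted
        name: certbot-renew.timer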