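---
# Tasks for a Quassel core host: install quassel-core and certbot, obtain or
# renew a Let's Encrypt certificate for quasselcore_cert_domain, assemble the
# chain and private key into the PEM file under /var/lib/quassel, and make
# sure the service is enabled and running.
#
# Required variables:
#   quasselcore_cert_email   contact address passed to certbot --email
#   quasselcore_cert_domain  domain name passed to certbot -d
#
# NOTE(review): most tasks carry only the tag `all`, while the renew task
# carries only `renew`. A run limited to `--tags renew` appears to skip the
# stat task, leaving letsencrypt_cert unregistered for the renew task's
# `when` -- confirm the intended tag layout.

# default('') makes an undefined variable hit the explicit message below
# instead of an "undefined variable" templating error.
- name: Require quasselcore_cert_email
  fail:
    msg: Missing quasselcore_cert_email
  when: not (quasselcore_cert_email | default(''))
  tags: all

- name: Require quasselcore_cert_domain
  fail:
    msg: Missing quasselcore_cert_domain
  when: not (quasselcore_cert_domain | default(''))
  tags: all

- name: Ensure quassel-core is present
  tags: all
  apt:
    name:
      - quassel-core
      - certbot
    state: present

- name: Check if certificate already exists.
  tags: all
  stat:
    path: "/etc/letsencrypt/live/{{ quasselcore_cert_domain }}/cert.pem"
  register: letsencrypt_cert

# argv passes each templated value as exactly one argument, so whitespace in
# the email or domain variable cannot split into extra certbot arguments.
# Standalone mode has certbot answer the ACME challenge itself, so the
# challenge port must be free and reachable on this host.
- name: Create the certificates
  tags: all
  command:
    argv:
      - certbot
      - certonly
      - '--standalone'
      - '--noninteractive'
      - '--agree-tos'
      - '--email'
      - "{{ quasselcore_cert_email }}"
      - '-d'
      - "{{ quasselcore_cert_domain }}"
  when: not letsencrypt_cert.stat.exists

# The command module reports "changed" on every execution unless
# changed_when is set, so renewed.changed is true whenever this task ran,
# whether or not certbot actually replaced a certificate.
- name: Renew certificates
  tags: renew
  command:
    argv:
      - certbot
      - renew
  when: letsencrypt_cert.stat.exists
  register: renewed

# The assembled file contains the private key. Owner, group and mode limit
# read access to the quasselcore user and the quassel group.
- name: Compose the certs
  tags: all
  block:
    - name: Remove the old cert
      file:
        path: /var/lib/quassel/quasselCert.pem
        state: absent

    - name: Assemble the files
      assemble:
        src: "/etc/letsencrypt/live/{{ quasselcore_cert_domain }}/"
        dest: /var/lib/quassel/quasselCert.pem
        # Single quotes keep the backslash literal; the escaped dot matches
        # only fullchain.pem and privkey.pem.
        regexp: '^(fullchain|privkey)\.pem$'
        owner: quasselcore
        group: quassel
        # Quoted so the mode is read as an octal string, not as a number.
        mode: '0640'
        remote_src: true
  # Parentheses spell out the existing precedence ("and" binds before "or").
  when: (not letsencrypt_cert.stat.exists) or (renewed is defined and renewed.changed)

# NOTE(review): `state: started` leaves an already running core untouched.
# Nothing here restarts or reloads it after the PEM file is rebuilt --
# confirm how the core is expected to pick up a renewed certificate.
- name: Ensure the service is enabled and started
  tags: all
  systemd:
    name: quasselcore.service
    state: started
    enabled: true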