---
- name: Install certbot packages
  ansible.builtin.apt:
    name: "{{ certbot_packages }}"
    state: present
    update_cache: true

- name: Ensure ACME webroot exists
  ansible.builtin.file:
    path: /var/www/letsencrypt
    state: directory
    owner: www-data
    group: www-data
    mode: "0755"

- name: Enable certbot timer
  ansible.builtin.service:
    name: certbot.timer
    enabled: true
    state: started

- name: Request managed certificates
  ansible.builtin.command:
    cmd: >-
      certbot certonly --non-interactive --agree-tos
      --email {{ certbot_email }}
      --webroot -w /var/www/letsencrypt
      --cert-name {{ item.name }}
      {% for domain in item.domains %}-d {{ domain }} {% endfor %}
  args:
    creates: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
  when: certbot_manage_certificates | bool
  loop: "{{ certbot_certificates }}"
  loop_control:
    label: "{{ item.name }}"