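---
# Enable HTTPS on the Pi-hole web interface (lighttpd) using a Let's Encrypt
# certificate obtained with certbot's webroot plugin. Procedure follows:
# https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771
- hosts: attitude-adjuster
  vars_files:
    # Presumably defines `fqdn`, which every certificate path below uses.
    - vars.yml.private

  tasks:
    - name: install certbot
      package:
        name: certbot
        state: present
      become: true

    # NOTE(review): no `version` is set, so the clone follows whatever the
    # default branch points at when the play runs. Pin a tag or commit if the
    # checkout is ever executed or needs to be reproducible.
    - name: clone the pi-hole repo
      git:
        repo: https://github.com/pi-hole/pi-hole.git
        dest: ~/src/pi-hole
        depth: 1

    # `creates` makes this a one-shot: once the live directory exists the task
    # is skipped, so renewal is not handled by this playbook.
    - name: obtain ssl certificates
      command: >-
        certbot certonly
        --webroot
        --webroot-path /var/www/html
        -d {{ fqdn }}
        -m alpha+lets.encrypt@kejadlen.dev
        --agree-tos
        --non-interactive
      args:
        creates: "/etc/letsencrypt/live/{{ fqdn }}"
      become: true

    # combined.pem contains the private key. `umask 077` makes the redirect
    # create it as 0600 instead of inheriting the default umask, which would
    # normally leave the file world-readable.
    # NOTE(review): because of `creates`, combined.pem is never rebuilt after a
    # renewal, so lighttpd would keep serving the old certificate until it
    # expires. Regenerating it from a certbot deploy hook would close that gap.
    - name: create combined pemfile
      shell: >-
        umask 077 &&
        cat
        /etc/letsencrypt/live/{{ fqdn }}/privkey.pem
        /etc/letsencrypt/live/{{ fqdn }}/cert.pem
        > /etc/letsencrypt/live/{{ fqdn }}/combined.pem
      args:
        creates: "/etc/letsencrypt/live/{{ fqdn }}/combined.pem"
      become: true

    # Hands the whole live directory for this name to the web server account.
    # Anything running as www-data can then read the private key material
    # reachable through it.
    - name: let lighttpd read the pemfile
      file:
        path: "/etc/letsencrypt/live/{{ fqdn }}"
        state: directory
        recurse: true
        owner: www-data
      become: true

    # Enforces owner-only access on hosts where combined.pem already exists
    # from an earlier run and the shell task above is skipped.
    - name: restrict the combined pemfile to its owner
      file:
        path: "/etc/letsencrypt/live/{{ fqdn }}/combined.pem"
        state: file
        owner: www-data
        mode: "0600"
      become: true

    - name: update lighttpd configuration
      template:
        src: external.conf
        dest: /etc/lighttpd/external.conf
      become: true
      notify: restart lighttpd

  handlers:
    # Runs only when the template task reports a change.
    - name: restart lighttpd
      service:
        name: lighttpd
        state: restarted
      become: true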