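# https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771
#
# Sets up HTTPS for lighttpd on the attitude-adjuster host:
#   1. install certbot and obtain one Let's Encrypt certificate per service
#      FQDN using the webroot challenge under /var/www/html,
#   2. concatenate private key and certificate into combined.pem,
#   3. hand the per-FQDN live directory to www-data,
#   4. enable the lighttpd proxy module and install external.conf.
#
# home, home_assistant, homebridge and pihole are expected to come from
# vars.yml.private; each must provide an `fqdn` attribute.
---
- hosts: attitude-adjuster
  vars_files:
    - vars.yml.private
  become: true

  tasks:
    - name: install certbot
      package:
        name: certbot
        state: present

    # `creates` makes this a one-time issuance per FQDN: once the live
    # directory exists the task is skipped, so renewal is not handled here.
    - name: obtain ssl certificates
      command: >-
        certbot certonly
        --webroot --webroot-path /var/www/html
        -d {{ item.fqdn }}
        -m alpha+lets.encrypt@kejadlen.dev
        --agree-tos --non-interactive
      args:
        creates: "/etc/letsencrypt/live/{{ item.fqdn }}"
      with_items:
        - "{{ home }}"
        - "{{ home_assistant }}"
        - "{{ homebridge }}"
        - "{{ pihole }}"

    # combined.pem contains the private key. `umask 077` makes the shell
    # redirect create it readable by its owner only; without it the file is
    # created with the default umask (commonly world-readable), leaving the
    # key protected only by the permissions of its parent directories.
    # The chown task below still gives www-data access as the owner.
    # Because of `creates`, a combined.pem that already exists keeps whatever
    # mode it was created with - check it on hosts provisioned earlier.
    #
    # NOTE(review): `creates` also means combined.pem is never rebuilt after
    # a renewal, so lighttpd would keep serving the old certificate until it
    # expires. Rebuilding the file from a certbot --deploy-hook (and
    # restarting lighttpd there) would close that gap.
    - name: create combined pemfile
      shell: >-
        umask 077 &&
        cat
        /etc/letsencrypt/live/{{ item.fqdn }}/privkey.pem
        /etc/letsencrypt/live/{{ item.fqdn }}/cert.pem
        > /etc/letsencrypt/live/{{ item.fqdn }}/combined.pem
      args:
        creates: "/etc/letsencrypt/live/{{ item.fqdn }}/combined.pem"
      with_items:
        - "{{ home }}"
        - "{{ home_assistant }}"
        - "{{ homebridge }}"
        - "{{ pihole }}"

    # Recursively changes ownership of the per-FQDN live directory to
    # www-data. Only the owner is set; no mode is enforced.
    # NOTE(review): this makes the web server account the owner of the key
    # material in this directory, so a compromise of that account exposes the
    # private key. If lighttpd reads the pemfile before dropping privileges,
    # root-only ownership may be sufficient - confirm before tightening.
    - name: let lighttpd read the pemfile
      file:
        path: "/etc/letsencrypt/live/{{ item.fqdn }}"
        state: directory
        recurse: true
        owner: www-data
      with_items:
        - "{{ home }}"
        - "{{ home_assistant }}"
        - "{{ homebridge }}"
        - "{{ pihole }}"

    # Best effort, kept as in the original: any non-zero exit is ignored.
    # NOTE(review): presumably this is here because the command fails when
    # the module is already enabled, but it also hides genuine failures, in
    # which case the proxy rules in external.conf would be installed without
    # the module. Narrow it to the "already enabled" case once the exit
    # status is confirmed.
    - name: enable mod_proxy
      command: lighttpd-enable-mod proxy
      ignore_errors: true

    # external.conf.private is not part of this file; the TLS and proxy
    # settings live there.
    - name: update lighttpd configuration
      template:
        src: external.conf.private
        dest: /etc/lighttpd/external.conf
      notify: restart lighttpd

  handlers:
    - name: restart lighttpd
      service:
        name: lighttpd
        state: restarted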