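---
# Provision a TLS-terminating nginx reverse proxy on the "attitude-adjuster"
# host: install nginx + certbot, obtain Let's Encrypt certificates for each
# service FQDN, and drop one nginx server block per service.
#
# Fixes relative to the previous version:
#   - YAML 1.1 `yes` booleans replaced with canonical `true`.
#   - X-Forwarded-For carried the literal string "nginx" instead of the client
#     address; it now uses nginx's $proxy_add_x_forwarded_for and the scheme
#     is forwarded in X-Forwarded-Proto.
#   - nginx was never reloaded after its configuration changed; the
#     lineinfile and copy tasks now notify a "reload nginx" handler.
- hosts: attitude-adjuster
  # vars.yml.private is expected to define `home`, `home_assistant` and
  # `pihole`, each with `.fqdn` and `.nginx.proxy` (see the loops below).
  vars_files:
    - vars.yml.private
  become: true

  tasks:
    - name: install dependencies
      # The package module accepts a list directly; no loop needed.
      package:
        name:
          - certbot
          - nginx
          - python3-certbot-nginx
        state: present

    - name: allow for long domain names
      # Uncomment the stock, commented-out directive in nginx.conf so that
      # long server_name values fit in the hash bucket. `backrefs: true`
      # keeps the original leading whitespace via \1 and makes the task a
      # no-op once the line is already uncommented.
      lineinfile:
        path: /etc/nginx/nginx.conf
        regexp: '^(\s*)# server_names_hash_bucket_size 64;$'
        line: '\1server_names_hash_bucket_size 64;'
        backrefs: true
      notify: reload nginx

    - name: obtain ssl certs
      # `creates` makes this idempotent: certbot is skipped once the live
      # directory for the domain exists.
      command: >-
        certbot certonly --nginx -d {{ item }}
        -m alpha+lets.encrypt@kejadlen.dev
        --agree-tos --non-interactive
      args:
        creates: /etc/letsencrypt/live/{{ item }}
      with_items:
        - "{{ home.fqdn }}"
        - "{{ home_assistant.fqdn }}"
        - "{{ pihole.fqdn }}"

    - name: configure nginx
      # One server block per service. Plain HTTP is only accepted in order to
      # redirect to HTTPS; the upstream is reached over plain HTTP on the
      # address given by `<service>.nginx.proxy`.
      copy:
        content: |
          server {
            server_name {{ fqdn }};

            # Redirect non-https traffic to https
            if ($scheme != "https") {
              return 301 https://$host$request_uri;
            }

            location / {
              proxy_pass http://{{ proxy }}/;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              # Append the client address to any existing chain rather than
              # sending a fixed literal.
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            }

            listen 80;
            listen 443 ssl;
            ssl_certificate /etc/letsencrypt/live/{{ fqdn }}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/{{ fqdn }}/privkey.pem;
            include /etc/letsencrypt/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
          }
        dest: /etc/nginx/conf.d/{{ fqdn }}.conf
      # Task-level vars are evaluated lazily per loop iteration, so they may
      # reference `item`.
      vars:
        fqdn: "{{ item.fqdn }}"
        proxy: "{{ item.nginx.proxy }}"
      with_items:
        - "{{ home }}"
        - "{{ home_assistant }}"
        - "{{ pihole }}"
      notify: reload nginx

  handlers:
    # Runs once at the end of the play if any notifying task changed
    # something, so new server blocks and the nginx.conf edit take effect.
    - name: reload nginx
      service:
        name: nginx
        state: reloaded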