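---
# Prepares a host for ACME certificate issuance with uacme: nginx snippet for
# the HTTP-01 challenge path, ACME account key, webroot directory, host list
# file, nightly cron job, and the SELinux label nginx needs to serve tokens.
#
# NOTE(review): despite the play name, no task here installs the uacme
# package; presumably that happens elsewhere. Confirm before relying on it.
- name: Install uacme rpm package
  hosts: all
  tasks:
    - name: ping host
      ansible.builtin.ping:

    # Explicit mode: without it a newly created file takes its permissions
    # from the remote umask, so the result would differ between hosts.
    - name: Install nginx uacme config
      ansible.builtin.copy:
        src: uacme.nginx
        dest: /etc/nginx/default.d/uacme.conf
        owner: root
        group: root
        mode: '0644'
      become: true

    # The account key is the credential that authorises certificate requests
    # for this account, so it is created once and never overwritten.
    # NOTE(review): verify /etc/uacme.d/private is readable by root only.
    - name: Check uacme account
      ansible.builtin.stat:
        path: "/etc/uacme.d/private/key.pem"
      register: uacme_account
      become: true

    # -y auto-accepts the ACME server's terms of service; -v is verbose.
    # Runs only when the stat above found no existing account key.
    - name: Create uacme account
      ansible.builtin.command: uacme -v -y -c /etc/uacme.d new
      when: not uacme_account.stat.exists
      become: true

    # Served by nginx for HTTP-01 validation. Root-owned and 0755, so only
    # root can place challenge tokens here while nginx can still read them.
    - name: Create acme-challenge directory
      ansible.builtin.file:
        path: /var/www/html/.well-known/acme-challenge
        state: directory
        mode: '0755'
        owner: root
        group: root
      become: true

    # Preserving the timestamps keeps this task from reporting "changed" on
    # every run once the file exists.
    # NOTE(review): presumably read by uacme-certs.sh; confirm.
    - name: Touch ssl-hosts file
      ansible.builtin.file:
        path: /root/ssl-hosts.txt
        state: touch
        mode: '0644'
        owner: root
        group: root
        modification_time: preserve
        access_time: preserve
      become: true

    # Daily at 03:00 from the become user's crontab.
    # NOTE(review): /root/bin/uacme-certs.sh is not deployed by this play.
    # It runs with root privileges, so it must be root-owned and not
    # writable by any other user.
    - name: Add uacme job to crontab
      ansible.builtin.cron:
        name: "uacme"
        minute: "0"
        hour: "3"
        job: /root/bin/uacme-certs.sh
      become: true

    # NOTE(review): target is a path expression and, as written, names only
    # the directory itself; token files created inside rely on inheriting the
    # label. Consider a '(/.*)?' suffix if they must match the rule too.
    - name: Allow nginx access to acme-challenge
      community.general.sefcontext:
        target: /var/www/html/.well-known/acme-challenge
        setype: httpd_sys_content_t
      become: true

    # restorecon -v prints a line only for paths it relabels, so empty
    # stdout means nothing changed; -i ignores paths that do not exist.
    - name: Apply new SELinux file context to filesystem
      ansible.builtin.command:
        cmd: restorecon -irv /var/www/html/.well-known/acme-challenge
      register: restorecon_result
      changed_when: restorecon_result.stdout | length > 0
      become: true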