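---
# Distribute TLS certificates: sync them to the controller with rsync, install
# them under /etc/ssl/<name>/ on each host, then reload services on change.
#
# Variables read by these tasks:
#   dns_dehydratedpath   - rsync source (per the first task's name, the
#                          dehydrated output on the DNS master)
#   local_certpath       - controller-side staging directory
#   certdistrib          - list of certificate names to install
#   certdistrib_reload   - optional extra shell command run after a change
#   certdistrib_key_mode - optional mode for files holding the private key
#                          (defaults to "0600")

# Runs once, on the controller. --info=NAME makes rsync print each transferred
# name, so empty stdout is treated as "nothing changed".
# local_certpath ends up holding privkey.pem files (they are read from it
# below), and rsync -a preserves the source permissions; keep that directory
# readable only by the account that runs Ansible.
- name: "copy certificates from dns master's dehydrated"
  command: "rsync -a --info=NAME {{ dns_dehydratedpath }}/ {{ local_certpath }}"
  delegate_to: localhost
  run_once: true
  register: dns_rsync
  changed_when: "dns_rsync.stdout != ''"

- name: "create cert directory"
  file:
    path: "/etc/ssl/{{ item }}"
    state: directory
  loop: "{{ certdistrib }}"

# The chain is public material, so its mode is left to the module default.
- name: "copy fullchain"
  copy:
    src: "{{ local_certpath }}/{{ item }}/fullchain.pem"
    dest: "/etc/ssl/{{ item }}/fullchain.pem"
  loop: "{{ certdistrib }}"
  register: copy_cert

# Private key: set the mode explicitly instead of inheriting it from the
# umask, which usually leaves a new file world-readable. Override
# certdistrib_key_mode if a consumer needs group read access.
# diff is disabled so a --diff run does not print key material.
- name: "copy key"
  copy:
    src: "{{ local_certpath }}/{{ item }}/privkey.pem"
    dest: "/etc/ssl/{{ item }}/privkey.pem"
    mode: "{{ certdistrib_key_mode | default('0600') }}"
  diff: false
  loop: "{{ certdistrib }}"
  register: copy_key

# privfull.pem is the private key followed by the full chain in one file, so
# it gets the same restrictive mode and the same diff suppression as the key.
- name: "create privfull"
  copy:
    content: "{{ lookup('file', local_certpath +'/'+ item +'/privkey.pem') }}\n{{ lookup('file', local_certpath +'/'+ item +'/fullchain.pem') }}\n"
    dest: "/etc/ssl/{{ item }}/privfull.pem"
    mode: "{{ certdistrib_key_mode | default('0600') }}"
  diff: false
  loop: "{{ certdistrib }}"
  register: create_privfull

# Reload only the services that are currently active; inactive or missing
# units are skipped by the is-active test. Never reported as a change.
- name: reload services
  shell: "if systemctl is-active {{ item }}; then systemctl reload {{ item }}; fi"
  changed_when: false
  loop:
    - apache2
    - httpd
    - nginx
    - haproxy
  when: "copy_cert.changed or copy_key.changed or create_privfull.changed"

# certdistrib_reload is passed to a shell verbatim with this task's
# privileges; define it only in inventory or vars that you control.
- name: extra reload command
  shell: "{{ certdistrib_reload }}"
  when:
    - "copy_cert.changed or copy_key.changed or create_privfull.changed"
    - certdistrib_reload is defined

# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: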