---

- name: Determine domains to obtain certificates for (Matrix)
  set_fact:
    domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']"

- name: Determine domains to obtain certificates for (Riot)
  set_fact:
    domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}"
  when: matrix_riot_web_enabled

- name: Allow access to HTTP/HTTPS in firewalld
  firewalld:
    service: "{{ item }}"
    state: enabled
    immediate: yes
    permanent: yes
  with_items:
    - http
    - https
  when: ansible_os_family == 'RedHat'

- name: Ensure certbot Docker image is pulled
  docker_image:
    name: "{{ matrix_ssl_certbot_docker_image }}"

- name: Ensure SSL certificate paths exists
  file:
    path: "{{ item }}"
    state: directory
    mode: 0770
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
    - "{{ matrix_ssl_log_dir_path }}"
    - "{{ matrix_ssl_config_dir_path }}"

- name: Obtain initial certificates
  include_tasks: "setup_ssl_for_domain.yml"
  with_items: "{{ domains_to_obtain_certificate_for }}"
  loop_control:
    loop_var: domain_name

- name: Ensure SSL renewal script installed
  template:
    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
    dest: "/usr/local/bin/matrix-ssl-certificates-renew"
    mode: 0750

- name: Ensure periodic SSL renewal cronjob configured
  template:
    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
    mode: 0600