- debug:
    msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"

- set_fact:
    domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"

- name: Check if a certificate for the domain already exists
  stat:
    path: "{{ domain_name_certificate_path }}"
  register: domain_name_certificate_path_stat

- set_fact:
    domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"

- name: Ensure dynamic dns has ran
  service:
    name: "dynamic-dns"
    state: started
  register: dynamic_dns_service_update
  when: "domain_name_needs_cert|bool and matrix_dynamic_dns_enabled|bool" 

- name: Sleep for 60 seconds so that DNS records can be updated
  wait_for:
    timeout: 60
  when: dynamic_dns_service_update.changed

# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
  shell: >-
    {{ matrix_host_command_docker }} run
    --rm
    --name=matrix-certbot
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
    -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
    -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
    certonly
    --non-interactive
    --work-dir=/tmp
    --http-01-port 8080
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --standalone
    --preferred-challenges http
    --agree-tos
    --email={{ matrix_ssl_lets_encrypt_support_email }}
    -d {{ domain_name }}
  when: domain_name_needs_cert|bool
  register: result_certbot_direct
  ignore_errors: true

# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
  shell: >-
    {{ matrix_host_command_docker }} run
    --rm
    --name=matrix-certbot
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
    --network={{ matrix_docker_network }}
    -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
    -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
    certonly
    --non-interactive
    --work-dir=/tmp
    --http-01-port 8080
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --standalone
    --preferred-challenges http
    --agree-tos
    --email={{ matrix_ssl_lets_encrypt_support_email }}
    -d {{ domain_name }}
  when: "domain_name_needs_cert and result_certbot_direct.failed"
  register: result_certbot_proxy
  ignore_errors: true

- name: Fail if all SSL certificate retrieval attempts failed
  fail:
    msg: |
      Failed to obtain a certificate directly (by listening on port 80)
      and also failed to obtain by relying on the server at port 80 to proxy the request.
      See above for details.
      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
      more easily, stop the server on port 80 while this playbook runs.
  when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"