---

- name: Determine domains to obtain certificates for (Matrix)
  set_fact:
    domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']"

- name: Determine domains to obtain certificates for (Riot)
  set_fact:
    domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}"
  when: matrix_riot_web_enabled

- name: Allow access to HTTP/HTTPS in firewalld
  firewalld:
    service: "{{ item }}"
    state: enabled
    immediate: yes
    permanent: yes
  with_items:
    - http
    - https
  when: ansible_os_family == 'RedHat'

- name: Ensure acmetool Docker image is pulled
  docker_image:
    name: willwill/acme-docker

# Granting +rx to others as well, because the `nginx` user from within
# matrix-nginx-proxy needs to be able to read the acme-challenge files inside
# for renewal purposes.
#
# This should not be causing security trouble outside of the container,
# as the parent directory (/matrix) does not allow "others" to access it or any of its children.
# Still, it works when the /ssl subtree is mounted in the container.
- name: Ensure SSL certificates path exists
  file:
    path: "{{ matrix_ssl_certs_path }}"
    state: directory
    mode: 0775
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"

- name: Check matrix-nginx-proxy state
  service: name=matrix-nginx-proxy
  register: matrix_nginx_proxy_state

- name: Ensure matrix-nginx-proxy is stopped (if previously installed & started)
  service: name=matrix-nginx-proxy state=stopped
  when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"

- name: Ensure SSL certificates are marked as wanted in acmetool
  shell: >-
    /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
    -v {{ matrix_ssl_certs_path }}:/certs
    -e ACME_EMAIL={{ matrix_ssl_support_email }}
    willwill/acme-docker
    acmetool want {{ item }} --xlog.severity=debug
  with_items: "{{ domains_to_obtain_certificate_for }}"

- name: Ensure matrix-nginx-proxy is started (if previously installed & started)
  service: name=matrix-nginx-proxy state=started
  when: "matrix_nginx_proxy_state.status.ActiveState|default('missing') == 'active'"

- name: Ensure periodic SSL renewal cronjob configured
  template:
    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
    mode: 0600