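---
# SSL certificates with Let's Encrypt

# Probe for an existing certificate so the issuance task below is skipped on
# hosts that already hold one for cdn_domain.
- name: Check if certificate exists
  stat:
    path: "/etc/letsencrypt/live/{{ cdn_domain }}/fullchain.pem"
  register: cert_exists

# argv hands every value to certbot as exactly one argument. With the
# free-form command string, a cdn_domain or ssl_email value containing
# whitespace would be split into additional certbot arguments.
- name: Generate SSL certificate with certbot
  command:
    argv:
      - certbot
      - certonly
      - '--nginx'
      - '-d'
      - "{{ cdn_domain }}"
      - '--non-interactive'
      - '--agree-tos'
      - '--email'
      - "{{ ssl_email }}"
  when: not cert_exists.stat.exists

# Daily renewal check at 03:00 in root's crontab. certbot runs the deploy
# hook only for certificates it actually renewed, so nginx is not reloaded
# on days without a renewal.
# NOTE(review): some certbot packages already ship a renewal timer or cron
# entry; confirm this job does not duplicate it.
- name: Setup SSL certificate renewal
  cron:
    name: "Renew SSL certificates"
    minute: "0"
    hour: "3"
    job: "certbot renew --quiet --deploy-hook 'systemctl reload nginx'"
    user: root

# Verifies that renewal would succeed without replacing any certificate,
# hence changed_when: false. A non-zero exit code fails the play, so a
# broken renewal setup is noticed at deploy time rather than at expiry.
- name: Test SSL certificate renewal (dry-run)
  command: certbot renew --dry-run
  register: renewal_test
  failed_when: renewal_test.rc != 0
  changed_when: false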