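---
# Task list for a dbmail node:
#   1. decide whether this node is the one the mail FQDN points at
#      (compare the node's external IP with a DNS lookup of the FQDN);
#   2. on that node, obtain a Let's Encrypt certificate with certbot;
#   3. point dbmail.conf at the certificate files;
#   4. exchange root SSH public keys between nodes via a file on the control node;
#   5. on the other nodes, pull the certificate directories over rsync/ssh.
#
# Variables expected from the caller: admin_email, mail_server_fqdn,
# dbmail_web_admin_hostname.

- name: Get external IP of the node
  # NOTE(review): plain HTTP, so the reply is neither authenticated nor
  # integrity-protected. The value gates certificate issuance and the
  # rsync direction below; if the endpoint offers HTTPS, prefer it.
  uri:
    url: http://checkip.dyndns.org
    return_content: true
  register: checkip_url

- name: Extract IP from URL content
  # Search the response body, not the whole registered result dict.
  set_fact:
    node_external_ip: "{{ checkip_url.content | regex_search('[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}') }}"

- name: Set fact for mail server FQDN
  # Resolved through 1.1.1.1 rather than the node's own resolver; the
  # answer is not DNSSEC-validated here.
  set_fact:
    mail_server_fqdn_ip: "{{ lookup('dig', mail_server_fqdn, '@1.1.1.1') }}"

- name: Ensure server certificate exists
  # Only the node whose external IP matches the FQDN can pass the
  # HTTP-01 challenge, so issuance is restricted to it. `creates` keeps
  # the task idempotent (certbot renew is expected to handle renewals).
  shell: "certbot certonly --agree-tos --email {{ admin_email }} -n --webroot -d {{ mail_server_fqdn }} --webroot-path /var/www/html"
  args:
    creates: "/etc/letsencrypt/live/{{ mail_server_fqdn }}"
  when: mail_server_fqdn_ip == node_external_ip

- name: Show check for main mail server
  debug:
    msg: "mail_server_fqdn_ip {{ mail_server_fqdn_ip }} != node_external_ip {{ node_external_ip }}"
  when: mail_server_fqdn_ip != node_external_ip

- name: Ensure dbmail TLS certificate, private key and CA chain are configured
  # One ini_file task per option; all three point into the live/ directory
  # that certbot (or the rsync tasks below) populate.
  ini_file:
    path: /etc/dbmail/dbmail.conf
    create: true
    section: DBMAIL
    option: "{{ item.option }}"
    value: "/etc/letsencrypt/live/{{ mail_server_fqdn }}/{{ item.file }}"
  loop:
    - { option: tls_cert, file: cert.pem }
    - { option: tls_key, file: privkey.pem }
    - { option: tls_cafile, file: chain.pem }
  loop_control:
    label: "{{ item.option }}"

- name: Check if there is a public key
  stat:
    path: /root/.ssh/id_ed25519.pub
  register: pubkey

- name: Generate new key if it doesn't exist already
  # Unencrypted key (-N '') so the rsync tasks can run unattended.
  shell: ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ''
  args:
    creates: /root/.ssh/id_ed25519.pub
  when: not pubkey.stat.exists

- name: Get SSH public key content
  # Read-only; never report it as a change.
  shell: cat /root/.ssh/id_ed25519.pub
  register: ssh_pubkey
  changed_when: false

- name: Add SSH public key to local (Ansible control node) file
  # NOTE(review): /tmp/pubkeys is a fixed, world-writable-directory path on
  # the control node; anything appended there becomes a root authorized_key
  # on every managed host in the next task. A path under playbook_dir (or a
  # per-run tempfile) would limit who can write it.
  # The key is escaped because OpenSSH base64 contains regex
  # metacharacters ('+', '/'); an unescaped regexp may fail to match
  # and append duplicates on every run.
  lineinfile:
    path: /tmp/pubkeys
    regexp: "^{{ ssh_pubkey.stdout | regex_escape }}$"
    line: "{{ ssh_pubkey.stdout }}"
    create: true
  delegate_to: 127.0.0.1

- name: Add SSH public keys to authorized_keys
  authorized_key:
    user: root
    state: present
    key: "{{ item }}"
  loop: "{{ lookup('file', '/tmp/pubkeys') | split('\n') }}"

# The four rsync tasks below copy certificate directories -- including the
# private key under archive/ -- from the issuing host over SSH on port 7227.
# StrictHostKeyChecking=accept-new records the peer's key on first contact and
# fails loudly if it later changes; pre-seeding /root/.ssh/known_hosts (e.g. with
# the known_hosts module) removes even the first-contact trust assumption.
# `-a` preserves the source file modes, so privkey.pem keeps its permissions.

- name: Synchronize live certificates mail name
  shell: "rsync -ar -e 'ssh -p 7227 -o StrictHostKeyChecking=accept-new' {{ mail_server_fqdn_ip }}:/etc/letsencrypt/live/{{ mail_server_fqdn }} /etc/letsencrypt/live/"
  when: mail_server_fqdn_ip != node_external_ip

- name: Synchronize archive certificates mail name
  shell: "rsync -ar -e 'ssh -p 7227 -o StrictHostKeyChecking=accept-new' {{ mail_server_fqdn_ip }}:/etc/letsencrypt/archive/{{ mail_server_fqdn }} /etc/letsencrypt/archive/"
  when: mail_server_fqdn_ip != node_external_ip

- name: Synchronize live certificate web admin
  shell: "rsync -ar -e 'ssh -p 7227 -o StrictHostKeyChecking=accept-new' {{ dbmail_web_admin_hostname }}:/etc/letsencrypt/live/{{ dbmail_web_admin_hostname }} /etc/letsencrypt/live/"
  when: mail_server_fqdn_ip != node_external_ip

- name: Synchronize archive certificates web admin
  shell: "rsync -ar -e 'ssh -p 7227 -o StrictHostKeyChecking=accept-new' {{ dbmail_web_admin_hostname }}:/etc/letsencrypt/archive/{{ dbmail_web_admin_hostname }} /etc/letsencrypt/archive/"
  when: mail_server_fqdn_ip != node_external_ip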