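---
# Mail-server TLS bootstrap and inter-node certificate distribution.
#
# Flow: decide which node owns the FQDN's public address (only that node can
# pass certbot's webroot challenge), point dbmail at the Let's Encrypt files,
# exchange root SSH keys between all play hosts, then pull /etc/letsencrypt
# from the first play host onto every other node.
#
# Variables read: mail_server_fqdn, admin_email, ssh_port (optional, default 7227).
# The 'dig' lookup runs on the control node and needs dnspython there.

- name: Get external IP of the node
  uri:
    # Plain HTTP and unauthenticated: the answer only decides whether this
    # node runs certbot; a wrong answer means the certificate is not issued.
    url: http://checkip.dyndns.org
    return_content: true
  register: checkip_response

- name: Set fact for the node's external IP
  # The registered value is a result dict, not a string, and the service
  # returns an HTML page ("Current IP Address: a.b.c.d"), so the original
  # comparison against the resolved address could never be true.
  # Extract the dotted quad; an empty result simply skips certbot below.
  set_fact:
    node_external_ip: '{{ checkip_response.content | regex_search("[0-9]+([.][0-9]+){3}") }}'

- name: Set fact for mail server FQDN
  set_fact:
    # Resolved against 1.1.1.1 explicitly rather than the node's resolver
    # (presumably so a local hosts entry cannot fake a match -- confirm).
    mail_server_fqdn_ip: "{{ lookup('dig', mail_server_fqdn, '@1.1.1.1') }}"

- name: Ensure server certificate exists
  # 'command' instead of 'shell': no shell features are used.
  # Assumes a web server already serves /var/www/html on port 80 for the
  # HTTP-01 challenge -- set up elsewhere, confirm.
  command: >-
    certbot certonly --agree-tos --email {{ admin_email }} -n
    --webroot -d {{ mail_server_fqdn }} --webroot-path /var/www/html
  args:
    creates: "/etc/letsencrypt/live/{{ mail_server_fqdn }}"
  when: mail_server_fqdn_ip == node_external_ip

- name: Ensure dbmail TLS settings point at the Let's Encrypt files
  # One task for the three [DBMAIL] options; the files exist on the node
  # that ran certbot and are copied to the others by the rsync task below.
  ini_file:
    path: /etc/dbmail/dbmail.conf
    create: true
    section: DBMAIL
    option: "{{ item.option }}"
    value: "/etc/letsencrypt/live/{{ mail_server_fqdn }}/{{ item.file }}"
  loop:
    - { option: tls_cert, file: cert.pem }
    - { option: tls_key, file: privkey.pem }
    - { option: tls_cafile, file: chain.pem }

- name: Check if there is a public key
  stat:
    path: /root/.ssh/id_rsa.pub
  register: pubkey

- name: Generate new key if it doesn't exist already
  # 'creates' makes the task idempotent even if 'pubkey' is stale.
  command: ssh-keygen -t rsa -b 4096 -f /root/.ssh/id_rsa -N ''
  args:
    creates: /root/.ssh/id_rsa.pub
  when: not pubkey.stat.exists

- name: Get SSH public key content
  # slurp instead of 'shell: cat': no process spawn, never reports changed.
  slurp:
    src: /root/.ssh/id_rsa.pub
  register: ssh_pubkey_file

- name: Set fact for the public key line
  set_fact:
    ssh_pubkey_line: "{{ ssh_pubkey_file.content | b64decode | trim }}"

- name: Add SSH public key to local (Ansible control node) file
  # /tmp/pubkeys accumulates across runs; keys of hosts removed from the
  # inventory stay in it until the file is deleted on the control node.
  lineinfile:
    path: /tmp/pubkeys
    # regex_escape: the key's base64 body contains '+' and '/', which would
    # otherwise act as regex metacharacters and defeat the duplicate check.
    regexp: "^{{ ssh_pubkey_line | regex_escape }}$"
    line: "{{ ssh_pubkey_line }}"
    create: true
    mode: "0600"
  delegate_to: 127.0.0.1
  # Every host writes the same control-node file; serialize the writes.
  throttle: 1

- name: Add SSH public keys to authorized_keys
  authorized_key:
    user: root
    state: present
    key: "{{ item }}"
  # 'select' drops blank lines so authorized_key does not fail on an empty key.
  loop: "{{ lookup('file', '/tmp/pubkeys') | split('\n') | select | list }}"

- name: Synchronize certificates
  # Pull /etc/letsencrypt from the first play host.
  # - Trailing slash on the source: without it rsync creates
  #   /etc/letsencrypt/letsencrypt/ and the dbmail paths above never exist
  #   on the secondary nodes.
  # - accept-new (OpenSSH >= 7.6) pins the host key on first contact instead
  #   of disabling verification for a transfer of private keys.
  # - -i (itemize) makes the change status real instead of always "changed".
  # ansible_play_hosts[0] must be resolvable/reachable as an SSH host name
  # from the other nodes -- confirm for this inventory.
  command: >-
    rsync -a -i -e 'ssh -p {{ ssh_port | default(7227) }} -o StrictHostKeyChecking=accept-new'
    {{ ansible_play_hosts[0] }}:/etc/letsencrypt/ /etc/letsencrypt/
  register: cert_sync
  changed_when: cert_sync.stdout != ""
  when: inventory_hostname != ansible_play_hosts[0]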