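---
# Reverse proxy / load balancer host setup: nginx, certbot (Let's Encrypt) and,
# for local runs, a passphrase-protected self-signed certificate.
- name: Setting up reverse proxy and load balancer
  hosts: hosts
  become: true
  vars:
    is_local: true
    # Default only. Supply the real value from a vaulted var or `-e` so it never
    # sits in this file; kept as a quoted string so no YAML parser retypes it.
    passphrase: "changeme"
    cert_domain: "example.com"
    cert_email: "admin@example.com"
    # Certbot goes into its own venv (python3-venv is installed below), which
    # keeps pip off the system Python (PEP 668 hosts refuse system-wide pip).
    # Constructed default path; adjust to the host's layout if needed.
    certbot_venv: /opt/certbot
  tasks:
    - name: Install Certbot and Nginx
      block:
        - name: Installing Nginx, Python3 and build dependencies
          ansible.builtin.apt:
            state: present
            update_cache: true
            pkg:
              - nginx
              - python3-pip
              - python3
              - python3-dev
              - python3-venv
              - libaugeas-dev
              - gcc

        - name: Installing Certbot
          ansible.builtin.pip:
            name:
              - certbot
              # was "certbox-nginx": that package does not exist; the --nginx
              # plugin used below lives in certbot-nginx
              - certbot-nginx
            virtualenv: "{{ certbot_venv }}"
            virtualenv_command: python3 -m venv
          when: not ansible_check_mode

        # - name: Manage SSL certificate with community module
        - name: Obtain or renew SSL certificate for {{ cert_domain }}
          # `command` with argv instead of `shell`: no shell parsing, so the
          # templated domain and e-mail cannot inject extra commands.
          ansible.builtin.command:
            argv:
              - "{{ certbot_venv }}/bin/certbot"
              - --nginx
              - -d
              - "{{ cert_domain }}"
              - --non-interactive
              - --agree-tos
              - --email
              - "{{ cert_email }}"
            creates: "/etc/letsencrypt/live/{{ cert_domain }}/fullchain.pem"
          register: certbot_result
          # default('') keeps this evaluable when certbot could not be started
          # at all and no stdout was produced
          changed_when: >-
            'Obtained a new certificate' in certbot_result.stdout | default('')
            or 'renewed' in certbot_result.stdout | default('')
          # Deliberately best-effort (certbot may not be usable yet, e.g. on a
          # host that is not reachable from the internet). Set to true if you
          # want the playbook to fail immediately on error. `ignore_errors`
          # was redundant with this and has been dropped.
          failed_when: false
          when: cert_domain is defined

        # Surface a swallowed certbot failure instead of hiding it in -v output.
        - name: Report a non-fatal certbot failure
          ansible.builtin.debug:
            msg: "certbot exited with rc={{ certbot_result.rc }}: {{ certbot_result.stderr | default('') }}"
          when:
            - certbot_result is not skipped
            - certbot_result.rc | default(0) != 0
        # NOTE(review): a pip/venv install does not set up the certbot renewal
        # timer that the distro package provides; confirm a `certbot renew`
        # cron/systemd timer exists on these hosts.

    - name: Installing self-signed certificate
      when: is_local
      block:
        - name: Create passphrase-protected private key (ECDSA P-256)
          community.crypto.openssl_privatekey:
            path: /etc/ssl/private/nginx-selfsigned.key
            # was X25519: that is a key-agreement key and cannot sign a
            # certificate, so the self-signed step below would fail
            type: ECC
            curve: secp256r1
            # was `{ passphrase }`, a flow mapping {passphrase: null}, not the
            # Jinja expression
            passphrase: "{{ passphrase }}"
            cipher: auto
            mode: "0600"
          # keep the passphrase out of task output/logs
          no_log: true

        - name: Create self-signed certificate
          community.crypto.x509_certificate:
            path: /etc/ssl/certs/nginx-selfsigned.crt
            privatekey_path: /etc/ssl/private/nginx-selfsigned.key
            # the key above is encrypted; without this the module cannot load it
            privatekey_passphrase: "{{ passphrase }}"
            provider: selfsigned
          no_log: true
        # NOTE(review): nginx needs the same passphrase to load this key
        # (ssl_password_file); that configuration is not part of this play.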