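# Provisions TLS for nginx in one of two modes, selected by `is_local`:
#   - is_local == false: install certbot (pip, in a dedicated venv) and obtain a
#     Let's Encrypt certificate for `cert_domain` using `cert_email`.
#   - is_local == true:  generate a passphrase-protected self-signed key/cert.
# Expects vars: cert_domain, cert_email, passphrase (keep `passphrase` in
# Ansible Vault or another secret store, not in plain group_vars), is_local.
- name: Install Certbot and Nginx
  block:
    - name: Installing Python3 and PIP
      ansible.builtin.apt:
        state: present
        # `true`, not `yes`: Ansible/yamllint canonical boolean.
        update_cache: true
        pkg:
          - nginx
          - python3-pip
          - python3
          - python3-dev
          - python3-venv
          - libaugeas-dev
          - gcc

    # The venv lives under /opt (root-owned, not world-writable, survives
    # reboots). The previous /tmp/.venv location had two problems: /tmp is
    # world-writable, so an unprivileged local user could pre-create the
    # directory and plant a `bin/certbot` that root then executes, and /tmp is
    # typically cleaned on reboot, which would silently break renewal.
    # `break_system_packages` was dropped: it only matters for the system
    # interpreter (PEP 668) and is meaningless inside a venv.
    # NOTE(review): certbot/certbot-nginx are unpinned and `--upgrade` pulls the
    # newest release from PyPI on every run — pin versions if you need a
    # reproducible, reviewable supply chain.
    - name: Installing Certbot
      ansible.builtin.pip:
        extra_args: --upgrade
        virtualenv: /opt/certbot
        virtualenv_command: python3 -m venv
        name:
          - certbot
          - certbot-nginx
      when: not ansible_check_mode

    # Uses `command` with an argv list instead of `shell`, so `cert_domain` and
    # `cert_email` are passed as discrete arguments and cannot inject shell
    # syntax. This also removes the broken `source /tmp/.venv/activate` (the
    # activate script lives in <venv>/bin/, and the venv binary can simply be
    # invoked directly). `creates` keeps the task idempotent; it means this task
    # only ever *obtains* a certificate — renewal is handled by the cron entry
    # below, so the 'renewed' branch of changed_when is defensive only.
    - name: Obtain SSL certificate for {{ cert_domain }}
      ansible.builtin.command:
        argv:
          - /opt/certbot/bin/certbot
          - --nginx
          - -d
          - "{{ cert_domain }}"
          - --non-interactive
          - --agree-tos
          - --email
          - "{{ cert_email }}"
        creates: /etc/letsencrypt/live/{{ cert_domain }}/fullchain.pem
      register: certbot_result
      changed_when: "'Obtained a new certificate' in certbot_result.stdout or 'renewed' in certbot_result.stdout"
      when: not is_local

    # A pip-installed certbot ships no systemd timer or cron job (the apt/snap
    # packages do), so without this the certificate expires after 90 days.
    # `certbot renew` reads the installer (nginx) from the saved renewal config
    # and reloads nginx when a certificate is replaced.
    - name: Schedule automatic certificate renewal
      ansible.builtin.cron:
        name: certbot renew
        minute: "0"
        hour: "0,12"
        job: /opt/certbot/bin/certbot renew -q
      when: not is_local

- name: Installing self-signed certificate
  when: is_local
  block:
    # NOTE(review): a passphrase-protected key means nginx cannot start
    # unattended unless the passphrase is supplied via `ssl_password_file` in
    # the nginx TLS config — confirm the nginx template does this.
    - name: Create private key (RSA) with password protection
      community.crypto.openssl_privatekey:
        path: /etc/ssl/private/nginx-selfsigned.key
        type: RSA
        passphrase: "{{ passphrase }}"
        # community.crypto requires `cipher` together with `passphrase`;
        # `auto` selects the cryptography backend's default.
        cipher: auto
        # Explicit owner-only permissions on the key (matches the module
        # default, stated here so it is visible in review).
        mode: "0600"

    - name: Create self-signed certificate
      community.crypto.x509_certificate:
        path: /etc/ssl/certs/nginx-selfsigned.crt
        privatekey_path: /etc/ssl/private/nginx-selfsigned.key
        provider: selfsigned
        privatekey_passphrase: "{{ passphrase }}"
      # Skipped in check mode: the key above does not exist yet there, and the
      # cert task would fail trying to read it.
      when: not ansible_check_mode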