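---
# Support HTTPS setup using Let's Encrypt
# TODO: Transition over to letsencrypt module once released for Ansible 2.2
# - See http://docs.ansible.com/ansible/letsencrypt_module.html

# Rust toolchain: only bootstrap it when cargo is not already present.
- name: verify if rust is installed
  stat:
    path: /usr/local/bin/cargo
  register: cargo_binary

# The installer script is fetched over HTTPS and then executed as root by the
# next task. Pin its contents with the get_url `checksum` option so a changed
# or tampered script is refused instead of run; fill in the expected digest
# (placeholder below) before enabling the line.
- name: fetch rust installer via site
  get_url:
    url: https://static.rust-lang.org/rustup.sh
    dest: /root/rustup.sh
    mode: "0740"
    # checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
  when: not cargo_binary.stat.exists

# No shell features are needed to run the script, so `command` avoids an
# intermediate /bin/sh.
- name: install rust via installer
  command: /root/rustup.sh
  when: not cargo_binary.stat.exists

# ACME client: built from crates.io with cargo, installed under /usr/local.
- name: verify if letsencrypt-rs is installed
  stat:
    path: /usr/local/bin/letsencrypt-rs
  register: letsencrypt_binary

- name: install the dev dependencies for letsencrypt-rs client
  apt:
    name: libssl-dev
    state: present
  when: not letsencrypt_binary.stat.exists

- name: install the letsencrypt-rs client
  command: cargo install letsencrypt-rs --root /usr/local
  when: not letsencrypt_binary.stat.exists

#- name: retrieve the certificate
#  command: letsencrypt certonly --webroot --email {{ nsbase_letsencrypt_email }} --agree-tos --non-interactive \
#    --domain {{ nsbase_app_hostname }} --webroot {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}

# Webroot challenge directories, writable by the web server group so the
# client (run as www-data below) can publish the ACME challenge files.
# NOTE(review): `owner` is set from the *group* variable; confirm there is no
# separate web-server user variable that was intended here.
- name: setup webapp ssl challenges
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ nsbase_web_server_group }}"
    group: "{{ nsbase_web_server_group }}"
    mode: "0774"
  with_items:
    - "{{ nsbase_letsencrypt_challenges_dir }}"
    - "{{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}"
  when: nsbase_letsencrypt_enable_ssl

# Run the client as the web server user via become rather than an inline
# `sudo -u`. The folded scalar replaces the previous backslash continuations,
# which a multi-line plain scalar would have handed to the command as literal
# `\` arguments. Guarded by the same flag as the directory task above, since
# without those directories the challenge cannot be served.
- name: retrieve the certificate
  command: >-
    letsencrypt-rs sign
    --email {{ nsbase_letsencrypt_email }}
    --domain {{ nsbase_app_hostname }}
    --public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
  become: true
  become_user: www-data
  when: nsbase_letsencrypt_enable_ssl

#- name: ensure nginx has basic ssl settings
#  lineinfile: dest=/etc/nginx/conf.d/ssl.conf state=present line={{ item }} insertafter="http {"
#  with_items:
#    # NOTE(review): TLSv1 and TLSv1.1 are deprecated; when this task is
#    # re-enabled, offer TLSv1.2 (and TLSv1.3 where the nginx/OpenSSL build supports it).
#    - ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#    - ssl_prefer_server_ciphers on;
#    - ssl_session_cache shared:SSL:50m;
#    - ssl_session_timeout 5m;
#  notify: restart nginx

# TODO: Add in individual certificate for site setup.
# TODO: Add in supervisor configuration to renew the certificate every 2 days.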