- name: Request SSL certificate from Let's Encrypt
  ansible.builtin.shell: |
    # Make task independent: if nginx is already running, stop it and then
    # start back on exit.
    [ -f /var/run/nginx.pid ] && systemctl stop nginx
    trap "systemctl start nginx" EXIT
    certbot certonly \
        --standalone \
        --agree-tos \
        --renew-by-default \
        --email webmaster@ilvokhin.com \
        --rsa-key-size 4096 \
        -d {{ domains | join(' -d ') }}
  args:
    creates: /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem

# TODO: rewrite this role or make it more generic.
#
# Currently we reuse certificate role for web and mail servers, but they
# are actually quite different.
# * We can't start nginx without valid certificate, but can start postfix (and
# dovecot?).
# * We can serve acme challenge with nginx itself on renewal, but we need
# `--standalone` mode for mail server (or need to bring nginx).
# * It is undesirable to bring down nginx any time we are updating
# SSL certificates.