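# Issue or renew a Let's Encrypt certificate for this host with lego.
# lego is run with /root as its working directory, and the resulting
# certificate is expected under /root/.lego/certificates/.
#
# NOTE(review): inventory_hostname is always defined by Ansible, so the
# `| default(cert_domain)` fallback used throughout these tasks never applies.
# If cert_domain is meant to override the host name, the expression should be
# `cert_domain | default(inventory_hostname)` - confirm the intent before
# changing it, since that alters which domain is requested.

# Recorded before any issuance, so the renew task at the end is skipped on the
# same run that creates the certificate.
- name: Check if SSL cert already exists for domain
  stat:
    path: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
  register: existing_cert_check

# argv hands every templated value to lego as exactly one argument. With a
# single command string, whitespace or quotes inside a variable would be
# re-split into additional lego options.
- name: Generate initial cert (http)
  command:
    argv:
      - /usr/local/bin/lego
      - '-a'
      - "--email={{ letsencrypt_email }}"
      - "--domains={{ inventory_hostname | default(cert_domain) }}"
      - '--key-type'
      - "{{ cert_key_type | default('rsa4096') }}"
      - '--http'
      - run
    chdir: /root
    # Idempotence guard: skipped once the certificate file exists.
    creates: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
  when: lego_method == 'http'

- name: Generate initial cert (dns)
  command:
    argv:
      - /usr/local/bin/lego
      - '-a'
      - "--email={{ letsencrypt_email }}"
      - '--dns'
      - linode
      - "--domains={{ inventory_hostname | default(cert_domain) }}"
      - '--key-type'
      - "{{ cert_key_type | default('rsa4096') }}"
      - run
    chdir: /root
    creates: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
  environment:
    # Quoted so YAML keeps them as strings; process environments only carry
    # strings.
    LINODE_POLLING_INTERVAL: "120"
    LINODE_PROPAGATION_TIMEOUT: "600"
    # Secret: the DNS-01 challenge needs a token that can edit DNS records.
    # Supply linode_dns_token from Ansible Vault or another secret store, and
    # scope the token as narrowly as the provider allows.
    LINODE_TOKEN: "{{ linode_dns_token }}"
  when: lego_method == 'dns'

# No `creates` guard here: this runs on every play once the certificate file
# was already present at the start of the run, so Ansible reports it as changed
# each time. Presumably lego itself skips certificates that are not yet close
# to expiry - confirm against the installed lego version.
# NOTE(review): only the dns method has a renew task in the visible tasks, and
# only this task pins --dns.resolvers; the initial dns issuance uses the
# system resolvers. Confirm both are intentional.
- name: Renew cert (dns)
  command:
    argv:
      - /usr/local/bin/lego
      - '-a'
      - "--email={{ letsencrypt_email }}"
      - '--dns'
      - linode
      - "--domains={{ inventory_hostname | default(cert_domain) }}"
      - '--key-type'
      - "{{ cert_key_type | default('rsa4096') }}"
      - '--dns.resolvers'
      - '8.8.8.8'
      - renew
    chdir: /root
  environment:
    LINODE_POLLING_INTERVAL: "120"
    LINODE_PROPAGATION_TIMEOUT: "600"
    # Secret: see the note on the initial dns task; keep it out of plain-text
    # vars.
    LINODE_TOKEN: "{{ linode_dns_token }}"
  when: lego_method == 'dns' and existing_cert_check.stat.exists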