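---
# Domain-controller TLS: enrol the DC with the internal step-ca over ACME
# and keep the certificate renewed by certbot's systemd timer.
#
# Reviewer notes (verify against the rest of the role before relying on them):
# - The initial `certbot certonly` below runs with the system trust store only;
#   the renewal service instead gets REQUESTS_CA_BUNDLE pointed at
#   /root/root_ca.crt. Both must trust the step-ca root or enrolment/renewal
#   fails with a TLS error. Confirm that import_stepca.yml actually writes
#   /root/root_ca.crt; if it only updates the system bundle, the override
#   will make every renewal fail.
# - `notify: restart samba-ad-dc` fires only on first issuance. Timer-driven
#   renewals do not restart Samba, so the renewed certificate is not loaded
#   until the service is restarted by other means (a certbot deploy hook or a
#   renewal-hooks/deploy script) — confirm one exists, otherwise the DC keeps
#   serving the old certificate until it expires.
# - `--standalone` binds port 80 for the HTTP-01 challenge on every renewal;
#   that port must stay free on the DC.

- name: domaincontroller | certs | ensure step-ca root cert is trusted
  include_role:
    name: base
    tasks_from: system_setup/import_stepca.yml

# One-shot enrolment. `creates:` makes this idempotent: the command is skipped
# once a fullchain.pem exists for this FQDN, so changing the flags below does
# not re-enrol an already provisioned host.
- name: domaincontroller | certs | obtain certificate from step-ca via certbot
  command: >
    certbot certonly --standalone -n -d {{ ansible_fqdn }}
    --server {{ samba_stepca_server_url }}/acme/acme/directory
    --agree-tos --email admin@{{ samba_realm | lower }}
  args:
    creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem
  notify: restart samba-ad-dc

# Drop-in directory for certbot.service (the unit the timer triggers).
- name: domaincontroller | certs | create certbot.service override directory
  file:
    path: /etc/systemd/system/certbot.service.d
    state: directory
    mode: '0755'

# certbot's Python HTTP client does not necessarily consult the system trust
# store, so the renewal service is pinned to the step-ca root explicitly.
# The override is not secret (0644 is fine); the CA file it references lives
# under /root and is root-readable only, which is what the service runs as.
- name: domaincontroller | certs | create service override for step-ca
  copy:
    dest: /etc/systemd/system/certbot.service.d/override.conf
    content: |
      [Service]
      Environment="REQUESTS_CA_BUNDLE=/root/root_ca.crt"
    mode: '0644'
  notify: systemd daemon-reload

# daemon_reload here (in addition to the handler, which only runs at the end
# of the play) guarantees the drop-in above is loaded before the timer is
# enabled, so the very first timer-triggered run already sees the CA bundle.
- name: domaincontroller | certs | enable and start certbot timer
  systemd:
    name: certbot.timer
    state: started
    enabled: true
    daemon_reload: true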