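---
# Issue one certificate per entry of `certbot_certificates`, a mapping of
# certificate name -> per-certificate options. Options missing from an entry
# fall back to the certbot_* variables (ACME server, e-mail, RSA key size,
# challenge type).
#
# Idempotency: `creates` skips the command once
# /etc/letsencrypt/live/<name>/fullchain.pem exists, so this task performs
# first issuance only. Changing the domains or key size of an existing
# certificate is not picked up here, and renewal is not handled by this task.
#
# Argument handling (security-relevant):
# - ansible.builtin.command runs no shell, but it does split the rendered
#   string into argv. Every interpolated value is therefore passed through
#   `quote`, so a value with whitespace or quote characters stays a single
#   argument and cannot add extra certbot options.
# - `cert.challenge_freeform_arguments` is deliberately passed through
#   unquoted (it is meant to expand to several arguments). It must only come
#   from trusted inventory; it defaults to '' when not set.
# - The challenge name is used verbatim to build the `--<challenge>` flag.
# - When the effective e-mail is null the ACME account is registered with
#   --register-unsafely-without-email, i.e. without a contact address for the
#   CA. Prefer setting an e-mail for production certificates.
# - --rsa-key-size only matters when certbot generates an RSA key.
#   NOTE(review): confirm the key type used by the installed certbot version
#   (see certbot's --key-type option).
# - --non-interactive is passed because Ansible runs certbot without a TTY;
#   a prompt could never be answered.
#
# Webroot challenge: either `cert.webroot_map` (domains and paths as JSON) or
# a single `cert.webroot` directory passed via --webroot-path, plus one
# --domain per entry of `cert.domains` (default: the certificate name).
# NOTE(review): for any other challenge this task adds no --domain arguments;
# presumably they are expected in `challenge_freeform_arguments` - confirm.
#
# The loop variable is exposed as `cert_name` rather than `name` so that it
# does not shadow the task keyword `name`.
- name: issue certificates
  ansible.builtin.command: >-
    /usr/bin/certbot certonly
    --non-interactive
    --server {{ cert.server | default(certbot_acme_server) | quote }}
    --agree-tos
    {% if (cert.email | default(certbot_email)) is none %}
    --register-unsafely-without-email
    {% else %}
    --email {{ cert.email | default(certbot_email) | quote }}
    {% endif %}
    --cert-name {{ cert_name | quote }}
    --rsa-key-size {{ cert.rsa_key_size | default(certbot_rsa_key_size) | quote }}
    {% if (cert.challenge | default(certbot_challenge)) == 'webroot' %}
    --webroot
    {% if cert.webroot_map is defined %}
    --webroot-map {{ cert.webroot_map | to_json | quote }}
    {% else %}
    --webroot-path {{ cert.webroot | quote }}
    {% for domain in cert.domains | default([cert_name]) %}
    --domain {{ domain | quote }}
    {% endfor %}
    {% endif %}
    {% else %}
    --{{ cert.challenge | default(certbot_challenge) }}
    {{ cert.challenge_freeform_arguments | default('') }}
    {% endif %}
  args:
    creates: "/etc/letsencrypt/live/{{ cert_name }}/fullchain.pem"
  vars:
    cert_name: "{{ item.key }}"
    cert: "{{ item.value }}"
  loop: "{{ certbot_certificates | dict2items }}"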