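---
# Issue Let's Encrypt certificates with Certbot's standalone authenticator.
#
# One certificate is requested per entry of `servernames`: `<key>.<mydomain>`,
# or `<key>.internal.<mydomain>` when the entry has `internal` set.
# Nginx is stopped for the duration because Certbot is run with --standalone.
#
# The tasks are wrapped in block/always so that Nginx is started again even
# when a Certbot run fails; with three flat tasks a failed issuance would end
# the play with the web server left stopped.
- name: Issue certificates with Nginx stopped, then always start Nginx again
  block:
    # ignore_errors hides every failure of this task, not only "service is
    # not running"; a real failure to stop Nginx will most likely show up as
    # an error in the Certbot step instead.
    - name: Stop Nginx before Certbot (if it is running)
      ansible.builtin.service:
        name: nginx
        state: stopped
      ignore_errors: true

    # Dry-run is the default: real certificates are only requested when
    # bool_cert_dry_run is false. The `| bool` cast makes a string value such
    # as "false" (e.g. passed with -e) count as false; without it any
    # non-empty string is truthy and the run silently stays a dry run.
    #
    # mydomain, certbot_email and the servernames keys are interpolated into
    # the command line unquoted. The command module does not invoke a shell,
    # but whitespace inside a value would still be split into additional
    # certbot arguments, so these values must stay operator-controlled.
    #
    # `creates` skips hosts whose certificate already exists. A dry run does
    # not write fullchain.pem, so in dry-run mode this task runs every time.
    - name: Generate Certbot certificates
      ansible.builtin.command: >
        certbot certonly --standalone --non-interactive --agree-tos
        {{ '--dry-run' if (bool_cert_dry_run | default(true) | bool) else '' }}
        --email {{ certbot_email | default("admin@" + mydomain) }}
        -d {{ (item.key + "." + mydomain) if not item.value.internal else (item.key + ".internal." + mydomain) }}
      loop: "{{ servernames | dict2items }}"
      args:
        creates: "/etc/letsencrypt/live/{{ (item.key ~ '.' ~ mydomain) if not item.value.internal else (item.key ~ '.internal.' ~ mydomain) }}/fullchain.pem"

  always:
    # Runs whether or not the block above succeeded.
    - name: Start Nginx after Certbot
      ansible.builtin.service:
        name: nginx
        state: started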