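---
# Obtain Let's Encrypt certificates for every public (non-internal) entry in
# `servernames` using Certbot's standalone authenticator.
#
# Variables read here (defined outside this file):
#   servernames    mapping of host label -> settings; only `.internal` is used
#   mydomain       base domain appended to each label
#   certbot_email  optional contact address; defaults to admin@<mydomain>
#
# The standalone authenticator runs its own listener, so Nginx is stopped
# first. The block/always wrapper restarts Nginx even if Certbot fails;
# without it a failed issuance would leave the web server down.
#
# NOTE(review): Nginx is stopped on every run, including runs where every
# certificate already exists and Certbot is skipped through `creates`.
# NOTE(review): certificates issued with --standalone are normally renewed
# with the same authenticator, so unattended renewal needs the port free as
# well; nothing in this file arranges that. Confirm how renewal is handled.
- name: Issue certificates while Nginx is stopped
  block:
    - name: Stop Nginx before Certbot (if it is running)
      ansible.builtin.service:
        name: nginx
        state: stopped
      # NOTE(review): this ignores every failure of the stop, not only
      # "service not present". If Nginx is still running, Certbot fails
      # later with a less obvious error.
      ignore_errors: true

    - name: Generate Certbot certificates
      vars:
        # Single definition of the certificate name, shared by -d and
        # `creates`. The `when` below skips internal entries, so the
        # `.internal.` branch is never reached in this task.
        cert_domain: >-
          {{ item.key + '.' + mydomain
          if not item.value.internal
          else item.key + '.internal.' + mydomain }}
      ansible.builtin.command:
        # argv passes each value as exactly one argument, so whitespace or a
        # leading dash inside a variable cannot turn into extra Certbot
        # options.
        argv:
          - certbot
          - certonly
          - '--standalone'
          - '--non-interactive'
          - '--agree-tos'
          - '--email'
          - "{{ certbot_email | default('admin@' + mydomain) }}"
          - '-d'
          - "{{ cert_domain }}"
        # Skip issuance when a certificate for this name is already present.
        # Jinja string literals use single quotes: the original nested
        # double quotes inside a double-quoted YAML scalar, which does not
        # parse.
        creates: "/etc/letsencrypt/live/{{ cert_domain }}/fullchain.pem"
      loop: "{{ servernames | dict2items }}"
      when: not item.value.internal

  always:
    - name: Start Nginx after Certbot
      ansible.builtin.service:
        name: nginx
        state: started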