---
- name: Remove default nginx vhost config file (if configured).
  file:
    path: "{{ nginx_default_vhost_path }}"
    state: absent
  when: nginx_remove_default_vhost
  notify: reload nginx

- name: Ensure nginx_vhost_path exists.
  file:
    path: "{{ nginx_vhost_path }}"
    state: directory
  notify: reload nginx

- name: Create self-signed ssl certificates.
  x509_certificate:
    key_path: '/etc/ssl/private/{{vhost.server_name}}.key'
    cert_path: '/etc/ssl/certs/{{vhost.server_name}}.pem'
    common_name: '{{vhost.server_name}}'
    organization_name: '{{vhost.ssl_cert_organization_name|default(None)}}'
  when: vhost.ssl | default(false)
  loop_control:
    loop_var: vhost
  with_items: '{{nginx_vhosts|default([])}}'
  register: vhosts_x509
  # http://unix.stackexchange.com/questions/247418/do-i-need-to-restart-nginx-if-i-renew-my-security-certificates#comment548097_247460
  notify: reload nginx

- name: Download ssl certificates.
  fetch:
    src: '{{item.cert_path}}'
    flat: yes
    dest: '{{nginx_ssl_cert_download_path_prefix}}/{{item.subject_common_name}}'
    fail_on_missing: yes
    validate_checksum: yes
  when: item.subject_common_name is defined and nginx_ssl_cert_download_path_prefix is defined
  with_items: '{{vhosts_x509.results}}'

- name: Add managed vhost config file (if any vhosts are configured).
  template:
    src: vhosts.j2
    dest: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename }}"
    mode: 0644
  when: nginx_vhosts|length > 0
  notify: reload nginx

- name: Remove managed vhost config file (if no vhosts are configured).
  file:
    path: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename }}"
    state: absent
  when: nginx_vhosts|length == 0
  notify: reload nginx