---
- name: Install certbot
  ansible.builtin.apt:
    name:
      - certbot
    state: present

- name: Ensure webroot directory exists
  ansible.builtin.file:
    path: /var/www/html/.well-known/acme-challenge
    state: directory
    owner: www-data
    group: www-data
    mode: '0755'

- name: Obtain or renew TLS certificate (non-destructive)
  ansible.builtin.command:
    cmd: >
      certbot certonly
      --webroot
      -w /var/www/html
      -d {{ gitea_domain }}
      --agree-tos
      --email {{ gitea_certbot_email }}
      --non-interactive
      --keep-until-expiring
  register: certbot_result
  changed_when: "'Congratulations' in certbot_result.stdout"
  notify: Reload_nginx