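# create_cert.yml
#
# Ensures a private key and a self-signed certificate exist for one domain
# under /etc/nginx/certs/<domain>/. Existing files are never overwritten, so a
# key or certificate placed there by another process is left untouched.
#
# Expects `item.domain` from the including loop.
# NOTE(review): item.domain is interpolated into filesystem paths; presumably
# it comes from trusted inventory. Confirm it cannot contain '/' or '..'.
---
# NOTE(review): no mode is set, so the directory inherits the remote umask.
# Consider pinning an explicit mode once the intended access is confirmed.
- name: Create certificate directory for domain if it doesn't exist
  ansible.builtin.file:
    path: '/etc/nginx/certs/{{ item.domain }}'
    state: directory

# stat is read-only: it never reports "changed" and needs no ignore_errors,
# so a real failure (e.g. an unreachable host) is no longer mistaken for
# "file missing".
- name: check if privkey exists
  ansible.builtin.stat:
    path: '/etc/nginx/certs/{{ item.domain }}/privkey.pem'
  register: create_cert_privkey

- name: Create private key (RSA, 4096 bits)
  community.crypto.openssl_privatekey:
    path: '/etc/nginx/certs/{{ item.domain }}/privkey.pem'
    # Spelled out so the key parameters match the task name regardless of
    # module defaults.
    type: RSA
    size: 4096
    # Private key must be readable by its owner only.
    mode: '0600'
  when: not create_cert_privkey.stat.exists

# Separate register name so the key check above is not silently overwritten.
- name: check if certificate exists
  ansible.builtin.stat:
    path: '/etc/nginx/certs/{{ item.domain }}/fullchain.pem'
  register: create_cert_fullchain

# The existence guard keeps this task from replacing a certificate that is
# already in place with a self-signed one.
# NOTE(review): no CSR is passed, so the certificate presumably carries no
# subject/SAN for the domain. Confirm that is acceptable for its intended use.
- name: Create simple self-signed certificate
  community.crypto.x509_certificate:
    path: '/etc/nginx/certs/{{ item.domain }}/fullchain.pem'
    privatekey_path: '/etc/nginx/certs/{{ item.domain }}/privkey.pem'
    provider: selfsigned
  when: not create_cert_fullchain.stat.exists
  notify: restart nginx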