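---
# Deploys a PHP application behind Nginx and obtains a Let's Encrypt
# certificate with the certbot nginx plugin.
#
# Re-run safety: certbot --nginx --redirect rewrites the site file
# in-place to add the HTTPS server block. The "Configurer Nginx HTTP
# temporaire" task therefore uses force: false so a second run does not
# overwrite certbot's edits and silently downgrade the site to HTTP only.
# If domain/web_root change, remove the site file (and the certificate
# directory guarded by `creates`) before re-running.
- name: Déploiement application PHP avec Nginx + SSL via Certbot
  hosts: workManager
  become: true
  vars:
    web_root: /var/www/html
    php_version: "8.3"
    domain: workmanager.aurianeschmitt.fr
    email_ssl: auriane.geaischmitt@viacesi.fr

  tasks:
    # ---------------------------------------------------
    # 1. System: package cache and packages
    # ---------------------------------------------------
    - name: Mise à jour du cache APT
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Installer Nginx et PHP
      ansible.builtin.apt:
        name:
          - nginx
          - php{{ php_version }}
          - php{{ php_version }}-fpm
          - php{{ php_version }}-cli
          - php{{ php_version }}-common
          - php{{ php_version }}-curl
          - php{{ php_version }}-mbstring
          - php{{ php_version }}-xml
          - php{{ php_version }}-zip
          - php{{ php_version }}-mysql
          - certbot
          - python3-certbot-nginx
        state: present

    - name: S'assurer que PHP-FPM est démarré
      ansible.builtin.service:
        name: php{{ php_version }}-fpm
        state: started
        enabled: true

    # ---------------------------------------------------
    # 2. Nginx, HTTP only (pre-Certbot)
    # ---------------------------------------------------
    - name: Supprimer le site nginx par défaut
      ansible.builtin.file:
        path: /etc/nginx/sites-enabled/default
        state: absent
      notify: reload nginx

    # force: false — only written when the file does not exist yet, so the
    # HTTPS block certbot appends on first run survives later runs.
    - name: Configurer Nginx HTTP temporaire
      ansible.builtin.copy:
        dest: '/etc/nginx/sites-available/{{ domain }}'
        force: false
        content: |
          server {
              listen 80;
              server_name {{ domain }};

              root {{ web_root }};
              index index.php index.html;

              location / {
                  try_files $uri $uri/ /index.php?$query_string;
              }

              location ~ \.php$ {
                  include snippets/fastcgi-php.conf;
                  fastcgi_pass unix:/run/php/php{{ php_version }}-fpm.sock;
              }

              location ~ /\.ht {
                  deny all;
              }
          }
      notify: reload nginx

    - name: Activer le site
      ansible.builtin.file:
        src: '/etc/nginx/sites-available/{{ domain }}'
        dest: '/etc/nginx/sites-enabled/{{ domain }}'
        state: link
      notify: reload nginx

    # ---------------------------------------------------
    # 3. Web content
    # ---------------------------------------------------
    # The document root is wiped and recreated, so the site is briefly
    # empty between these two tasks and the copy below.
    - name: Supprimer l'ancien contenu web
      ansible.builtin.file:
        path: "{{ web_root }}"
        state: absent

    - name: Recréer le dossier web
      ansible.builtin.file:
        path: "{{ web_root }}"
        state: directory
        owner: www-data
        group: www-data
        mode: '0755'

    # Files get 0644 (no execute bit is needed for php-fpm to serve them);
    # directories created by the recursive copy get 0755.
    - name: Copier le dossier out vers le serveur
      ansible.builtin.copy:
        src: out/
        dest: "{{ web_root }}"
        owner: www-data
        group: www-data
        mode: '0644'
        directory_mode: '0755'

    # ---------------------------------------------------
    # 4. TLS certificate via the certbot nginx plugin
    # ---------------------------------------------------
    # `creates` makes the task idempotent: certbot only runs while the
    # certificate for the domain is absent.
    - name: Générer SSL et configurer HTTPS avec Certbot
      ansible.builtin.command: >
        certbot --nginx -d {{ domain }}
        --non-interactive --agree-tos --redirect
        --email {{ email_ssl }}
      args:
        creates: /etc/letsencrypt/live/{{ domain }}/fullchain.pem
      notify: reload nginx

    # ---------------------------------------------------
    # 5. Automatic renewal
    # ---------------------------------------------------
    - name: Activer le timer Certbot pour renouvellement automatique
      ansible.builtin.systemd:
        name: certbot.timer
        enabled: true
        state: started

  handlers:
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded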