- name: "recieve dedicated certificate for {{ domain }}"
  command: >-
    certbot certonly --agree-tos --email {{ administrator_email }}
    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
    {{ '--test-cert' if mode_test | bool else '' }}
  when: 
    - not enable_wildcard_certificate | bool  
      # Wildcard certificate should not be used
    - not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
      # OR: The domain is not a first-level subdomain of the primary domain

- name: "recieve wildcard certificate for *{{ primary_domain }}"
  command: >-
    certbot certonly --agree-tos --email {{ administrator_email }}                                          
    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
    {{ '--test-cert' if mode_test | bool else '' }}
  when: 
    - enable_wildcard_certificate | bool  
      # Wildcard certificate is enabled
    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
      # AND: The domain is a direct first-level subdomain of the primary domain
    - run_once_recieve_certificate is not defined  
      # Ensure this task runs only once for the wildcard certificate

- name: "Cleanup dedicated cert for {{ domain }}"
  command: >-
    certbot delete --cert-name {{ domain }} --non-interactive
  when: 
    - mode_cleanup | bool  
      # Cleanup mode is enabled
    - enable_wildcard_certificate | bool  
      # Wildcard certificate is enabled
    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
      # AND: The domain is a direct first-level subdomain of the primary domain
    - domain != primary_domain  
      # The domain is not the primary domain
  ignore_errors: true

- name: run the recieve_certificate tasks once
  set_fact:
    run_once_recieve_certificate: true
  when: run_once_recieve_certificate is not defined