---
# tasks/main.yml
# Creates and sets CAA records (issue, issuewild, iodef) for all base domains

- name: "Define CAA entries"
  set_fact:
    caa_entries:
      - tag: issue
        value: "letsencrypt.org"
      - tag: issuewild
        value: "letsencrypt.org"
      - tag: iodef
        value: "mailto:{{ users.administrator.email }}"

- name: "Ensure all CAA records are present"
  community.general.cloudflare_dns:
    api_token: "{{ certbot_dns_api_token }}"
    zone:     "{{ item.0 }}"
    record:   "@"
    type:     CAA
    flag:     0
    tag:      "{{ item.1.tag }}"
    value:    "{{ item.1.value }}"
    ttl:      1
    state:    present
  loop: "{{ base_sld_domains | product(caa_entries) | list }}"
  loop_control:
    label: "{{ item.0 }} → {{ item.1.tag }}"