---
# Look for an existing key on the controller (delegate_to: localhost) without
# privilege escalation. The result is registered as stat_result so that the
# generation task can be skipped when the key is already there.
- name: (local) acme - check domain private key existence
  stat:
    path: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
  register: stat_result
  delegate_to: localhost
  become: false

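# Generate the domain's 4096-bit RSA key on the controller, unprivileged.
# The command module does not go through a shell, so the templated path is
# passed to openssl as a single argument.
- name: (local) acme - generate domain private key (4096 bit)
  become: false
  command: >-
    openssl genrsa
    -out "{{ playbook_dir }}/private/acme/{{ domain }}.pem" 4096
  args:
    # Second guard against overwriting an existing key: the task is skipped
    # whenever the file is present, independently of the `when` below.
    creates: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
  delegate_to: localhost
  when: not stat_result.stat.exists

# Whether openssl writes the key owner-only depends on the openssl build and
# the controller's umask, so group/other access is removed explicitly. The
# symbolic mode only tightens; the owner's bits are left as they are.
- name: (local) acme - restrict domain private key permissions
  become: false
  file:
    path: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
    mode: 'go-rwx'
  delegate_to: localhost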

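# Install the controller-side key on the managed host, readable by its owner
# only. No owner/group is set here, so the file belongs to whichever user the
# task runs as on the target -- NOTE(review): confirm that this is the account
# the TLS consumer reads the key with.
- name: acme - copy domain private key
  copy:
    src: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
    dest: "/usr/local/etc/ssl/acme/private/{{ domain }}.pem"
    # Quoted so the mode is always read as the octal string "0400" rather
    # than relying on the YAML parser's integer handling.
    mode: "0400"
  # Keep the key material out of console output and logs when the play is
  # run with --diff.
  diff: false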