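---
# Tasks: obtain a Let's Encrypt certificate for the PostgreSQL server with
# certbot (standalone HTTP-01 challenge), install a deploy hook that refreshes
# the copies under /etc/postgresql after renewal, and schedule automatic
# renewal through the certbot-renew systemd timer.
#
# Variables referenced here are defined elsewhere in the role:
#   postgresql_cert_domain, postgresql_cert_acme_server,
#   postgresql_cert_acme_email, host_uses_firewalld (defaults to true).
# Handlers "reload systemd" and "restart certbot-renew timer" are defined
# elsewhere as well.

- name: ensure required packages are installed
  package:
    name:
      - certbot
    state: present
  tags:
    - install

# The standalone authenticator listens on port 80 for every issuance AND every
# renewal, so the http service has to stay permanently open, not only for the
# first run. Opening it only when firewalld is in use on the host.
- name: ensure http port is allowed in firewall (for acme challenge)
  firewalld:
    service: http
    state: enabled
    permanent: true
    immediate: true
  when: host_uses_firewalld|d(true)
  tags:
    - firewalld

# argv passes every templated value as exactly one argument: a domain or email
# value containing whitespace cannot be word-split into extra certbot options,
# which the plain string form would allow. "creates" keeps the task idempotent;
# renewals are left to the certbot-renew timer configured below.
- name: ensure postgresql server certificate exists
  command:
    argv:
      - certbot
      - certonly
      - -n
      - --standalone
      - -d
      - "{{ postgresql_cert_domain }}"
      - --server
      - "{{ postgresql_cert_acme_server }}"
      - --agree-tos
      - --email
      - "{{ postgresql_cert_acme_email }}"
    creates: "/etc/letsencrypt/live/{{ postgresql_cert_domain }}/fullchain.pem"
  tags:
    - cert

# Deploy hook: certbot runs it after a successful renewal; it is what keeps
# /etc/postgresql/server.cer and server.key current after the initial copy.
- name: ensure certbot deploy renewal hook script is installed
  template:
    src: deploy-hook.sh.j2
    dest: /etc/letsencrypt/renewal-hooks/deploy/postgresql.sh
    owner: root
    group: root
    mode: "u=rwx,go=rx"
  tags:
    - deploy-hook

# Matches a commented-out or existing renew_before_expiry line so the value is
# replaced rather than duplicated. The 8-hour window presumably pairs with the
# custom timer schedule installed below — confirm against the timer template.
- name: ensure certbot renewal period is configured for postgresql cert
  lineinfile:
    line: renew_before_expiry = 8 hours
    regexp: '^#?\s*renew_before_expiry\s*='
    path: "/etc/letsencrypt/renewal/{{ postgresql_cert_domain }}.conf"
    state: present
  tags:
    - config

- name: ensure certbot-renew timer unit drop-in directory exists
  file:
    path: /etc/systemd/system/certbot-renew.timer.d
    owner: root
    group: root
    mode: "u=rwx,go=rx"
    state: directory
  tags:
    - systemd

- name: ensure certbot-renew timer schedule is configured
  template:
    src: certbot-renew.timer.j2
    dest: /etc/systemd/system/certbot-renew.timer.d/schedule.conf
    owner: root
    group: root
    mode: "u=rw,go=r"
  notify:
    - reload systemd
    - restart certbot-renew timer
  tags:
    - systemd

- name: ensure certbot-renew timer is enabled
  systemd:
    name: certbot-renew.timer
    enabled: true
  tags:
    - service

# Run the notified handlers now so the daemon-reload and timer restart happen
# before the timer is started below.
- name: flush handlers
  meta: flush_handlers

- name: ensure certbot-renew timer is running
  systemd:
    name: certbot-renew.timer
    state: started
  tags:
    - service

- name: ensure postgresql config directory exists
  file:
    path: /etc/postgresql
    state: directory

# force: false seeds the file only if it does not exist yet; subsequent
# renewals are propagated by the deploy hook, not by this task.
- name: ensure initial copy of postgresql certificate is in place
  copy:
    src: "/etc/letsencrypt/live/{{ postgresql_cert_domain }}/fullchain.pem"
    dest: /etc/postgresql/server.cer
    remote_src: true
    owner: root
    group: root
    mode: "u=rw,go=r"
    force: false
  tags:
    - cert

# Private key: readable by the postgres group only, no access for others.
# Same force: false semantics as the certificate copy above.
- name: ensure initial copy of postgresql private key is in place
  copy:
    src: "/etc/letsencrypt/live/{{ postgresql_cert_domain }}/privkey.pem"
    dest: /etc/postgresql/server.key
    remote_src: true
    owner: root
    group: postgres
    mode: "u=rw,g=r,o="
    force: false
  tags:
    - cert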