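---
# Certbot provisioning tasks (Ansible).
#
# Installs certbot, creates a dedicated unprivileged `certbot` system user,
# lays out the data/accounts/log/webroot directories owned by that user,
# wires an Apache snippet for the webroot challenge, imports or registers
# the ACME account, obtains the certificate for `certbot_domains`, and
# configures the certbot-renew systemd timer to run as the certbot user.
#
# Required variables: certbot_account_email, certbot_domains (list; the
# first entry names the live/ directory certbot creates).
# Handlers referenced: "reload httpd", "reload systemd" (defined elsewhere).
#
# Module arguments are written as native YAML rather than key=value
# strings, and file modes are quoted so YAML does not read them as octal
# integers.

- name: ensure certbot is installed
  package:
    name: certbot
    state: present
  tags:
    - install

- name: ensure certbot group exists
  group:
    name: certbot
    system: true
  tags:
    - group
    - user

# Service account with no login home of its own: everything certbot needs
# lives under /var/lib/letsencrypt, which is created below.
- name: ensure certbot user exists
  user:
    name: certbot
    group: certbot
    system: true
    home: /var/lib/letsencrypt
    create_home: false
    state: present
  tags:
    - user

- name: ensure certbot data directory exists
  file:
    path: /var/lib/letsencrypt
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory

# 0700: the accounts tree receives the ACME account data (imported or
# registered below), which must stay readable by the certbot user only.
- name: ensure certbot accounts directory exists
  file:
    path: /var/lib/letsencrypt/accounts
    mode: "0700"
    owner: certbot
    group: certbot
    state: directory

- name: ensure certbot log directory exists
  file:
    path: /var/log/letsencrypt
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory

# Webroot used for HTTP-01 challenge files; served by the Apache snippet
# installed next.
- name: ensure certbot webroot directory exists
  file:
    path: /var/www/certbot
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory

- name: ensure apache is configured for certbot
  copy:
    src: certbot.httpd.conf
    dest: /etc/httpd/conf.d/01_certbot.conf
    mode: "0644"
  notify: reload httpd

- name: ensure old certbot apache config file is removed
  file:
    path: /etc/httpd/conf.d/certbot.conf
    state: absent
  notify: reload httpd

# Apache must be serving the webroot before certbot is asked for a
# certificate, so the reload handler is run now instead of at play end.
- meta: flush_handlers

# Pre-existing account material for this host, if present on the
# controller as accounts/<inventory_hostname>.tar.xz. Presumably this
# archive carries the ACME account private key — keep it encrypted at
# rest in the repository (e.g. ansible-vault) rather than as a plain file.
- name: ensure letsencrypt account data are installed
  become: true
  become_user: certbot
  unarchive:
    src: "{{ item }}"
    dest: /var/lib/letsencrypt/accounts/
  with_fileglob: "accounts/{{ inventory_hostname }}.tar.xz"

# Only registers when no account directory exists yet (imported above or
# created by an earlier run).
# NOTE(review): the `creates` path is tied to the ACME v1 endpoint, which
# Let's Encrypt has retired; a fresh registration with a current certbot
# will likely land under a different directory name, making this task
# non-idempotent. Confirm against the installed certbot and update the path.
- name: ensure letsencrypt account is registered
  become: true
  become_user: certbot
  command: >-
    certbot register --config-dir /var/lib/letsencrypt
    --agree-tos --email {{ certbot_account_email }}
  args:
    creates: /var/lib/letsencrypt/accounts/acme-v01.api.letsencrypt.org

# Webroot challenge for every domain in certbot_domains; the first domain
# names the lineage, so its fullchain.pem is the idempotence marker.
- name: ensure certbot certificate exists
  become: true
  become_user: certbot
  command: >-
    certbot certonly --config-dir /var/lib/letsencrypt
    --webroot --webroot-path /var/www/certbot
    {% for domain in certbot_domains %} -d {{ domain }} {% endfor %}
  args:
    creates: "/var/lib/letsencrypt/live/{{ certbot_domains[0] }}/fullchain.pem"

- name: ensure certbot service is configured
  template:
    src: certbot.sysconfig.j2
    dest: /etc/sysconfig/certbot
    mode: "0644"

- name: ensure certbot renew service extension directory exists
  file:
    path: /etc/systemd/system/certbot-renew.service.d
    mode: "0755"
    state: directory

# Drop-in that makes the packaged renew service run as the unprivileged
# certbot user instead of root.
- name: ensure certbot renew runs as certbot user
  copy:
    src: certbot-renew-runas.service
    dest: /etc/systemd/system/certbot-renew.service.d/run-as-certbot.conf
    mode: "0644"
  notify: reload systemd

# Make systemd pick up the drop-in before the timer is enabled, so the
# first renewal run already executes under the certbot user.
- meta: flush_handlers

- name: ensure certbot timer is enabled
  service:
    name: certbot-renew.timer
    enabled: true

- name: ensure certbot timer is started
  service:
    name: certbot-renew.timer
    state: started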