---
# Use acme.sh instead of certbot because upstream certbot now only supports
# installation via snap.
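- block:
    - name: Remove certbot
      ansible.builtin.apt:
        name: certbot
        state: absent

    # These hooks belonged to the certbot renewal flow; renewal is now driven
    # by the systemd service/timer installed further down.
    - name: Remove old certbot post and pre hooks for nginx
      ansible.builtin.file:
        dest: "{{ item }}"
        state: absent
      with_items:
        - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
        - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh

    - name: Check if acme.sh is installed
      ansible.builtin.stat:
        path: "{{ letsencrypt_acme_home }}"
      register: acme_home

    # The script comes from an unpinned branch and is executed as root below,
    # so TLS is the only integrity check. When letsencrypt_acme_script_checksum
    # (a proposed, optional variable; format "sha256:<hex>") is defined, get_url
    # verifies the download against it; when it is undefined the parameter is
    # omitted and behaviour is unchanged.
    - name: Download acme.sh
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
        dest: "{{ letsencrypt_acme_script_temp }}"
        mode: "0700"
        checksum: "{{ letsencrypt_acme_script_checksum | default(omit) }}"
      register: acme_download
      when: not acme_home.stat.exists

    # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
    # have to chdir to the /root directory where the script exists or else it
    # fails. Ansible runs it, but the script can't find itself...).
    # `creates` skips the command (rc undefined) if acme.sh is already in place.
    - name: Install acme.sh
      ansible.builtin.command:
        cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
        creates: "{{ letsencrypt_acme_home }}/acme.sh"
        chdir: /root
      register: acme_install
      when: acme_download is changed

    # Only clean up after a successful install; a failed install aborts the
    # block, leaving the downloaded script in place for inspection.
    - name: Remove temporary acme.sh script
      ansible.builtin.file:
        dest: "{{ letsencrypt_acme_script_temp }}"
        state: absent
      when:
        - acme_install.rc is defined
        - acme_install.rc == 0

    # Runs on every play; not reported as a change so repeated runs stay
    # idempotent from Ansible's point of view.
    - name: Set default certificate authority for acme.sh
      ansible.builtin.command:
        cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
      changed_when: false

    # Symbolic mode: only the setgid bit is added so new entries inherit the
    # nginx group; the remaining permission bits are left untouched.
    - name: Prepare Let's Encrypt well-known directory
      ansible.builtin.file:
        state: directory
        path: /var/lib/letsencrypt/.well-known
        owner: root
        group: nginx
        mode: g+s

    - name: Copy systemd service to renew Let's Encrypt certs
      ansible.builtin.template:
        src: renew-letsencrypt.service.j2
        dest: /etc/systemd/system/renew-letsencrypt.service
        mode: "0644"
        owner: root
        group: root

    - name: Copy systemd timer to renew Let's Encrypt certs
      ansible.builtin.copy:
        src: renew-letsencrypt.timer
        dest: /etc/systemd/system/renew-letsencrypt.timer
        mode: "0644"
        owner: root
        group: root

    # always issues daemon-reload just in case the service/timer changed
    - name: Start and enable systemd timer to renew Let's Encrypt certs
      ansible.builtin.systemd:
        name: renew-letsencrypt.timer
        state: started
        enabled: true
        daemon_reload: true

  # Folded scalar instead of an accidental multi-line plain scalar; the
  # expression itself is unchanged (Ubuntu 20.04 exactly, or Debian >= 11).
  when: >-
    (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
    or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
  tags: letsencrypt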

# vim: set ts=2 sw=2: