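---
# Installs certbot plus the ClouDNS DNS-01 plugin in a dedicated venv, wires a
# systemd timer for renewals, and drops a script that emits DNS records.
- name: SSL packages
  become: true
  package:
    name:
      - certbot
      - openssl

- name: LetsEncrypt directories
  become: true
  file:
    path: "{{ item }}"
    # the file module does not create a missing path unless a state is given;
    # the task name says "directories", so ask for one explicitly
    state: directory
    owner: root
    # NOTE(review): assumes an `ssl` group already exists on the host — confirm
    group: ssl
    mode: "0750"
  loop:
    - /etc/letsencrypt
    - /etc/certbot

- name: Service timer
  become: true
  register: services
  copy:
    src: "certbot.timer"
    dest: /usr/lib/systemd/system/certbot.timer
    owner: root
    group: root
    mode: "0644"

# per https://www.cloudns.net/wiki/article/448/
- name: ClouDNS configuration
  become: true
  template:
    src: "certbot.conf.j2"
    dest: /etc/certbot/certbot.conf
    owner: root
    group: root
    # presumably carries the ClouDNS API credentials — keep it root-only
    mode: "0600"

# The previous single `command` task joined both steps with `&&`; the command
# module does not go through a shell, so `&&` and the pip invocation were passed
# to `python3 -m venv` as extra ENV_DIR arguments and the plugin was never
# installed. Split into a venv creation guarded by `creates` and an idempotent
# pip task that targets that venv.
- name: Create virtual environment
  become: true
  command:
    cmd: "python3 -m venv /etc/certbot/venv"
    creates: /etc/certbot/venv

- name: Install ClouDNS plugin into the virtual environment
  become: true
  pip:
    name: certbot-dns-cloudns
    virtualenv: /etc/certbot/venv

- name: Service
  become: true
  register: service_unit
  template:
    src: "certbot.service.j2"
    dest: /usr/lib/systemd/system/certbot.service
    owner: root
    group: root
    mode: "0600"

- name: Enable timer
  # reload when either unit file changed, otherwise an updated certbot.service
  # would not be picked up by systemd until the next unrelated daemon-reload
  when: services.changed or service_unit.changed
  become: true
  systemd:
    daemon_reload: true
    name: certbot.timer
    enabled: true
    state: started

- name: Create letsencrypt folder
  become: true
  file:
    path: /var/lib/letsencrypt
    state: directory
    owner: root
    group: http
    # setgid bit: entries created inside inherit the http group
    mode: "2755"

- name: Remove old TLSA script
  become: true
  file:
    path: /usr/local/sbin/tlsa-generation.bash
    state: absent

- name: Copy record generator script
  become: true
  template:
    src: record-generation.bash.j2
    dest: /usr/local/sbin/record-generation.bash
    owner: root
    group: root
    mode: "0700"

- debug:
    msg: 'Run `sudo /usr/local/sbin/record-generation.bash` to generate a zonefile for import into a DNS provider.'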