---

 - name: SSL packages
   become: yes
   package:
     name:
      - certbot
      - openssl

 - name: Services
   become: yes
   register: services
   copy:
     src: "{{ item }}"
     dest: /usr/lib/systemd/system
     owner: root
     group: root
     mode: 0644
   loop:
     - "certbot.service"
     - "certbot.timer"

 - name: Enable timer
   when: services.changed
   become: yes
   systemd:
     daemon_reload: yes
     name: certbot.timer
     enabled: yes
     state: started

 - name: Create letsencrypt folder
   become: yes
   file:
     path: /var/lib/letsencrypt
     owner: root
     group: http
     mode: 2755

 - name: Remove old TLSA script
   become: yes
   file:
     path: /usr/local/sbin/tlsa-generation.bash
     state: absent

 - name: Copy record generator script
   become: yes
   template:
     src: record-generation.bash.j2
     dest: /usr/local/sbin/record-generation.bash
     owner: root
     group: root
     mode: 0700

 - debug:
     msg: 'Run `sudo /usr/local/sbin/record-generation.bash` to generate a zonefile for import into a DNS provider.'