- name: Add group name ssl-cert for SSL certificates
  group:
    name: ssl-cert
    state: present

- name: add stretch-backport for Certbot
  apt_repository: repo='deb http://deb.debian.org/debian stretch-backports main' state=present update_cache=yes
  tags:
    - dependencies
  when: ansible_distribution_version == '9'

- name: Install Certbot
  apt:
    name: "certbot"
    state: present
    default_release: stretch-backports
  tags:
    - dependencies
  when: ansible_distribution_version == '9'

- name: Install Certbot
  apt:
    name: "certbot"
    state: present
  tags:
    - dependencies
  when: ansible_distribution_version == '10'

- name: Install Certbot
  apt:
    name: "certbot"
    state: present
  tags:
    - dependencies
  when: ansible_distribution_version == '11'

- name: Create directory for LetsEncrypt configuration and certificates
  file: state=directory path=/etc/letsencrypt group=root owner=root

- name: Configure LetsEncrypt
  template:
    src=etc_letsencrypt_cli.conf.j2
    dest=/etc/letsencrypt/cli.conf
    owner=root
    group=root

- name: Create directory for pre-renewal scripts
  file: state=directory path=/etc/letsencrypt/prerenew group=root owner=root

- name: Create directory for post-renewal scripts
  file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root

- name: Create pre-renew hook to stop apache
  copy:
    content: "#!/bin/bash\n\nservice apache2 stop\n"
    dest: /etc/letsencrypt/prerenew/apache
    owner: root
    group: root
    mode: 0755

- name: Create post-renew hook to start apache
  copy:
    content: "#!/bin/bash\n\nservice apache2 start\n"
    dest: /etc/letsencrypt/postrenew/apache
    owner: root
    group: root
    mode: 0755

- name: Install crontab entry for LetsEncrypt
  copy:
    src: etc_cron-daily_letsencrypt-renew
    dest: /etc/cron.daily/letsencrypt-renew
    owner: root
    group: root
    mode: 0755

- name: Create live directory for LetsEncrypt cron job
  file: state=directory path=/etc/letsencrypt/live group=ssl-cert owner=root

- name: Copy script to generate initial certificate
  template:
    src=root_letsencrypt_gencert.j2
    dest=/root/letsencrypt-gencert
    owner=root
    group=root
    mode=0755

- name: Get an SSL certificate for all specified domains and subdomains from Let's Encrypt
  command: /root/letsencrypt-gencert creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem

- name: Remove certificate script
  file: path=/root/letsencrypt-gencert state=absent

- name: Modify permissions to allow ssl-cert group access to archive
  file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=0750 recurse=yes

- name: Modify permissions to allow ssl-cert group access to live
  file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes