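---
# Installs certbot, creates an unprivileged "certbot" service account, and
# prepares the webroot, data directory and configuration used by it.

- name: install certbot packages
  ansible.builtin.package:
    name: certbot
    # "present" is the state documented for the generic package module;
    # "installed" is accepted only by some package backends.
    state: present

- name: create certbot group
  ansible.builtin.group:
    name: certbot
    gid: 1002

# Service account only: no home directory is created and the shell is
# nologin, so the account cannot be used for an interactive login.
- name: create certbot user
  ansible.builtin.user:
    name: certbot
    comment: Service Certbot
    create_home: false
    group: certbot
    home: /var/empty
    shell: /sbin/nologin
    uid: 1002

- name: add certbot nginx site
  ansible.builtin.include_role:
    name: nginx/site
  vars:
    site: certbot.home.foo.sh

# The parent directory stays writable by root only; just the directories
# in the next task are opened up to the certbot group.
- name: create certbot .well-known directory
  ansible.builtin.file:
    path: /srv/web/certbot.home.foo.sh/.well-known
    owner: root
    group: "{{ ansible_wheel }}"
    # Quoted so the module receives the octal string unchanged, whatever
    # YAML version the parser implements.
    mode: "0755"
    state: directory

# Group-writable for "certbot" so the service account can write here
# without root.
# NOTE(review): the same 0775 mode is applied to /export/letsencrypt, which
# leaves it readable and traversable by every local user. If private keys
# are stored below it, confirm that the subdirectories holding them carry
# stricter modes.
- name: create certbot directories
  ansible.builtin.file:
    path: "{{ item }}"
    owner: root
    group: certbot
    mode: "0775"
    state: directory
  loop:
    - /srv/web/certbot.home.foo.sh/.well-known/acme-challenge
    - /export/letsencrypt

# follow: false applies owner and group to the symlink itself rather than
# to the directory it points at.
- name: link certbot datadirectory
  ansible.builtin.file:
    src: /export/letsencrypt
    dest: /srv/letsencrypt
    owner: root
    group: "{{ ansible_wheel }}"
    state: link
    follow: false

# NOTE(review): cli.ini is not visible here; presumably it points certbot
# at the directories created above -- confirm against the role's files/.
- name: create certbot config
  ansible.builtin.copy:
    dest: /etc/letsencrypt/cli.ini
    src: cli.ini
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# enabled: false only keeps the unit from being started at boot; a timer
# that is already active keeps running until it is stopped or the host
# reboots.
# NOTE(review): add "state: stopped" if the packaged timer must not fire on
# hosts where it is already running.
- name: disable timer
  ansible.builtin.systemd:
    name: certbot-renew.timer
    enabled: false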