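---
# Installs the lego ACME client, seeds its account state, issues a certificate
# for every entry of `lego_certs` and schedules renewals plus a post-renewal
# reload hook.
#
# Variables read: lego_version, lego_email_address, lego_path,
# lego_certs (items with .name, .dns and .domain) and, optionally,
# lego_checksum ("<algorithm>:<hex digest>" of the release tarball).

- name: ensure lego group
  group:
    name: lego
    state: present
    system: true

- name: ensure lego user
  user:
    name: lego
    state: present
    group: lego
    system: true
    home: /etc/lego
    shell: /bin/bash

# On a fresh host the binary does not exist yet: the command then exits
# non-zero with empty stdout, which the install tasks below treat as
# "not installed". Without failed_when the very first run would abort here.
- name: check lego version
  shell: "/usr/local/bin/lego --version | cut -d ' ' -f3"
  args:
    executable: /bin/bash
  changed_when: false
  failed_when: false
  register: installed_lego_version
  check_mode: false

# Fetch the release tarball to disk first so its digest can be verified
# before anything is extracted into /usr/local/bin. When `lego_checksum`
# is undefined the download is unverified, exactly as before — set it in
# the inventory to pin the artifact.
- name: download lego release
  get_url:
    url: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz"
    dest: "/usr/local/src/lego_v{{ lego_version }}_linux_amd64.tar.gz"
    checksum: "{{ lego_checksum | default(omit) }}"
    owner: root
    group: root
    mode: "0644"
  when: installed_lego_version.stdout != lego_version

- name: get lego
  unarchive:
    src: "/usr/local/src/lego_v{{ lego_version }}_linux_amd64.tar.gz"
    dest: /usr/local/bin/
    remote_src: true
    owner: root
    group: root
    mode: "0755"
  when: installed_lego_version.stdout != lego_version
  register: installed_lego

# The tarball also ships documentation; keep /usr/local/bin to executables.
- name: remove LICENSE/CHANGELOG
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /usr/local/bin/CHANGELOG.md
    - /usr/local/bin/LICENSE
  changed_when: false
  when: installed_lego.changed

- name: ensure lego account directory exists
  file:
    path: "/etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/"
    state: directory
    owner: lego
    group: lego
    mode: "0700"

- name: ensure account.json exists
  template:
    src: templates/account.json.j2
    dest: "/etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/account.json"
    owner: lego
    group: lego
    mode: "0600"

# The ACME account private key is rendered from a template kept in the
# repository: it must be vault-encrypted at rest, and no_log keeps its
# contents out of --diff output and logs.
- name: ensure account private key exists
  template:
    src: "templates/{{ lego_email_address }}.key.j2"
    dest: "/etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/{{ lego_email_address }}.key"
    owner: lego
    group: lego
    mode: "0600"
  no_log: true

# DNS provider credentials, sourced by the lego user before every run.
- name: ensure namecheap api info exists
  template:
    src: templates/defaults
    dest: /etc/default/lego
    owner: lego
    group: lego
    mode: "0400"
  no_log: true

# NOTE(review): this looks under /etc/lego while the lego invocations below
# write under `lego_path`; the two only agree when lego_path is /etc/lego.
- name: check if certs exist
  stat:
    path: "/etc/lego/certificates/{{ item.name }}.pem"
  loop: "{{ lego_certs }}"
  register: statted

# Initial issuance runs as the lego user so the certificate tree it creates
# is writable by the renewal cron job (also run as lego). `.` instead of
# `source` keeps the credential sourcing POSIX-compatible, and `quote`
# shell-escapes the templated values. Check mode must not issue
# certificates, so the task is no longer forced to run under --check.
- name: create new certs
  shell: >-
    . /etc/default/lego &&
    /usr/local/bin/lego --pem --path {{ lego_path | quote }}
    --email {{ lego_email_address | quote }}
    --dns {{ item.item.dns | quote }}
    --domains {{ item.item.domain | quote }} run
  args:
    executable: /bin/bash
  become: true
  become_user: lego
  when: not item.stat.exists
  loop: "{{ statted.results }}"
  loop_control:
    label: "{{ item.item.name }}"

# The hook is executed by root from cron, so root must own it: a
# lego-owned, lego-writable script run by root would let the unprivileged
# lego user run arbitrary commands as root.
- name: create reload hook for domain
  template:
    src: templates/lego_reload.sh.j2
    dest: "/usr/local/bin/lego_reload_{{ item.name }}.sh"
    owner: root
    group: root
    mode: "0700"
  loop: "{{ lego_certs }}"

# `minute` must be given explicitly: the cron module defaults it to "*",
# which would fire the renewal every minute of the hour. cron runs jobs
# under /bin/sh, so the credentials are sourced with the POSIX `.`
# rather than the bash-only `source`.
- name: create renewal crontabs
  cron:
    name: "{{ item.name }} renewal"
    minute: "0"
    hour: "4"
    user: lego
    job: >-
      . /etc/default/lego &&
      /usr/local/bin/lego --pem --path {{ lego_path | quote }}
      --email {{ lego_email_address | quote }}
      --dns {{ item.dns | quote }}
      --domains {{ item.domain | quote }} renew --days 45
  loop: "{{ lego_certs }}"

# Runs an hour after the renewal window so a freshly renewed certificate
# is picked up by haproxy.
- name: create haproxy reload crontab
  cron:
    name: "{{ item.name }} haproxy reload"
    minute: "0"
    hour: "5"
    user: root
    job: "/usr/local/bin/lego_reload_{{ item.name }}.sh"
  loop: "{{ lego_certs }}"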