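---
# Provision HAProxy with a TLS certificate: either a Let's Encrypt
# certificate fetched with certbot (when `letsencrypt` is true) or the
# Debian ssl-cert "snakeoil" self-signed pair (when it is false).
# HAProxy reads certificate and key from one concatenated PEM file,
# /etc/haproxy/haproxy.pem; because that file always contains a private
# key it must stay root-only.

# Guard against unconfigured placeholders. `item` is the variable *name*,
# so the value has to be looked up through `vars`; comparing the name
# itself to "FIXME" (as before) can never be true and the guard never
# fired. Only enforced on the Let's Encrypt path, the only one that uses
# these variables. An undefined variable counts as unset.
- name: check required variables
  fail:
    msg: "value of {{ item }} should not be FIXME!"
  with_items:
    - letsencrypt_domain
    - letsencrypt_email
    - letsencrypt_server
  when: letsencrypt and (vars[item] | default('FIXME')) == "FIXME"

- name: install deploy_certs_haproxy
  template:
    src: deploy_certs_haproxy
    dest: /usr/local/sbin/deploy_certs_haproxy
    owner: root
    group: root
    mode: "0755"
  when: letsencrypt

- name: install certbot
  apt:
    name: certbot
    default_release: stretch-backports
  when: letsencrypt

- name: install haproxy
  apt:
    name: haproxy

# Provides the snakeoil pair used when no Let's Encrypt certificate is wanted.
- name: install ssl-cert
  apt:
    name: ssl-cert
  when: not letsencrypt

# certbot --standalone binds port 80 itself, so haproxy has to be down
# while the certificate is requested. A failed stop is tolerated (e.g. the
# unit is not active yet on a first run).
- name: stop haproxy
  ignore_errors: true
  systemd:
    name: haproxy
    state: stopped

# umask 077 so the bundle (which contains the private key) is never created
# world-readable: with the default umask the shell redirection would leave a
# fresh haproxy.pem at 0644.
- name: install snakeoil certificate for haproxy
  shell: |
    set -e
    umask 077
    cat /etc/ssl/certs/ssl-cert-snakeoil.pem \
        /etc/ssl/private/ssl-cert-snakeoil.key \
        > /etc/haproxy/haproxy.pem
  when: not letsencrypt

# umask only affects newly created files; enforce the mode on an existing
# bundle too (e.g. one written by an earlier run without the umask).
- name: restrict permissions on haproxy.pem
  file:
    path: /etc/haproxy/haproxy.pem
    owner: root
    group: root
    mode: "0600"
  when: not letsencrypt

# `creates` makes this idempotent: re-running the play must not request a
# brand-new certificate every time (Let's Encrypt rate-limits issuance);
# renewals are handled by the cron job below.
# NOTE(review): letsencrypt_server is required by the check above but is not
# used here; if it holds the ACME directory URL it should be passed as
# `--server "{{ letsencrypt_server }}"` — confirm what the variable carries.
- name: fetch new certificate
  command: >
    certbot certonly --standalone --noninteractive
    --domain "{{ letsencrypt_domain }}"
    --email "{{ letsencrypt_email }}"
    --agree-tos
  args:
    creates: "/etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem"
  when: letsencrypt

- name: install new cert for haproxy
  command: /usr/local/sbin/deploy_certs_haproxy
  when: letsencrypt

# Errors are not ignored here on purpose: if haproxy fails to start after the
# certificate swap the play must fail instead of reporting success with the
# proxy down.
- name: start haproxy
  systemd:
    name: haproxy
    state: started

# Renewal runs with haproxy stopped (standalone binds :80). The post-hook
# joins its commands with ';' so haproxy is started again even when the
# deploy script fails — serving the previous certificate beats leaving the
# proxy down until someone notices.
# NOTE(review): the Debian certbot package also installs its own
# certbot.timer/cron running `certbot renew` without these hooks; consider
# disabling it, or pass the hooks at certonly time so they are stored in
# the renewal config.
- name: add cron job
  cron:
    name: letsencrypt
    hour: "23"
    minute: "42"
    user: root
    job: >-
      certbot renew --standalone --quiet
      --pre-hook "systemctl stop haproxy"
      --post-hook "/usr/local/sbin/deploy_certs_haproxy; systemctl start haproxy"
  when: letsencrypt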