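---
# Tasks that install the acme.sh ACME client, create the letsencrypt
# group and the directories it writes to, wire up log rotation and
# configure the per-host account email. Nothing secret is deployed
# here: account keys are generated on the host (see the note below).

- name: Install acme.sh client
  git:
    repo: https://github.com/Neilpang/acme.sh
    dest: /opt/acme.sh
    # NOTE(review): 'dev' is a moving branch, so each run checks out
    # whatever upstream has pushed, and this client handles the host's
    # private keys. Pinning to a release tag or commit (for example
    # version: "<pinned-tag-or-commit>") keeps the installed code
    # reproducible and reviewable.
    version: dev

- name: Install letsencrypt group
  group:
    name: letsencrypt
    state: present
    # gid is optional; omit lets the system pick one when unset.
    gid: "{{ letsencrypt_gid | default(omit) }}"

- name: Install driver script
  copy:
    src: driver.sh
    dest: /opt/acme.sh/driver.sh
    # Quoted so the mode is passed as an octal string, never
    # re-interpreted as a decimal integer by the YAML loader.
    mode: "0755"

- name: Setup log directory
  file:
    path: /var/log/acme.sh
    state: directory
    mode: "0755"

- name: Setup log rotation
  include_role:
    name: logrotate
  vars:
    logrotate_file_name: /var/log/acme.sh/acme.sh.log

- name: Setup top level cert directory
  file:
    path: /etc/letsencrypt-certs
    state: directory
    owner: root
    group: letsencrypt
    # No access for "other"; the setgid bit makes entries created
    # below inherit the letsencrypt group.
    mode: u=rwx,g=rx,o=,g+s

- name: Create acme.sh config directory
  file:
    path: /root/.acme.sh
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=

# An implementation note on accounts: We could share an account key
# across all our hosts and this would be the logical place to deploy
# it. However, really the only thing you can do with an account key
# is revoke a certificate if you lose the private key. It makes more
# sense to have an account per host with key material that never
# leaves the host rather than keeping a global secret that, if leaked,
# could revoke all keys simultaneously.

- name: Check for account email
  assert:
    that: letsencrypt_account_email is defined
    fail_msg: "letsencrypt_account_email must be defined for this host"

- name: Configure account email
  lineinfile:
    path: /root/.acme.sh/account.conf
    regexp: '^ACCOUNT_EMAIL='
    line: 'ACCOUNT_EMAIL={{ letsencrypt_account_email }}'
    # The file is created on first run; the parent directory above
    # already denies access to "other".
    create: true
  register: account_email

# If we updated the email and we have existing accounts, we should
# update the address.
#
# NOTE(ianw) 2020-03-04 : acme.sh dumps the 200 response json from the
# ACME api when creating an account into this file to keep track of
# the account-id. However, it doesn't actually then update it in
# response to --updateaccount although the details in the account
# *are* correctly updated. It doesn't make a difference to ongoing
# operation since all that cares about is the unchanging id, but can
# be confusing if you check this and don't see an updated email
# address. I have filed:
# https://github.com/acmesh-official/acme.sh/pull/2769

- name: Check for existing account setup
  stat:
    path: '{{ item }}'
  loop:
    - /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.json
    - /root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.json
  register: existing_accounts

- name: Run account update
  # No shell features are used, so command (no shell interpretation)
  # is sufficient. NOTE(review): --debug output lands in the job log;
  # confirm it does not echo account key material before relying on
  # it in shared logs.
  command: /opt/acme.sh/acme.sh --debug --updateaccount
  # Only when the email line changed AND at least one account.json
  # (production or staging) already exists.
  when:
    - account_email is changed
    - existing_accounts.results | selectattr('stat.exists') | map(attribute='item') | list | length > 0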