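---
# Install acme.sh under a dedicated unprivileged account and issue wildcard
# certificates with the DNS-01 challenge (challenge alias on a delegation
# domain). Everything acme.sh reads or writes lives under acmesh_user.home,
# and both the install and the issue step are executed as that user via su,
# never as root.
#
# Variables expected from the caller (not defined here):
#   acmesh_user            - mapping with name, home, shell, system
#   acmesh_url             - tarball URL; acmesh_commit pins the version,
#                            acmesh_checksum ('<algo>:<digest>') verifies it
#   acmesh_email           - ACME account contact address
#   acmesh_env             - shell lines prepended to the issue script,
#                            presumably exporting DNS API credentials
#   acmesh_flags           - extra acme.sh arguments (newlines are folded)
#   acmesh_force           - truthy to pass --force and reissue everything
#   acmesh_domains         - list of apex domains; each gets NAME and *.NAME
#   acmesh_delegation_domain - zone the _acme-challenge CNAMEs point to
#   acmesh_dns_provider    - optional acme.sh DNS hook, defaults to dns_aws

- name: Create acme user
  user:
    name: '{{acmesh_user.name}}'
    state: present
    home: '{{acmesh_user.home}}'
    shell: '{{acmesh_user.shell}}'
    system: '{{acmesh_user.system}}'

- name: Set homedir permissions
  # Owner has full access, group may only traverse, others get nothing.
  file:
    path: '{{acmesh_user.home}}'
    state: directory
    mode: '0710'
    owner: '{{acmesh_user.name}}'

- name: Create install directory
  file:
    state: directory
    owner: '{{acmesh_user.name}}'
    path: '{{acmesh_user.home}}/install'

- name: Get acme.sh tarball
  # The download is pinned by commit and checked against acmesh_checksum.
  # get_url skips verification when the checksum is empty, so the variable
  # must always carry a real '<algo>:<digest>' value. A tarball is data and
  # never needs the execute bit, hence 0640 rather than 0755.
  get_url:
    url: '{{acmesh_url}}'
    dest: '{{acmesh_user.home}}/install/acme.sh-{{acmesh_commit}}.tar.gz'
    mode: '0640'
    checksum: '{{acmesh_checksum}}'
    owner: '{{acmesh_user.name}}'
  register: tarball

- name: Write install script
  # The script is kept inside the acme user's home (not a predictable path
  # in world-writable /tmp) and is owned by that user with mode 0500, so no
  # other local account can swap it out before it is executed.
  copy:
    content: |
      #!/bin/sh
      set -e
      set -x
      cd '{{acmesh_user.home}}/install'
      if ! [ -d 'acme.sh-{{acmesh_commit}}' ] ; then
        tar -xzf 'acme.sh-{{acmesh_commit}}.tar.gz'
      fi
      cd 'acme.sh-{{acmesh_commit}}'
      sh ./acme.sh --install \
        --home "$HOME/install" \
        --config-home "$HOME/conf" \
        --cert-home "$HOME/certs" \
        --accountemail "{{acmesh_email}}" \
        --accountkey "$HOME/account.key" \
        --accountconf "$HOME/account.conf"
    dest: '{{acmesh_user.home}}/install.sh'
    mode: '0500'
    owner: '{{acmesh_user.name}}'
  register: install_script

- name: Run acme.sh install script
  # Non-login su still resets HOME to the target user's home, which the
  # script relies on for its --home/--config-home/--cert-home paths. Rerun
  # when either the tarball or the install script itself changed.
  command: su -s /bin/sh -c '{{acmesh_user.home}}/install.sh' '{{acmesh_user.name}}'
  when: tarball.changed or install_script.changed

- name: Set cert directory permissions
  # Private keys end up here: owner rw, group read-only, nothing for others.
  # Capital X adds the execute bit to directories only.
  file:
    path: '{{acmesh_user.home}}/certs'
    state: directory
    mode: 'u=rwX,g=rX,o-rwx'
    owner: '{{acmesh_user.name}}'
    recurse: true

- name: Write issue script
  # acmesh_env is emitted BEFORE `set -x` so that whatever it exports
  # (presumably DNS API credentials for the dns hook) is never echoed into
  # the trace and therefore into the Ansible task output. no_log hides the
  # rendered content from the task result and --diff output for the same
  # reason; the file itself is 0500 and owned by the acme user.
  # acme.sh is invoked by its installed path instead of relying on the
  # `acme.sh` alias from acme.sh.env, which non-interactive shells may not
  # expand.
  no_log: true
  copy:
    content: |
      #!/bin/sh
      set -e
      cd '{{acmesh_user.home}}'
      {{acmesh_env}}
      . "$HOME/install/acme.sh.env"
      set -x
      force="{{ '--force' if (acmesh_force | bool) else '' }}"
      {% for item in acmesh_domains %}
      if ! [ -f "certs/{{item}}/{{item}}.cer" ] || [ -n "$force" ] ; then
        "$HOME/install/acme.sh" {{acmesh_flags | replace('\n', ' ')}} \
          $force \
          --issue \
          --dns {{acmesh_dns_provider | default('dns_aws')}} \
          --challenge-alias "{{acmesh_delegation_domain}}" \
          -d "{{item}}" -d "*.{{item}}"
      fi
      {% endfor %}
    dest: '{{acmesh_user.home}}/issue.sh'
    mode: '0500'
    owner: '{{acmesh_user.name}}'
  register: issue_script

- name: Run issue script
  command: su -s /bin/sh -c '{{acmesh_user.home}}/issue.sh' '{{acmesh_user.name}}'
  when: issue_script.changed

# acme.sh --install registers a renewal cron job for the acme user by itself.
# Should it not, a task like the following does the same thing; the --home
# and --config-home arguments must match the ones given at install time:
# - name: Install cron job for renewals
#   cron:
#     name: "letsencrypt / acme cron"
#     job: >-
#       {{acmesh_user.home}}/install/acme.sh --cron
#       --home {{acmesh_user.home}}/install
#       --config-home {{acmesh_user.home}}/conf
#       >> {{acmesh_user.home}}/renewals.log 2>&1
#     hour: '0'
#     minute: '0'
#     user: '{{acmesh_user.name}}'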