---

- name: "System compatibility checks"
  ansible.builtin.assert:
    that:
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version is version('8', '>=')
    msg: only compatible with Debian 9+

- name: Install legacy script on Debian 8
  ansible.builtin.include: install-legacy.yml
  when:
    - ansible_distribution == "Debian"
    - ansible_distribution_major_version is version('9', '<')

- name: Install package on Debian 9+
  ansible.builtin.include: install-package.yml
  when:
    - ansible_distribution == "Debian"
    - ansible_distribution_major_version is version('9', '>=')

- ansible.builtin.include: acme-challenge.yml

# This is always going to mark a "change".
# Couldn't figure out why !
- name: Deploy hooks are present
  ansible.builtin.copy:
    src: hooks/deploy/
    dest: /etc/letsencrypt/renewal-hooks/deploy/
    mode: "0700"
    owner: root
    group: root

- name: Manual deploy hook is present
  ansible.builtin.copy:
    src: hooks/manual-deploy.sh
    dest: /etc/letsencrypt/renewal-hooks/manual-deploy.sh
    mode: "0700"
    owner: root
    group: root

- name: "sync_remote is configured with servers"
  ansible.builtin.lineinfile:
    dest: /etc/letsencrypt/renewal-hooks/deploy/sync_remote.cf
    regexp: "^servers="
    line: "servers=\"{{ certbot_hooks_sync_remote_servers | join(' ') }}\""
    create: yes

# begining of backward compatibility tasks
- name: Move deploy/commit-etc.sh to deploy/z-commit-etc.sh if present
  ansible.builtin.command:
    cmd: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
  args:
    removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
    creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh
# end of backward compatibility tasks

- name: "certbot lock is ignored by Git"
  ansible.builtin.lineinfile:
    dest: /etc/.gitignore
    line: letsencrypt/.certbot.lock
    create: yes
    owner: root
    mode: "0600"