---

- block:
  - name: install jessie-backports
    include_role:
      name: apt
      tasks_from: backports.yml

  - name: Add exceptions for certbot dependances
    copy:
      src: backports-certbot
      dest: /etc/apt/preferences.d/z-backports-certbot
    notify: apt update

  - meta: flush_handlers
  when: ansible_distribution_release == "jessie"

- name: Install certbot with apt
  apt:
    name: certbot
    state: latest

- name: Check if /usr is a partition
  shell: "mount | grep 'on /usr type'"
  args:
    warn: no
  changed_when: False
  failed_when: False
  check_mode: no

  register: usr_partition

- name: Mount /usr in rw
  command: mount -o remount,rw /usr
  args:
    warn: no
  changed_when: False
  when: usr_partition.rc == 0

- name: Remove certbot symlink for apt install
  file:
    path: /usr/local/bin/certbot
    state: absent

- name: Remove certbot dpkg cron
  file:
    path: /etc/cron.d/certbot
    state: absent

- name: Install certbot custom cron
  copy:
    src: certbot.cron
    dest: /etc/cron.daily/certbot
    mode: "0755"

- name: Find squid config whitelist
  shell: find /etc/squid/whitelist-custom.conf /etc/squid3/whitelist-custom.conf /etc/squid/whitelist.conf /etc/squid3/whitelist.conf 2> /dev/null
  failed_when: false
  changed_when: false
  check_mode: no
  register: squid_whitelist_files

- name: set squid_service_name=squid3 for Debian < 9
  set_fact:
    squid_service_name: squid3
  when:
  - ansible_distribution == "Debian"
  - ansible_distribution_major_version | version_compare('9', '<')

- name: Let's Encrypt OCSP server is authorized by squid
  lineinfile:
    dest: "{{ squid_whitelist_files.stdout_lines | first }}"
    line: "http://.*.letsencrypt.org/.*"
    state: present
  notify: "reload {{ squid_service_name | default('squid') }}"
  when: squid_whitelist_files.stdout != ""