---

- block:
  - name: install jessie-backports
    include_role:
      name: apt-repositories
    vars:
      apt_repositories_install_backports: True

  - name: Add exceptions for certbot dependances
    copy:
      src: backports-certbot
      dest: /etc/apt/preferences.d/z-backports-certbot
    notify: apt update

  - meta: flush_handlers
  when: ansible_distribution_release == "jessie"

- name: Install certbot with apt
  apt:
    name: certbot
    state: latest

- name: Check if /usr is a partition
  shell: "mount | grep 'on /usr type'"
  args:
    warn: no
  changed_when: False
  failed_when: False
  check_mode: no

  register: usr_partition

- name: Mount /usr in rw
  command: mount -o remount,rw /usr
  args:
    warn: no
  changed_when: False
  when: usr_partition.rc == 0

- name: Remove certbot symlink for apt install
  file:
    path: /usr/local/bin/certbot
    state: absent

- name: Remove certbot dpkg cron
  file:
    path: /etc/cron.d/certbot
    state: absent

- name: Install certbot custom cron
  copy:
    src: certbot.cron
    dest: /etc/cron.daily/certbot
    mode: "0755"

- name: Find squid3 config whitelist
  shell: find /etc/squid3/whitelist-custom.conf /etc/squid3/whitelist.conf 2> /dev/null
  failed_when: false
  changed_when: false
  check_mode: no
  register: squid3_whitelist_files

- name: Let's Encrypt OCSP server is authorized by squid
  lineinfile:
    dest: "{{ squid3_whitelist_files.stdout_lines | first }}"
    line: "{{ item }}"
    state: present
  notify: reload squid3
  with-items:
  - "http://acme-staging.api.letsencrypt.org/.*"
  - "http://ocsp.int-x1.letsencrypt.org/.*"
  - "http://ocsp.int-x2.letsencrypt.org/.*"
  - "http://ocsp.int-x3.letsencrypt.org/.*"
  - "http://ocsp.int-x4.letsencrypt.org/.*"
  - "http://ocsp.root-x1.letsencrypt.org/.*"
  - "http://ocsp.staging-x1.letsencrypt.org/.*"
  when: squid3_whitelist_files.stdout != ""