---

- name: "System compatibility checks"
  assert:
    that:
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version is version('8', '>=')
    msg: only compatible with Debian 9+

- name: Install legacy script on Debian 8 and 9
  include: install-legacy.yml
  when:
    - ansible_distribution == "Debian"
    - ansible_distribution_major_version is version('10', '<')

- name: Install package on Debian 10+
  include: install-package.yml
  when:
    - ansible_distribution == "Debian"
    - ansible_distribution_major_version is version('10', '>=')

- include: acme-challenge.yml

- name: Deploy hooks are present
  copy:
    src: hooks/
    dest: /etc/letsencrypt/renewal-hooks/deploy/
    mode: "0700"
    owner: root
    group: root

- name: Move commit-etc.sh to z-commit-etc.sh if present
  command: "mv /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh"
  args:
    removes: /etc/letsencrypt/renewal-hooks/deploy/commit-etc.sh
    creates: /etc/letsencrypt/renewal-hooks/deploy/z-commit-etc.sh

- name: "certbot lock is ignored by Git"
  lineinfile:
    dest: /etc/.gitignore
    line: letsencrypt/.certbot.lock
    create: yes
    owner: root
    mode: "0600"