- name: Install certbot package
  ansible.builtin.package:
    name:
      - '{{ item }}'
    state: present
  loop:
    - certbot

- name: Setup certbot directories
  ansible.builtin.file:
    path: '{{ item }}'
    state: directory
    owner: root
    group: root
    mode: u+rw,g+r,o+r
  loop:
    - /etc/letsencrypt/renewal-hooks
    - /etc/letsencrypt/renewal-hooks/deploy
    - /etc/letsencrypt/renewal-hooks/post
    - /etc/letsencrypt/renewal-hooks/pre

- name: Configure certbot systemd service
  ansible.builtin.copy:
    src: files/certbot.service
    dest: /usr/lib/systemd/system
    owner: root
    group: root
    mode: u+rw,g+r,o+r

- name: Configure certbot systemd timer
  ansible.builtin.copy:
    src: files/certbot.timer
    dest: /usr/lib/systemd/system
    owner: root
    group: root
    mode: u+rw,g+r,o+r

- name: Enable certbot systemd timer
  # `ansible.builtin.systemd_service` used here intentionally instead of
  # `ansible.builtin.service` to issue `systemctl daemon-reload` in case of
  # changes in Ansible managed unit file.
  ansible.builtin.systemd_service:
    name: certbot.timer
    enabled: true
    state: started
    daemon_reload: true