infrastructure/roles/certbot/tasks/main.yml

---

- name: install certbot
  pacman: name=certbot state=present

- name: install letsencrypt hook
  copy: src=hook.sh dest=/etc/letsencrypt/hook.sh owner=root group=root mode=0755

- name: create letsencrypt hook dir
  file: state=directory path=/etc/letsencrypt/hook.d owner=root group=root mode=0755

- name: install letsencrypt renewal service
  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
  with_items:
    - certbot-renewal.service
    - certbot-renewal.timer

- name: activate letsencrypt renewal service
  systemd:
    name: certbot-renewal.timer
    enabled: true
    state: started
    daemon_reload: true

- name: open firewall holes for certbot standalone authenticator
  ansible.posix.firewalld: service={{ item }} permanent=true state=enabled immediate=yes
  with_items:
    - http
  when: configure_firewall
  tags:
    - firewall