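# Play: deploy site-specific dehydrated (ACME client) configuration and a
# weekly certificate check/renew cron job on the host or cluster selected
# by `target`. Per-host files are chosen by inventory_hostname_short.
- name: setup dehydrated
  gather_facts: true
  hosts: "{{target}}"
  become: "{{become}}"
  vars: {}
  tasks:
    # Guard against running this play against the broad 'servers' target;
    # the files below are per-host, so a specific target is expected.
    - name: assert per-host/cluster target
      ansible.builtin.assert:
        that: target != 'servers'

    # Read-only pre-flight check: fails the play when no executable
    # dehydrated is found on PATH. check_mode: false makes it run under
    # --check as well; changed_when: false keeps it from reporting a change.
    - name: check dehydrated is installed
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "[[ -x `which dehydrated` ]]"
      changed_when: false
      check_mode: false

    # No mode/owner is set on the two config files below, so permissions
    # come from the existing file or the remote umask.
    # NOTE(review): confirm that is acceptable for /etc/dehydrated.
    - name: site-specific dehydrated config
      ansible.builtin.template:
        src: "templates/config.{{inventory_hostname_short}}.j2"
        dest: /etc/dehydrated/config
      diff: true

    - name: site-specific dehydrated domains
      ansible.builtin.copy:
        src: "templates/domains-http01.{{inventory_hostname_short}}"
        dest: /etc/dehydrated/domains-http01
      diff: true

    - name: site-specific weekly script
      ansible.builtin.copy:
        src: "templates/WEEKLY.{{inventory_hostname_short}}"
        dest: /root/WEEKLY
        # Must be a quoted octal string. An unquoted 755 is read as the
        # decimal integer 755 (octal 1363), which is not rwxr-xr-x and
        # leaves this cron-run script writable by other users.
        mode: "0755"
      diff: true

    # todo use system outbound email instead of log file
    # todo randomize hour minute so that our hosts don't flood acme at the same time

    # Both cron tasks share one `name`, so they manage the same crontab
    # entry; the `when` conditions pick the schedule and output handling.
    # NOTE(review): email_ready is compared with the string 'yes'; a real
    # boolean true would not match - confirm how the variable is defined.
    # NOTE(review): /var/log/WEEKLY.log is appended to with no rotation
    # visible here - confirm it is covered by logrotate.
    - name: weekly cron job w/o email
      ansible.builtin.cron:
        name: "check/renew ssl certificates weekly"
        minute: "52"
        hour: "06"
        weekday: "0"
        job: "/root/WEEKLY >> /var/log/WEEKLY.log 2>&1"
      diff: true
      when: email_ready != 'yes'

    # Output is not redirected to a file here, presumably so that cron
    # mails it - confirm against the host's MAILTO setup.
    - name: weekly cron job w/ email
      ansible.builtin.cron:
        name: "check/renew ssl certificates weekly"
        minute: "25"
        hour: "05"
        weekday: "0"
        job: "/root/WEEKLY 2>&1"
      diff: true
      when: email_ready == 'yes'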