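---
# Certbot / TLSA provisioning tasks.
#
# Installs certbot and openssl, ships a systemd service + timer for renewal,
# prepares /var/lib/letsencrypt, installs a TLSA-generation script, and then
# shows the TLSA records the script proposes next to the ones currently
# published in DNS for `external_domain` (queried from the control host).
#
# File modes are quoted throughout: an unquoted `2755` is read by YAML as the
# decimal integer 2755 and Ansible would apply it as a decimal, not octal, mode.

- name: SSL packages
  become: true
  package:
    name:
      - certbot
      - openssl

# Unit files are copied verbatim; `services` records whether either changed
# so the timer is only (re)enabled when the units actually moved.
- name: Services
  become: true
  register: services
  copy:
    src: "{{ item }}"
    dest: /usr/lib/systemd/system
    owner: root
    group: root
    mode: "0644"
  loop:
    - "certbot.service"
    - "certbot.timer"

- name: Enable timer
  when: services.changed
  become: true
  systemd:
    daemon_reload: true
    name: certbot.timer
    enabled: true
    state: started

# `state: directory` is required for the file module to create the path;
# without it the task only adjusts an already-existing path and fails otherwise.
# "2755" keeps the setgid bit so files created inside inherit group `http`.
- name: Create letsencrypt folder
  become: true
  file:
    path: /var/lib/letsencrypt
    state: directory
    owner: root
    group: http
    mode: "2755"

- name: Copy TLSA script
  become: true
  template:
    src: tlsa-generation.bash.j2
    dest: /usr/local/sbin/tlsa-generation.bash
    owner: root
    group: root
    mode: "0700"

# Read-only: the script prints proposed records, so never report "changed".
- name: Get proposed TLSA records
  become: true
  command: /usr/local/sbin/tlsa-generation.bash
  changed_when: false
  register: tlsa_records

- name: Show proposed TLSA records
  debug:
    msg: "{{ tlsa_records.stdout_lines }}"

# The domain is passed to bash as a positional argument ($1) rather than being
# templated into the script text, so a value containing shell metacharacters
# cannot alter the command. Output format is unchanged: "_<port>._tcp " followed
# by dig's +short answer for each of the two ports.
- name: Get TLSA records
  delegate_to: localhost
  run_once: true
  command:
    argv:
      - /bin/bash
      - -c
      - >-
        printf '_443._tcp ';
        dig "_443._tcp.$1" TLSA +short;
        printf '_6697._tcp ';
        dig "_6697._tcp.$1" TLSA +short
      - tlsa-lookup
      - "{{ external_domain }}"
  changed_when: false
  register: ext_tlsa_records

- name: Show TLSA records
  debug:
    msg: "{{ ext_tlsa_records.stdout_lines }}"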