#
# Create SSL certificates using Letsencrypt
#
# Layout of this policy file:
#   certbot          - per-platform paths/package name plus the webroot/renew knobs
#   install_certbot  - installs the certbot package and (FreeBSD only) the renewal cron file
#   certbot_cert     - requests a certificate for one site (dry run first, then for real)
#
bundle agent certbot
{
  vars:
      # "webroot" and "renew" are taken from "wr" / "rn"; the defaults: section
      # below fills those in when they are not otherwise defined.
      # NOTE(review): nothing in this file sets wr/rn explicitly - presumably a
      # caller or def bundle does; confirm where they are meant to come from.
      "webroot" string => "$(wr)";
      "renew" string => "$(rn)";

    freebsd::
      "certbot_dir" string => "/usr/local/etc/letsencrypt";
      "exe" string => "/usr/local/bin/certbot";
      "pkg" string => "py39-certbot";

    debian::
      "certbot_dir" string => "/etc/letsencrypt";
      "exe" string => "/usr/bin/certbot";
      "pkg" string => "certbot";

  defaults:
      # "standalone" makes certbot_cert use --standalone instead of --webroot.
      "wr" string => "standalone";
      "rn" string => "";

  reports:
}

bundle agent install_certbot
{
  packages:
      # The handle "certbot_installed" is what certbot_cert's commands depend on,
      # so the binary is guaranteed present before any certbot invocation.
    freebsd::
      "$(certbot.pkg)"
        policy => "present",
        package_module => pkg,
        handle => "certbot_installed";

    debian::
      "$(certbot.pkg)"
        policy => "present",
        package_module => apt_get,
        handle => "certbot_installed";

  files:
      # Renewal cron job, installed from a template. Only done on FreeBSD here;
      # no equivalent is managed for Debian in this file.
    freebsd::
      "/etc/cron.d/certbot"
        create => "true",
        copy_from => local_cp("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/certbot-cron.mustache");
        # Former inline content, kept for reference only - the template file above
        # is now authoritative (verify it still matches this):
        # content => '#
        # # Managed by CFEngine
        # #
        # #SHELL=/bin/sh
        # #PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
        # #0 */12 * * * root certbot -q renew --no-random-sleep-on-renew
        # #';
}

# Request (or re-request) a certificate for one site.
#
# Parameters:
#   site    - data container; this bundle reads site[domain], site[aliases]
#             and site[email]
#   webroot - "standalone" (default) for --standalone, otherwise a directory
#             passed to --webroot -w
#
# certbot runs only when the run_certbot class is set: either no live/<domain>
# directory exists yet, or the rendered argument list changed since the last
# run (tracked via a marker file under $(sys.workdir)/data/certbot).
bundle agent certbot_cert(site,webroot)
{
  vars:
      # Not referenced inside this bundle; may be read from elsewhere as
      # $(certbot_cert.domain) / $(certbot_cert.site_json).
      "domain" string => "$(site[domain])";
      "site_json" string => storejson(@(site));

      # One "-d" for the primary domain plus one per alias.
      "args" string => string_mustache(
                         "-d {{domain}} {{#aliases}} -d {{.}} {{/aliases}}",
                         @(site) );

      "webroot_arg" string => ifelse( strcmp("$(webroot)","standalone"),
                                      "--standalone",
                                      "--webroot -w $(webroot)");

  files:
      # Marker file whose content is the current argument list; a change in
      # domain/aliases repairs it and thereby sets certbot_repaired.
      # NOTE(review): in CFEngine's normal promise ordering this files promise
      # is evaluated before the commands below, so the marker is updated even
      # if certbot then fails; a failed run is retried only once the live/
      # directory is missing or the arguments change again. Confirm this is
      # the intended behaviour.
      "$(sys.workdir)/data/certbot/$(site[domain])-cert-created"
        create => "true",
        content => "$(args)",
        classes => if_repaired(certbot_repaired);

  classes:
      "no_cert_file"
        comment => "run certbot because no cert dir exists",
        not => fileexists("$(certbot.certbot_dir)/live/$(site[domain])");

      "run_certbot" or => {no_cert_file, certbot_repaired};

  defaults:
      "webroot" string => "standalone";
      "domain" string => "$(site[domain])";

  methods:
      "any" usebundle => install_certbot;

  commands:
      # Two-step issuance: a --dry-run (staging) first; the real request only
      # runs if the dry run's promise (handle certbot_dry_run_ok) was kept.
      # domain, aliases and email from the site container go straight into
      # certbot's argument list; this file does not validate them, so they are
      # expected to be trusted/validated upstream.
      # NOTE(review): the first args string literal contains a line break as
      # written in the original; confirm certbot receives the intended argv.
    run_certbot::
      "$(certbot.exe)"
        depends_on => {"certbot_installed"},
        handle => "certbot_dry_run_ok",
        args => "certonly --dry-run 
--agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";

    run_certbot::
      "$(certbot.exe)"
        depends_on => {"certbot_installed","certbot_dry_run_ok"},
        args => "certonly --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";

  reports:
}