# This needs to happen in order.  letsencrypt hosts export their TXT
# authentication records which is installed onto adns1, and then the
# hosts verify to issue/renew keys
- hosts: "certcheck:!disabled"
  roles:
    - install-certcheck
- hosts: "letsencrypt:!disabled"
  name: "Deploy and renew certificates"
  roles:
    - letsencrypt-acme-sh-install
    - letsencrypt-request-certs
- hosts: "adns-primary:!disabled"
  name: "Install txt records"
  roles:
    - letsencrypt-install-txt-record
- hosts: "letsencrypt:!disabled"
  name: "Create certs"
  roles:
    - letsencrypt-create-certs
- hosts: "certcheck:!disabled"
  roles:
    - letsencrypt-config-certcheck