atlas_recipe :ssl do
  # Hook both SSL tasks in ahead of "atlas:nginx:configure" so the DH
  # parameters and the certificate/key links exist by the time nginx is
  # configured (presumably its config references those paths — confirm).
  # Declaration order is kept as DH group first, then Let's Encrypt; whether
  # prior_to preserves that order at run time depends on the recipe DSL.
  %w[atlas:ssl:generate_dh atlas:ssl:configure_lets_encrypt].each do |ssl_task|
    prior_to "atlas:nginx:configure", ssl_task
  end
end

namespace :atlas do
  namespace :ssl do
    desc "Setup Let's Encrypt and get a free certificate"
    # One-shot bootstrap on the :web hosts: fetch the certbot-auto client,
    # request a certificate via the webroot (HTTP) challenge, then link the
    # resulting chain and private key into /etc/ssl under the application's
    # name. Skipped entirely once /etc/ssl/<app>.crt exists, so renewal is
    # not handled here.
    # Reads :atlas_lets_encrypt_email and :atlas_lets_encrypt_domain_name.
    task :configure_lets_encrypt do
      privileged_on roles(:web) do
        cert_path = "/etc/ssl/#{application_basename}.crt"
        # The certificate link is the only idempotence marker. A half-finished
        # earlier run (key link present, cert link absent) would make the
        # second `ln -s` below fail with "File exists" — resolve by hand.
        next if test("sudo [ -f #{cert_path} ]")

        key_path = "/etc/ssl/#{application_basename}.key"
        domain   = fetch(:atlas_lets_encrypt_domain_name)
        live_dir = "/etc/letsencrypt/live/#{domain}"

        execute :sudo, "mkdir -p /opt/certbot"
        # NOTE(review): this downloads an executable and runs it as root with
        # no checksum or signature verification — TLS on the download protects
        # transport only. Pin a known version and verify it, or install
        # certbot from the distribution package instead. As far as I recall
        # the certbot-auto wrapper has also been retired upstream; confirm it
        # is still served before relying on this step.
        execute :sudo, "wget https://dl.eff.org/certbot-auto -O /opt/certbot/certbot-auto && chmod a+x /opt/certbot/certbot-auto"

        # Config values are interpolated unquoted into the shell command; that
        # is safe only while they stay plain e-mail addresses and host names.
        # The webroot challenge assumes something already serves /var/www/html
        # on port 80 for `domain` — confirm, since this runs before the nginx
        # configure task.
        certbot_cmd = [
          "/opt/certbot/certbot-auto certonly --agree-tos",
          "--email #{fetch(:atlas_lets_encrypt_email)}",
          "--webroot -w /var/www/html",
          "-d #{domain}"
        ].join(" ")
        execute :sudo, certbot_cmd

        # Symlinks (not copies) so certbot renewals are picked up in place;
        # the private key stays under /etc/letsencrypt with its own perms.
        execute :sudo, "ln -s #{live_dir}/fullchain.pem #{cert_path}"
        execute :sudo, "ln -s #{live_dir}/privkey.pem #{key_path}"
      end
    end

    desc "Generate unique DH group"
    # Generates a per-host 2048-bit DH parameter file once; existing params
    # are left alone. openssl output is discarded, but a non-zero exit still
    # fails the task via execute.
    task :generate_dh do
      privileged_on roles(:web) do
        dh_path = "/etc/ssl/dhparams.pem"
        next if test("sudo [ -f #{dh_path} ]")

        execute :sudo, "openssl dhparam -out #{dh_path} 2048 > /dev/null 2>&1"
        # DH parameters are not secret; 600 just keeps the file root-only
        # (presumably the web server reads it as root — verify if it fails
        # to start).
        execute :sudo, "chmod 600 #{dh_path}"
      end
    end
  end
end