# Installs the Let's Encrypt client package and schedules `renew` runs from
# root's crontab.
#
# Parameters:
#   script_base  - directory of the client executable; the cron job runs
#                  "${script_base}/${tool}".
#   basedir      - support directory, managed as root:${owner} with mode 0750.
#   owner        - despite the name, this is applied as the *group* of
#                  $basedir (the directory owner is always root).
#   pre_hook     - when non-empty, passed as: --pre-hook "<value>"
#   post_hook    - when non-empty, passed as: --post-hook "<value>"
#   pre_command  - when non-empty, run before the client and chained with &&.
#   post_command - when non-empty, run after the client and chained with &&.
#   plugin       - appended to the renew command as "--<plugin>".
#
# SECURITY: every parameter above is interpolated verbatim into a shell
# command line that cron executes as root. Nothing is escaped, so a value
# containing a double quote, `$`, a backtick, `;` or `&` is interpreted by
# the shell, and cron itself treats an unescaped `%` as a newline. Supply
# these values only from trusted, reviewed data sources.
class certbot(
  $script_base  = '/usr/bin',
  $basedir      = '/var/spool/certbot',
  $owner        = 'www-data',
  $pre_hook     = '',
  $post_hook    = '',
  $pre_command  = '',
  $post_command = '',
  $plugin       = 'webroot',
) {

  # The client is packaged as "letsencrypt" on xenial and "certbot" elsewhere.
  case $::lsbdistcodename {
    'xenial': { $tool = 'letsencrypt' }
    default:  { $tool = 'certbot' }
  }

  # The package is removed on trusty and installed everywhere else.
  # NOTE(review): the cron job below is still created on trusty, so the
  # executable under $script_base is presumably provided by other means
  # there - confirm.
  $package_ensure = $::lsbdistcodename ? {
    'trusty' => absent,
    default  => present,
  }

  # Optional command-line fragments; each collapses to an empty string when
  # the corresponding parameter is left at its default.
  $real_pre_hook = $pre_hook ? {
    ''      => '',
    default => "--pre-hook \"${pre_hook}\"",
  }

  $real_post_hook = $post_hook ? {
    ''      => '',
    default => "--post-hook \"${post_hook}\"",
  }

  $real_pre_command = $pre_command ? {
    ''      => '',
    default => "${pre_command} &&",
  }

  $real_post_command = $post_command ? {
    ''      => '',
    default => "&& ${post_command}",
  }

  # Certbot support directory: writable by root only, readable by $owner's
  # group, closed to everyone else.
  file { $basedir:
    ensure => directory,
    owner  => 'root',
    group  => $owner,
    mode   => '0750',
  }

  package { $tool:
    ensure  => $package_ensure,
    require => File[$basedir],
  }

  # Choosing an arbitrary minute within the hour in the hope that it won't
  # overload the Let's Encrypt servers. The minute is a fixed value, so every
  # node that applies this class runs at the same two times of day.
  cron { 'certbot-renew':
    ensure  => present,
    user    => 'root',
    hour    => [ 5, 23 ],
    minute  => '28',
    command => "${real_pre_command}${script_base}/${tool} renew --${plugin} --quiet -n ${real_pre_hook} ${real_post_hook} ${real_post_command}",
    require => Package[$tool],
  }
}