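# @summary Installs the Let's Encrypt client and schedules certificate renewal.
#
# Manages the support directory, the client package and a root cron job that
# runs `<tool> renew` twice a day.
#
# @param script_base
#   Directory containing the client executable; used as the prefix of the
#   cron command.
# @param basedir
#   Support directory managed by this class (root-owned, mode 0750).
# @param owner
#   Despite the name, this is used as the *group* of $basedir; the directory
#   owner is always root. With mode 0750 the group gets read/traverse access
#   but no write access.
# @param pre_hook
#   Command passed to the client as `--pre-hook`. Empty string omits the flag.
# @param post_hook
#   Command passed to the client as `--post-hook`. Empty string omits the flag.
# @param plugin
#   Plugin name, passed to the client as `--<plugin>`.
#
# SECURITY: $script_base, $plugin, $pre_hook and $post_hook are interpolated
# verbatim into a command line that cron executes as root. The hooks are only
# wrapped in double quotes, so `"`, `$`, backticks and backslashes in a hook
# are interpreted by cron's shell before the client sees them, and an
# unescaped `%` is treated by cron as a newline. Feed these parameters from
# trusted data only (never from facts or other node-supplied values) and
# review any hook containing those characters.
class certbot(
  $script_base = '/usr/bin',
  $basedir     = '/var/spool/certbot',
  $owner       = 'www-data',
  $pre_hook    = '',
  $post_hook   = '',
  $plugin      = 'standalone',
) {

  # The client package and executable are named differently on xenial.
  $tool = $::lsbdistcodename ? {
    'xenial' => 'letsencrypt',
    default  => 'certbot',
  }

  # Always define both hook fragments. Previously they were only assigned
  # when a hook was given, so the cron command below referenced undefined
  # variables, which fails compilation when strict_variables is enabled.
  if $pre_hook != '' {
    $real_pre_hook = "--pre-hook \"${pre_hook}\""
  } else {
    $real_pre_hook = ''
  }

  if $post_hook != '' {
    $real_post_hook = "--post-hook \"${post_hook}\""
  } else {
    $real_post_hook = ''
  }

  # Certbot support
  file { $basedir:
    ensure => directory,
    owner  => 'root',
    group  => $owner,
    mode   => '0750',
  }

  # NOTE(review): on trusty the package is ensured absent, yet the cron job
  # below is still installed and will invoke ${script_base}/${tool}.
  # Presumably the client is provided by other means there - confirm.
  package { $tool:
    ensure  => $::lsbdistcodename ? {
      'trusty' => absent,
      default  => present,
    },
    require => File[$basedir],
  }

  # Choosing an arbitrary minute within the hour in the hope that it won't
  # overload the Let's Encrypt servers.
  cron { 'certbot-renew':
    ensure  => present,
    command => "${script_base}/${tool} renew --${plugin} --quiet -n ${real_pre_hook} ${real_post_hook}",
    user    => 'root',
    hour    => [ 5, 23 ],
    minute  => '28',
    require => Package[$tool],
  }
}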