flatten the "playbooks" directory for better structure

Because of how Ansible local relative search paths work, the global
"files" and "templates" directories need to be next to the playbooks.
However its not intuitive to look into the playbooks directory to find
the files and templates for a host.
Therefore flatten the playbooks directory to get rid of this confusing
structure.

Also see:
https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths

roles/certbot/tasks/main/cert.yaml

@@ -0,0 +1,24 @@
+- name: get expiry date before
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  ignore_errors: true
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_before
+
+- name: obtain the certificate using certbot
+  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
+  become: true
+  changed_when: false
+
+- name: get expiry date after
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_after
+
+# Doesn't work anymore. Dunno why.
+# TODO: Fix
+# - name: potentially report changed
+#   ansible.builtin.debug:
+#     msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
+#   changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout

roles/certbot/tasks/main/certs.yaml

@@ -0,0 +1,4 @@
+- name: obtain certificates
+  loop: "{{ certbot__certificate_domains }}"
+  ansible.builtin.include_tasks:
+    file: main/cert.yaml

roles/certbot/tasks/main/install.yaml

@@ -0,0 +1,19 @@
+- name: make sure the `openssl` package is installed
+  ansible.builtin.apt:
+    name: openssl
+    state: present
+  become: true
+
+- name: make sure the `certbot` package is installed
+  ansible.builtin.apt:
+    name: certbot={{ certbot__version_spec }}*
+    state: present
+    allow_change_held_packages: true
+    update_cache: true
+  become: true
+
+- name: apt-mark hold `certbot`
+  ansible.builtin.dpkg_selections:
+    name: certbot
+    selection: hold
+  become: true

roles/certbot/tasks/main/new_cert_commands.yaml

@@ -0,0 +1,17 @@
+- name: ensure existence of renewal deploy hooks directory
+  ansible.builtin.file:
+    path: /etc/letsencrypt/renewal-hooks/deploy
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ensure renewal deploy hook commands
+  ansible.builtin.template:
+    src: renewal_deploy_hook_commands.sh.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
+    owner: root
+    group: root
+    mode: "0770"
+  become: true