refator role

.drone.jsonnet

@@ -111,6 +111,7 @@ local PipelineDocumentation = {
   },
   depends_on: [
     'testing-centos7',
+    'testing-centos8',
   ],
 };
 
@@ -149,6 +150,7 @@ local PipelineNotification = {
 [
   PipelineLinting,
   PipelineDeployment(scenario='centos7'),
+  PipelineDeployment(scenario='centos8'),
   PipelineDocumentation,
   PipelineNotification,
 ]

defaults/main.yml

@@ -1,17 +1,12 @@
 ---
 certbot_packages_extra: []
 
+certbot_user: root
 certbot_initial_run_enabled: False
+
 certbot_work_dir: /var/lib/letsencrypt
 certbot_config_dir: /etc/letsencrypt
 certbot_log_dir: /var/log/letsencrypt
-certbot_plugin_dir: /etc/letsencrypt/plugins
-certbot_environment:
-  - { name: "{{ certbot_work_dir }}", mode: '0755' }
-  - { name: "{{ certbot_config_dir }}", mode: '0755' }
-  - { name: "{{ certbot_log_dir }}", mode: '0700' }
-  - { name: "{{ certbot_plugin_dir }}",  mode: '0755' }
-certbot_user: root
 
 certbot_preferred_challenges: dns
 certbot_server: https://acme-v02.api.letsencrypt.org/directory
@@ -20,30 +15,25 @@ certbot_rsa_key_size: 4096
 certbot_domains:
   - example.com
 
+# @var certbot_credentials:description: >
+# Specify key value parairs for your credentials (e.g. plugin credentials).
+# The credentials will be saved to `{{ certbot_config_dir }}/credentials.ini and you
+# could add the path to `certbot_command_arguments` if required.
+# @end
+certbot_credentials: []
+
 certbot_command_arguments:
   - "certonly"
-  - "--agree-tos"
-  - "--manual"
-  - "--manual-auth-hook /path/to/authenticator.py"
-  - "--manual-cleanup-hook /path/to/cleanup.py"
-  - "--manual-public-ip-logging-ok"
-  - "-n"
-  - "-d {{ certbot_domains | join(',') }}"
+  - "-n -d {{ certbot_domains | join(',') }}"
 
-# enable scheduling via cron
+# @var certbot_scheduler_enabled:description: Enable scheduling via cron.
 certbot_scheduler_enabled: True
 
-# Use a file under /etc/cron.d
-# Works onyl if certbot_user is root
-# certbot_cronfile: certbot-letsencrypt
+certbot_cron_minute: 30
+certbot_cron_hour: 3
 
-# Setup manual auth for core-networks api
-certbot_core_networks_plugin_enabled: False
-certbot_core_networks_plugin_repo: https://git.rknet.org/xoxys/certbot_dns_corenetworks.git
-certbot_core_networks_base_dir: "{{ certbot_plugin_dir }}/certbot_dns_corenetworks"
-certbot_core_networks_plugin_version: master
-certbot_core_networks_api_host: https://beta.api.core-networks.de/
-certbot_core_networks_api_user: myuser
-certbot_core_networks_api_password: secure
-certbot_core_networks_dns_zone: mydomain.com
-certbot_core_networks_log_level: error
+# @var certbot_cron_file:description: Use a file under /etc/cron.d but this will only work if `certbot_user`
+# has write permissions for this location.
+# @end
+# @var certbot_cron_file: $ "_unset_"
+# @var certbot_cron_file:example: certbot-letsencrypt

molecule/centos8/converge.yml

@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    certbot_packages_extra:
+      - epel-release
+
+  roles:
+    - role: xoxys.certbot

molecule/centos8/create.yml

@@ -0,0 +1,87 @@
+---
+- name: Create
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  vars:
+    ssh_user: root
+    ssh_port: 22
+
+    keypair_name: molecule_key
+    keypair_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
+  tasks:
+    - name: Create local keypair
+      user:
+        name: "{{ lookup('env', 'USER') }}"
+        generate_ssh_key: true
+        ssh_key_file: "{{ keypair_path }}"
+      register: local_keypair
+
+    - name: Create remote keypair
+      digital_ocean_sshkey:
+        name: "{{ keypair_name }}"
+        ssh_pub_key: "{{ local_keypair.ssh_public_key }}"
+        state: present
+      register: remote_keypair
+
+    - name: Create molecule instance(s)
+      digital_ocean_droplet:
+        name: "{{ item.name }}"
+        unique_name: true
+        region: "{{ item.region_id }}"
+        image: "{{ item.image_id }}"
+        size: "{{ item.size_id }}"
+        ssh_keys: "{{ remote_keypair.data.ssh_key.id }}"
+        wait: true
+        wait_timeout: 300
+        state: present
+      register: server
+      loop: "{{ molecule_yml.platforms }}"
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) creation to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: digitalocean_jobs
+      until: digitalocean_jobs.finished
+      retries: 300
+      loop: "{{ server.results }}"
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Populate instance config dict
+      set_fact:
+        instance_conf_dict: {
+          'instance': "{{ item.data.droplet.name }}",
+          'address': "{{ item.data.ip_address }}",
+          'user': "{{ ssh_user }}",
+          'port': "{{ ssh_port }}",
+          'identity_file': "{{ keypair_path }}",
+          'droplet_id': "{{ item.data.droplet.id }}",
+          'ssh_key_id': "{{ remote_keypair.data.ssh_key.id }}",
+        }
+      loop: "{{ digitalocean_jobs.results }}"
+      register: instance_config_dict
+      when: server.changed | bool
+
+    - name: Convert instance config dict to a list
+      set_fact:
+        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
+      when: server.changed | bool
+
+    - name: Dump instance config
+      copy:
+        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"
+        dest: "{{ molecule_instance_config }}"
+      when: server.changed | bool
+
+    - name: Wait for SSH
+      wait_for:
+        port: "{{ ssh_port }}"
+        host: "{{ item.address }}"
+        search_regex: SSH
+        delay: 10
+        timeout: 320
+      loop: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"

molecule/centos8/default

@@ -0,0 +1 @@
+default

molecule/centos8/destroy.yml

@@ -0,0 +1,54 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  tasks:
+    - block:
+        - name: Populate instance config
+          set_fact:
+            instance_conf: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"
+            skip_instances: false
+      rescue:
+        - name: Populate instance config when file missing
+          set_fact:
+            instance_conf: {}
+            skip_instances: true
+
+    - name: Destroy molecule instance(s)
+      digital_ocean_droplet:
+        name: "{{ item.instance }}"
+        id: "{{ item.droplet_id }}"
+        state: absent
+      register: server
+      loop: "{{ instance_conf | flatten(levels=1) }}"
+      when: not skip_instances
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) deletion to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: digitalocean_jobs
+      until: digitalocean_jobs.finished
+      retries: 300
+      loop: "{{ server.results }}"
+
+    - name: Delete remote keypair
+      digital_ocean_sshkey:
+        fingerprint: "{{ item.ssh_key_id }}"
+        state: absent
+      loop: "{{ instance_conf | flatten(levels=1) }}"
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Populate instance config
+      set_fact:
+        instance_conf: {}
+
+    - name: Dump instance config
+      copy:
+        content: "{{ instance_conf | molecule_to_yaml | molecule_header }}"
+        dest: "{{ molecule_instance_config }}"
+      when: server.changed | bool

molecule/centos8/molecule.yml

@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: delegated
+platforms:
+  - name: centos7-certbot
+    region_id: fra1
+    image_id: centos-8-x64
+    size_id: s-1vcpu-1gb
+lint: |
+  flake8
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
+    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
+verifier:
+  name: testinfra

molecule/centos8/prepare.yml

@@ -0,0 +1,9 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Install python for Ansible
+      raw: test -e /usr/bin/python || (dnf -y install python3 && alternatives --set python /usr/bin/python3)
+      become: true
+      changed_when: false

molecule/centos8/tests/test_default.py

@@ -0,0 +1,14 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+import warnings
+warnings.filterwarnings("ignore", category=DeprecationWarning)
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_certbot_is_installed(host):
+    certbot = host.package("certbot")
+    assert certbot.is_installed

molecule/default

@@ -1 +1 @@
-centos7
+centos8

tasks/install.yml

@@ -30,19 +30,26 @@
         src: config/cli.ini.j2
         dest: "{{ certbot_config_dir }}/cli.ini"
 
+    - name: Deploy credentials file
+      template:
+        src: config/credentials.ini.j2
+        dest: "{{ certbot_config_dir }}/credentials.ini"
+      when: certbot_credentials
+      mode: 600
+
     - name: Schedule certbot run
       cron:
-        name: certbot - letsencrypt certs renewal
-        minute: "55"
-        hour: "3"
-        user: "{{ certbot_user }}"
+        name: Certbot automatic renewal
+        minute: "{{ certbot_cron_minute }}"
+        hour: "{{ certbot_cron_hour }}"
+        user: "{{ certbot_cron_user | default(certbot_user) }}"
         job: >
           certbot
           --config-dir {{ certbot_config_dir }}
           --work-dir {{ certbot_work_dir }}
           --logs-dir {{ certbot_log_dir }}
           {{ certbot_command_arguments | join(' ') }}
-        cron_file: "{{ certbot_cronfile | default(omit) }}"
+        cron_file: "{{ certbot_cron_file | default(omit) }}"
       when: certbot_scheduler_enabled
   become: True
   become_user: "{{ certbot_user }}"

tasks/main.yml

@@ -1,7 +1,3 @@
 ---
 - include_tasks: install.yml
-
-- include_tasks: plugins.yml
-  when: certbot_core_networks_plugin_enabled
-
-- include_tasks: init.yml
+- include_tasks: setup.yml

tasks/plugins.yml

@@ -1,24 +0,0 @@
----
-- name: Setup core-networks dns plugin
-  block:
-    - name: Create plugin directories
-      file:
-        path: "{{ item }}"
-        state: directory
-      loop:
-        - "{{ certbot_core_networks_base_dir }}"
-        - ~/.certbot_dns_corenetworks
-
-    - name: Clone repo to '{{ certbot_plugin_dir }}'
-      git:
-        repo: "{{ certbot_core_networks_plugin_repo }}"
-        dest: "{{ certbot_core_networks_base_dir }}"
-        version: "{{ certbot_core_networks_plugin_version }}"
-
-    - name: Deploy plugin configuration
-      template:
-        src: corenetworks/config.ini.j2
-        dest: "~/.certbot_dns_corenetworks/config.ini"
-        mode: 0600
-  become: True
-  become_user: "{{ certbot_user }}"

tasks/setup.yml

@@ -7,6 +7,7 @@
         --config-dir {{ certbot_config_dir }}
         --work-dir {{ certbot_work_dir }}
         --logs-dir {{ certbot_log_dir }}
+        --agree-tos
         {{ certbot_command_arguments | join(' ') }}
       register: certbot_init
       changed_when: certbot_init.rc == 130

templates/corenetworks/config.ini.j2

@@ -1,12 +0,0 @@
-#jinja2: lstrip_blocks: True
-{{ ansible_managed | comment }}
-[API]
-HOST        = {{ certbot_core_networks_api_host }}
-USER        = {{ certbot_core_networks_api_user }}
-PASSWORD    = {{ certbot_core_networks_api_password }}
-
-[DNS]
-ZONE        = {{ certbot_core_networks_dns_zone }}
-
-[LOG]
-LEVEL       = {{ certbot_core_networks_log_level }}

vars/main.yml

@@ -1,3 +1,8 @@
 ---
 __certbot_packages:
   - certbot
+
+__certbot_environment:
+  - { name: "{{ certbot_work_dir }}", mode: "0755" }
+  - { name: "{{ certbot_config_dir }}", mode: "0755" }
+  - { name: "{{ certbot_log_dir }}", mode: "0700" }