From c3d1ce24d71299ee1676dacf2b5413e7525a0933 Mon Sep 17 00:00:00 2001
From: Robert Kaussow <mail@geeklabor.de>
Date: Sun, 19 Apr 2020 23:27:41 +0200
Subject: [PATCH] refator role

---
 .drone.jsonnet                         |  2 +
 defaults/main.yml                      | 50 ++++++---------
 molecule/centos8/converge.yml          |  9 +++
 molecule/centos8/create.yml            | 87 ++++++++++++++++++++++++++
 molecule/centos8/default               |  1 +
 molecule/centos8/destroy.yml           | 54 ++++++++++++++++
 molecule/centos8/molecule.yml          | 19 ++++++
 molecule/centos8/prepare.yml           |  9 +++
 molecule/centos8/tests/test_default.py | 14 +++++
 molecule/default                       |  2 +-
 tasks/install.yml                      | 17 +++--
 tasks/main.yml                         |  6 +-
 tasks/plugins.yml                      | 24 -------
 tasks/{init.yml => setup.yml}          |  1 +
 templates/corenetworks/config.ini.j2   | 12 ----
 vars/main.yml                          |  5 ++
 16 files changed, 235 insertions(+), 77 deletions(-)
 create mode 100644 molecule/centos8/converge.yml
 create mode 100644 molecule/centos8/create.yml
 create mode 120000 molecule/centos8/default
 create mode 100644 molecule/centos8/destroy.yml
 create mode 100644 molecule/centos8/molecule.yml
 create mode 100644 molecule/centos8/prepare.yml
 create mode 100644 molecule/centos8/tests/test_default.py
 delete mode 100644 tasks/plugins.yml
 rename tasks/{init.yml => setup.yml} (95%)
 delete mode 100644 templates/corenetworks/config.ini.j2

diff --git a/.drone.jsonnet b/.drone.jsonnet
index 22d7062..bdf05a6 100644
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@@ -111,6 +111,7 @@ local PipelineDocumentation = {
   },
   depends_on: [
     'testing-centos7',
+    'testing-centos8',
   ],
 };
 
@@ -149,6 +150,7 @@ local PipelineNotification = {
 [
   PipelineLinting,
   PipelineDeployment(scenario='centos7'),
+  PipelineDeployment(scenario='centos8'),
   PipelineDocumentation,
   PipelineNotification,
 ]
diff --git a/defaults/main.yml b/defaults/main.yml
index 8e8456a..3450a7b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,17 +1,12 @@
 ---
 certbot_packages_extra: []
 
+certbot_user: root
 certbot_initial_run_enabled: False
+
 certbot_work_dir: /var/lib/letsencrypt
 certbot_config_dir: /etc/letsencrypt
 certbot_log_dir: /var/log/letsencrypt
-certbot_plugin_dir: /etc/letsencrypt/plugins
-certbot_environment:
-  - { name: "{{ certbot_work_dir }}", mode: '0755' }
-  - { name: "{{ certbot_config_dir }}", mode: '0755' }
-  - { name: "{{ certbot_log_dir }}", mode: '0700' }
-  - { name: "{{ certbot_plugin_dir }}",  mode: '0755' }
-certbot_user: root
 
 certbot_preferred_challenges: dns
 certbot_server: https://acme-v02.api.letsencrypt.org/directory
@@ -20,30 +15,25 @@ certbot_rsa_key_size: 4096
 certbot_domains:
   - example.com
 
+# @var certbot_credentials:description: >
+# Specify key value parairs for your credentials (e.g. plugin credentials).
+# The credentials will be saved to `{{ certbot_config_dir }}/credentials.ini and you
+# could add the path to `certbot_command_arguments` if required.
+# @end
+certbot_credentials: []
+
 certbot_command_arguments:
   - "certonly"
-  - "--agree-tos"
-  - "--manual"
-  - "--manual-auth-hook /path/to/authenticator.py"
-  - "--manual-cleanup-hook /path/to/cleanup.py"
-  - "--manual-public-ip-logging-ok"
-  - "-n"
-  - "-d {{ certbot_domains | join(',') }}"
-
-# enable scheduling via cron
+  - "-n -d {{ certbot_domains | join(',') }}"
+
+# @var certbot_scheduler_enabled:description: Enable scheduling via cron.
 certbot_scheduler_enabled: True
 
-# Use a file under /etc/cron.d
-# Works onyl if certbot_user is root
-# certbot_cronfile: certbot-letsencrypt
-
-# Setup manual auth for core-networks api
-certbot_core_networks_plugin_enabled: False
-certbot_core_networks_plugin_repo: https://git.rknet.org/xoxys/certbot_dns_corenetworks.git
-certbot_core_networks_base_dir: "{{ certbot_plugin_dir }}/certbot_dns_corenetworks"
-certbot_core_networks_plugin_version: master
-certbot_core_networks_api_host: https://beta.api.core-networks.de/
-certbot_core_networks_api_user: myuser
-certbot_core_networks_api_password: secure
-certbot_core_networks_dns_zone: mydomain.com
-certbot_core_networks_log_level: error
+certbot_cron_minute: 30
+certbot_cron_hour: 3
+
+# @var certbot_cron_file:description: Use a file under /etc/cron.d but this will only work if `certbot_user`
+# has write permissions for this location.
+# @end
+# @var certbot_cron_file: $ "_unset_"
+# @var certbot_cron_file:example: certbot-letsencrypt
diff --git a/molecule/centos8/converge.yml b/molecule/centos8/converge.yml
new file mode 100644
index 0000000..bd3ac25
--- /dev/null
+++ b/molecule/centos8/converge.yml
@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    certbot_packages_extra:
+      - epel-release
+
+  roles:
+    - role: xoxys.certbot
diff --git a/molecule/centos8/create.yml b/molecule/centos8/create.yml
new file mode 100644
index 0000000..41f112d
--- /dev/null
+++ b/molecule/centos8/create.yml
@@ -0,0 +1,87 @@
+---
+- name: Create
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  vars:
+    ssh_user: root
+    ssh_port: 22
+
+    keypair_name: molecule_key
+    keypair_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
+  tasks:
+    - name: Create local keypair
+      user:
+        name: "{{ lookup('env', 'USER') }}"
+        generate_ssh_key: true
+        ssh_key_file: "{{ keypair_path }}"
+      register: local_keypair
+
+    - name: Create remote keypair
+      digital_ocean_sshkey:
+        name: "{{ keypair_name }}"
+        ssh_pub_key: "{{ local_keypair.ssh_public_key }}"
+        state: present
+      register: remote_keypair
+
+    - name: Create molecule instance(s)
+      digital_ocean_droplet:
+        name: "{{ item.name }}"
+        unique_name: true
+        region: "{{ item.region_id }}"
+        image: "{{ item.image_id }}"
+        size: "{{ item.size_id }}"
+        ssh_keys: "{{ remote_keypair.data.ssh_key.id }}"
+        wait: true
+        wait_timeout: 300
+        state: present
+      register: server
+      loop: "{{ molecule_yml.platforms }}"
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) creation to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: digitalocean_jobs
+      until: digitalocean_jobs.finished
+      retries: 300
+      loop: "{{ server.results }}"
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Populate instance config dict
+      set_fact:
+        instance_conf_dict: {
+          'instance': "{{ item.data.droplet.name }}",
+          'address': "{{ item.data.ip_address }}",
+          'user': "{{ ssh_user }}",
+          'port': "{{ ssh_port }}",
+          'identity_file': "{{ keypair_path }}",
+          'droplet_id': "{{ item.data.droplet.id }}",
+          'ssh_key_id': "{{ remote_keypair.data.ssh_key.id }}",
+        }
+      loop: "{{ digitalocean_jobs.results }}"
+      register: instance_config_dict
+      when: server.changed | bool
+
+    - name: Convert instance config dict to a list
+      set_fact:
+        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
+      when: server.changed | bool
+
+    - name: Dump instance config
+      copy:
+        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"
+        dest: "{{ molecule_instance_config }}"
+      when: server.changed | bool
+
+    - name: Wait for SSH
+      wait_for:
+        port: "{{ ssh_port }}"
+        host: "{{ item.address }}"
+        search_regex: SSH
+        delay: 10
+        timeout: 320
+      loop: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"
diff --git a/molecule/centos8/default b/molecule/centos8/default
new file mode 120000
index 0000000..331d858
--- /dev/null
+++ b/molecule/centos8/default
@@ -0,0 +1 @@
+default
\ No newline at end of file
diff --git a/molecule/centos8/destroy.yml b/molecule/centos8/destroy.yml
new file mode 100644
index 0000000..19c8c93
--- /dev/null
+++ b/molecule/centos8/destroy.yml
@@ -0,0 +1,54 @@
+---
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  tasks:
+    - block:
+        - name: Populate instance config
+          set_fact:
+            instance_conf: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"
+            skip_instances: false
+      rescue:
+        - name: Populate instance config when file missing
+          set_fact:
+            instance_conf: {}
+            skip_instances: true
+
+    - name: Destroy molecule instance(s)
+      digital_ocean_droplet:
+        name: "{{ item.instance }}"
+        id: "{{ item.droplet_id }}"
+        state: absent
+      register: server
+      loop: "{{ instance_conf | flatten(levels=1) }}"
+      when: not skip_instances
+      async: 7200
+      poll: 0
+
+    - name: Wait for instance(s) deletion to complete
+      async_status:
+        jid: "{{ item.ansible_job_id }}"
+      register: digitalocean_jobs
+      until: digitalocean_jobs.finished
+      retries: 300
+      loop: "{{ server.results }}"
+
+    - name: Delete remote keypair
+      digital_ocean_sshkey:
+        fingerprint: "{{ item.ssh_key_id }}"
+        state: absent
+      loop: "{{ instance_conf | flatten(levels=1) }}"
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Populate instance config
+      set_fact:
+        instance_conf: {}
+
+    - name: Dump instance config
+      copy:
+        content: "{{ instance_conf | molecule_to_yaml | molecule_header }}"
+        dest: "{{ molecule_instance_config }}"
+      when: server.changed | bool
diff --git a/molecule/centos8/molecule.yml b/molecule/centos8/molecule.yml
new file mode 100644
index 0000000..8fb4ca0
--- /dev/null
+++ b/molecule/centos8/molecule.yml
@@ -0,0 +1,19 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: delegated
+platforms:
+  - name: centos7-certbot
+    region_id: fra1
+    image_id: centos-8-x64
+    size_id: s-1vcpu-1gb
+lint: |
+  flake8
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
+    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
+verifier:
+  name: testinfra
diff --git a/molecule/centos8/prepare.yml b/molecule/centos8/prepare.yml
new file mode 100644
index 0000000..559de83
--- /dev/null
+++ b/molecule/centos8/prepare.yml
@@ -0,0 +1,9 @@
+---
+- name: Prepare
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Install python for Ansible
+      raw: test -e /usr/bin/python || (dnf -y install python3 && alternatives --set python /usr/bin/python3)
+      become: true
+      changed_when: false
diff --git a/molecule/centos8/tests/test_default.py b/molecule/centos8/tests/test_default.py
new file mode 100644
index 0000000..7f55e98
--- /dev/null
+++ b/molecule/centos8/tests/test_default.py
@@ -0,0 +1,14 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+import warnings
+warnings.filterwarnings("ignore", category=DeprecationWarning)
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_certbot_is_installed(host):
+    certbot = host.package("certbot")
+    assert certbot.is_installed
diff --git a/molecule/default b/molecule/default
index 2fdf3e8..575742e 120000
--- a/molecule/default
+++ b/molecule/default
@@ -1 +1 @@
-centos7
\ No newline at end of file
+centos8
\ No newline at end of file
diff --git a/tasks/install.yml b/tasks/install.yml
index b1b2529..b2b4b6f 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -30,19 +30,26 @@
         src: config/cli.ini.j2
         dest: "{{ certbot_config_dir }}/cli.ini"
 
+    - name: Deploy credentials file
+      template:
+        src: config/credentials.ini.j2
+        dest: "{{ certbot_config_dir }}/credentials.ini"
+      when: certbot_credentials
+      mode: 600
+
     - name: Schedule certbot run
       cron:
-        name: certbot - letsencrypt certs renewal
-        minute: "55"
-        hour: "3"
-        user: "{{ certbot_user }}"
+        name: Certbot automatic renewal
+        minute: "{{ certbot_cron_minute }}"
+        hour: "{{ certbot_cron_hour }}"
+        user: "{{ certbot_cron_user | default(certbot_user) }}"
         job: >
           certbot
           --config-dir {{ certbot_config_dir }}
           --work-dir {{ certbot_work_dir }}
           --logs-dir {{ certbot_log_dir }}
           {{ certbot_command_arguments | join(' ') }}
-        cron_file: "{{ certbot_cronfile | default(omit) }}"
+        cron_file: "{{ certbot_cron_file | default(omit) }}"
       when: certbot_scheduler_enabled
   become: True
   become_user: "{{ certbot_user }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index a8417d5..b31d58c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,7 +1,3 @@
 ---
 - include_tasks: install.yml
-
-- include_tasks: plugins.yml
-  when: certbot_core_networks_plugin_enabled
-
-- include_tasks: init.yml
+- include_tasks: setup.yml
diff --git a/tasks/plugins.yml b/tasks/plugins.yml
deleted file mode 100644
index ba27be2..0000000
--- a/tasks/plugins.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: Setup core-networks dns plugin
-  block:
-    - name: Create plugin directories
-      file:
-        path: "{{ item }}"
-        state: directory
-      loop:
-        - "{{ certbot_core_networks_base_dir }}"
-        - ~/.certbot_dns_corenetworks
-
-    - name: Clone repo to '{{ certbot_plugin_dir }}'
-      git:
-        repo: "{{ certbot_core_networks_plugin_repo }}"
-        dest: "{{ certbot_core_networks_base_dir }}"
-        version: "{{ certbot_core_networks_plugin_version }}"
-
-    - name: Deploy plugin configuration
-      template:
-        src: corenetworks/config.ini.j2
-        dest: "~/.certbot_dns_corenetworks/config.ini"
-        mode: 0600
-  become: True
-  become_user: "{{ certbot_user }}"
diff --git a/tasks/init.yml b/tasks/setup.yml
similarity index 95%
rename from tasks/init.yml
rename to tasks/setup.yml
index efb5e06..bbdd424 100644
--- a/tasks/init.yml
+++ b/tasks/setup.yml
@@ -7,6 +7,7 @@
         --config-dir {{ certbot_config_dir }}
         --work-dir {{ certbot_work_dir }}
         --logs-dir {{ certbot_log_dir }}
+        --agree-tos
         {{ certbot_command_arguments | join(' ') }}
       register: certbot_init
       changed_when: certbot_init.rc == 130
diff --git a/templates/corenetworks/config.ini.j2 b/templates/corenetworks/config.ini.j2
deleted file mode 100644
index 241a945..0000000
--- a/templates/corenetworks/config.ini.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-#jinja2: lstrip_blocks: True
-{{ ansible_managed | comment }}
-[API]
-HOST        = {{ certbot_core_networks_api_host }}
-USER        = {{ certbot_core_networks_api_user }}
-PASSWORD    = {{ certbot_core_networks_api_password }}
-
-[DNS]
-ZONE        = {{ certbot_core_networks_dns_zone }}
-
-[LOG]
-LEVEL       = {{ certbot_core_networks_log_level }}
diff --git a/vars/main.yml b/vars/main.yml
index 2dd2a42..7c77e0f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,3 +1,8 @@
 ---
 __certbot_packages:
   - certbot
+
+__certbot_environment:
+  - { name: "{{ certbot_work_dir }}", mode: "0755" }
+  - { name: "{{ certbot_config_dir }}", mode: "0755" }
+  - { name: "{{ certbot_log_dir }}", mode: "0700" }