From d4e0a92b9dcb8d47bbc63c9f1cd308bc35ad1533 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sat, 17 Apr 2021 12:20:07 +0200
Subject: [PATCH] use venv to install certbot
---
 defaults/main.yml | 14 ++++---
 molecule/centos7/converge.yml | 3 --
 molecule/centos7/tests/test_default.py | 4 +-
 tasks/install.yml | 49 ++++++++++++++++++----
 templates/usr/local/bin/certbot-wrapper.j2 | 4 ++
 vars/main.yml | 16 ++++--
 6 files changed, 67 insertions(+), 23 deletions(-)
 create mode 100644 templates/usr/local/bin/certbot-wrapper.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 75956a2..43d957a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,9 +1,11 @@
 ---
+# @var certbot_version:description: Set a fix version of the certbot package to install.
+# @var certbot_version: $ "_unset_"
+
 # @var certbot_packages_extra:description: Extra packages to install with pip (e.g. DNS plugins).
 certbot_packages_extra: []
 certbot_user: root
-certbot_pip: "pip{{ ansible_python.version.major }}"
 certbot_work_dir: /var/lib/letsencrypt
 certbot_config_dir: /etc/letsencrypt
@@ -34,11 +36,11 @@ certbot_command_arguments:
 # @var certbot_cron_enabled:description: Enable scheduling via cron.
 certbot_cron_enabled: True
-certbot_cron_minute: "30"
-certbot_cron_hour: "3"
-
-# @var certbot_cron_file:description: Use a file under /etc/cron.d but this will only work if `certbot_user`
-# has write permissions for this location.
+# @var certbot_cron_file:description: >
+# Use a file under /etc/cron.d but this will only work if `certbot_user` has write permissions for this location.
 # @end
 # @var certbot_cron_file: $ "_unset_"
 # @var certbot_cron_file:example: certbot-letsencrypt
+
+certbot_cron_minute: "30"
+certbot_cron_hour: "3"
diff --git a/molecule/centos7/converge.yml b/molecule/centos7/converge.yml
index 2bfe5af..81b39da 100644
--- a/molecule/centos7/converge.yml
+++ b/molecule/centos7/converge.yml
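Review bot: The new `certbot_version` description in the first hunk does not say how the value is consumed: vars/main.yml in this same patch turns it into the exact requirement `certbot==<version>`, so only a bare version string works, and only the certbot package itself is pinned, while the `--upgrade` of pip/setuptools and everything in `certbot_packages_extra` still float. I would state that in the description, e.g. `# @var certbot_version:description: Pin certbot to an exact version (installed as certbot==<version>); its dependencies, pip/setuptools and certbot_packages_extra are not pinned by this.` If the role's doc tooling needs the folded `>` form for long descriptions, as the second hunk uses for `certbot_cron_file`, the same form should be used here.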
@@ -1,9 +1,6 @@
 ---
 - name: Converge
 hosts: all
- vars:
- certbot_pip: pip3
-
 roles:
 - role: xoxys.python3
 - role: xoxys.certbot
diff --git a/molecule/centos7/tests/test_default.py b/molecule/centos7/tests/test_default.py
index 481f8cd..9f58367 100644
--- a/molecule/centos7/tests/test_default.py
+++ b/molecule/centos7/tests/test_default.py
@@ -10,11 +10,11 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 def test_certbot_is_installed(host):
- pkg = host.pip_package.get_packages(pip_path="pip3")
+ pkg = host.pip_package.get_packages(pip_path="/opt/python3/certbot/bin/pip")
 assert "certbot" in pkg
 def test_certbot_run(host):
- cmd = host.run("~/.local/bin/certbot --help")
+ cmd = host.run("/usr/local/bin/certbot --help")
 assert "Certbot can obtain and install HTTPS/TLS/SSL certificates." in cmd.stdout
 assert cmd.succeeded
diff --git a/tasks/install.yml b/tasks/install.yml
index 1bc24ee..1c2113b 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
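Review bot: `test_certbot_run` now exercises the root-deployed wrapper at `/usr/local/bin/certbot`, but nothing asserts that the wrapper and the venv bin directory it execs into are root-owned and not writable by the unprivileged `certbot_user` — that is the property that makes putting the wrapper on root's PATH and calling it from the role's cron job safe, and it is what the `Adjust file permissions` and `Deploy certbot bin wrappers` tasks in tasks/install.yml are meant to guarantee. The venv is created under `become_user: root`, so root ownership is expected; a regression in either task would currently pass this scenario. I would add ownership and mode checks using the testinfra `File` attributes `user`, `group` and `mode`.
```python
def test_certbot_wrapper_permissions(host):
    wrapper = host.file("/usr/local/bin/certbot")
    assert wrapper.is_file
    assert wrapper.user == "root"
    assert wrapper.group == "root"
    assert wrapper.mode == 0o755


def test_certbot_venv_not_group_world_writable(host):
    venv_bin = host.file("/opt/python3/certbot/bin")
    assert venv_bin.is_directory
    assert venv_bin.user == "root"
    assert venv_bin.mode & 0o022 == 0
```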
@@ -7,22 +7,57 @@
 when: not certbot_user == 'root'
 - block:
+ - name: Upgrade python dependencies
+ pip:
+ name: "{{ item }}"
+ virtualenv: /opt/python3/certbot
+ virtualenv_command: /usr/bin/python3 -m venv
+ extra_args: --upgrade
+ loop:
+ - pip
+ - setuptools
+
 - name: Install dependencies
 pip:
 name: "{{ item }}"
- extra_args: --user
- executable: "{{ certbot_pip }}"
- state: present
+ virtualenv: /opt/python3/certbot
+ virtualenv_command: /usr/bin/python3 -m venv
+ environment:
+ TMPDIR: /opt/python3/tmp
 loop: "{{ certbot_packages_extra }}"
- - name: Install certbot with pip
+ - name: Install certbot
 pip:
 name: "{{ item }}"
- extra_args: --user
- executable: "{{ certbot_pip }}"
- state: present
+ virtualenv: /opt/python3/certbot
+ virtualenv_command: /usr/bin/python3 -m venv
 loop: "{{ __certbot_packages }}"
+ - name: Adjust file permissions
+ file:
+ name: /opt/python3/certbot
+ recurse: True
+ mode: u+rwX,go+rX,go-w
+ state: directory
+
+ - name: Make certbot binaries executable
+ file:
+ name: "/opt/python3/certbot/bin/{{ item }}"
+ mode: 0755
+ loop: "{{ __certbot_binaries }}"
+
+ - name: Deploy certbot bin wrappers
+ template:
+ src: usr/local/bin/certbot-wrapper.j2
+ dest: "/usr/local/bin/{{ item }}"
+ owner: root
+ group: root
+ mode: 0755
+ loop: "{{ __certbot_binaries }}"
+ become: True
+ become_user: root
+
+- block:
 - name: Create certbot environment
 file:
 path: "{{ item.name }}"
diff --git a/templates/usr/local/bin/certbot-wrapper.j2 b/templates/usr/local/bin/certbot-wrapper.j2
new file mode 100644
index 0000000..14f7cf1
--- /dev/null
+++ b/templates/usr/local/bin/certbot-wrapper.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+set -eo pipefail
+
+exec /opt/python3/certbot/bin/{{ item }} "$@"
diff --git a/vars/main.yml b/vars/main.yml
index c17e360..23421bb 100644
--- a/vars/main.yml
+++ b/vars/main.yml
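Review bot: `environment: TMPDIR: /opt/python3/tmp` is set only on the "Install dependencies" task, while the "Upgrade python dependencies" and "Install certbot" pip tasks in the same block run with the default temp directory, and nothing in this hunk creates `/opt/python3/tmp`; if it is not created elsewhere in the role, pip fails on its temporary build directory for every host that sets `certbot_packages_extra` (the molecule scenario leaves it empty, so the test would not notice). If a private TMPDIR is intended (for instance because /tmp is mounted noexec), declare it once at block level next to `become`, create the directory first, and let all three pip tasks inherit it; otherwise drop the two lines. The first `- block:` starts inside this hunk, but the second `- block:` added at the end continues past it, so its `become`/`become_user` settings are not visible here.
```yaml
- block:
    - name: Create pip temp directory
      file:
        path: /opt/python3/tmp
        state: directory
        mode: "0700"
    # … unchanged: Upgrade python dependencies, Install dependencies (without its per-task environment:), Install certbot, Adjust file permissions, Make certbot binaries executable, Deploy certbot bin wrappers …
  environment:
    TMPDIR: /opt/python3/tmp
  become: True
  # … unchanged: become_user …
```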
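Review bot: `set -eo pipefail` on the second line of the new wrapper is not portable under `#!/usr/bin/env sh`: `pipefail` is a bash/ksh/zsh option that POSIX sh implementations such as dash (the default /bin/sh on Debian and Ubuntu) have historically rejected with `set: Illegal option -o pipefail`, so the wrapper exits before reaching `exec` and every certbot invocation, including the role's cron job, fails; the centos7 scenario passes only because its sh is bash. The script has no pipeline and `exec` never returns, so neither `-e` nor `pipefail` does anything here. I would drop the `set` line and use a fixed interpreter: `#!/bin/sh` followed by `exec /opt/python3/certbot/bin/{{ item }} "$@"`, which also avoids resolving the shell through PATH for a wrapper that runs from cron.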
@@ -1,10 +1,16 @@
 ---
 __certbot_packages:
- - certbot
+ - "certbot{{ '==' + certbot_version if certbot_version is defined else '' }}"
 __certbot_environment:
- - { name: "{{ certbot_work_dir }}", mode: "0755" }
- - { name: "{{ certbot_config_dir }}", mode: "0755" }
- - { name: "{{ certbot_log_dir }}", mode: "0700" }
+ - name: "{{ certbot_work_dir }}"
+ mode: "0755"
+ - name: "{{ certbot_config_dir }}"
+ mode: "0755"
+ - name: "{{ certbot_log_dir }}"
+ mode: "0700"
-__certbot_bin: "{{ '/root/.local/bin/certbot' if certbot_user == 'root' else '/home/' + certbot_user + '/.local/bin/certbot' }}"
+__certbot_binaries:
+ - certbot
+
+__certbot_bin: "/usr/local/bin/certbot"
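Review bot: The new `__certbot_packages` entry interpolates `certbot_version` verbatim into a pip requirement, so any value that is not a bare version string (an operator such as `>=1.14`, or a stray space) produces `certbot==>=1.14` and an opaque pip failure at install time instead of a clear role error. Since this is user-supplied role input that ends up on a pip command line, I would validate it early, e.g. an `assert` task with `that: certbot_version is not defined or certbot_version is match('^[0-9A-Za-z.]+$')` (a constructed pattern; widen it for any pre-release tags you want to allow), or at minimum document in defaults that only an exact version is accepted. Note also that the pin applies only to certbot itself; `certbot_packages_extra` and the `--upgrade` of pip/setuptools in tasks/install.yml still float, so setting `certbot_version` does not give a reproducible install.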