use venv to install certbot

2021-04-17 12:20:07 +02:00 · 2021-04-17 12:20:07 +02:00 · d4e0a92b9d
commit d4e0a92b9d
parent 8acf3bd72c
6 changed files with 67 additions and 23 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,9 +1,11 @@
 ---
+# @var certbot_version:description: Set a fix version of the certbot package to install.
+# @var certbot_version: $ "_unset_"
+
 # @var certbot_packages_extra:description: Extra packages to install with pip (e.g. DNS plugins).
 certbot_packages_extra: []

 certbot_user: root
-certbot_pip: "pip{{ ansible_python.version.major }}"

 certbot_work_dir: /var/lib/letsencrypt
 certbot_config_dir: /etc/letsencrypt
@ -34,11 +36,11 @@ certbot_command_arguments:
 # @var certbot_cron_enabled:description: Enable scheduling via cron.
 certbot_cron_enabled: True

-certbot_cron_minute: "30"
-certbot_cron_hour: "3"
-
-# @var certbot_cron_file:description: Use a file under /etc/cron.d but this will only work if `certbot_user`
-# has write permissions for this location.
+# @var certbot_cron_file:description: >
+# Use a file under /etc/cron.d but this will only work if `certbot_user` has write permissions for this location.
 # @end
 # @var certbot_cron_file: $ "_unset_"
 # @var certbot_cron_file:example: certbot-letsencrypt
+
+certbot_cron_minute: "30"
+certbot_cron_hour: "3"
--- a/molecule/centos7/converge.yml
+++ b/molecule/centos7/converge.yml
@ -1,9 +1,6 @@
 ---
 - name: Converge
  hosts: all
-  vars:
-    certbot_pip: pip3
-
  roles:
    - role: xoxys.python3
    - role: xoxys.certbot
--- a/molecule/centos7/tests/test_default.py
+++ b/molecule/centos7/tests/test_default.py
@ -10,11 +10,11 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(


 def test_certbot_is_installed(host):
-    pkg = host.pip_package.get_packages(pip_path="pip3")
+    pkg = host.pip_package.get_packages(pip_path="/opt/python3/certbot/bin/pip")
    assert "certbot" in pkg


 def test_certbot_run(host):
-    cmd = host.run("~/.local/bin/certbot --help")
+    cmd = host.run("/usr/local/bin/certbot --help")
    assert "Certbot can obtain and install HTTPS/TLS/SSL certificates." in cmd.stdout
    assert cmd.succeeded
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -7,22 +7,57 @@
  when: not certbot_user == 'root'

 - block:
+    - name: Upgrade python dependencies
+      pip:
+        name: "{{ item }}"
+        virtualenv: /opt/python3/certbot
+        virtualenv_command: /usr/bin/python3 -m venv
+        extra_args: --upgrade
+      loop:
+        - pip
+        - setuptools
+
    - name: Install dependencies
      pip:
        name: "{{ item }}"
-        extra_args: --user
-        executable: "{{ certbot_pip }}"
-        state: present
+        virtualenv: /opt/python3/certbot
+        virtualenv_command: /usr/bin/python3 -m venv
+      environment:
+        TMPDIR: /opt/python3/tmp
      loop: "{{ certbot_packages_extra }}"

-    - name: Install certbot with pip
+    - name: Install certbot
      pip:
        name: "{{ item }}"
-        extra_args: --user
-        executable: "{{ certbot_pip }}"
-        state: present
+        virtualenv: /opt/python3/certbot
+        virtualenv_command: /usr/bin/python3 -m venv
      loop: "{{ __certbot_packages }}"

+    - name: Adjust file permissions
+      file:
+        name: /opt/python3/certbot
+        recurse: True
+        mode: u+rwX,go+rX,go-w
+        state: directory
+
+    - name: Make certbot binaries executable
+      file:
+        name: "/opt/python3/certbot/bin/{{ item }}"
+        mode: 0755
+      loop: "{{ __certbot_binaries }}"
+
+    - name: Deploy certbot bin wrappers
+      template:
+        src: usr/local/bin/certbot-wrapper.j2
+        dest: "/usr/local/bin/{{ item }}"
+        owner: root
+        group: root
+        mode: 0755
+      loop: "{{ __certbot_binaries }}"
+  become: True
+  become_user: root
+
+- block:
    - name: Create certbot environment
      file:
        path: "{{ item.name }}"
--- a/templates/usr/local/bin/certbot-wrapper.j2
+++ b/templates/usr/local/bin/certbot-wrapper.j2
@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+set -eo pipefail
+
+exec /opt/python3/certbot/bin/{{ item }} "$@"
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,10 +1,16 @@
 ---
 __certbot_packages:
-  - certbot
+  - "certbot{{ '==' + certbot_version if certbot_version is defined else '' }}"

 __certbot_environment:
-  - { name: "{{ certbot_work_dir }}", mode: "0755" }
-  - { name: "{{ certbot_config_dir }}", mode: "0755" }
-  - { name: "{{ certbot_log_dir }}", mode: "0700" }
+  - name: "{{ certbot_work_dir }}"
+    mode: "0755"
+  - name: "{{ certbot_config_dir }}"
+    mode: "0755"
+  - name: "{{ certbot_log_dir }}"
+    mode: "0700"

-__certbot_bin: "{{ '/root/.local/bin/certbot' if certbot_user == 'root' else '/home/' + certbot_user + '/.local/bin/certbot' }}"
+__certbot_binaries:
+  - certbot
+
+__certbot_bin: "/usr/local/bin/certbot"