2020-04-19 21:29:27 +00:00
16 changed files with 233 additions and 75 deletions
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@ -111,6 +111,7 @@ local PipelineDocumentation = {
  },
  depends_on: [
    'testing-centos7',
    'testing-centos8',
  ],
 };
@ -149,6 +150,7 @@ local PipelineNotification = {
 [
  PipelineLinting,
  PipelineDeployment(scenario='centos7'),
  PipelineDeployment(scenario='centos8'),
  PipelineDocumentation,
  PipelineNotification,
 ]
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,17 +1,12 @@
 ---
 certbot_packages_extra: []
 certbot_user: root
 certbot_initial_run_enabled: False
 certbot_work_dir: /var/lib/letsencrypt
 certbot_config_dir: /etc/letsencrypt
 certbot_log_dir: /var/log/letsencrypt
 certbot_plugin_dir: /etc/letsencrypt/plugins
 certbot_environment:
  - { name: "{{ certbot_work_dir }}", mode: '0755' }
  - { name: "{{ certbot_config_dir }}", mode: '0755' }
  - { name: "{{ certbot_log_dir }}", mode: '0700' }
  - { name: "{{ certbot_plugin_dir }}",  mode: '0755' }
 certbot_user: root
 certbot_preferred_challenges: dns
 certbot_server: https://acme-v02.api.letsencrypt.org/directory
@ -20,30 +15,25 @@ certbot_rsa_key_size: 4096
 certbot_domains:
  - example.com
 # @var certbot_credentials:description: >
 # Specify key value parairs for your credentials (e.g. plugin credentials).
 # The credentials will be saved to `{{ certbot_config_dir }}/credentials.ini and you
 # could add the path to `certbot_command_arguments` if required.
 # @end
 certbot_credentials: []
 certbot_command_arguments:
  - "certonly"
-  - "--agree-tos"
+  - "-n -d {{ certbot_domains | join(',') }}"
  - "--manual"
  - "--manual-auth-hook /path/to/authenticator.py"
  - "--manual-cleanup-hook /path/to/cleanup.py"
  - "--manual-public-ip-logging-ok"
  - "-n"
  - "-d {{ certbot_domains | join(',') }}"
-# enable scheduling via cron
+# @var certbot_scheduler_enabled:description: Enable scheduling via cron.
 certbot_scheduler_enabled: True
-# Use a file under /etc/cron.d
+certbot_cron_minute: 30
-# Works onyl if certbot_user is root
+certbot_cron_hour: 3
 # certbot_cronfile: certbot-letsencrypt
-# Setup manual auth for core-networks api
+# @var certbot_cron_file:description: Use a file under /etc/cron.d but this will only work if `certbot_user`
-certbot_core_networks_plugin_enabled: False
+# has write permissions for this location.
-certbot_core_networks_plugin_repo: https://git.rknet.org/xoxys/certbot_dns_corenetworks.git
+# @end
-certbot_core_networks_base_dir: "{{ certbot_plugin_dir }}/certbot_dns_corenetworks"
+# @var certbot_cron_file: $ "_unset_"
-certbot_core_networks_plugin_version: master
+# @var certbot_cron_file:example: certbot-letsencrypt
 certbot_core_networks_api_host: https://beta.api.core-networks.de/
 certbot_core_networks_api_user: myuser
 certbot_core_networks_api_password: secure
 certbot_core_networks_dns_zone: mydomain.com
 certbot_core_networks_log_level: error
--- a/molecule/centos8/converge.yml
+++ b/molecule/centos8/converge.yml
@ -0,0 +1,9 @@
 ---
 - name: Converge
  hosts: all
  vars:
    certbot_packages_extra:
      - epel-release
  roles:
    - role: xoxys.certbot
--- a/molecule/centos8/create.yml
+++ b/molecule/centos8/create.yml
@ -0,0 +1,87 @@
 ---
 - name: Create
  hosts: localhost
  connection: local
  gather_facts: false
  no_log: "{{ molecule_no_log }}"
  vars:
    ssh_user: root
    ssh_port: 22
    keypair_name: molecule_key
    keypair_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
  tasks:
    - name: Create local keypair
      user:
        name: "{{ lookup('env', 'USER') }}"
        generate_ssh_key: true
        ssh_key_file: "{{ keypair_path }}"
      register: local_keypair
    - name: Create remote keypair
      digital_ocean_sshkey:
        name: "{{ keypair_name }}"
        ssh_pub_key: "{{ local_keypair.ssh_public_key }}"
        state: present
      register: remote_keypair
    - name: Create molecule instance(s)
      digital_ocean_droplet:
        name: "{{ item.name }}"
        unique_name: true
        region: "{{ item.region_id }}"
        image: "{{ item.image_id }}"
        size: "{{ item.size_id }}"
        ssh_keys: "{{ remote_keypair.data.ssh_key.id }}"
        wait: true
        wait_timeout: 300
        state: present
      register: server
      loop: "{{ molecule_yml.platforms }}"
      async: 7200
      poll: 0
    - name: Wait for instance(s) creation to complete
      async_status:
        jid: "{{ item.ansible_job_id }}"
      register: digitalocean_jobs
      until: digitalocean_jobs.finished
      retries: 300
      loop: "{{ server.results }}"
    # Mandatory configuration for Molecule to function.
    - name: Populate instance config dict
      set_fact:
        instance_conf_dict: {
          'instance': "{{ item.data.droplet.name }}",
          'address': "{{ item.data.ip_address }}",
          'user': "{{ ssh_user }}",
          'port': "{{ ssh_port }}",
          'identity_file': "{{ keypair_path }}",
          'droplet_id': "{{ item.data.droplet.id }}",
          'ssh_key_id': "{{ remote_keypair.data.ssh_key.id }}",
        }
      loop: "{{ digitalocean_jobs.results }}"
      register: instance_config_dict
      when: server.changed | bool
    - name: Convert instance config dict to a list
      set_fact:
        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
      when: server.changed | bool
    - name: Dump instance config
      copy:
        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"
        dest: "{{ molecule_instance_config }}"
      when: server.changed | bool
    - name: Wait for SSH
      wait_for:
        port: "{{ ssh_port }}"
        host: "{{ item.address }}"
        search_regex: SSH
        delay: 10
        timeout: 320
      loop: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"
--- a/molecule/centos8/default
+++ b/molecule/centos8/default
@ -0,0 +1 @@
 default
--- a/molecule/centos8/destroy.yml
+++ b/molecule/centos8/destroy.yml
@ -0,0 +1,54 @@
 ---
 - name: Destroy
  hosts: localhost
  connection: local
  gather_facts: false
  no_log: "{{ molecule_no_log }}"
  tasks:
    - block:
        - name: Populate instance config
          set_fact:
            instance_conf: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"
            skip_instances: false
      rescue:
        - name: Populate instance config when file missing
          set_fact:
            instance_conf: {}
            skip_instances: true
    - name: Destroy molecule instance(s)
      digital_ocean_droplet:
        name: "{{ item.instance }}"
        id: "{{ item.droplet_id }}"
        state: absent
      register: server
      loop: "{{ instance_conf | flatten(levels=1) }}"
      when: not skip_instances
      async: 7200
      poll: 0
    - name: Wait for instance(s) deletion to complete
      async_status:
        jid: "{{ item.ansible_job_id }}"
      register: digitalocean_jobs
      until: digitalocean_jobs.finished
      retries: 300
      loop: "{{ server.results }}"
    - name: Delete remote keypair
      digital_ocean_sshkey:
        fingerprint: "{{ item.ssh_key_id }}"
        state: absent
      loop: "{{ instance_conf | flatten(levels=1) }}"
    # Mandatory configuration for Molecule to function.
    - name: Populate instance config
      set_fact:
        instance_conf: {}
    - name: Dump instance config
      copy:
        content: "{{ instance_conf | molecule_to_yaml | molecule_header }}"
        dest: "{{ molecule_instance_config }}"
      when: server.changed | bool
--- a/molecule/centos8/molecule.yml
+++ b/molecule/centos8/molecule.yml
@ -0,0 +1,19 @@
 ---
 dependency:
  name: galaxy
 driver:
  name: delegated
 platforms:
  - name: centos7-certbot
    region_id: fra1
    image_id: centos-8-x64
    size_id: s-1vcpu-1gb
 lint: |
  flake8
 provisioner:
  name: ansible
  env:
    ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
    ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
 verifier:
  name: testinfra
--- a/molecule/centos8/prepare.yml
+++ b/molecule/centos8/prepare.yml
@ -0,0 +1,9 @@
 ---
 - name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: Install python for Ansible
      raw: test -e /usr/bin/python || (dnf -y install python3 && alternatives --set python /usr/bin/python3)
      become: true
      changed_when: false
--- a/molecule/centos8/tests/test_default.py
+++ b/molecule/centos8/tests/test_default.py
@ -0,0 +1,14 @@
 import os
 import testinfra.utils.ansible_runner
 import warnings
 warnings.filterwarnings("ignore", category=DeprecationWarning)
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
 def test_certbot_is_installed(host):
    certbot = host.package("certbot")
    assert certbot.is_installed
--- a/molecule/default
+++ b/molecule/default
@ -1 +1 @@
-centos7
+centos8
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -30,19 +30,26 @@
        src: config/cli.ini.j2
        dest: "{{ certbot_config_dir }}/cli.ini"
    - name: Deploy credentials file
      template:
        src: config/credentials.ini.j2
        dest: "{{ certbot_config_dir }}/credentials.ini"
      when: certbot_credentials
      mode: 600
    - name: Schedule certbot run
      cron:
-        name: certbot - letsencrypt certs renewal
+        name: Certbot automatic renewal
-        minute: "55"
+        minute: "{{ certbot_cron_minute }}"
-        hour: "3"
+        hour: "{{ certbot_cron_hour }}"
-        user: "{{ certbot_user }}"
+        user: "{{ certbot_cron_user | default(certbot_user) }}"
        job: >
          certbot
          --config-dir {{ certbot_config_dir }}
          --work-dir {{ certbot_work_dir }}
          --logs-dir {{ certbot_log_dir }}
          {{ certbot_command_arguments | join(' ') }}
-        cron_file: "{{ certbot_cronfile | default(omit) }}"
+        cron_file: "{{ certbot_cron_file | default(omit) }}"
      when: certbot_scheduler_enabled
  become: True
  become_user: "{{ certbot_user }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,7 +1,3 @@
 ---
 - include_tasks: install.yml
-
+- include_tasks: setup.yml
 - include_tasks: plugins.yml
  when: certbot_core_networks_plugin_enabled
 - include_tasks: init.yml
--- a/tasks/plugins.yml
+++ b/tasks/plugins.yml
@ -1,24 +0,0 @@
 ---
 - name: Setup core-networks dns plugin
  block:
    - name: Create plugin directories
      file:
        path: "{{ item }}"
        state: directory
      loop:
        - "{{ certbot_core_networks_base_dir }}"
        - ~/.certbot_dns_corenetworks
    - name: Clone repo to '{{ certbot_plugin_dir }}'
      git:
        repo: "{{ certbot_core_networks_plugin_repo }}"
        dest: "{{ certbot_core_networks_base_dir }}"
        version: "{{ certbot_core_networks_plugin_version }}"
    - name: Deploy plugin configuration
      template:
        src: corenetworks/config.ini.j2
        dest: "~/.certbot_dns_corenetworks/config.ini"
        mode: 0600
  become: True
  become_user: "{{ certbot_user }}"
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@ -7,6 +7,7 @@
        --config-dir {{ certbot_config_dir }}
        --work-dir {{ certbot_work_dir }}
        --logs-dir {{ certbot_log_dir }}
        --agree-tos
        {{ certbot_command_arguments | join(' ') }}
      register: certbot_init
      changed_when: certbot_init.rc == 130
--- a/templates/corenetworks/config.ini.j2
+++ b/templates/corenetworks/config.ini.j2
@ -1,12 +0,0 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
 [API]
 HOST        = {{ certbot_core_networks_api_host }}
 USER        = {{ certbot_core_networks_api_user }}
 PASSWORD    = {{ certbot_core_networks_api_password }}
 [DNS]
 ZONE        = {{ certbot_core_networks_dns_zone }}
 [LOG]
 LEVEL       = {{ certbot_core_networks_log_level }}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,3 +1,8 @@
 ---
 __certbot_packages:
  - certbot
 __certbot_environment:
  - { name: "{{ certbot_work_dir }}", mode: "0755" }
  - { name: "{{ certbot_config_dir }}", mode: "0755" }
  - { name: "{{ certbot_log_dir }}", mode: "0700" }