refactor role #1

Merged
xoxys merged 1 commits from refactoring into master 2020-04-19 21:29:27 +00:00
16 changed files with 233 additions and 75 deletions

View File

@ -111,6 +111,7 @@ local PipelineDocumentation = {
},
depends_on: [
'testing-centos7',
'testing-centos8',
],
};
@ -149,6 +150,7 @@ local PipelineNotification = {
[
PipelineLinting,
PipelineDeployment(scenario='centos7'),
PipelineDeployment(scenario='centos8'),
PipelineDocumentation,
PipelineNotification,
]

View File

@ -1,17 +1,12 @@
---
certbot_packages_extra: []
certbot_user: root
certbot_initial_run_enabled: False
certbot_work_dir: /var/lib/letsencrypt
certbot_config_dir: /etc/letsencrypt
certbot_log_dir: /var/log/letsencrypt
certbot_plugin_dir: /etc/letsencrypt/plugins
certbot_environment:
- { name: "{{ certbot_work_dir }}", mode: '0755' }
- { name: "{{ certbot_config_dir }}", mode: '0755' }
- { name: "{{ certbot_log_dir }}", mode: '0700' }
- { name: "{{ certbot_plugin_dir }}", mode: '0755' }
certbot_user: root
certbot_preferred_challenges: dns
certbot_server: https://acme-v02.api.letsencrypt.org/directory
@ -20,30 +15,25 @@ certbot_rsa_key_size: 4096
certbot_domains:
- example.com
# @var certbot_credentials:description: >
# Specify key value parairs for your credentials (e.g. plugin credentials).
# The credentials will be saved to `{{ certbot_config_dir }}/credentials.ini and you
# could add the path to `certbot_command_arguments` if required.
# @end
certbot_credentials: []
certbot_command_arguments:
- "certonly"
- "--agree-tos"
- "--manual"
- "--manual-auth-hook /path/to/authenticator.py"
- "--manual-cleanup-hook /path/to/cleanup.py"
- "--manual-public-ip-logging-ok"
- "-n"
- "-d {{ certbot_domains | join(',') }}"
- "-n -d {{ certbot_domains | join(',') }}"
# enable scheduling via cron
# @var certbot_scheduler_enabled:description: Enable scheduling via cron.
certbot_scheduler_enabled: True
# Use a file under /etc/cron.d
# Works onyl if certbot_user is root
# certbot_cronfile: certbot-letsencrypt
certbot_cron_minute: 30
certbot_cron_hour: 3
# Setup manual auth for core-networks api
certbot_core_networks_plugin_enabled: False
certbot_core_networks_plugin_repo: https://git.rknet.org/xoxys/certbot_dns_corenetworks.git
certbot_core_networks_base_dir: "{{ certbot_plugin_dir }}/certbot_dns_corenetworks"
certbot_core_networks_plugin_version: master
certbot_core_networks_api_host: https://beta.api.core-networks.de/
certbot_core_networks_api_user: myuser
certbot_core_networks_api_password: secure
certbot_core_networks_dns_zone: mydomain.com
certbot_core_networks_log_level: error
# @var certbot_cron_file:description: Use a file under /etc/cron.d but this will only work if `certbot_user`
# has write permissions for this location.
# @end
# @var certbot_cron_file: $ "_unset_"
# @var certbot_cron_file:example: certbot-letsencrypt

View File

@ -0,0 +1,9 @@
---
- name: Converge
hosts: all
vars:
certbot_packages_extra:
- epel-release
roles:
- role: xoxys.certbot

View File

@ -0,0 +1,87 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_user: root
ssh_port: 22
keypair_name: molecule_key
keypair_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create local keypair
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ keypair_path }}"
register: local_keypair
- name: Create remote keypair
digital_ocean_sshkey:
name: "{{ keypair_name }}"
ssh_pub_key: "{{ local_keypair.ssh_public_key }}"
state: present
register: remote_keypair
- name: Create molecule instance(s)
digital_ocean_droplet:
name: "{{ item.name }}"
unique_name: true
region: "{{ item.region_id }}"
image: "{{ item.image_id }}"
size: "{{ item.size_id }}"
ssh_keys: "{{ remote_keypair.data.ssh_key.id }}"
wait: true
wait_timeout: 300
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: digitalocean_jobs
until: digitalocean_jobs.finished
retries: 300
loop: "{{ server.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict: {
'instance': "{{ item.data.droplet.name }}",
'address': "{{ item.data.ip_address }}",
'user': "{{ ssh_user }}",
'port': "{{ ssh_port }}",
'identity_file': "{{ keypair_path }}",
'droplet_id': "{{ item.data.droplet.id }}",
'ssh_key_id': "{{ remote_keypair.data.ssh_key.id }}",
}
loop: "{{ digitalocean_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
timeout: 320
loop: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"

1
molecule/centos8/default Symbolic link
View File

@ -0,0 +1 @@
default

View File

@ -0,0 +1,54 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- block:
- name: Populate instance config
set_fact:
instance_conf: "{{ lookup('file', molecule_instance_config) | molecule_from_yaml }}"
skip_instances: false
rescue:
- name: Populate instance config when file missing
set_fact:
instance_conf: {}
skip_instances: true
- name: Destroy molecule instance(s)
digital_ocean_droplet:
name: "{{ item.instance }}"
id: "{{ item.droplet_id }}"
state: absent
register: server
loop: "{{ instance_conf | flatten(levels=1) }}"
when: not skip_instances
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: digitalocean_jobs
until: digitalocean_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Delete remote keypair
digital_ocean_sshkey:
fingerprint: "{{ item.ssh_key_id }}"
state: absent
loop: "{{ instance_conf | flatten(levels=1) }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: "{{ instance_conf | molecule_to_yaml | molecule_header }}"
dest: "{{ molecule_instance_config }}"
when: server.changed | bool

View File

@ -0,0 +1,19 @@
---
dependency:
name: galaxy
driver:
name: delegated
platforms:
- name: centos7-certbot
region_id: fra1
image_id: centos-8-x64
size_id: s-1vcpu-1gb
lint: |
flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
verifier:
name: testinfra

View File

@ -0,0 +1,9 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Install python for Ansible
raw: test -e /usr/bin/python || (dnf -y install python3 && alternatives --set python /usr/bin/python3)
become: true
changed_when: false

View File

@ -0,0 +1,14 @@
import os
import testinfra.utils.ansible_runner
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_certbot_is_installed(host):
certbot = host.package("certbot")
assert certbot.is_installed

View File

@ -1 +1 @@
centos7
centos8

View File

@ -30,19 +30,26 @@
src: config/cli.ini.j2
dest: "{{ certbot_config_dir }}/cli.ini"
- name: Deploy credentials file
template:
src: config/credentials.ini.j2
dest: "{{ certbot_config_dir }}/credentials.ini"
when: certbot_credentials
mode: 600
- name: Schedule certbot run
cron:
name: certbot - letsencrypt certs renewal
minute: "55"
hour: "3"
user: "{{ certbot_user }}"
name: Certbot automatic renewal
minute: "{{ certbot_cron_minute }}"
hour: "{{ certbot_cron_hour }}"
user: "{{ certbot_cron_user | default(certbot_user) }}"
job: >
certbot
--config-dir {{ certbot_config_dir }}
--work-dir {{ certbot_work_dir }}
--logs-dir {{ certbot_log_dir }}
{{ certbot_command_arguments | join(' ') }}
cron_file: "{{ certbot_cronfile | default(omit) }}"
cron_file: "{{ certbot_cron_file | default(omit) }}"
when: certbot_scheduler_enabled
become: True
become_user: "{{ certbot_user }}"

View File

@ -1,7 +1,3 @@
---
- include_tasks: install.yml
- include_tasks: plugins.yml
when: certbot_core_networks_plugin_enabled
- include_tasks: init.yml
- include_tasks: setup.yml

View File

@ -1,24 +0,0 @@
---
- name: Setup core-networks dns plugin
block:
- name: Create plugin directories
file:
path: "{{ item }}"
state: directory
loop:
- "{{ certbot_core_networks_base_dir }}"
- ~/.certbot_dns_corenetworks
- name: Clone repo to '{{ certbot_plugin_dir }}'
git:
repo: "{{ certbot_core_networks_plugin_repo }}"
dest: "{{ certbot_core_networks_base_dir }}"
version: "{{ certbot_core_networks_plugin_version }}"
- name: Deploy plugin configuration
template:
src: corenetworks/config.ini.j2
dest: "~/.certbot_dns_corenetworks/config.ini"
mode: 0600
become: True
become_user: "{{ certbot_user }}"

View File

@ -7,6 +7,7 @@
--config-dir {{ certbot_config_dir }}
--work-dir {{ certbot_work_dir }}
--logs-dir {{ certbot_log_dir }}
--agree-tos
{{ certbot_command_arguments | join(' ') }}
register: certbot_init
changed_when: certbot_init.rc == 130

View File

@ -1,12 +0,0 @@
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
[API]
HOST = {{ certbot_core_networks_api_host }}
USER = {{ certbot_core_networks_api_user }}
PASSWORD = {{ certbot_core_networks_api_password }}
[DNS]
ZONE = {{ certbot_core_networks_dns_zone }}
[LOG]
LEVEL = {{ certbot_core_networks_log_level }}

View File

@ -1,3 +1,8 @@
---
__certbot_packages:
- certbot
__certbot_environment:
- { name: "{{ certbot_work_dir }}", mode: "0755" }
- { name: "{{ certbot_config_dir }}", mode: "0755" }
- { name: "{{ certbot_log_dir }}", mode: "0700" }