From 35ceee9f1b5ff2e71d6f90db61ef10b0a980e54c Mon Sep 17 00:00:00 2001
From: exploide
Date: Thu, 23 Feb 2017 20:00:42 +0100
Subject: [PATCH 1/6] restructured tasks such that subtask files are included this is a preparation for installing certbot from package management additionally, it might be useful when further tasks are added, e.g. for initial certificate retrieval
---
tasks/install-from-git.yml | 13 +++++++++++++
tasks/main.yml | 21 ++-------------------
tasks/renew-cron.yml | 8 ++++++++
3 files changed, 23 insertions(+), 19 deletions(-)
create mode 100644 tasks/install-from-git.yml
create mode 100644 tasks/renew-cron.yml
diff --git a/tasks/install-from-git.yml b/tasks/install-from-git.yml
new file mode 100644
index 0000000..24a3544
--- /dev/null
+++ b/tasks/install-from-git.yml
@@ -0,0 +1,13 @@
+---
+- name: Clone Certbot into configured directory.
+ git:
+ repo: "{{ certbot_repo }}"
+ dest: "{{ certbot_dir }}"
+ version: "{{ certbot_version }}"
+ update: "{{ certbot_keep_updated }}"
+ force: yes
+
+- name: Ensure certbot-auto is executable.
+ file:
+ path: "{{ certbot_dir }}/certbot-auto"
+ mode: 0755
diff --git a/tasks/main.yml b/tasks/main.yml
index 5e17fb6..27aab86 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,22 +1,5 @@
 ---
-- name: Clone Certbot into configured directory.
- git:
- repo: "{{ certbot_repo }}"
- dest: "{{ certbot_dir }}"
- version: "{{ certbot_version }}"
- update: "{{ certbot_keep_updated }}"
- force: yes
+- include: install-from-git.yml
-- name: Ensure certbot-auto is executable.
- file:
- path: "{{ certbot_dir }}/certbot-auto"
- mode: 0755
-
-- name: Add cron job for 'certbot-auto renew' (if configured).
- cron:
- name: Certbot automatic renewal.
- job: "{{ certbot_dir }}/certbot-auto renew --quiet --no-self-upgrade"
- minute: "{{ certbot_auto_renew_minute }}"
- hour: "{{ certbot_auto_renew_hour }}"
- user: "{{ certbot_auto_renew_user }}"
+- include: renew-cron.yml
 when: certbot_auto_renew
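Review bot: `mode: 0755` in the new tasks/install-from-git.yml is an unquoted leading-zero literal that only does the right thing because Ansible's YAML 1.1 loader reads it as octal 493; a YAML 1.2 parser, or a later edit to `755`, would silently apply a different mode, so write it as `mode: "0755"`. In the same file `force: yes` leans on the same 1.1 truthy rule and is clearer as `force: true`. Since the `certbot-auto` from this checkout is what the renewal cron job in tasks/renew-cron.yml later executes, a comment above the git task would also help readers: `# certbot_version defaults to a branch head (master); pin a release tag for a reproducible certbot-auto.`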
diff --git a/tasks/renew-cron.yml b/tasks/renew-cron.yml
new file mode 100644
index 0000000..62ba3bd
--- /dev/null
+++ b/tasks/renew-cron.yml
@@ -0,0 +1,8 @@
+---
+- name: Add cron job for 'certbot-auto renew' (if configured).
+ cron:
+ name: Certbot automatic renewal.
+ job: "{{ certbot_dir }}/certbot-auto renew --quiet --no-self-upgrade"
+ minute: "{{ certbot_auto_renew_minute }}"
+ hour: "{{ certbot_auto_renew_hour }}"
+ user: "{{ certbot_auto_renew_user }}"
From f3a260e94e9d48d269e15b821255244110424a86 Mon Sep 17 00:00:00 2001
From: exploide
Date: Fri, 24 Feb 2017 10:10:20 +0100
Subject: [PATCH 2/6] added possibility to install certbot from package management - introduces a variable certbot_from_git - adds install from package tasks - makes a variable called certbot_script available (to handle certbot vs certbot-auto naming) - fixes #18
---
defaults/main.yml | 3 ++-
tasks/install-from-git.yml | 6 +++++-
tasks/install-from-package.yml | 7 +++++++
tasks/main.yml | 4 ++++
tasks/renew-cron.yml | 4 ++--
5 files changed, 20 insertions(+), 4 deletions(-)
create mode 100644 tasks/install-from-package.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 793362c..53be380 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,10 +1,11 @@
 ---
 # Where to get Certbot.
+certbot_from_git: no
 certbot_repo: https://github.com/certbot/certbot.git
 certbot_version: master
 certbot_keep_updated: yes
-# Where to put Certbot.
+# Where to put Certbot when cloning from Git.
 certbot_dir: /opt/certbot
 # How to keep Certbot certs up to date.
diff --git a/tasks/install-from-git.yml b/tasks/install-from-git.yml
index 24a3544..8ff2040 100644
--- a/tasks/install-from-git.yml
+++ b/tasks/install-from-git.yml
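Review bot: The cron entry in the new tasks/renew-cron.yml runs `{{ certbot_dir }}/certbot-auto renew` as `certbot_auto_renew_user`, which the README in this series defaults to `ansible_user`; if I remember correctly certbot-auto re-executes itself through sudo when it is not root, and a cron job has no terminal to answer a password prompt, so with the documented non-root default the renewal may never succeed unless that account has passwordless sudo — worth confirming on a real host and recording above the task, e.g. `# certbot-auto escalates via sudo; the renewal user needs root or passwordless sudo.`. Keeping `--no-self-upgrade` is right and deserves its own comment, since it is what stops the unattended job from fetching new code on its own: `# --no-self-upgrade: never let the cron job update certbot-auto unattended.`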
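Review bot: `certbot_from_git: no` in defaults/main.yml is a YAML 1.1 truthy word; the README already writes `certbot_auto_renew: true`, so `certbot_from_git: false` keeps the role's booleans consistent and unambiguous under a YAML 1.2 parser. The new variable also changes what the surrounding `# Where to get Certbot.` block means: `certbot_repo`, `certbot_version` and `certbot_keep_updated` are only consulted on the Git path now, which the comment should say, e.g. `# Where to get Certbot. The repo/version/update settings only apply when certbot_from_git is true.`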
@@ -7,7 +7,11 @@
 update: "{{ certbot_keep_updated }}"
 force: yes
+- name: Set Certbot script variable
+ set_fact:
+ certbot_script: "{{ certbot_dir }}/certbot-auto"
+
 - name: Ensure certbot-auto is executable.
 file:
- path: "{{ certbot_dir }}/certbot-auto"
+ path: "{{ certbot_script }}"
 mode: 0755
diff --git a/tasks/install-from-package.yml b/tasks/install-from-package.yml
new file mode 100644
index 0000000..20f4a2f
--- /dev/null
+++ b/tasks/install-from-package.yml
@@ -0,0 +1,7 @@
+---
+- name: Install Certbot
+ package: name=certbot state=present
+
+- name: Set Certbot script variable
+ set_fact:
+ certbot_script: certbot
diff --git a/tasks/main.yml b/tasks/main.yml
index 27aab86..0f1ac91 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,9 @@
 ---
+- include: install-from-package.yml
+ when: not certbot_from_git
+
 - include: install-from-git.yml
+ when: certbot_from_git
 - include: renew-cron.yml
 when: certbot_auto_renew
diff --git a/tasks/renew-cron.yml b/tasks/renew-cron.yml
index 62ba3bd..7678a7c 100644
--- a/tasks/renew-cron.yml
+++ b/tasks/renew-cron.yml
@@ -1,8 +1,8 @@
 ---
-- name: Add cron job for 'certbot-auto renew' (if configured).
+- name: Add cron job for certbot renewal (if configured).
 cron:
 name: Certbot automatic renewal.
- job: "{{ certbot_dir }}/certbot-auto renew --quiet --no-self-upgrade"
+ job: "{{ certbot_script }} renew --quiet --no-self-upgrade"
 minute: "{{ certbot_auto_renew_minute }}"
 hour: "{{ certbot_auto_renew_hour }}"
 user: "{{ certbot_auto_renew_user }}"
From b82eeeed799ecbb34215d43adc9b5fcc50fca453 Mon Sep 17 00:00:00 2001
From: exploide
Date: Fri, 24 Feb 2017 10:16:07 +0100
Subject: [PATCH 3/6] adapted README to cover install from package possibility
---
README.md | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 101c6f3..bfd0353 100644
--- a/README.md
+++ b/README.md
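Review bot: The new task name `Set Certbot script variable` drops the trailing period that every other task name in this file and in tasks/renew-cron.yml carries (`Ensure certbot-auto is executable.`), and the same name recurs in the new tasks/install-from-package.yml alongside `Install Certbot`. Writing them as `- name: Set Certbot script variable.` and `- name: Install Certbot.` keeps play output uniform. The task list this hunk belongs to starts above the hunk.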
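Review bot: `package: name=certbot state=present` in the new tasks/install-from-package.yml uses the legacy key=value argument string while every other task in the role passes module arguments as a YAML mapping; the native form is `package:` / `name: certbot` / `state: present` on three indented lines. If I remember correctly the `certbot` package for RHEL/CentOS comes from EPEL rather than the base repositories, so on those hosts this task fails unless EPEL is already enabled — worth confirming and stating either in the README or in a comment above the task, e.g. `# Assumes the distribution's repositories provide a certbot package (EL hosts need EPEL).`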
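Review bot: `job: "{{ certbot_script }} renew --quiet --no-self-upgrade"` now depends on a fact set by whichever install file ran earlier in the same play, and `certbot_script` has no entry in defaults/main.yml, so a run that skips the install tasks (tags, `--start-at-task`, or a play that only includes renew-cron.yml) fails on an undefined variable. A default such as `certbot_script: "{{ certbot_dir }}/certbot-auto"` in defaults/main.yml keeps the task usable, and `set_fact` still takes precedence over role defaults when the install tasks do run. I am also assuming the packaged `certbot` accepts `--no-self-upgrade`, which was a certbot-auto option; confirm on a package-installed host before relying on the cron job there.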
@@ -6,26 +6,27 @@ Installs Certbot (for Let's Encrypt) for RHEL/CentOS or Debian/Ubuntu.
 ## Requirements
-Certbot requires Git to be installed. You can install Git using the `geerlingguy.git` role.
+Certbot requires Git to be installed if one wants to install Certbot from Git repository instead of package management. You can install Git using the `geerlingguy.git` role.
 ## Role Variables
+ certbot_from_git: no
 certbot_repo: https://github.com/certbot/certbot.git
 certbot_version: master
 certbot_keep_updated: yes
-Certbot code repository options. This role clones the agent from the configured repo, then makes the `certbot-auto` script executable.
+Certbot Git repository options. This role clones the agent from the configured repo, then makes the `certbot-auto` script executable if `certbot_from_git` is `yes`. Otherwise it will be installed from distribution's package management.
 certbot_dir: /opt/certbot
-The directory inside which Certbot will be cloned.
+The directory inside which Certbot will be cloned when using Git.
 certbot_auto_renew: true
 certbot_auto_renew_user: "{{ ansible_user }}"
 certbot_auto_renew_hour: 3
 certbot_auto_renew_minute: 30
-By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot-auto renew` via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
+By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
 ## Dependencies
@@ -34,20 +35,20 @@ None.
 ## Example Playbook
 - hosts: servers
-
+
 vars:
 certbot_auto_renew_user: your_username_here
 certbot_auto_renew_minute: 20
 certbot_auto_renew_hour: 5
-
+
 roles:
 - geerlingguy.certbot
-After installation, you can create certificates using the `certbot-auto` script, which by default is installed inside the configured `certbot_dir`, so by default, `/opt/certbot/certbot-auto`. Here are some example commands to configure certificates with Certbot:
+After installation, you can create certificates using the `certbot` (or `certbot-auto`) script, which by default is installed inside the configured `certbot_dir` (when using Git). Here are some example commands to configure certificates with Certbot:
 # Automatically add certs for all Apache virtualhosts (use with caution!).
 /opt/certbot/certbot-auto --apache
-
+
 # Generate certs, but don't modify Apache configuration (safer).
 /opt/certbot/certbot-auto --apache certonly
From 33724b0a9361e4e75d20eb0e6b3fd4e39eb9d1ad Mon Sep 17 00:00:00 2001
From: exploide
Date: Fri, 24 Feb 2017 10:19:01 +0100
Subject: [PATCH 4/6] this role is also compatible with Fedora - mention Fedora in meta - adapt description of role because this role should work on most distributions, not only EL and Debian/Ubuntu
---
README.md | 2 +-
meta/main.yml | 9 ++++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index bfd0353..ba8cf6a 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![Build Status](https://travis-ci.org/geerlingguy/ansible-role-certbot.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-certbot)
-Installs Certbot (for Let's Encrypt) for RHEL/CentOS or Debian/Ubuntu.
+Installs and configures Certbot (for Let's Encrypt).
 ## Requirements
diff --git a/meta/main.yml b/meta/main.yml
index 2a9422b..ee4dc79 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -3,7 +3,7 @@ dependencies: []
 galaxy_info:
 author: geerlingguy
- description: "Certbot (for Let's Encrypt) for RHEL/CentOS and Debian/Ubuntu."
+ description: "Installs and configures Certbot (for Let's Encrypt)."
 company: "Midwestern Mac, LLC"
 license: "license (BSD, MIT)"
 min_ansible_version: 1.8
@@ -12,12 +12,15 @@ galaxy_info:
 versions:
 - 6
 - 7
+ - name: Fedora
+ versions:
+ - all
 - name: Ubuntu
 versions: - - all - name: Debian versions: - - all galaxy_tags: - networking - system
From 314ea208c2c31a3bd44e7b4e052812d2222f0159 Mon Sep 17 00:00:00 2001
From: Peter Janes
Date: Fri, 17 Mar 2017 21:21:32 -0400
Subject: [PATCH 5/6] Only apply package install config when on Fedora or RedHat
---
tasks/main.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 0f1ac91..193f9e4 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,9 +1,9 @@
 ---
 - include: install-from-package.yml
- when: not certbot_from_git
+ when: not certbot_from_git and (ansible_distribution == 'Fedora' or ansible_distribution == 'RedHat')
 - include: install-from-git.yml
- when: certbot_from_git
+ when: certbot_from_git or (ansible_distribution == 'Ubuntu')
 - include: renew-cron.yml
 when: certbot_auto_renew
From 5f54b5d397863c41ea4c329988fb317ac830f95b Mon Sep 17 00:00:00 2001
From: Peter Janes
Date: Fri, 17 Mar 2017 21:24:02 -0400
Subject: [PATCH 6/6] Explicitly install from git if not on Fedora or RedHat
---
tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 193f9e4..d68f47b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
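Review bot: `ansible_distribution == 'RedHat'` in the new `when:` on the install-from-package include matches RHEL proper only; CentOS reports `ansible_distribution` as `CentOS`, so the RHEL/CentOS hosts the README in this series describes as supported no longer reach tasks/install-from-package.yml while `certbot_from_git` is `no`, and silently take the Git path instead. If the whole Red Hat family is meant, `when: not certbot_from_git and ansible_os_family == 'RedHat'` covers RHEL, CentOS and Fedora in one test; if CentOS is excluded on purpose (for instance because its certbot package is not in the base repositories), a comment above the include should say so. The same `ansible_distribution` comparison is repeated in the next commit's hunk on tasks/main.yml.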
@@ -3,7 +3,7 @@
 when: not certbot_from_git and (ansible_distribution == 'Fedora' or ansible_distribution == 'RedHat')
 - include: install-from-git.yml
- when: certbot_from_git or (ansible_distribution == 'Ubuntu')
+ when: certbot_from_git or (ansible_distribution != 'Fedora' and ansible_distribution != 'RedHat')
 - include: renew-cron.yml
 when: certbot_auto_renew
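Review bot: With this `when:` in place, `certbot_from_git: no` only means "install from the package manager" on Fedora and RHEL, yet the defaults comment and README text added earlier in this series still describe it as the general switch, so the documentation now contradicts the behaviour; add a note next to `certbot_from_git` in defaults/main.yml such as `# Only honoured on Fedora/RHEL; every other distribution installs from Git regardless.` and mirror it in the README. The two `when:` lines are also hand-maintained complements of each other, which the previous commit already got wrong once; `when: certbot_from_git or ansible_distribution not in ['Fedora', 'RedHat']` here and `ansible_distribution in ['Fedora', 'RedHat']` on the package include keep the distribution list in one readable form. The first `when:` shown is the tail of the install-from-package include, which starts above the hunk.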