updated to include more OSs and pip install

2025-04-19 17:01:37 +02:00 · 2020-04-27 13:27:59 -07:00 · 2020-04-27 13:27:59 -07:00 · 7203b84e63
commit 7203b84e63
parent 09c8986636
15 changed files with 230 additions and 36 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -7,12 +7,26 @@ env:
    - ROLE_NAME: certbot
  matrix:
    - MOLECULE_DISTRO: centos8
+    - MOLECULE_DISTRO: centos8
+      MOLECULE_PLAYBOOK: playbook-plugin-install.yml
+    - MOLECULE_DISTRO: centos8
+      MOLECULE_PLAYBOOK: playbook-pip-install.yml
    - MOLECULE_DISTRO: centos7
+    - MOLECULE_DISTRO: centos7
+      MOLECULE_PLAYBOOK: playbook-plugin-install.yml
+    - MOLECULE_DISTRO: centos7
+      MOLECULE_PLAYBOOK: playbook-pip-install.yml
    - MOLECULE_DISTRO: centos6
      MOLECULE_PLAYBOOK: playbook-source-install.yml
    - MOLECULE_DISTRO: ubuntu1804
+    - MOLECULE_DISTRO: ubuntu1804
+      MOLECULE_PLAYBOOK: playbook-ppa-install.yml
+    - MOLECULE_DISTRO: ubuntu1804
+      MOLECULE_PLAYBOOK: playbook-pip-install.yml
    - MOLECULE_DISTRO: ubuntu1604
    - MOLECULE_DISTRO: debian10
+    - MOLECULE_DISTRO: debian9
+

 install:
  # Install test dependencies.
--- a/README.md
+++ b/README.md
@ -22,6 +22,12 @@ The variable `certbot_install_from_source` controls whether to install Certbot f

 By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.

+`certbot_pkg_mgr`: (string) (default: `ansible_pkg_mgr`) (options: `apt`, `dnf`, `pip`, `yum`) this allows configuring the type of package install
+`certbot_use_ppa`: (boolean) (Ubuntu Only) (optional) this var defaults to `no/false`, and if set to `yes/true` also installs the ppa:certbot/certbot for latest packages
+`certbot_plugins`: (list) (optional) `apache`, `dns-cloudflare`, `digitalocean`, `dns-dnsimple`, `dns-rfc2136`, `dns-route53`, `nginx` Specified as a list allows installation of certbot plugins
+`certbot_python`: (string) (optional) `python3`, `python2` Used when installing plugins via `apt`, `dnf`, `yum`, the repositories have differences depending on release and we handle this by default
+`certbot_pip_executable`: (string) (optional) `pip` or `pip3` used when specifying `pip` install. If using `geerlingguy.pip` this should match `pip_executable` role param
+
 ### Automatic Certificate Generation

 Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
@ -62,7 +68,7 @@ These services will only be stopped the first time a new cert is generated.

 ### Source Installation from Git

-You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
+You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS &lt; 7, Ubuntu &lt; 16.10 and Debian &lt; 8).

    certbot_install_from_source: false
    certbot_repo: https://github.com/certbot/certbot.git
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -36,3 +36,8 @@ certbot_keep_updated: true

 # Where to put Certbot when installing from source.
 certbot_dir: /opt/certbot
+
+certbot_pkg_mgr: "{{ ansible_pkg_mgr }}"
+certbot_pip_version: 1.3.0
+certbot_pip_executable: pip
+certbot_use_ppa: false
--- a/molecule/default/playbook-pip-install.yml
+++ b/molecule/default/playbook-pip-install.yml
@ -0,0 +1,31 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+
+  vars:
+    certbot_auto_renew_user: root
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=yes cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+      changed_when: false
+
+    - name: Install dependencies (RedHat).
+      yum: name={{ item }} state=present
+      with_items:
+        - cronie
+        - epel-release
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install cron (Debian).
+      apt: name=cron state=present
+      when: ansible_os_family == 'Debian'
+
+  roles:
+    - role: geerlingguy.pip
+    - role: geerlingguy.certbot
+      certbot_install_from_source: false
+      certbot_pkg_mgr: pip
+      certbot_plugins: ['dns-route53']
--- a/molecule/default/playbook-plugin-install.yml
+++ b/molecule/default/playbook-plugin-install.yml
@ -0,0 +1,32 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+
+  vars:
+    certbot_auto_renew_user: root
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=yes cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+      changed_when: false
+
+    - name: Install dependencies (RedHat).
+      yum: name={{ item }} state=present
+      with_items:
+        - cronie
+        - epel-release
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install cron (Debian).
+      apt: name={{ item }} state=present
+      when: ansible_os_family == 'Debian'
+      with_items:
+        - cron
+        - gnupg
+
+  roles:
+    - role: geerlingguy.certbot
+      certbot_plugins:
+        - nginx
--- a/molecule/default/playbook-ppa-install.yml
+++ b/molecule/default/playbook-ppa-install.yml
@ -0,0 +1,33 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+
+  vars:
+    certbot_auto_renew_user: root
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt: update_cache=yes cache_valid_time=600
+      when: ansible_os_family == 'Debian'
+      changed_when: false
+
+    - name: Install dependencies (RedHat).
+      yum: name={{ item }} state=present
+      with_items:
+        - cronie
+        - epel-release
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install cron (Debian).
+      apt: name={{ item }} state=present
+      when: ansible_os_family == 'Debian'
+      with_items:
+        - cron
+        - gnupg
+
+  roles:
+    - role: geerlingguy.certbot
+      certbot_use_ppa: true
+      certbot_plugins:
+        - nginx
--- a/molecule/default/playbook-standalone-nginx-aws.yml
+++ b/molecule/default/playbook-standalone-nginx-aws.yml
@ -115,10 +115,10 @@

    - name: Install dependencies (RedHat).
      yum: name={{ item }} state=present
-      when: ansible_os_family == 'RedHat'
      with_items:
        - cronie
        - epel-release
+      when: ansible_os_family == 'RedHat'

    - name: Install cron (Debian).
      apt: name=cron state=present
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@ -1,3 +1,4 @@
 ---
 - src: geerlingguy.git
 - src: geerlingguy.nginx
+- src: geerlingguy.pip
--- a/tasks/apt/install.yml
+++ b/tasks/apt/install.yml
@ -0,0 +1,25 @@
+---
+- name: Requirement for Debian 9 support
+  block:
+    - name: certbot | Debian | Install the Debian Backports repository
+      apt_repository:
+        repo: deb http://ftp.debian.org/debian stretch-backports main
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_major_version == '9'
+
+- block:
+    - name: Install the Ubuntu certbot/certbot PPA Apt Key
+      apt_key:
+        keyserver: keyserver.ubuntu.com
+        id: 7BF576066ADA65728FC7E70A8C47BE8E75BCA694
+    - name: Install the Ubuntu certbot/certbot PPA
+      apt_repository:
+        repo: ppa:certbot/certbot
+        codename: "{{ ansible_distribution_release }}"
+    - name: Set the package certbot_python to python3 (ppa uses python3)
+      set_fact:
+        certbot_python: python3
+  when:
+    - ansible_distribution == 'Ubuntu'
+    - certbot_use_ppa
--- a/tasks/dnf/install.yml
+++ b/tasks/dnf/install.yml
@ -0,0 +1,21 @@
+---
+# See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
+- block:
+    - name: Ensure dnf-plugins are installed on CentOS 8+.
+      yum:
+        name: dnf-plugins-core
+        state: present
+
+    - name: Enable DNF module for CentOS 8+.
+      shell: |
+        dnf config-manager --set-enabled PowerTools
+      args:
+        warn: false
+      register: dnf_module_enable
+      changed_when: false
+    - name: Set the certbot_python to python3 (Certbot in RHEL 8 uses Python3)
+      set_fact:
+        certbot_python: python3
+  when:
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version | int >= 8
--- a/tasks/install-with-package.yml
+++ b/tasks/install-with-package.yml
@ -1,6 +1,27 @@
 ---
- name: Install Certbot.
-  package: "name={{ certbot_package }} state=present"
+- name: Starting the Certbot Install via {{ certbot_pkg_mgr }}
+  include_tasks: "{{ certbot_pkg_mgr|lower }}/install.yml"
+
+- block:
+    - name: Install certbot package
+      package: name={{ certbot_package }}
+      register: task_result
+      until: task_result is success
+      retries: 10
+      delay: 2
+      when:
+        - certbot_plugins is undefined
+
+    - name: Install certbot plugins
+      apt:
+        name: "{{ certbot_python }}-certbot-{{ item }}"
+      register: task_result
+      until: task_result is success
+      retries: 10
+      delay: 2
+      loop: "{{ certbot_plugins }}"
+      when: certbot_plugins is defined
+  when: certbot_pkg_mgr != 'pip'

 - name: Set Certbot script variable.
  set_fact:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,9 +1,6 @@
 ---
 - import_tasks: include-vars.yml

- import_tasks: setup-RedHat.yml
-  when: ansible_os_family == 'RedHat'
-
 - import_tasks: install-with-package.yml
  when: not certbot_install_from_source

--- a/tasks/pip/install.yml
+++ b/tasks/pip/install.yml
@ -0,0 +1,21 @@
+---
+- name: certbot | PyPI | Upgrade pip, setuptools, and pyopenssl as required
+  pip:
+    name: "{{ item }}"
+    executable: "{{ certbot_pip_executable }}"
+  loop:
+    - pip
+    - setuptools
+    - pyopenssl
+
+- name: certbot | PyPI | Install certbot {{ certbot_pip_version }}
+  pip:
+    name: certbot=={{ certbot_pip_version }}
+    executable: "{{ certbot_pip_executable }}"
+
+- name: certbot | PyPI | Install certbot plugins
+  pip:
+    name: "certbot-{{ item }}=={{ certbot_pip_version }}"
+    executable: "{{ certbot_pip_executable }}"
+  loop: "{{ certbot_plugins }}"
+  when: certbot_plugins is defined
--- a/tasks/setup-RedHat.yml
+++ b/tasks/setup-RedHat.yml
@ -1,20 +0,0 @@
---
-# See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
- block:
-
-  - name: Ensure dnf-plugins are installed on CentOS 8+.
-    yum:
-      name: dnf-plugins-core
-      state: present
-
-  - name: Enable DNF module for CentOS 8+.
-    shell: |
-      dnf config-manager --set-enabled PowerTools
-    args:
-      warn: false
-    register: dnf_module_enable
-    changed_when: false
-
-  when:
-    - ansible_os_family == 'RedHat'
-    - ansible_distribution_major_version | int >= 8
--- a/tasks/yum/install.yml
+++ b/tasks/yum/install.yml
@ -0,0 +1,7 @@
+---
+- name: Set the certbot_python to python3 (Certbot in RHEL 7 uses Python3)
+  set_fact:
+    certbot_python: python2
+  when:
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version | int <= 7