ansible-lint

tasks/create-cert-standalone.yml

@@ -1,11 +1,11 @@
 ---
 - name: Check if certificate already exists.
-  stat:
+  ansible.builtin.stat:
     path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
   register: letsencrypt_cert
 
 - name: Ensure pre and post hook folders exist.
-  file:
+  ansible.builtin.file:
     path: /etc/letsencrypt/renewal-hooks/{{ item }}
     state: directory
     mode: 0755
@@ -16,7 +16,7 @@
     - post
 
 - name: Create pre hook to stop services.
-  template:
+  ansible.builtin.template:
     src: stop_services.j2
     dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
     owner: root
@@ -27,7 +27,7 @@
     - certbot_create_standalone_stop_services
 
 - name: Create post hook to start services.
-  template:
+  ansible.builtin.template:
     src: start_services.j2
     dest: /etc/letsencrypt/renewal-hooks/post/start_services
     owner: root
@@ -38,5 +38,8 @@
     - certbot_create_standalone_stop_services
 
 - name: Generate new certificate if one doesn't exist.
-  command: "{{ certbot_create_command }}"
+  ansible.builtin.command: "{{ certbot_create_command }}"
+  register: certbot_create_command_result
   when: not letsencrypt_cert.stat.exists
+  changed_when:
+    - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0

tasks/create-cert-webroot.yml

@@ -1,14 +1,20 @@
 ---
 - name: Check if certificate already exists.
-  stat:
+  ansible.builtin.stat:
     path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem
   register: letsencrypt_cert
 
 - name: Create webroot directory if it doesn't exist yet
-  file:
+  ansible.builtin.file:
     path: "{{ cert_item.webroot | default(certbot_webroot) }}"
     state: directory
+    owner: root
+    group: root
+    mode: '0755'
 
 - name: Generate new certificate if one doesn't exist.
-  command: "{{ certbot_create_command }}"
+  ansible.builtin.command: "{{ certbot_create_command }}"
+  register: certbot_create_command_result
   when: not letsencrypt_cert.stat.exists
+  changed_when:
+    - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0

tasks/include-vars.yml

@@ -1,6 +1,6 @@
 ---
 - name: Load a variable file based on the OS type, or a default if not found.
-  include_vars: "{{ item }}"
+  ansible.builtin.include_vars: "{{ item }}"
   with_first_found:
     - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
     - "{{ ansible_distribution }}.yml"

tasks/install-from-source.yml

@@ -1,6 +1,6 @@
 ---
 - name: Clone Certbot into configured directory.
-  git:
+  ansible.builtin.git:
     repo: "{{ certbot_repo }}"
     dest: "{{ certbot_dir }}"
     version: "{{ certbot_version }}"
@@ -8,10 +8,10 @@
     force: true
 
 - name: Set Certbot script variable.
-  set_fact:
+  ansible.builtin.set_fact:
     certbot_script: "{{ certbot_dir }}/certbot-auto"
 
 - name: Ensure certbot-auto is executable.
-  file:
+  ansible.builtin.file:
     path: "{{ certbot_script }}"
     mode: 0755

tasks/install-with-package.yml

@@ -1,7 +1,9 @@
 ---
 - name: Install Certbot.
-  package: "name={{ certbot_package }} state=present"
+  ansible.builtin.package:
+    name: "{{ certbot_package }}"
+    state: present
 
 - name: Set Certbot script variable.
-  set_fact:
+  ansible.builtin.set_fact:
     certbot_script: "{{ certbot_package }}"

tasks/install-with-snap.yml

@@ -1,41 +1,36 @@
 ---
 - name: Ensure snapd is installed.
-  package:
+  ansible.builtin.package:
     name: snapd
     state: present
-  register: snapd_install
+  notify:
+    - Update snap after install
 
 - name: Ensure snapd is enabled.
-  systemd:
+  ansible.builtin.systemd:
     name: snapd.socket
     enabled: true
     state: started
 
 - name: Enable classic snap support.
-  file:
+  ansible.builtin.file:
     src: /var/lib/snapd/snap
     dest: /snap
     state: link
   when: ansible_os_family != "Debian"
 
-- name: Update snap after install.
-  shell: snap install core; snap refresh core
-  changed_when: true
-  failed_when: false
-  when: snapd_install is changed
-
 - name: Install certbot via snap.
-  snap:
+  community.general.snap:
     name: certbot
     classic: true
 
 - name: Symlink certbot into place.
-  file:
+  ansible.builtin.file:
     src: /snap/bin/certbot
     dest: /usr/bin/certbot
     state: link
   ignore_errors: "{{ ansible_check_mode }}"
 
 - name: Set Certbot script variable.
-  set_fact:
+  ansible.builtin.set_fact:
     certbot_script: /usr/bin/certbot

tasks/main.yml

@@ -1,19 +1,25 @@
 ---
-- import_tasks: include-vars.yml
+- name: Include vars
+  ansible.builtin.import_tasks: include-vars.yml
 
-- import_tasks: setup-RedHat.yml
+- name: Import Redhat task
+  ansible.builtin.import_tasks: setup-RedHat.yml
   when: ansible_os_family == 'RedHat'
 
-- import_tasks: install-with-package.yml
+- name: Standalone install method choosed
+  ansible.builtin.import_tasks: install-with-package.yml
   when: certbot_install_method == 'package'
 
-- import_tasks: install-with-snap.yml
+- name: Snap install method choosed
+  ansible.builtin.import_tasks: install-with-snap.yml
   when: certbot_install_method == 'snap'
 
-- import_tasks: install-from-source.yml
+- name: Source install method choosed
+  ansible.builtin.import_tasks: install-from-source.yml
   when: certbot_install_method == 'source'
 
-- include_tasks: create-cert-standalone.yml
+- name: Create certs for standalone install
+  ansible.builtin.include_tasks: create-cert-standalone.yml
   with_items: "{{ certbot_certs }}"
   when:
     - certbot_create_if_missing
@@ -21,7 +27,8 @@
   loop_control:
     loop_var: cert_item
 
-- include_tasks: create-cert-webroot.yml
+- name: Create certs for webroot install
+  ansible.builtin.include_tasks: create-cert-webroot.yml
   with_items: "{{ certbot_certs }}"
   when:
     - certbot_create_if_missing
@@ -29,5 +36,6 @@
   loop_control:
     loop_var: cert_item
 
-- import_tasks: renew-cron.yml
+- name: Check cron jobs
+  ansible.builtin.import_tasks: renew-cron.yml
   when: certbot_auto_renew

tasks/renew-cron.yml

@@ -1,6 +1,6 @@
 ---
 - name: Add cron job for certbot renewal (if configured).
-  cron:
+  ansible.builtin.cron:
     name: Certbot automatic renewal.
     job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}"
     minute: "{{ certbot_auto_renew_minute }}"

tasks/setup-RedHat.yml

@@ -1,30 +1,27 @@
 ---
 # See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
-- block:
-
-  - name: Ensure dnf-plugins are installed on CentOS 8+.
-    yum:
-      name: dnf-plugins-core
-      state: present
-
-  - block:
-
-    - name: Enable DNF module for CentOS 8.3+.
-      shell: |
-        dnf config-manager --set-enabled powertools
-      register: dnf_module_enable
-      changed_when: false
-
-      when: ansible_facts['distribution_version'] is version('8.3', '>=')
-
-    - name: Enable DNF module for CentOS 8.0–8.2.
-      shell: |
-        dnf config-manager --set-enabled PowerTools
-      register: dnf_module_enable
-      changed_when: false
-
-    when: ansible_facts['distribution_version'] is version('8.2', '<=')
-
+- name: Check dnf modules for Redhat family
   when:
   - ansible_distribution == 'CentOS'
   - ansible_distribution_major_version | int >= 8
+  block:
+  - name: Ensure dnf-plugins are installed on CentOS 8+.
+    ansible.builtin.yum:
+      name: dnf-plugins-core
+      state: present
+
+    when: ansible_facts['distribution_version'] is version('8.2', '<=')
+  - name: Check dnf modules for Centos
+    block:
+    - name: Enable DNF module for CentOS 8.3+.
+      ansible.builtin.shell: |
+        dnf config-manager --set-enabled powertools
+      register: dnf_module_enable
+      changed_when: false
+      when: ansible_facts['distribution_version'] is version('8.3', '>=')
+
+    - name: Enable DNF module for CentOS 8.0–8.2.
+      ansible.builtin.shell: |
+        dnf config-manager --set-enabled PowerTools
+      register: dnf_module_enable
+      changed_when: false