certbot-auto was removed from the certbot repo by EFF in 2021 (see issue
#204), which leaves certbot_install_method: source broken — the existing
install-from-source.yml still references {{ certbot_dir }}/certbot-auto,
a path that no longer exists after the git clone.
This adds a new install method `pip` that follows EFF's recommended
install path (https://certbot.eff.org/instructions?os=pip): create a
Python venv at {{ certbot_dir }}, pip install certbot, symlink the
binary onto PATH at /usr/local/bin/certbot.
Plugins (e.g. certbot-dns-rfc2136, certbot-dns-cloudflare) can be
opted into per-host via a new certbot_pip_extra_packages list, which
installs additional pip packages into the same venv after certbot.
The legacy `source` method is left in place for backwards compatibility
but is now documented as deprecated in the README and defaults file.
Tested on Debian 12 and Debian 13.
Due to the certbot package not being really installed on the initial
dry-run, the symlink generation fails. The corresponding will be ignored
in check mode.
The command that will create the certificates needs the hook script
ansible.sh to exist before it is run, otherwise an error will occur in
case of first run on a new host.
(cherry picked from commit 2346cd52a262bf2fa89419f29abba0e8ea95cdb7)
The PowerTools repo exists only on CentOS, but the current selector ansible_os_family == 'RedHat' also evaluates to true on Fedora and RHEL, making this role fail.
This patch switches the when statement to only evaluate to true if really running on CentOS, which I think was the intention.
* Move 'stop' services to pre-hook and post-hook. This way they will also be stopped and started when renewing.
- remove service stop/start tasks
- add pre-hook/post-hook templates
- add pre-hook/post-hook template tasks
- create missing directories at first run
- run pre and post hook during first manual run