Merge 9dcabdc972d4b906908015b89b57926a9cb664e1 into 101111391444ac4d1d407c392ab78ffe0f932910

- Added variables for pre, post, and deploy renewal hooks in defaults/main.yml.
- Created a new task file tasks/setup-hooks.yml to manage the hooks setup.
- Included setup-hooks.yml in tasks/main.yml to ensure hooks are created if specified.

.github/workflows/ci.yml

@@ -50,6 +50,16 @@ jobs:
           - distro: debian12
             playbook: converge.yml
             experimental: false
+<<<<<<< Updated upstream
+=======
+          - distro: debian10
+            playbook: converge.yml
+            experimental: false
+          # Source install started failing recently.
+          # - distro: centos7
+          #   playbook: playbook-source-install.yml
+          #   experimental: false
+>>>>>>> Stashed changes
 
           - distro: rockylinux9
             playbook: playbook-snap-install.yml

defaults/main.yml

@@ -9,6 +9,12 @@ certbot_auto_renew_options: "--quiet"
 certbot_testmode: false
 certbot_hsts: false
 
+certbot_renewal_hook_post: ""
+certbot_renewal_hook_pre: ""
+certbot_renewal_hook_deploy: ""
+certbot_renewal_hook_post_filename: "post.sh"
+certbot_renewal_hook_pre_filename: "pre.sh"
+certbot_renewal_hook_deploy_filename: "deploy.sh"
 
 # Parameters used when creating new Certbot certs.
 certbot_create_if_missing: false

molecule/default/converge.yml

@@ -9,7 +9,7 @@
   pre_tasks:
     - name: Update apt cache.
       apt: update_cache=yes cache_valid_time=600
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
       changed_when: false
 
     - name: Install dependencies (RedHat).
@@ -18,11 +18,11 @@
           - cronie
           - epel-release
         state: present
-      when: ansible_os_family == 'RedHat'
+      when: ansible_facts.os_family == 'RedHat'
 
     - name: Install cron (Debian).
       apt: name=cron state=present
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
   roles:
     - geerlingguy.certbot

molecule/default/playbook-snap-install.yml

@@ -10,16 +10,16 @@
   pre_tasks:
     - name: Update apt cache.
       apt: update_cache=yes cache_valid_time=600
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
       changed_when: false
 
     - name: Install cron (RedHat).
       yum: name=cronie state=present
-      when: ansible_os_family == 'RedHat'
+      when: ansible_facts.os_family == 'RedHat'
 
     - name: Install cron (Debian).
       apt: name=cron state=present
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
   roles:
     - geerlingguy.git

molecule/default/playbook-source-install.yml

@@ -10,16 +10,16 @@
   pre_tasks:
     - name: Update apt cache.
       apt: update_cache=yes cache_valid_time=600
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
       changed_when: false
 
     - name: Install cron (RedHat).
       yum: name=cronie state=present
-      when: ansible_os_family == 'RedHat'
+      when: ansible_facts.os_family == 'RedHat'
 
     - name: Install cron (Debian).
       apt: name=cron state=present
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
   roles:
     - geerlingguy.git

molecule/default/playbook-standalone-nginx-aws.yml

@@ -111,19 +111,19 @@
   pre_tasks:
     - name: Update apt cache.
       apt: update_cache=true cache_valid_time=600
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
       changed_when: false
 
     - name: Install dependencies (RedHat).
       yum: name={{ item }} state=present
-      when: ansible_os_family == 'RedHat'
+      when: ansible_facts.os_family == 'RedHat'
       with_items:
         - cronie
         - epel-release
 
     - name: Install cron (Debian).
       apt: name=cron state=present
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
   roles:
     - geerlingguy.certbot

tasks/include-vars.yml

@@ -2,7 +2,7 @@
 - name: Load a variable file based on the OS type, or a default if not found.
   include_vars: "{{ item }}"
   with_first_found:
-    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml"
-    - "{{ ansible_distribution }}.yml"
+    - "{{ ansible_facts.distribution }}.yml"
-    - "{{ ansible_os_family }}.yml"
+    - "{{ ansible_facts.os_family }}.yml"
     - "default.yml"

tasks/install-with-snap.yml

@@ -16,7 +16,7 @@
     src: /var/lib/snapd/snap
     dest: /snap
     state: link
-  when: ansible_os_family != "Debian"
+  when: ansible_facts.os_family != "Debian"
 
 - name: Update snap after install.
   shell: snap install core; snap refresh core

tasks/main.yml

@@ -2,7 +2,7 @@
 - import_tasks: include-vars.yml
 
 - import_tasks: setup-RedHat.yml
-  when: ansible_os_family == 'RedHat'
+  when: ansible_facts.os_family == 'RedHat'
 
 - import_tasks: install-with-package.yml
   when: certbot_install_method == 'package'
@@ -29,5 +29,7 @@
   loop_control:
     loop_var: cert_item
 
+- import_tasks: setup-hooks.yml
+
 - import_tasks: renew-cron.yml
   when: certbot_auto_renew

tasks/setup-hooks.yml

@@ -0,0 +1,30 @@
+---
+- name: Ensure renewal hook directories exist
+  file:
+    path: "/etc/letsencrypt/renewal-hooks/{{ item }}"
+    state: directory
+  with_items:
+    - post
+    - pre
+    - deploy
+
+- name: Create post-renewal hook
+  copy:
+    content: "{{ certbot_renewal_hook_post }}"
+    dest: "/etc/letsencrypt/renewal-hooks/post/{{ certbot_renewal_hook_post_filename }}"
+    mode: "0755"
+  when: certbot_renewal_hook_post != ""
+
+- name: Create pre-renewal hook
+  copy:
+    content: "{{ certbot_renewal_hook_pre }}"
+    dest: "/etc/letsencrypt/renewal-hooks/pre/{{ certbot_renewal_hook_pre_filename }}"
+    mode: "0755"
+  when: certbot_renewal_hook_pre != ""
+
+- name: Create deploy-renewal hook
+  copy:
+    content: "{{ certbot_renewal_hook_deploy }}"
+    dest: "/etc/letsencrypt/renewal-hooks/deploy/{{ certbot_renewal_hook_deploy_filename }}"
+    mode: "0755"
+  when: certbot_renewal_hook_deploy != ""

templates/start_services.j2

@@ -3,11 +3,11 @@
 
 {% for item in certbot_create_standalone_stop_services %}
 echo "starting service {{ item }}"
-{% if ansible_service_mgr == 'systemd' %}
+{% if ansible_facts.service_mgr == 'systemd' %}
 systemctl start {{ item }}
-{% elif ansible_service_mgr == 'upstart' %}
+{% elif ansible_facts.service_mgr == 'upstart' %}
 initctl start {{ item }}
-{% elif ansible_service_mgr == 'openrc' %}
+{% elif ansible_facts.service_mgr == 'openrc' %}
 rc-service {{ item }} start
 {% else %}
 service {{ item }} start

templates/stop_services.j2

@@ -3,11 +3,11 @@
 
 {% for item in certbot_create_standalone_stop_services %}
 echo "stopping service {{ item }}"
-{% if ansible_service_mgr == 'systemd' %}
+{% if ansible_facts.service_mgr == 'systemd' %}
 systemctl stop {{ item }}
-{% elif ansible_service_mgr == 'upstart' %}
+{% elif ansible_facts.service_mgr == 'upstart' %}
 initctl stop {{ item }}
-{% elif ansible_service_mgr == 'openrc' %}
+{% elif ansible_facts.service_mgr == 'openrc' %}
 rc-service {{ item }} stop
 {% else %}
 service {{ item }} stop