

No commits in common. "master" and "3.0.2" have entirely different histories.

25 changed files with 123 additions and 493 deletions


@ -1,3 +0,0 @@
skip_list:
- 'yaml'
- 'role-name'

4
.github/FUNDING.yml vendored

@ -1,4 +0,0 @@
# These are supported funding model platforms
---
github: geerlingguy
patreon: geerlingguy


@ -1,79 +0,0 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "30 2 * * 0"
defaults:
run:
working-directory: 'geerlingguy.certbot'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
with:
path: 'geerlingguy.certbot'
- name: Set up Python 3.
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint
- name: Lint code.
run: |
yamllint .
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
include:
- distro: rockylinux9
playbook: converge.yml
experimental: false
- distro: ubuntu2404
playbook: converge.yml
experimental: false
- distro: debian12
playbook: converge.yml
experimental: false
- distro: rockylinux9
playbook: playbook-snap-install.yml
experimental: true
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
with:
path: 'geerlingguy.certbot'
- name: Set up Python 3.
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule molecule-plugins[docker] docker
- name: Run Molecule tests.
run: molecule test
continue-on-error: ${{ matrix.experimental }}
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}
MOLECULE_PLAYBOOK: ${{ matrix.playbook }}


@ -1,40 +0,0 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.certbot'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v4
with:
path: 'geerlingguy.certbot'
- name: Set up Python 3.
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-core
- name: Trigger a new import on Galaxy.
run: >-
ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
$(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)


@ -1,34 +0,0 @@
---
name: Close inactive issues
'on':
schedule:
- cron: "55 12 * * 1" # semi-random time
jobs:
close-issues:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v8
with:
days-before-stale: 120
days-before-close: 60
exempt-issue-labels: bug,pinned,security,planned
exempt-pr-labels: bug,pinned,security,planned
stale-issue-label: "stale"
stale-pr-label: "stale"
stale-issue-message: |
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
close-issue-message: |
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
stale-pr-message: |
This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
close-pr-message: |
This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
repo-token: ${{ secrets.GITHUB_TOKEN }}

2
.gitignore vendored

@ -1,5 +1,3 @@
*.retry *.retry
*/__pycache__ */__pycache__
*.pyc *.pyc
.cache

33
.travis.yml Normal file

@ -0,0 +1,33 @@
---
language: python
services: docker
env:
global:
- ROLE_NAME: certbot
matrix:
- MOLECULE_DISTRO: centos7
MOLECULE_DOCKER_COMMAND: /usr/lib/systemd/systemd
- MOLECULE_DISTRO: centos6
MOLECULE_PLAYBOOK: playbook-source-install.yml
- MOLECULE_DISTRO: ubuntu1604
- MOLECULE_DISTRO: ubuntu1404
MOLECULE_PLAYBOOK: playbook-source-install.yml
- MOLECULE_DISTRO: debian9
install:
# Install test dependencies.
- pip install molecule docker
before_script:
# Use actual Ansible Galaxy role name for the project directory.
- cd ../
- mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME
- cd geerlingguy.$ROLE_NAME
script:
# Run tests.
- molecule test
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
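Review bot: The `install:` step runs `pip install molecule docker` with no version constraints, so every CI run pulls whatever the newest release happens to be; a breaking or compromised release lands in the pipeline unreviewed and old results cannot be reproduced. Pin both packages, e.g. `- pip install 'molecule==<PINNED_VERSION>' 'docker==<PINNED_VERSION>'` (placeholders, choose the versions the role was last validated against). The `before_script` `mv` relies on the Travis clone directory being named `ansible-role-$ROLE_NAME`; a one-line comment stating that assumption, `# Travis clones into ansible-role-<name>; Galaxy expects geerlingguy.<name>.`, would make the rename self-explanatory.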


@ -1,13 +0,0 @@
---
extends: default
rules:
line-length:
max: 180
level: warning
indentation:
spaces: 2
indent-sequences: consistent
ignore: |
.github/workflows/stale.yml


@ -1,6 +1,6 @@
# Ansible Role: Certbot (for Let's Encrypt) # Ansible Role: Certbot (for Let's Encrypt)
[![CI](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-certbot/actions/workflows/ci.yml) [![Build Status](https://travis-ci.org/geerlingguy/ansible-role-certbot.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-certbot)
Installs and configures Certbot (for Let's Encrypt). Installs and configures Certbot (for Let's Encrypt).
@ -12,39 +12,26 @@ Generally, installing from source (see section `Source Installation from Git`) l
## Role Variables ## Role Variables
certbot_install_method: package The variable `certbot_install_from_source` controls whether to install Certbot from Git or package management. The latter is the default, so the variable defaults to `no`.
Controls how Certbot is installed. Available options are 'package', 'snap', and 'source'.
certbot_auto_renew: true certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3" certbot_auto_renew_hour: 3
certbot_auto_renew_minute: "30" certbot_auto_renew_minute: 30
certbot_auto_renew_options: "--quiet" certbot_auto_renew_options: "--quiet --no-self-upgrade"
By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
### Automatic Certificate Generation ### Automatic Certificate Generation
Currently the `standalone` and `webroot` method are supported for generating new certificates using this role. Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml). **For a complete example**: see the fully functional test playbook in [tests/test-standalone-nginx-aws.yml](tests/test-standalone-nginx-aws.yml).
certbot_create_if_missing: false certbot_create_if_missing: false
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs.
certbot_create_method: standalone certbot_create_method: standalone
Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`. Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
certbot_testmode: false
Enable test mode to only run a test request without actually creating certificates.
certbot_hsts: false
Enable (HTTP Strict Transport Security) for the certificate generation.
certbot_admin_email: email@example.com certbot_admin_email: email@example.com
@ -52,18 +39,17 @@ The email address used to agree to Let's Encrypt's TOS and subscribe to cert-rel
certbot_certs: [] certbot_certs: []
# - email: janedoe@example.com # - email: janedoe@example.com
# webroot: "/var/www/html"
# domains: # domains:
# - example1.com # - example1.com
# - example2.com # - example2.com
# - domains: # - domains:
# - example3.com # - example3.com
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`. When using the `webroot` creation method, a `webroot` item has to be provided, specifying which directory to use for the authentication. Make sure your webserver correctly delivers contents from this directory. A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}" certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
The `certbot_create_command` defines the command used to generate the cert. See the full default command inside `defaults/main.yml` for a full example—and you can easily add in extra arguments that are not in the default command with the `certbot_create_extra_args` variable. The `certbot_create_command` defines the command used to generate the cert.
#### Standalone Certificate Generation #### Standalone Certificate Generation
@ -74,27 +60,16 @@ Services that should be stopped while `certbot` runs it's own standalone server
These services will only be stopped the first time a new cert is generated. These services will only be stopped the first time a new cert is generated.
### Snap Installation
Beginning in December 2020, the Certbot maintainers decided to recommend installing Certbot from Snap rather than maintain scripts like `certbot-auto`.
Setting `certbot_install_method: snap` configures this role to install Certbot via Snap.
This install method is currently experimental and may or may not work across all Linux distributions.
#### Webroot Certificate Generation
When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
### Source Installation from Git ### Source Installation from Git
You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8). You can install Certbot from it's Git source repository if desired. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
certbot_install_from_source: false
certbot_repo: https://github.com/certbot/certbot.git certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master certbot_version: master
certbot_keep_updated: true certbot_keep_updated: true
Certbot Git repository options. If installing from source, the configured `certbot_repo` is cloned, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs. Certbot Git repository options. To install from source, set `certbot_install_from_source` to `yes`. This clones the configured `certbot_repo`, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs.
certbot_dir: /opt/certbot certbot_dir: /opt/certbot
@ -116,8 +91,8 @@ None.
vars: vars:
certbot_auto_renew_user: your_username_here certbot_auto_renew_user: your_username_here
certbot_auto_renew_minute: "20" certbot_auto_renew_minute: 20
certbot_auto_renew_hour: "5" certbot_auto_renew_hour: 5
roles: roles:
- geerlingguy.certbot - geerlingguy.certbot


@ -2,66 +2,34 @@
# Certbot auto-renew cron job configuration (for certificate renewals). # Certbot auto-renew cron job configuration (for certificate renewals).
certbot_auto_renew: true certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}" certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3" certbot_auto_renew_hour: 3
certbot_auto_renew_minute: "30" certbot_auto_renew_minute: 30
certbot_auto_renew_options: "--quiet" certbot_auto_renew_options: "--quiet --no-self-upgrade"
certbot_testmode: false
certbot_hsts: false
# Parameters used when creating new Certbot certs. # Parameters used when creating new Certbot certs.
certbot_create_if_missing: false certbot_create_if_missing: false
certbot_create_method: standalone certbot_create_method: standalone
certbot_create_extra_args: ""
certbot_admin_email: email@example.com certbot_admin_email: email@example.com
certbot_expand: false
# Default webroot, overwritten by individual per-cert webroot directories
certbot_webroot: /var/www/letsencrypt
certbot_certs: [] certbot_certs: []
# - name: example.com # - email: janedoe@example.com
# email: janedoe@example.com
# webroot: "/var/www/html/"
# domains: # domains:
# - example1.com # - example1.com
# - example2.com # - example2.com
# - domains: # - domains:
# - example3.com # - example3.com
certbot_create_command: >- certbot_create_command: >-
{{ certbot_script }} certonly --{{ certbot_create_method }} {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
{{ '--hsts' if certbot_hsts else '' }}
{{ '--test-cert' if certbot_testmode else '' }}
--noninteractive --agree-tos
--email {{ cert_item.email | default(certbot_admin_email) }} --email {{ cert_item.email | default(certbot_admin_email) }}
{{ '--expand' if certbot_expand else '' }}
{{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }}
{{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
{{ certbot_create_extra_args }}
--cert-name {{ cert_item_name }}
-d {{ cert_item.domains | join(',') }} -d {{ cert_item.domains | join(',') }}
{{ '--expand' if certbot_expand else '' }}
{{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
else '' }}
{{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
else '' }}
{{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'"
if 'deploy_hook' in cert_item
else '' }}
certbot_create_standalone_stop_services: certbot_create_standalone_stop_services:
- nginx - nginx
# - apache # - apache
# - varnish # - varnish
# Available options: 'package', 'snap', 'source'. # To install from source (on older OSes or if you need a specific or newer
certbot_install_method: 'package' # version of Certbot), set this variable to `yes` and configure other options.
certbot_install_from_source: false
# Source install configuration.
certbot_repo: https://github.com/certbot/certbot.git certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master certbot_version: master
certbot_keep_updated: true certbot_keep_updated: true
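Review bot: `certbot_create_command` on the 3.0.2 side hard-codes `--standalone` even though `certbot_create_method: standalone` is declared a few lines above it, so setting the variable to anything else silently has no effect on the command that actually runs; use `{{ certbot_script }} certonly --{{ certbot_create_method }} --noninteractive --agree-tos` so the two stay in agreement. `certbot_auto_renew_hour: 3` and `certbot_auto_renew_minute: 30` are bare integers here while the other side keeps them quoted; quoting keeps zero-padded values such as `"05"` from being retyped by YAML before they reach the cron module. A short comment above `certbot_create_command`, `# Interpolated once per certbot_certs item; cert_item is the loop variable.`, would explain where `cert_item` comes from.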


@ -2,13 +2,16 @@
dependencies: [] dependencies: []
galaxy_info: galaxy_info:
role_name: certbot
author: geerlingguy author: geerlingguy
description: "Installs and configures Certbot (for Let's Encrypt)." description: "Installs and configures Certbot (for Let's Encrypt)."
company: "Midwestern Mac, LLC" company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)" license: "license (BSD, MIT)"
min_ansible_version: 2.10 min_ansible_version: 2.4
platforms: platforms:
- name: EL
versions:
- 6
- 7
- name: Fedora - name: Fedora
versions: versions:
- all - all
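Review bot: `min_ansible_version: 2.4` is an unquoted scalar and is parsed as a float, which is harmless for 2.4 but turns a two-digit minor such as 2.10 (the value visible on the other side of this hunk) into 2.1; write it as `min_ansible_version: "2.4"` so the field stays a string regardless of the value. The `license: "license (BSD, MIT)"` value looks like a template placeholder rather than a license identifier; if Galaxy validates that field, a plain `"MIT"` or `"BSD"` is presumably what was intended — worth confirming.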


@ -1,21 +1,27 @@
--- ---
role_name_check: 1
dependency: dependency:
name: galaxy name: galaxy
options:
ignore-errors: true
driver: driver:
name: docker name: docker
lint:
name: yamllint
options:
config-file: molecule/default/yaml-lint.yml
platforms: platforms:
- name: instance - name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest" image: geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible
command: ${MOLECULE_DOCKER_COMMAND:-""} command: ${MOLECULE_DOCKER_COMMAND:-"sleep infinity"}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
cgroupns_mode: host
privileged: true privileged: true
pre_build_image: true pre_build_image: true
provisioner: provisioner:
name: ansible name: ansible
lint:
name: ansible-lint
playbooks: playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml} converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
scenario:
name: default
verifier:
name: testinfra
lint:
name: flake8
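Review bot: `image: geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible` carries no tag, so the scenario floats on whichever image is tagged `latest` at run time and a test failure cannot be tied to a known image; make the tag explicit and quote the templated value, `image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"` (or a digest, if the project pins them). `privileged: true` gives the test container effectively host-level access, which is the usual trade-off for running systemd under Docker but only acceptable on disposable CI hosts; a comment saying so, `# privileged is required for systemd inside the container; run only on throwaway CI hosts.`, records the intent for the next reader.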


@ -1,26 +0,0 @@
---
- name: Converge
hosts: all
#become: true
vars:
certbot_install_method: 'snap'
certbot_auto_renew_user: root
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install cron (RedHat).
yum: name=cronie state=present
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.git
- geerlingguy.certbot


@ -1,10 +1,10 @@
--- ---
- name: Converge - name: Converge
hosts: all hosts: all
#become: true become: true
vars: vars:
certbot_install_method: 'source' certbot_install_from_source: true
certbot_auto_renew_user: root certbot_auto_renew_user: root
pre_tasks: pre_tasks:


@ -40,8 +40,7 @@
region: "us-east-1" region: "us-east-1"
name: certbot_test name: certbot_test
key_material: "{{ item }}" key_material: "{{ item }}"
with_file: with_file: ~/.ssh/id_rsa.pub
- ~/.ssh/id_rsa.pub
- name: Provision EC2 instance. - name: Provision EC2 instance.
ec2: ec2:
@ -91,8 +90,7 @@
certbot_create_if_missing: true certbot_create_if_missing: true
certbot_create_standalone_stop_services: [] certbot_create_standalone_stop_services: []
certbot_certs: certbot_certs:
- name: certbot-test.servercheck.in - domains:
domains:
- certbot-test.servercheck.in - certbot-test.servercheck.in
nginx_vhosts: nginx_vhosts:
- listen: "443 ssl http2" - listen: "443 ssl http2"
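Review bot: `with_file: ~/.ssh/id_rsa.pub` hard-codes the controller's key path and key type into the key-pair task (whose start is outside this hunk), so anyone running the playbook with a different key name has to edit the file rather than set a variable; `with_file: "{{ certbot_test_pubkey | default('~/.ssh/id_rsa.pub') }}"` keeps the current behaviour as the default. Whether the `file` lookup expands `~` is not visible here; if it does not, the default should be spelled with `{{ lookup('env', 'HOME') }}` instead.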


@ -1,7 +1,7 @@
--- ---
- name: Converge - name: Converge
hosts: all hosts: all
# become: true become: true
vars: vars:
certbot_auto_renew_user: root certbot_auto_renew_user: root
@ -13,12 +13,11 @@
changed_when: false changed_when: false
- name: Install dependencies (RedHat). - name: Install dependencies (RedHat).
yum: yum: name={{ item }} state=present
name: when: ansible_os_family == 'RedHat'
with_items:
- cronie - cronie
- epel-release - epel-release
state: present
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian). - name: Install cron (Debian).
apt: name=cron state=present apt: name=cron state=present
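Review bot: The RedHat dependency task on the 3.0.2 side uses the `key=value` shorthand and a `with_items` loop over `yum`, which installs one package per transaction and is the pattern Ansible itself warns about; passing the list in block form, `yum:` / `  name: [cronie, epel-release]` / `  state: present`, installs both in one transaction and drops the loop. The matching `apt: name=cron state=present` line would read better in the same block style for consistency within the file.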


@ -0,0 +1,14 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def test_hosts_file(host):
f = host.file('/etc/hosts')
assert f.exists
assert f.user == 'root'
assert f.group == 'root'
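Review bot: `test_hosts_file` only checks ownership of `/etc/hosts`, which every base image satisfies before the role runs, so the verifier passes without exercising anything the role installs or configures. At minimum add one assertion tied to the role's output, for example that the certbot command is present on the host (`assert host.exists('certbot')`, if that testinfra helper is available in the pinned version) and, when `certbot_auto_renew` is set, that the renewal cron entry exists. A module docstring such as `"""Testinfra checks for the certbot role; hosts come from the Molecule inventory."""` would also state where `testinfra_hosts` is sourced from.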


@ -0,0 +1,6 @@
---
extends: default
rules:
line-length:
max: 120
level: warning


@ -1,63 +1,23 @@
--- ---
- name: Determine certificate name
set_fact:
cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
- name: Check if certificate already exists. - name: Check if certificate already exists.
stat: stat:
path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
register: letsencrypt_cert register: letsencrypt_cert
- name: Ensure pre and post hook folders exist. - name: Stop services to allow certbot to generate a cert.
file: service:
path: /etc/letsencrypt/renewal-hooks/{{ item }} name: "{{ item }}"
state: directory state: stopped
mode: 0755 when: not letsencrypt_cert.stat.exists
owner: root with_items: "{{ certbot_create_standalone_stop_services }}"
group: root
with_items:
- pre
- post
- name: Create pre hook to stop services.
template:
src: stop_services.j2
dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
owner: root
group: root
mode: 0750
when:
- certbot_create_standalone_stop_services is defined
- certbot_create_standalone_stop_services
- name: Create post hook to start services.
template:
src: start_services.j2
dest: /etc/letsencrypt/renewal-hooks/post/start_services
owner: root
group: root
mode: 0750
when:
- certbot_create_standalone_stop_services is defined
- certbot_create_standalone_stop_services
- name: Check if domains have changed
block:
- name: Register certificate domains
shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
changed_when: false
register: letsencrypt_cert_domains_dirty
- name: Cleanup domain list
set_fact:
letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
- name: Determine if domains have changed
set_fact:
letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
when: letsencrypt_cert.stat.exists
- name: Generate new certificate if one doesn't exist. - name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}" shell: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false) when: not letsencrypt_cert.stat.exists
- name: Start services after cert has been generated.
service:
name: "{{ item }}"
state: started
when: not letsencrypt_cert.stat.exists
with_items: "{{ certbot_create_standalone_stop_services }}"
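Review bot: If the "Generate new certificate" task fails, the play aborts before the final task runs, so every service listed in `certbot_create_standalone_stop_services` is left stopped on the host; group the stop/generate/start tasks into a `block` whose `always:` section restarts them so an outage caused by a failed issuance is bounded to the certbot run itself. The generate task also uses `shell:` for a fully templated string whose `cert_item.email` and `cert_item.domains` parts come from inventory and playbook data, so shell metacharacters in those values are interpreted rather than passed through; `command:` runs the same default command without that exposure (the `certbot_create_command` default uses no pipes or redirections). The rewrite below replaces the last three tasks of the file.
```yaml
# … unchanged: "Check if certificate already exists." stat task …
- name: Generate certificate with dependent services stopped.
  block:
    - name: Stop services to allow certbot to generate a cert.
      service:
        name: "{{ item }}"
        state: stopped
      with_items: "{{ certbot_create_standalone_stop_services }}"
    - name: Generate new certificate if one doesn't exist.
      command: "{{ certbot_create_command }}"
  always:
    # Runs even when certbot fails, so a failed issuance never leaves nginx etc. down.
    - name: Start services after cert has been generated.
      service:
        name: "{{ item }}"
        state: started
      with_items: "{{ certbot_create_standalone_stop_services }}"
  when: not letsencrypt_cert.stat.exists
```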


@ -1,35 +0,0 @@
---
- name: Determine certificate name
set_fact:
cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
register: letsencrypt_cert
- name: Create webroot directory if it doesn't exist yet
file:
path: "{{ cert_item.webroot | default(certbot_webroot) }}"
state: directory
- name: Check if domains have changed
block:
- name: Register certificate domains
shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
changed_when: false
register: letsencrypt_cert_domains_dirty
- name: Cleanup domain list
set_fact:
letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
- name: Determine if domains have changed
set_fact:
letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
when: letsencrypt_cert.stat.exists
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)


@ -1,41 +0,0 @@
---
- name: Ensure snapd is installed.
package:
name: snapd
state: present
register: snapd_install
- name: Ensure snapd is enabled.
systemd:
name: snapd.socket
enabled: true
state: started
- name: Enable classic snap support.
file:
src: /var/lib/snapd/snap
dest: /snap
state: link
when: ansible_os_family != "Debian"
- name: Update snap after install.
shell: snap install core; snap refresh core
changed_when: true
failed_when: false
when: snapd_install is changed
- name: Install certbot via snap.
snap:
name: certbot
classic: true
- name: Symlink certbot into place.
file:
src: /snap/bin/certbot
dest: /usr/bin/certbot
state: link
ignore_errors: "{{ ansible_check_mode }}"
- name: Set Certbot script variable.
set_fact:
certbot_script: /usr/bin/certbot


@ -1,17 +1,11 @@
--- ---
- import_tasks: include-vars.yml - import_tasks: include-vars.yml
- import_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: install-with-package.yml - import_tasks: install-with-package.yml
when: certbot_install_method == 'package' when: not certbot_install_from_source
- import_tasks: install-with-snap.yml
when: certbot_install_method == 'snap'
- import_tasks: install-from-source.yml - import_tasks: install-from-source.yml
when: certbot_install_method == 'source' when: certbot_install_from_source
- include_tasks: create-cert-standalone.yml - include_tasks: create-cert-standalone.yml
with_items: "{{ certbot_certs }}" with_items: "{{ certbot_certs }}"
@ -21,13 +15,5 @@
loop_control: loop_control:
loop_var: cert_item loop_var: cert_item
- include_tasks: create-cert-webroot.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'webroot'
loop_control:
loop_var: cert_item
- import_tasks: renew-cron.yml - import_tasks: renew-cron.yml
when: certbot_auto_renew when: certbot_auto_renew
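Review bot: `when: not certbot_install_from_source` and `when: certbot_install_from_source` depend on the variable being a real boolean; a value supplied as a string from an inventory file or `-e` (for example `"false"`) is non-empty and therefore truthy, which would select the source install unexpectedly. Normalising both conditions with `when: not certbot_install_from_source | bool` and `when: certbot_install_from_source | bool` makes the dispatch robust to how the variable is provided; the same applies to `when: certbot_auto_renew` in the second hunk.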


@ -1,11 +0,0 @@
---
# See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
- name: Ensure dnf-plugins are installed on Rocky/AlmaLinux.
yum:
name: dnf-plugins-core
state: present
- name: Enable DNF module for Rocky/AlmaLinux.
shell: |
dnf config-manager --set-enabled crb
changed_when: false


@ -1,15 +0,0 @@
#!/bin/bash
# {{ ansible_managed }}
{% for item in certbot_create_standalone_stop_services %}
echo "starting service {{ item }}"
{% if ansible_service_mgr == 'systemd' %}
systemctl start {{ item }}
{% elif ansible_service_mgr == 'upstart' %}
initctl start {{ item }}
{% elif ansible_service_mgr == 'openrc' %}
rc-service {{ item }} start
{% else %}
service {{ item }} start
{% endif %}
{% endfor %}


@ -1,15 +0,0 @@
#!/bin/bash
# {{ ansible_managed }}
{% for item in certbot_create_standalone_stop_services %}
echo "stopping service {{ item }}"
{% if ansible_service_mgr == 'systemd' %}
systemctl stop {{ item }}
{% elif ansible_service_mgr == 'upstart' %}
initctl stop {{ item }}
{% elif ansible_service_mgr == 'openrc' %}
rc-service {{ item }} stop
{% else %}
service {{ item }} stop
{% endif %}
{% endfor %}