From 7a5b35d625122c5baff81b037e21a7263f95a0c4 Mon Sep 17 00:00:00 2001 From: Zhuravlev E Date: Thu, 25 Jul 2024 13:11:03 +0200 Subject: [PATCH 1/3] ansible-lint --- tasks/create-cert-standalone.yml | 13 ++++++++----- tasks/create-cert-webroot.yml | 12 +++++++++--- tasks/include-vars.yml | 2 +- tasks/install-from-source.yml | 6 +++--- tasks/install-with-package.yml | 6 ++++-- tasks/install-with-snap.yml | 21 ++++++++------------- tasks/main.yml | 24 ++++++++++++++++-------- tasks/renew-cron.yml | 2 +- tasks/setup-RedHat.yml | 25 +++++++++++-------------- 9 files changed, 61 insertions(+), 50 deletions(-) diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml index 1d1f979f..090ba4e2 100644 --- a/tasks/create-cert-standalone.yml +++ b/tasks/create-cert-standalone.yml @@ -1,11 +1,11 @@ --- - name: Check if certificate already exists. - stat: + ansible.builtin.stat: path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem register: letsencrypt_cert - name: Ensure pre and post hook folders exist. - file: + ansible.builtin.file: path: /etc/letsencrypt/renewal-hooks/{{ item }} state: directory mode: 0755 @@ -16,7 +16,7 @@ - post - name: Create pre hook to stop services. - template: + ansible.builtin.template: src: stop_services.j2 dest: /etc/letsencrypt/renewal-hooks/pre/stop_services owner: root @@ -27,7 +27,7 @@ - certbot_create_standalone_stop_services - name: Create post hook to start services. - template: + ansible.builtin.template: src: start_services.j2 dest: /etc/letsencrypt/renewal-hooks/post/start_services owner: root 
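Review bot: `mode: 0755` on the renewal-hooks directory task (first hunk, a context line) is still a bare octal in a commit whose purpose is an ansible-lint pass, while the same series writes `mode: '0755'` in create-cert-webroot.yml; the same bare value also remains in install-from-source.yml's "Ensure certbot-auto is executable" hunk. PyYAML reads a leading zero as octal, but a YAML 1.2 parser would read 755 decimal, and ansible-lint's risky-octal rule exists for exactly that ambiguity. Quoting it, `mode: '0755'`, settles both files and keeps the three task files consistent.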
@@ -38,5 +38,8 @@ - certbot_create_standalone_stop_services - name: Generate new certificate if one doesn't exist. - command: "{{ certbot_create_command }}" + ansible.builtin.command: "{{ certbot_create_command }}" + register: certbot_create_command_result when: not letsencrypt_cert.stat.exists + changed_when: + - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0 diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 8399872b..a99fe172 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml @@ -1,14 +1,20 @@ --- - name: Check if certificate already exists. - stat: + ansible.builtin.stat: path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem register: letsencrypt_cert - name: Create webroot directory if it doesn't exist yet - file: + ansible.builtin.file: path: "{{ cert_item.webroot | default(certbot_webroot) }}" state: directory + owner: root + group: root + mode: '0755' - name: Generate new certificate if one doesn't exist. - command: "{{ certbot_create_command }}" + ansible.builtin.command: "{{ certbot_create_command }}" + register: certbot_create_command_result when: not letsencrypt_cert.stat.exists + changed_when: + - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0 diff --git a/tasks/include-vars.yml b/tasks/include-vars.yml index 0a70e503..da86128d 100644 --- a/tasks/include-vars.yml +++ b/tasks/include-vars.yml @@ -1,6 +1,6 @@ --- - name: Load a variable file based on the OS type, or a default if not found. - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" - "{{ ansible_distribution }}.yml" diff --git a/tasks/install-from-source.yml b/tasks/install-from-source.yml index daee685f..195bcb7f 100644 --- a/tasks/install-from-source.yml +++ b/tasks/install-from-source.yml 
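Review bot: The `changed_when` added to "Generate new certificate if one doesn't exist" can only ever evaluate to true, because a non-zero rc already fails an `ansible.builtin.command` task, so `register` plus `rc is defined and rc == 0` is a long way of writing `changed_when: true`. Since the task is already gated on `not letsencrypt_cert.stat.exists`, any run of it really does create something, and `changed_when: true` states that intent in one line without the extra registered variable. The same construct is added to create-cert-webroot.yml in the next hunk and can be simplified the same way.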
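Review bot: Adding `owner: root` and `group: root` to "Create webroot directory if it doesn't exist yet" is a behaviour change in what is labelled a lint commit: `ansible.builtin.file` enforces ownership on every run, so a webroot that the web-server user owns (the ACME challenge path typically sits under a document root) is chowned to root on the next play. Whether existing deployments rely on a non-root owner is not visible here, but the lint finding only concerns the missing mode; keeping `mode: '0755'` and leaving owner/group unset, or exposing them as role variables with `default(omit)`, avoids the surprise.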
@@ -1,6 +1,6 @@ --- - name: Clone Certbot into configured directory. - git: + ansible.builtin.git: repo: "{{ certbot_repo }}" dest: "{{ certbot_dir }}" version: "{{ certbot_version }}" @@ -8,10 +8,10 @@ force: true - name: Set Certbot script variable. - set_fact: + ansible.builtin.set_fact: certbot_script: "{{ certbot_dir }}/certbot-auto" - name: Ensure certbot-auto is executable. - file: + ansible.builtin.file: path: "{{ certbot_script }}" mode: 0755 diff --git a/tasks/install-with-package.yml b/tasks/install-with-package.yml index 10490ffd..00d8c0d2 100644 --- a/tasks/install-with-package.yml +++ b/tasks/install-with-package.yml @@ -1,7 +1,9 @@ --- - name: Install Certbot. - package: "name={{ certbot_package }} state=present" + ansible.builtin.package: + name: "{{ certbot_package }}" + state: present - name: Set Certbot script variable. - set_fact: + ansible.builtin.set_fact: certbot_script: "{{ certbot_package }}" diff --git a/tasks/install-with-snap.yml b/tasks/install-with-snap.yml index 7a0ca65e..5900e9e0 100644 --- a/tasks/install-with-snap.yml +++ b/tasks/install-with-snap.yml 
@@ -1,41 +1,36 @@ --- - name: Ensure snapd is installed. - package: + ansible.builtin.package: name: snapd state: present - register: snapd_install + notify: + - Update snap after install - name: Ensure snapd is enabled. - systemd: + ansible.builtin.systemd: name: snapd.socket enabled: true state: started - name: Enable classic snap support. - file: + ansible.builtin.file: src: /var/lib/snapd/snap dest: /snap state: link when: ansible_os_family != "Debian" -- name: Update snap after install. - shell: snap install core; snap refresh core - changed_when: true - failed_when: false - when: snapd_install is changed - - name: Install certbot via snap. - snap: + community.general.snap: name: certbot classic: true - name: Symlink certbot into place. - file: + ansible.builtin.file: src: /snap/bin/certbot dest: /usr/bin/certbot state: link ignore_errors: "{{ ansible_check_mode }}" - name: Set Certbot script variable. - set_fact: + ansible.builtin.set_fact: certbot_script: /usr/bin/certbot diff --git a/tasks/main.yml b/tasks/main.yml index 894143c7..3e796ec8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
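Review bot: Replacing the inline "Update snap after install" task with `notify` changes when the core snap is installed and refreshed: handlers run at the end of the play, so it now happens after "Install certbot via snap" and the certificate tasks instead of before them, which the old task order suggests was deliberate. If that ordering matters, add `- name: Flush handlers` / `ansible.builtin.meta: flush_handlers` between "Enable classic snap support" and "Install certbot via snap". In this patch on its own the notified handler does not exist yet (handlers/main.yml only arrives in 2/3), so a host that newly installs snapd fails with an unknown-handler error at this commit; squashing the two patches keeps the series bisectable. `community.general.snap` also presumably needs the collection declared in the role's requirements or meta, which no patch in this series touches.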
@@ -1,19 +1,25 @@ --- -- import_tasks: include-vars.yml +- name: Include vars + ansible.builtin.import_tasks: include-vars.yml -- import_tasks: setup-RedHat.yml +- name: Import Redhat task + ansible.builtin.import_tasks: setup-RedHat.yml when: ansible_os_family == 'RedHat' -- import_tasks: install-with-package.yml +- name: Standalone install method choosed + ansible.builtin.import_tasks: install-with-package.yml when: certbot_install_method == 'package' -- import_tasks: install-with-snap.yml +- name: Snap install method choosed + ansible.builtin.import_tasks: install-with-snap.yml when: certbot_install_method == 'snap' -- import_tasks: install-from-source.yml +- name: Source install method choosed + ansible.builtin.import_tasks: install-from-source.yml when: certbot_install_method == 'source' -- include_tasks: create-cert-standalone.yml +- name: Create certs for standalone install + ansible.builtin.include_tasks: create-cert-standalone.yml with_items: "{{ certbot_certs }}" when: - certbot_create_if_missing @@ -21,7 +27,8 @@ loop_control: loop_var: cert_item -- include_tasks: create-cert-webroot.yml +- name: Create certs for webroot install + ansible.builtin.include_tasks: create-cert-webroot.yml with_items: "{{ certbot_certs }}" when: - certbot_create_if_missing @@ -29,5 +36,6 @@ loop_control: loop_var: cert_item -- import_tasks: renew-cron.yml +- name: Check cron jobs + ansible.builtin.import_tasks: renew-cron.yml when: certbot_auto_renew diff --git a/tasks/renew-cron.yml b/tasks/renew-cron.yml index 394a30e7..3ee6b708 100644 --- a/tasks/renew-cron.yml +++ b/tasks/renew-cron.yml @@ -1,6 +1,6 @@ --- - name: Add cron job for certbot renewal (if configured). - cron: + ansible.builtin.cron: name: Certbot automatic renewal. job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}" minute: "{{ certbot_auto_renew_minute }}" diff --git a/tasks/setup-RedHat.yml b/tasks/setup-RedHat.yml index 1f809bba..d9579210 100644 --- a/tasks/setup-RedHat.yml 
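Review bot: Several of the task names added to main.yml have typos or describe the wrong thing: `Standalone install method choosed` labels the package install method as "Standalone" (standalone is a certificate mode in this role) and "choosed" should be "chosen" in all three variants, `Import Redhat task` should read "RedHat", and `Check cron jobs` is attached to renew-cron.yml, which adds the renewal cron entry rather than checking anything. Task names are what appears in play output and `--list-tasks`, so they are worth getting right; suggested: `- name: Install Certbot via package` (and "via snap" / "from source" for the other two), and `- name: Set up Certbot auto-renewal cron job`.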
+++ b/tasks/setup-RedHat.yml @@ -1,30 +1,27 @@ --- # See: https://github.com/geerlingguy/ansible-role-certbot/issues/107 -- block: - +- name: Check dnf modules for Redhat family + when: + - ansible_distribution == 'CentOS' + - ansible_distribution_major_version | int >= 8 + block: - name: Ensure dnf-plugins are installed on CentOS 8+. - yum: + ansible.builtin.yum: name: dnf-plugins-core state: present - - block: - + when: ansible_facts['distribution_version'] is version('8.2', '<=') + - name: Check dnf modules for Centos + block: - name: Enable DNF module for CentOS 8.3+. - shell: | + ansible.builtin.shell: | dnf config-manager --set-enabled powertools register: dnf_module_enable changed_when: false - when: ansible_facts['distribution_version'] is version('8.3', '>=') - name: Enable DNF module for CentOS 8.0–8.2. - shell: | + ansible.builtin.shell: | dnf config-manager --set-enabled PowerTools register: dnf_module_enable changed_when: false - - when: ansible_facts['distribution_version'] is version('8.2', '<=') - - when: - - ansible_distribution == 'CentOS' - - ansible_distribution_major_version | int >= 8 From 9b1f1eedf9214e3d6f11ab1140dc6865175183dc Mon Sep 17 00:00:00 2001 From: Zhuravlev E Date: Wed, 31 Jul 2024 09:51:11 +0200 Subject: [PATCH 2/3] add handlers --- handlers/main.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 handlers/main.yml diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 00000000..c059bbea --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Update snap after install + ansible.builtin.shell: snap install core; snap refresh core + changed_when: true + failed_when: false From 53b9ad94d79600e77d6d843b885f5849245fa204 Mon Sep 17 00:00:00 2001 From: tonve Date: Wed, 31 Jul 2024 09:54:25 +0200 Subject: [PATCH 3/3] Update setup-RedHat.yml --- tasks/setup-RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
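Review bot: The `when: ... version('8.2', '<=')` that used to guard the inner block now follows the dnf-plugins-core task's `state: present` (its indent is lost in this rendering, but it is no longer on the inner block), and the inner block's own `when` is deleted: on CentOS 8.3+ the "Enable DNF module for CentOS 8.0–8.2" task, which has no condition of its own, now runs `dnf config-manager --set-enabled PowerTools` unconditionally, and if the guard attached to the yum task, dnf-plugins-core is no longer installed on those releases at all. Keep the guard where it selects a task: move `when: ansible_facts['distribution_version'] is version('8.2', '<=')` onto the 8.0–8.2 task and drop it from the yum task. The new names `Check dnf modules for Redhat family` / `Check dnf modules for Centos` misspell the distributions and describe enabling a repo as a check; something like `Enable PowerTools repo on CentOS 8+` would be closer. Separately, patch 3/3 of this series edits line 34 of this file against a base (index 063c0646) that holds a Rocky/AlmaLinux task absent from the 27-line file this hunk produces, so the series as posted appears not to apply in order.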
diff --git a/tasks/setup-RedHat.yml b/tasks/setup-RedHat.yml index 063c0646..44283de8 100644 --- a/tasks/setup-RedHat.yml +++ b/tasks/setup-RedHat.yml @@ -34,4 +34,4 @@ - name: Enable DNF module for Rocky/AlmaLinux. shell: | dnf config-manager --set-enabled crb - changed_when: false \ No newline at end of file + changed_when: false