[WIP] certbot: add support for install from sources on Debian 8

2020-03-15 12:00:10 +01:00 · 2020-03-15 12:00:10 +01:00 · 69c98bf562
parent 9d7b4dd52d
commit 69c98bf562
5 changed files with 67 additions and 5 deletions
--- a/certbot/files/cron_jessie
+++ b/certbot/files/cron_jessie
@ -0,0 +1,11 @@
+# /etc/cron.d/certbot: crontab entries for the certbot package
+#
+# Upstream recommends attempting renewal twice a day
+#
+# Eventually, this will be an opportunity to validate certificates
+# haven't been revoked, etc.  Renewal will only occur if expiration
+# is within 30 days.
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
--- a/certbot/handlers/main.yml
+++ b/certbot/handlers/main.yml
@ -14,3 +14,7 @@
  service:
    name: haproxy
    state: reloaded
+
+- name: systemd daemon-reload
+  systemd:
+    daemon_reload: yes
--- a/certbot/tasks/install-package.yml
+++ b/certbot/tasks/install-package.yml
@ -0,0 +1,6 @@
+---
+
+- name: certbot package is installed
+  apt:
+    name: certbot
+    state: latest
--- a/certbot/tasks/install-sources.yml
+++ b/certbot/tasks/install-sources.yml
@ -0,0 +1,34 @@
+---
+
+- name: certbot package is removed
+  apt:
+    name: certbot
+    state: absent
+
+- include_role:
+    name: evolix/remount-usr
+
+- name: Certbot script is downloaded
+  get_url:
+    url: https://dl.eff.org/certbot-auto
+    dest: /usr/local/bin/certbot
+    mode: '0755'
+    owner: root
+    group: root
+    force: no
+
+- name: systemd artefacts are absent
+  file:
+    dest: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/systemd/system/certbot.service
+    - /etc/systemd/system/certbot.service.d
+    - /etc/systemd/system/certbot.timer
+  notify: systemd daemon-reload
+
+- name: custom crontab is present
+  copy:
+    src: cron_jessie
+    dest: /etc/cron.d/certbot
+    force: yes
--- a/certbot/tasks/main.yml
+++ b/certbot/tasks/main.yml
@ -4,13 +4,20 @@
  assert:
    that:
      - ansible_distribution == "Debian"
-      - ansible_distribution_major_version is version('9', '>=')
+      - ansible_distribution_major_version is version('8', '>=')
    msg: only compatible with Debian 9+

- name: certbot package is installed
-  apt:
-    name: certbot
-    state: latest
+- name: Install from sources on Debian 8
+  include: install-sources.yml
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version is version('8', '=')
+
+- name: Install package on Debian 9+
+  include: install-package.yml
+  when:
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version is version('9', '>=')

 - include: acme-challenge.yml