test: add forgejo workflow

.forgejo/workflows/molecule.yml

@@ -0,0 +1,18 @@
+---
+on: [push]
+jobs:
+  lint:
+    runs-on: docker
+    container:
+      image: code.waks.be/nishiki/molecule:docker
+    steps:
+      - uses: actions/checkout@v3
+      - run: ansible-lint .
+      - run: yamllint .
+  molecule:
+    runs-on: docker
+    container:
+      image: code.waks.be/nishiki/molecule:docker
+    steps:
+      - uses: actions/checkout@v3
+      - run: molecule test

.gitignore

@@ -1,2 +1,2 @@
 .kitchen/*
-
+*.pyc

.gitlab-ci.yml

@@ -0,0 +1,10 @@
+---
+image: nishiki/molecule:docker
+
+before_script:
+  - molecule --version
+
+molecule:
+  stage: test
+  script:
+    - molecule test

.kitchen.yml

@@ -1,26 +0,0 @@
-driver:
-  name: docker_cli
-
-transport:
-  name: docker_cli
-
-provisioner:
-  name: ansible_playbook
-  hosts: localhost
-  require_ansible_repo: false
-  require_ansible_omnibus: false
-  require_chef_for_busser: true
-  ansible_verbose: false
-  ansible_inventory: ./test/integration/inventory
-
-platforms:
-  - name: debian-9
-    driver_config:
-      image: nishiki/debian9:ansible-<%= ENV['ANSIBLE_VERSION'] ? ENV['ANSIBLE_VERSION'] : '2.6' %>
-      command: /bin/systemd
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      security_opt: seccomp=unconfined
-
-suites:
-  - name: certbot

.rubocop.yml

@@ -1,38 +0,0 @@
-
-AllCops:
-  Exclude:
-    - db/**/*
-    - config/**/*
-    - Vagrantfile
-  TargetRubyVersion: 2.3
-
-Naming/AccessorMethodName:
-  Enabled: false
-
-Lint/RescueWithoutErrorClass:
-  Enabled: false
-
-Metrics/LineLength:
-  Max: 120
-Metrics/CyclomaticComplexity:
-  Enabled: false
-Metrics/PerceivedComplexity:
-  Enabled: false
-Metrics/MethodLength:
-  Enabled: false
-Metrics/BlockLength:
-  Enabled: false
-Metrics/ClassLength:
-  Enabled: false
-Metrics/AbcSize:
-  Enabled: false
-
-Style/NumericLiteralPrefix:
-  Enabled: false
-Style/FrozenStringLiteralComment:
-  Enabled: false
-Style/CommandLiteral:
-  Enabled: true
-  EnforcedStyle: percent_x
-Style/Documentation:
-  Enabled: false

.travis.yml

@@ -1,20 +1,30 @@
+---
 sudo: required
-language: ruby
+dist: bionic
+addons:
+  apt:
+    packages:
+      - python3
+      - python3-pip
+      - python3-setuptools
 
 env:
-  - ANSIBLE_VERSION=2.5
+  - ANSIBLE_VERSION=2.9.25
-  - ANSIBLE_VERSION=2.6
+  - ANSIBLE_VERSION=2.10.7
-  - ANSIBLE_VERSION=2.7
+  - ANSIBLE_VERSION=3.4.0
+  - ANSIBLE_VERSION=4.4.0
+
 services:
   - docker
 
 before_install:
-  - bundle install
+  - sudo pip3 install ansible==${ANSIBLE_VERSION}
+  - sudo pip3 install molecule 'molecule[docker]' docker testinfra ansible-lint yamllint
+  - git clone https://github.com/ansible/galaxy-lint-rules.git
 
 script:
-  - kitchen conv certbot-debian-9
+  - ansible --version
-  - kitchen conv certbot-debian-9 | grep changed=0
+  - molecule test
-  - kitchen verify certbot-debian-9
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

.yamllint

@@ -0,0 +1,12 @@
+---
+extends: default
+
+ignore: |
+  .kitchen/*
+  vendor/
+  .forgejo/
+
+rules:
+  line-length:
+    max: 120
+    level: warning

CHANGELOG.md

@@ -3,16 +3,51 @@
 This project adheres to [Semantic Versioning](http://semver.org/).
 Which is based on [Keep A Changelog](http://keepachangelog.com/)
 
-## [Unreleased]
+## Unreleased
+
+### Added
+
+- feat: add certbot_port variable
+- feat: add hook scripts
+- test: add support debian 12
+
+### Changed
+
+- test: use personal docker registry
+
+## v2.2.0 - 2021-08-24
+
+### Added
+
+- test: add check yamllint
+- test: add support debian 11
+
+### Changed
+
+- test: replace kitchen to molecule
+- chore: use FQCN for module name
+- feat: check if the port 80 is used
+
+### Removed
+
+- test: remove support debian 9
+
+## v2.1.1 - 2018-11-26
+
+- fix: replace shell module to command
+- test: add check ansible-lint with galaxy rules
+
+## v2.1.0 - 2018-11-25
 
-## [2.1.0]
 - BREAKING CHANGE: minimal ansible version is 2.5 now
 - fix: replace inline module to cron for renew cron
 - test: use new docker images
 - test: add tavis-ci to run tests
 
-## [2.0.0] 2018-07-07
+## v2.0.0 - 2018-07-07
+
 - feat: add renew hook script
 
-## [1.0.0] - 2018-06-10
+## v1.0.0 - 2018-06-10
+
 - first version

Gemfile

@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-group :development do
-  gem 'kitchen-ansible'
-  gem 'kitchen-docker_cli'
-  gem 'rubocop', '0.50.0'
-  gem 'test-kitchen'
-end

Gemfile.lock

@@ -1,94 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    ast (2.4.0)
-    builder (3.2.3)
-    erubis (2.7.0)
-    ffi (1.9.23)
-    gssapi (1.2.0)
-      ffi (>= 1.0.1)
-    gyoku (1.3.1)
-      builder (>= 2.1.2)
-    httpclient (2.8.3)
-    kitchen-ansible (0.47.5)
-      net-ssh (>= 3)
-      test-kitchen (~> 1.4)
-    kitchen-docker_cli (0.18.0)
-      test-kitchen (>= 1.3)
-    little-plugger (1.1.4)
-    logging (2.2.2)
-      little-plugger (~> 1.1)
-      multi_json (~> 1.10)
-    mixlib-install (3.6.0)
-      mixlib-shellout
-      mixlib-versioning
-      thor
-    mixlib-shellout (2.3.2)
-    mixlib-versioning (1.2.2)
-    multi_json (1.13.1)
-    net-scp (1.2.1)
-      net-ssh (>= 2.6.5)
-    net-ssh (4.2.0)
-    net-ssh-gateway (1.3.0)
-      net-ssh (>= 2.6.5)
-    nori (2.6.0)
-    parallel (1.12.1)
-    parser (2.5.0.2)
-      ast (~> 2.4.0)
-    powerpack (0.1.1)
-    rainbow (2.2.2)
-      rake
-    rake (12.3.1)
-    rubocop (0.50.0)
-      parallel (~> 1.10)
-      parser (>= 2.3.3.1, < 3.0)
-      powerpack (~> 0.1)
-      rainbow (>= 2.2.2, < 3.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (~> 1.0, >= 1.0.1)
-    ruby-progressbar (1.9.0)
-    rubyntlm (0.6.2)
-    rubyzip (1.2.1)
-    safe_yaml (1.0.4)
-    test-kitchen (1.18.0)
-      mixlib-install (~> 3.6)
-      mixlib-shellout (>= 1.2, < 3.0)
-      net-scp (~> 1.1)
-      net-ssh (>= 2.9, < 5.0)
-      net-ssh-gateway (~> 1.2)
-      safe_yaml (~> 1.0)
-      thor (~> 0.19, < 0.19.2)
-      winrm (~> 2.0)
-      winrm-elevated (~> 1.0)
-      winrm-fs (~> 1.0.2)
-    thor (0.19.1)
-    unicode-display_width (1.3.0)
-    winrm (2.2.3)
-      builder (>= 2.1.2)
-      erubis (~> 2.7)
-      gssapi (~> 1.2)
-      gyoku (~> 1.0)
-      httpclient (~> 2.2, >= 2.2.0.2)
-      logging (>= 1.6.1, < 3.0)
-      nori (~> 2.0)
-      rubyntlm (~> 0.6.0, >= 0.6.1)
-    winrm-elevated (1.1.0)
-      winrm (~> 2.0)
-      winrm-fs (~> 1.0)
-    winrm-fs (1.0.2)
-      erubis (~> 2.7)
-      logging (>= 1.6.1, < 3.0)
-      rubyzip (~> 1.1)
-      winrm (~> 2.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  kitchen-ansible
-  kitchen-docker_cli
-  rubocop (= 0.50.0)
-  test-kitchen
-
-BUNDLED WITH
-   1.16.0

README.md

@@ -1,21 +1,32 @@
 # Ansible role: Certbot
-[![Version](https://img.shields.io/badge/latest_version-2.1.0-green.svg)](https://git.yaegashi.fr/nishiki/ansible-role-certbot/releases)
+
-[![Build Status](https://travis-ci.org/nishiki/ansible-role-certbot.svg?branch=master)](https://travis-ci.org/nishiki/ansible-role-certbot)
+[![Version](https://img.shields.io/badge/latest_version-2.2.0-green.svg)](https://code.waks.be/nishiki/ansible-role-certbot/releases)
-[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://git.yaegashi.fr/nishiki/ansible-role-certbot/src/branch/master/LICENSE)
+[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-certbot/src/branch/main/LICENSE)
+[![Build](https://code.waks.be/nishiki/ansible-role-certbot/actions/workflows/molecule.yml/badge.svg?branch=main)](https://code.waks.be/nishiki/ansible-role-certbot/actions?workflow=molecule.yml)
 
 Generate certificate SSL with certbot.
 
 ## Requirements
 
-* Ansible >= 2.5
+- Ansible >= 2.10
-* Debian Stretch
+- Debian
+  - Bullseye
+  - Bookworm
 
 ## Role variables
 
 - `certbot_mail` - mail address used by let's encrypt to notify
 - `certbot_key_size` - private key size (default: `4096`)
+- `certbot_port` - port to listen for certbot web (default: `80`)
 - `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`)
-- `certbot_domains` - array with the domain name and command
+- `certbot_domains` - dict with the domain name and the script
+
+```
+  website.com:
+    #!/bin/bash
+    echo "test" > /tmp/log
+```
+
 - `certbot_role` - string must be master or slave, if master generate the certificates
 
 ## How to use
@@ -27,13 +38,13 @@ Generate certificate SSL with certbot.
 ```
 
 ## Development
-### Tests with docker
 
-  * install [docker](https://docs.docker.com/engine/installation/)
+### Test with molecule and docker
-  * install ruby
+
-  * install bundler `gem install bundler`
+- install [docker](https://docs.docker.com/engine/installation/)
-  * install dependencies `bundle install`
+- install `python3` and `python3-pip`
-  * run the tests `kitchen test`
+- install molecule and dependencies `pip3 install molecule molecule-plugins[docker] docker ansible-lint pytest-testinfra yamllint`
+- run `molecule test`
 
 ## License
 

defaults/main.yml

@@ -1,5 +1,7 @@
+---
 certbot_mail: ssl@host.local
 certbot_key_size: 4096
+certbot_port: 80
 certbot_path: /var/www/acme
 certbot_role: master
-certbot_domains: []
+certbot_domains: {}

meta/main.yml

@@ -1,17 +1,23 @@
+---
 galaxy_info:
+  role_name: certbot
+  namespace: nishiki
   author: Adrien Waksberg
+  company: Adrien Waksberg
   description: Generate certificate SSL with certbot
   license: Apache2
-  min_ansible_version: 2.5
+  min_ansible_version: "2.10"
-
   platforms:
     - name: Debian
       versions:
-        - stretch
+        - bullseye
+        - bookworm
 
   galaxy_tags:
     - certbot
+    - letsencrypt
     - ssl
     - https
+    - certifactes
 
 dependencies: []

molecule/default/converge.yml

@@ -0,0 +1,14 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - ansible-role-certbot
+  vars:
+    certbot_role: slave
+    certbot_domains:
+      test.local: 'echo OK > /tmp/test.txt'
+
+  pre_tasks:
+    - name: update apt cache
+      ansible.builtin.apt:
+        update_cache: true

molecule/default/molecule.yml

@@ -0,0 +1,28 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: debian12
+    image: code.waks.be/nishiki/molecule:debian12
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    command: /bin/systemd
+    capabilities:
+      - SYS_ADMIN
+  - name: debian11
+    image: code.waks.be/nishiki/molecule:debian11
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    command: /bin/systemd
+    capabilities:
+      - SYS_ADMIN
+lint: |
+  set -e
+  yamllint .
+  ansible-lint .
+verifier:
+  name: testinfra

molecule/default/tests/test_default.py

@@ -0,0 +1,44 @@
+import testinfra.utils.ansible_runner
+
+def test_packages(host):
+  package = host.package('certbot')
+  assert package.is_installed
+
+def test_acme_directory(host):
+  path = host.file('/var/www/acme')
+  assert path.exists
+  assert path.is_directory
+  assert path.user == 'root'
+  assert path.group == 'root'
+  assert path.mode == 0o755
+
+def test_old_cron_file(host):
+  path = host.file('/etc/cron.d/certbot')
+  assert not path.exists
+
+def test_cron_file(host):
+  path = host.file('/var/spool/cron/crontabs/root')
+  assert path.exists
+  assert path.is_file
+  assert path.user == 'root'
+  assert path.group == 'crontab'
+  assert path.mode == 0o600
+  assert path.contains('perl -e \'sleep int(rand(3600))\' && certbot -q renew')
+
+def test_config_file(host):
+  path = host.file('/etc/letsencrypt/hook-test.local')
+  assert path.exists
+  assert path.is_file
+  assert path.user == 'root'
+  assert path.group == 'root'
+  assert path.mode == 0o700
+  assert path.contains('echo OK > /tmp/test.txt')
+
+def test_renew(host):
+  cmd = host.run('/etc/letsencrypt/hook-test.local')
+  assert cmd.succeeded
+
+  path = host.file('/tmp/test.txt')
+  assert path.exists
+  assert path.is_file
+  assert path.contains('OK')

tasks/base.yml

@@ -1,52 +1,45 @@
-- name: install certbot package
+---
-  apt:
+- name: Install certbot package
-    name: '{{ packages }}'
+  ansible.builtin.apt:
-    default_release: '{{ certbot_distribution|default(ansible_distribution_release) }}'
+    name:
-    state: present
-  vars:
-    packages:
       - certbot
       - cron
+    default_release: "{{ certbot_distribution | default(ansible_distribution_release) }}"
+    state: present
   tags: certbot
 
-- name: create webroot path directory
+- name: Create webroot path directory
-  file:
+  ansible.builtin.file:
-    path: '{{ certbot_path }}'
+    path: "{{ certbot_path }}"
     owner: root
     group: root
     mode: 0755
     state: directory
   tags: certbot
 
-- name: install certbot-renew binary
+- name: Install hooks script
-  copy:
+  ansible.builtin.copy:
-    src: certbot-renew
+    content: "{{ item.value | default('#!/bin/bash') }}"
-    dest: /usr/local/bin/certbot-renew
+    dest: "/etc/letsencrypt/hook-{{ item.key }}"
     owner: root
     group: root
-    mode: 0755
+    mode: 0700
+  loop: "{{ certbot_domains | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   tags: certbot
 
-- name: install certbot renew configuration
+- name: Remove old cerbot renew cron
-  template:
+  ansible.builtin.file:
-    src: renew.cfg.j2
-    dest: /etc/letsencrypt/renew.cfg
-    owner: root
-    group: root
-    mode: 0644
-  tags: certbot
-
-- name: remove old cerbot renew cron
-  file:
     path: /etc/cron.d/certbot
     state: absent
   tags: certbot
 
-- name: add certbot renew cron
+- name: Add certbot renew cron
-  cron:
+  ansible.builtin.cron:
     name: certbot-renew
     user: root
-    hour: '*/12'
+    hour: "*/12"
-    minute: 0
+    minute: "0"
-    job: perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook /usr/local/bin/certbot-renew
+    job: "perl -e 'sleep int(rand(3600))' && certbot -q renew"
   tags: certbot

tasks/certificates.yml

@@ -1,24 +1,40 @@
-- name: check if certificate exist
+---
-  stat:
+- name: Check if certificate exist
-    path: '/etc/letsencrypt/live/{{ item.name }}'
+  ansible.builtin.stat:
-  loop: '{{ certbot_domains }}'
+    path: "/etc/letsencrypt/live/{{ item.key }}"
+  loop: "{{ certbot_domains | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
   register: st
   tags: certbot
 
-- name: check if nginx is launch
+- name: Check if a webservice is started
-  stat:
+  ansible.builtin.wait_for:
-    path: /var/run/nginx.pid
+    port: "{{ certbot_port }}"
-  register: ng
+    state: started
+    timeout: 2
+  ignore_errors: true
+  register: web
   tags: certbot
 
-- name: create a new certificate
+- name: Create a new certificate  # noqa no-changed-when
-  shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}'
+  ansible.builtin.command: >
-  loop: '{{ st.results }}'
+    certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
-  when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and ng.stat.exists
+    --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}
+    --deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
+  loop: "{{ st.results }}"
+  loop_control:
+    label: "{{ item.item.key }}"
+  when: (certbot_role == "master" or item.item.key == ansible_fqdn) and not item.stat.exists and not web.failed
   tags: certbot
 
-- name: create a new certificate (standalone)
+- name: Create a new certificate (standalone)  # noqa no-changed-when
-  shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --standalone --rsa-key-size {{ certbot_key_size }}'
+  ansible.builtin.command: >
-  loop: '{{ st.results }}'
+    certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
-  when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not ng.stat.exists
+    --standalone --rsa-key-size {{ certbot_key_size }} --deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
+    --http-01-port {{ certbot_port }}
+  loop: "{{ st.results }}"
+  loop_control:
+    label: "{{ item.item.key }}"
+  when: (certbot_role == "master" or item.item.key == ansible_fqdn) and not item.stat.exists and web.failed
   tags: certbot

tasks/main.yml

@@ -1,5 +1,8 @@
-- import_tasks: base.yml
+---
+- name: Import base
+  ansible.builtin.import_tasks: base.yml
   tags: certbot
 
-- import_tasks: certificates.yml
+- name: Import certificates
+  ansible.builtin.import_tasks: certificates.yml
   tags: certbot

test/integration/certbot/default.yml

@@ -1,8 +0,0 @@
-- hosts: certbot
-  connection: local
-  vars:
-    certbot_role: slave
-    certbot_domains:
-      - { name: test.local, command: 'echo OK > /tmp/test.txt'}
-  roles:
-      - ansible-role-certbot

test/integration/certbot/serverspec/certbot_spec.rb

@@ -1,47 +0,0 @@
-require 'serverspec'
-
-set :backend, :exec
-
-describe package('certbot') do
-  it { should be_installed }
-end
-
-describe file('/var/www/acme') do
-  it { should exist }
-  it { should be_directory }
-  it { should be_mode 755 }
-  it { should be_owned_by 'root' }
-  it { should be_grouped_into 'root' }
-end
-
-describe file('/etc/cron.d/certbot') do
-  it { should_not exist }
-end
-
-describe file('/var/spool/cron/crontabs/root') do
-  it { should exist }
-  it { should be_file }
-  it { should be_mode 600 }
-  it { should be_owned_by 'root' }
-  it { should be_grouped_into 'crontab' }
-  it { should contain '--renew-hook /usr/local/bin/certbot-renew' }
-end
-
-describe file('/etc/letsencrypt/renew.cfg') do
-  it { should exist }
-  it { should be_file }
-  it { should be_mode 644 }
-  it { should be_owned_by 'root' }
-  it { should be_grouped_into 'root' }
-  it { should contain 'test.local = echo OK > /tmp/test.txt' }
-end
-
-describe command('RENEWED_DOMAINS=test.local /usr/local/bin/certbot-renew') do
-  its(:exit_status) { should eq 0 }
-end
-
-describe file('/tmp/test.txt') do
-  it { should exist }
-  it { should be_file }
-  it { should contain 'OK' }
-end

test/integration/inventory

@@ -1,2 +0,0 @@
-[certbot]
-localhost