From ad825caa73e49b6a31627894f1d82af9937095f6 Mon Sep 17 00:00:00 2001 From: Chithra K Date: Tue, 17 Nov 2020 22:04:15 +0530 Subject: [PATCH 01/16] Add automated tests --- .github/workflows/molecule.yml | 44 ++++++++++++++++++++++++++++++++++ molecule/default/INSTALL.rst | 22 +++++++++++++++++ molecule/default/converge.yml | 14 +++++++++++ molecule/default/molecule.yml | 17 +++++++++++++ 4 files changed, 97 insertions(+) create mode 100644 .github/workflows/molecule.yml create mode 100644 molecule/default/INSTALL.rst create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml new file mode 100644 index 0000000..5ae8a37 --- /dev/null +++ b/.github/workflows/molecule.yml @@ -0,0 +1,44 @@ +--- +on: + # Trigger the workflow on push or pull request, + # but only for the main branch + push: + branches: + - master + pull_request: + branches: + - master +jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@v2 + with: + path: "${{ github.repository }}" + - name: molecule + uses: robertdebock/molecule-action@2.6.3 + with: + command: lint + test: + needs: + - lint + runs-on: ubuntu-latest + strategy: + matrix: + image: + - geerlingguy/docker-ubuntu2004-ansible:latest + - geerlingguy/docker-ubuntu1804-ansible:latest + - geerlingguy/docker-ubuntu1604-ansible:latest + - geerlingguy/docker-centos8-ansible:latest + - geerlingguy/docker-centos7-ansible:latest + steps: + - name: checkout + uses: actions/checkout@v2 + with: + path: "${{ github.repository }}" + - name: molecule + uses: robertdebock/molecule-action@2.6.3 + with: + image: "${{ matrix.image }}" + options: parallel diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst new file mode 100644 index 0000000..6a44bde --- /dev/null +++ b/molecule/default/INSTALL.rst 
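Review bot: Both actions in the new workflow are pinned only by tag (`actions/checkout@v2` and `robertdebock/molecule-action@2.6.3` in each `steps` list), and tags are mutable, so the code that runs with this repository checked out can change without any change to this file. Pinning to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: robertdebock/molecule-action@<commit-sha>  # 2.6.3` (placeholder), makes the CI supply chain reproducible and reviewable. The header comment `# but only for the main branch` also disagrees with the `branches: - master` filters below it; make the comment say `master`.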
@@ -0,0 +1,22 @@ +******* +Docker driver installation guide +******* + +Requirements +============ + +* Docker Engine + +Install +======= + +Please refer to the `Virtual environment`_ documentation for installation best +practices. If not using a virtual environment, please consider passing the +widely recommended `'--user' flag`_ when invoking ``pip``. + +.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ +.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site + +.. code-block:: bash + + $ pip install 'molecule[docker]' diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..91699e1 --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,14 @@ +--- +- name: Converge + hosts: all + become: true + + vars: + + pre_tasks: + - name: Update apt cache. + apt: update_cache=true cache_valid_time=600 + when: ansible_os_family == 'Debian' + + roles: + - role: ansible-role-letsencrypt diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..c7e5363 --- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,17 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu2004}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + pre_build_image: true +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} From fc231728faba154018f8aac8a602b23b324d4a01 Mon Sep 17 00:00:00 2001 From: Chithra K Date: Mon, 23 Nov 2020 21:28:51 +0530 Subject: [PATCH 02/16] Fix molecule tests --- .github/workflows/molecule.yml | 2 ++ molecule/default/converge.yml | 11 +++++++---- molecule/default/molecule.yml | 2 +- 3 files changed, 10 insertions(+), 5 deletions(-) 
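Review bot: The bare `vars:` key in the Converge play has no value, so YAML reads it as null; write `vars: {}` or drop the key until there is something to put under it. The apt task is written as an argument string (`apt: update_cache=true cache_valid_time=600`); the block form `apt:` / `update_cache: true` / `cache_valid_time: 600` is the conventional style and diffs more cleanly. `become: true` is the right boolean spelling and should be kept consistent as more tasks are added.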
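Review bot: The `instance` platform runs with `privileged: true` and the host's `/sys/fs/cgroup` bind-mounted, which gives the test container broad access to the CI runner, and nothing in the file records why. A comment such as `# privileged + cgroup mount: presumably needed so systemd starts inside the geerlingguy images — confirm` keeps that a deliberate decision rather than an inherited default. The `:latest` tag in the default `image` also means the test environment can change without a commit; pinning a tag or digest keeps a failing run attributable.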
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 5ae8a37..642c88b 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -42,3 +42,5 @@ jobs: with: image: "${{ matrix.image }}" options: parallel + env: + MOLECULE_DOCKER_IMAGE: "${{ matrix.image }}" diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 91699e1..d7df265 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -4,11 +4,14 @@ become: true vars: - + - default_mail_recipient: webmaster@acromedia.com pre_tasks: - - name: Update apt cache. - apt: update_cache=true cache_valid_time=600 - when: ansible_os_family == 'Debian' + + - name: Install nginx + apt: + name: nginx + update_cache: yes + state: present roles: - role: ansible-role-letsencrypt diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index c7e5363..e3ce9d4 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -5,7 +5,7 @@ driver: name: docker platforms: - name: instance - image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu2004}-ansible:latest" + image: ${MOLECULE_DOCKER_IMAGE:-'geerlingguy/docker-ubuntu1804-ansible:latest'} command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro From 519d2f88940e072b94c8b39bb89aaaba5eaf13f7 Mon Sep 17 00:00:00 2001 From: Chithra K Date: Mon, 23 Nov 2020 21:30:14 +0530 Subject: [PATCH 03/16] Add status badge --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index a516ccb..55f23cf 100644 --- a/README.md +++ b/README.md 
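Review bot: `vars:` is now a list of single-key mappings (`- default_mail_recipient: ...`); the conventional form is a plain mapping under `vars:`, which is also what schema checkers expect. The added apt task uses `update_cache: yes`, while `become: true` a few lines up uses the canonical YAML boolean; use `true` throughout. `webmaster@acromedia.com` looks like a real mailbox, and a fixture is safer with a reserved address such as `webmaster@example.com` so a misconfigured test run never contacts anyone.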
@@ -1,5 +1,7 @@ # Ansible role: letsencrypt +![.github/workflows/molecule.yml](https://github.com/AcroMedia/ansible-role-letsencrypt/workflows/.github/workflows/molecule.yml/badge.svg) + For use on shared hosting servers. The role: - Installs LetsEncrypt, - Makes a `/.well-known/acme-challenge` virtual directory available to all virtual hosts on the server (including the default site), so all sites can regsiter and renew LE SSL certificates, From 61a493bb2fd8b9ed489b841525a88f8ba35def41 Mon Sep 17 00:00:00 2001 From: Chithra K Date: Wed, 2 Dec 2020 17:15:57 +0530 Subject: [PATCH 04/16] Use prepare.yml --- molecule/default/converge.yml | 7 ------- molecule/default/prepare.yml | 23 +++++++++++++++++++++++ 2 files changed, 23 insertions(+), 7 deletions(-) create mode 100644 molecule/default/prepare.yml diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index d7df265..4e7b33a 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -5,13 +5,6 @@ vars: - default_mail_recipient: webmaster@acromedia.com - pre_tasks: - - - name: Install nginx - apt: - name: nginx - update_cache: yes - state: present roles: - role: ansible-role-letsencrypt diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml new file mode 100644 index 0000000..cb401fe --- /dev/null +++ b/molecule/default/prepare.yml @@ -0,0 +1,23 @@ +- name:Install nginx + become: no + gather_facts: yes + tasks: + + - name: Update yum + yum: + update_cache: yes + when: ansible_os_family == 'RedHat' + + - name: Install nginx for RedHat + package: + name: + - nginx + state: present + when: ansible_os_family == 'RedHat' + + - name: Install nginx + apt: + name: nginx + update_cache: yes + state: present + when: ansible_os_family == 'Ubuntu' From 1d1c05ebbe70fe977f166350ea965db2f6da683e Mon Sep 17 00:00:00 2001 
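Review bot: The new play in prepare.yml has no `hosts:` key, so Ansible will refuse to run it, and its first line `- name:Install nginx` (no space after the colon) is not a `name:` key at all — on most parsers the item fails to load as a mapping. Separately, both Ubuntu-guarded tasks use `when: ansible_os_family == 'Ubuntu'`, but Ubuntu reports `ansible_os_family` as `Debian` (it is `ansible_distribution` that reads `Ubuntu`), so the apt tasks never run on any Ubuntu image in the matrix; change the guard to `when: ansible_os_family == 'Debian'`. `hosts: all` matches what converge.yml targets.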
From: Chithra K Date: Wed, 2 Dec 2020 17:25:11 +0530 Subject: [PATCH 05/16] Fix typo --- molecule/default/prepare.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index cb401fe..714a477 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,4 +1,6 @@ -- name:Install nginx +- name: Install nginx + hosts: localhost + connection: local become: no gather_facts: yes tasks: @@ -8,16 +10,16 @@ update_cache: yes when: ansible_os_family == 'RedHat' - - name: Install nginx for RedHat + - name: Ensure nginx is isntalled package: name: - nginx state: present when: ansible_os_family == 'RedHat' - - name: Install nginx + - name: Ensure nginx is isntalled apt: - name: nginx - update_cache: yes + name: + - nginx state: present when: ansible_os_family == 'Ubuntu' From 911b60fa7a0b4b595d4b0e227da1c5f0f0520654 Mon Sep 17 00:00:00 2001 From: Chithra K Date: Wed, 2 Dec 2020 20:22:37 +0530 Subject: [PATCH 06/16] Fix typo --- molecule/default/prepare.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 714a477..00fbd93 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,6 +1,6 @@ - name: Install nginx - hosts: localhost - connection: local + hosts: all + # connection: local become: no gather_facts: yes tasks: @@ -10,16 +10,14 @@ update_cache: yes when: ansible_os_family == 'RedHat' - - name: Ensure nginx is isntalled + - name: Ensure nginx is installed package: name: - nginx state: present when: ansible_os_family == 'RedHat' - - name: Ensure nginx is isntalled - apt: - name: - - nginx - state: present - when: ansible_os_family == 'Ubuntu' + + - name: Ensure nginx is installed + apt: pkg=nginx state=present update_cache=true + when: ansible_os_family == 'Debian' From feb07848761bfb6f03465e5a662907bd66eb647c Mon Sep 17 00:00:00 2001 
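Review bot: `hosts: localhost` with `connection: local` points the prepare play at the Ansible control node (the CI runner) rather than the molecule instance, so nginx is installed, or fails to install, on the wrong machine while the test container stays unprepared; prepare.yml should target the same inventory as converge.yml, i.e. `hosts: all`. With `become: no` a package install on the runner would also lack privileges, so the most likely outcome is a failed prepare step rather than a silently wrong one. The play's task list continues in the second hunk of this commit, which still guards the apt tasks with `'Ubuntu'`.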
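Review bot: The Debian task is written as an argument string (`apt: pkg=nginx state=present update_cache=true`) while the RedHat task directly above it uses the block form (`package:` / `name:` / `state: present`); one style per file reads and diffs better, and the block form is what the linters in this pipeline prefer. The first hunk of this commit also leaves `# connection: local` behind as commented-out code in the play header; delete it rather than keep a disabled setting around.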
From: Chithra K Date: Wed, 2 Dec 2020 20:58:07 +0530 Subject: [PATCH 07/16] Install python --- molecule/default/prepare.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 00fbd93..524a482 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -21,3 +21,7 @@ - name: Ensure nginx is installed apt: pkg=nginx state=present update_cache=true when: ansible_os_family == 'Debian' + + - name: Ensure python is installed + apt: pkg=python state=present update_cache=true + when: ansible_os_family == 'Debian' From b2b10ce71811c06ef3f283089880fd6370cfd838 Mon Sep 17 00:00:00 2001 From: Chithra K Date: Wed, 2 Dec 2020 20:59:49 +0530 Subject: [PATCH 08/16] Install python --- molecule/default/prepare.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 524a482..74251ad 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -17,11 +17,17 @@ state: present when: ansible_os_family == 'RedHat' + - name: Ensure python is installed + package: + name: + - python + state: present + when: ansible_os_family == 'RedHat' - - name: Ensure nginx is installed + - name: Ensure nginx is installed for Debian apt: pkg=nginx state=present update_cache=true when: ansible_os_family == 'Debian' - - name: Ensure python is installed + - name: Ensure python is installed for Debian apt: pkg=python state=present update_cache=true when: ansible_os_family == 'Debian' From a29ea9442a21c93683dd28c0a9b44a746c882296 Mon Sep 17 00:00:00 2001 
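Review bot: The added task installs a package named `python`, which no longer exists on Ubuntu 20.04 (in the matrix as `docker-ubuntu2004-ansible`) — focal ships `python3` and `python2`/`python-is-python3` only — so prepare will fail on that image; the RedHat-side `package: name: - python` added in the next commit has the same problem, since CentOS 8 provides `python3` and `python2` but no `python`. If the goal is a usable interpreter for Ansible, install `python3` on both families. The task also repeats `update_cache=true` immediately after the nginx task refreshed the cache; one cache-update task with `cache_valid_time` avoids the extra apt run.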
From: Chithra K Date: Tue, 8 Dec 2020 11:59:20 +0530 Subject: [PATCH 09/16] Add acromedia-nginx role as dependency --- molecule/default/converge.yml | 3 ++- molecule/default/prepare.yml | 35 +++++++++++++++++++------------ molecule/default/requirements.yml | 6 ++++++ 3 files changed, 30 insertions(+), 14 deletions(-) create mode 100644 molecule/default/requirements.yml diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 4e7b33a..f1bea66 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -4,7 +4,8 @@ become: true vars: - - default_mail_recipient: webmaster@acromedia.com + - default_mail_recipient: webmaster@xyz.com + - letsencrypt_install_certbot_from_ppa: true roles: - role: ansible-role-letsencrypt diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 74251ad..da1ecad 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,7 +1,6 @@ -- name: Install nginx +- name: Prepare hosts: all - # connection: local - become: no + become: true gather_facts: yes tasks: 
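Review bot: `webmaster@xyz.com` swaps one real-looking domain for another that is also registered; the reserved `example.com` (RFC 2606) is the safe choice for a fixture value that the role presumably uses as a contact address — confirm against the role's templates. `letsencrypt_install_certbot_from_ppa: true` is added as a second single-key list item under `vars:`; a plain mapping with `default_mail_recipient` and `letsencrypt_install_certbot_from_ppa` as keys is the conventional form and avoids the list-of-dicts shape.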
@@ -10,24 +9,34 @@ update_cache: yes when: ansible_os_family == 'RedHat' - - name: Ensure nginx is installed - package: - name: - - nginx - state: present - when: ansible_os_family == 'RedHat' - name: Ensure python is installed package: name: - - python + - python3 state: present when: ansible_os_family == 'RedHat' - - name: Ensure nginx is installed for Debian - apt: pkg=nginx state=present update_cache=true + - name: Update cache + apt: update_cache=true cache_valid_time=600 + changed_when: false when: ansible_os_family == 'Debian' + - name: Ensure python is installed for Debian - apt: pkg=python state=present update_cache=true + apt: pkg=python3 state=present update_cache=true + when: ansible_os_family == 'Debian' + +- name: Install role dependencies that acromedia.letsencrypt will need + hosts: all + become: yes + gather_facts: yes + + pre_tasks: + - name: Ensure dirmngr is installed + apt: + name: dirmngr + state: present when: ansible_os_family == 'Debian' + roles: + - contrib/acromedia.nginx diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml new file mode 100644 index 0000000..269a5d9 --- /dev/null +++ b/molecule/default/requirements.yml @@ -0,0 +1,6 @@ +--- + +- name: contrib/acromedia.postfix + src: https://github.com/AcroMedia/ansible-role-nginx + version: origin/master + From c192d6436739af854da7e0112ffbb833dd6daa8e Mon Sep 17 00:00:00 2001 From: Chithra K Date: Tue, 8 Dec 2020 12:06:05 +0530 Subject: [PATCH 10/16] Add acromedia-nginx role as dependency --- molecule/default/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml index 269a5d9..edfbe62 100644 --- a/molecule/default/requirements.yml +++ b/molecule/default/requirements.yml @@ -1,6 +1,6 @@ --- -- name: contrib/acromedia.postfix +- name: contrib/acromedia.nginx src: https://github.com/AcroMedia/ansible-role-nginx version: origin/master 
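Review bot: The new requirements entry is named `contrib/acromedia.postfix` but its `src` is the nginx role repository, and prepare.yml in this same commit references `contrib/acromedia.nginx`, so galaxy installs the role under a name the playbook never uses. `version: origin/master` also tracks a moving branch, meaning the role under test pulls whatever that repository's master contains at CI time; pinning a tag or commit makes results reproducible and keeps an upstream breaking change or compromise from entering this pipeline unnoticed. Change the entry to `- name: contrib/acromedia.nginx` and `version: <tag-or-commit>` (placeholder).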
From a08b573eca6cd4ae0c497b583ace9c3e4e91aeae Mon Sep 17 00:00:00 2001 From: Dale Anderson Date: Thu, 17 Dec 2020 11:56:07 -0800 Subject: [PATCH 11/16] Do some housekeeping / reorganizing --- molecule/default/converge.yml | 6 +----- molecule/default/group_vars/all.yml | 2 ++ molecule/default/prepare.yml | 28 ++++++++++------------------ molecule/default/verify.yml | 8 ++++++++ 4 files changed, 21 insertions(+), 23 deletions(-) create mode 100644 molecule/default/group_vars/all.yml create mode 100644 molecule/default/verify.yml diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index f1bea66..b5d2c96 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -2,10 +2,6 @@ - name: Converge hosts: all become: true - - vars: - - default_mail_recipient: webmaster@xyz.com - - letsencrypt_install_certbot_from_ppa: true - + gather_facts: true roles: - role: ansible-role-letsencrypt diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml new file mode 100644 index 0000000..8d7aec1 --- /dev/null +++ b/molecule/default/group_vars/all.yml @@ -0,0 +1,2 @@ +--- +default_mail_recipient: webmaster@example.com diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index da1ecad..1c4890a 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml 
@@ -4,39 +4,31 @@ gather_facts: yes tasks: - - name: Update yum + - name: Update yum cache yum: update_cache: yes when: ansible_os_family == 'RedHat' + - name: Update cache + apt: + update_cache: yes + when: ansible_os_family == 'Debian' - - name: Ensure python is installed + - name: Ensure python3 is installed package: name: - python3 state: present - when: ansible_os_family == 'RedHat' - - - name: Update cache - apt: update_cache=true cache_valid_time=600 - changed_when: false - when: ansible_os_family == 'Debian' - - - name: Ensure python is installed for Debian - apt: pkg=python3 state=present update_cache=true + - name: Ensure dirmngr is installed (required to install software from PPAs) + apt: + name: dirmngr + state: present when: ansible_os_family == 'Debian' - name: Install role dependencies that acromedia.letsencrypt will need hosts: all become: yes gather_facts: yes - - pre_tasks: - - name: Ensure dirmngr is installed - apt: - name: dirmngr - state: present - when: ansible_os_family == 'Debian' roles: - contrib/acromedia.nginx diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..f34adc7 --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,8 @@ +--- +- name: Converge + hosts: all + become: true + gather_facts: true + tasks: + - name: Make sure certbot runs + command: /usr/local/bin/certbot-auto From 4c884e0dbda172c6342e4a72f4cc47658e4e4e03 Mon Sep 17 00:00:00 2001 From: Dale Anderson Date: Thu, 17 Dec 2020 13:12:37 -0800 Subject: [PATCH 12/16] Let us just install certbot, and not actually try and register a cert, in order to pass molecule tests --- defaults/main.yml | 6 ++++++ molecule/default/group_vars/all.yml | 1 + molecule/default/molecule.yml | 3 +++ tasks/main.yml | 2 ++ 4 files changed, 12 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 18a5a23..ba0e8ec 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
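Review bot: The new verify play is named `Converge`, a copy-paste from converge.yml; name it `Verify` so molecule output is readable. Its only task runs `/usr/local/bin/certbot-auto` with no arguments, and that script is a self-updating wrapper (the later commit's assert text says as much), so as far as I can tell the check depends on outbound network access and may start the interactive certbot flow rather than simply prove the file is present. `command: /usr/local/bin/certbot-auto --help` with `changed_when: false` is a narrower smoke test.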
@@ -26,3 +26,9 @@ letsencrypt_renew_cron_day: "*" letsencrypt_webroot: /var/www/letsencrypt letsencrypt_install_certbot_from_ppa: false + +# Since molecule tests cannot actually run with valid DNS, or even an incoming +# connection on port 80, we need to be able to disable the automatic creattion +# of the default site certificates. If you think you need to set this false +# for any other purpose, you probably shouldn't be using letsencrypt at all. +letsencrypt_create_default_server_cert: true diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml index 8d7aec1..e0c9bb4 100644 --- a/molecule/default/group_vars/all.yml +++ b/molecule/default/group_vars/all.yml @@ -1,2 +1,3 @@ --- default_mail_recipient: webmaster@example.com +letsencrypt_create_default_server_cert: false diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index e3ce9d4..7d4ff10 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -15,3 +15,6 @@ provisioner: name: ansible playbooks: converge: ${MOLECULE_PLAYBOOK:-converge.yml} + config_options: + defaults: + verbosity: ${MOLECULE_VERBOSITY:-0} diff --git a/tasks/main.yml b/tasks/main.yml index 50a1f9f..c3a3aa7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,6 +134,7 @@ when: default_cert_result is defined and default_cert_result.rc is defined and default_cert_result.rc != 0 + and letsencrypt_create_default_server_cert environment: DEBIAN_FRONTEND: noninteractive @@ -145,3 +146,4 @@ - name: Run {{ letsencrypt_webserver }}_default_ssl.yml playbook include: "{{ letsencrypt_webserver }}_default_ssl.yml" + when: letsencrypt_create_default_server_cert From 5438014d0268459a89bb28cb04232a8b1825720d Mon Sep 17 00:00:00 2001 
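Review bot: The new comment block above `letsencrypt_create_default_server_cert` has a typo (`creattion` → `creation`). It would also help to say what the flag gates, since the rest of this commit attaches it to exactly two places in tasks/main.yml: the certbot run for the default site and the `{{ letsencrypt_webserver }}_default_ssl.yml` include; e.g. `# Gates the default-site certbot run and the *_default_ssl.yml include.`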
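Review bot: The `when: letsencrypt_create_default_server_cert` is attached to an `include:`, which has been deprecated since Ansible 2.4 in favour of `include_tasks`/`import_tasks` and is removed in recent ansible-core. `include_tasks: "{{ letsencrypt_webserver }}_default_ssl.yml"` keeps the dynamic filename and is the drop-in replacement here. The first hunk of this commit appends the same flag to a multi-line plain-scalar `when:`; that works, but a list form (`when:` with one `- condition` entry per line) reads more clearly. The surrounding task list extends outside both hunks.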
From: Dale Anderson Date: Thu, 17 Dec 2020 13:19:55 -0800 Subject: [PATCH 13/16] Write a passing test so we can close this PR, and open a new one that addresses the new snap-based certbot installation --- molecule/default/verify.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index f34adc7..b1bd039 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -4,5 +4,14 @@ become: true gather_facts: true tasks: - - name: Make sure certbot runs - command: /usr/local/bin/certbot-auto + - name: Trivailly execute the certbot script, just to make sure it's present, + but only call it with the --help flag, so it does not try to do any work. + The certbot-auto script is no longer supported, and has been replaced + by snapd. This upgrade will be addressed in a new pull request. + shell: /usr/local/bin/certbot-auto --help + register: certbot_result + + - name: Ensure output looks as expected + assert: + that: + '"A self-updating wrapper script for the Certbot ACME client." in certbot_result.stdout' From a3906cc50f16e5fd7a108dbd65578f8a70a84a73 Mon Sep 17 00:00:00 2001 From: Dale Anderson Date: Thu, 17 Dec 2020 14:56:31 -0800 Subject: [PATCH 14/16] Stop after the first failure --- .github/workflows/molecule.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 642c88b..f5c4aae 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -17,7 +17,7 @@ jobs: with: path: "${{ github.repository }}" - name: molecule - uses: robertdebock/molecule-action@2.6.3 + uses: robertdebock/molecule-action@2.6.8 with: command: lint test: 
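Review bot: The task name is a four-line plain scalar with a typo (`Trivailly`); ansible prints the name on every run, so a one-line name such as `Check that certbot-auto is present (--help only)` with the background moved into a `#` comment above the task reads better. `shell:` is not needed for `/usr/local/bin/certbot-auto --help` (no pipes or redirection), so `command:` avoids shell interpretation, and `changed_when: false` stops a read-only smoke test from reporting a change. The `assert` pins the exact help banner, so it will break when the script's wording changes; a comment saying so, or a shorter substring, will save the next person a puzzle.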
@@ -38,9 +38,10 @@ jobs: with: path: "${{ github.repository }}" - name: molecule - uses: robertdebock/molecule-action@2.6.3 + uses: robertdebock/molecule-action@2.6.8 with: image: "${{ matrix.image }}" options: parallel env: MOLECULE_DOCKER_IMAGE: "${{ matrix.image }}" + max_failures: 1 From f53097eb4781b8de20b1f09173c9c84f77e1b39c Mon Sep 17 00:00:00 2001 From: Dale Anderson Date: Thu, 17 Dec 2020 14:57:18 -0800 Subject: [PATCH 15/16] Conver shell tasks to something that passes idempotence --- defaults/main.yml | 10 +++++----- molecule/default/group_vars/all.yml | 1 + tasks/apache_default_ssl.yml | 8 ++++---- tasks/main.yml | 18 ++++++++---------- tasks/nginx_default_ssl.yml | 4 +++- 5 files changed, 21 insertions(+), 20 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ba0e8ec..4e2316e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -27,8 +27,8 @@ letsencrypt_webroot: /var/www/letsencrypt letsencrypt_install_certbot_from_ppa: false -# Since molecule tests cannot actually run with valid DNS, or even an incoming -# connection on port 80, we need to be able to disable the automatic creattion -# of the default site certificates. If you think you need to set this false -# for any other purpose, you probably shouldn't be using letsencrypt at all. -letsencrypt_create_default_server_cert: true +# Since molecule tests cannot actually run with valid DNS, or even listen for +# external connections on port 80, we need to be able to simulate some pieces +# of the letsencrypt process in order to check the rest of the moving parts of the role. +# This variable should only ever be used by molecule tests. +letsencrypt_molecule_mock_mode: false diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml index e0c9bb4..bcdeab1 100644 --- a/molecule/default/group_vars/all.yml +++ b/molecule/default/group_vars/all.yml 
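Review bot: `max_failures: 1` is not a key GitHub Actions defines for a step or a job, and it is not among the inputs this file passes to the molecule action (`command`, `image`, `options`); depending on where it sits after the lost indentation it is either a harmless environment variable under `env:` or makes the workflow invalid. Stopping the matrix after the first failing image is the `fail-fast: true` option under `strategy:` (the default, so the job may already behave that way), and `max-parallel: 1` would serialize the images if that is what is wanted. The version bump in the first hunk is fine.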
@@ -1,3 +1,4 @@ --- default_mail_recipient: webmaster@example.com letsencrypt_create_default_server_cert: false +letsencrypt_molecule_mock_mode: true diff --git a/tasks/apache_default_ssl.yml b/tasks/apache_default_ssl.yml index 5279a24..96d8722 100644 --- a/tasks/apache_default_ssl.yml +++ b/tasks/apache_default_ssl.yml @@ -11,8 +11,8 @@ backup: true notify: restart apache when: default_cert_retest is defined - and default_cert_retest.rc is defined - and default_cert_retest.rc == 0 + and default_cert_retest.stat is defined + and default_cert_retest.stat.exists - name: Disable the factory default site on EL Apache 2.2 (we already set up in the welcome file) template: @@ -21,7 +21,7 @@ backup: true notify: restart apache when: default_cert_retest is defined - and default_cert_retest.rc is defined - and default_cert_retest.rc == 0 + and default_cert_retest.stat is defined + and default_cert_retest.stat.exists and ansible_os_family == 'RedHat' and apache_version is version('2.4.0', '<' ) diff --git a/tasks/main.yml b/tasks/main.yml index c3a3aa7..f86509c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -111,10 +111,9 @@ creates: /usr/local/ssl/private/dhparams.pem - name: Stat the default site SSL cert - shell: "test -e /etc/letsencrypt/live/{{ default_site_fqdn }}" + stat: + path: "/etc/letsencrypt/live/{{ default_site_fqdn }}" register: default_cert_result - changed_when: "default_cert_result.rc != 0" - ignore_errors: true - name: Compose the certbot command string for the default site cert set_fact: 
@@ -132,18 +131,17 @@ {{ certbot_command_string }} --dry-run && {{ certbot_command_string }} register: certbot_result when: default_cert_result is defined - and default_cert_result.rc is defined - and default_cert_result.rc != 0 - and letsencrypt_create_default_server_cert + and default_cert_result.exists is defined + and (not default_cert_result.exists) + and (not letsencrypt_molecule_mock_mode) environment: DEBIAN_FRONTEND: noninteractive - name: Re-stat default site SSL cert - shell: "test -e /etc/letsencrypt/live/{{ default_site_fqdn }}" + stat: + path: "/etc/letsencrypt/live/{{ default_site_fqdn }}" register: default_cert_retest - ignore_errors: true - changed_when: default_cert_retest.rc != default_cert_result.rc - name: Run {{ letsencrypt_webserver }}_default_ssl.yml playbook include: "{{ letsencrypt_webserver }}_default_ssl.yml" - when: letsencrypt_create_default_server_cert + when: not letsencrypt_molecule_mock_mode diff --git a/tasks/nginx_default_ssl.yml b/tasks/nginx_default_ssl.yml index 8657e4d..c1c1a55 100644 --- a/tasks/nginx_default_ssl.yml +++ b/tasks/nginx_default_ssl.yml @@ -5,4 +5,6 @@ dest: "{{ nginx_vhost_conf_dir }}/{{ nginx_default_vhost_filename }}" backup: yes notify: reload nginx - when: default_cert_retest.rc == 0 + when: default_cert_retest is defined + and default_cert_retest.stat is defined + and default_cert_retest.stat.exists From 84fcbd65ab5566b205dc10f0ad55db139fee3341 Mon Sep 17 00:00:00 2001 From: Dale Anderson Date: Thu, 17 Dec 2020 15:10:30 -0800 Subject: [PATCH 16/16] Make sure cron job can be installed during molecule test on RedHat --- molecule/default/prepare.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 1c4890a..edece61 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml 
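Review bot: The rewritten `when:` on the certbot task tests `default_cert_result.exists`, but the `stat` module registered in the previous hunk returns that under `default_cert_result.stat.exists` — which is exactly what the apache and nginx task files in this same commit use — so `default_cert_result.exists is defined` is always false and the certbot run is silently skipped on every host, not only in mock mode. Change the two lines to `and default_cert_result.stat is defined` and `and (not default_cert_result.stat.exists)`. Because the task is skipped rather than failed, a real deployment finishes green without a default-site certificate; a verify step that asserts `default_cert_retest.stat.exists` when `letsencrypt_molecule_mock_mode` is false would catch this class of regression.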
@@ -26,6 +26,12 @@ state: present when: ansible_os_family == 'Debian' + - name: Ensure cron is installed + yum: + name: cronie + state: present + when: ansible_os_family == 'RedHat' + - name: Install role dependencies that acromedia.letsencrypt will need hosts: all become: yes
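Review bot: The new `Ensure cron is installed` task uses the `yum` module while the python3 task earlier in the same play uses `package:`; `package: name: cronie` with the same `when` keeps the file to one style (as far as I know the yum action forwards to dnf on the CentOS 8 image, so behaviour is unchanged either way). A short comment recording why cron is needed, e.g. `# minimal EL images ship without cron; presumably the role's renewal cron job needs it — confirm`, would help, since only the commit title carries that reason. The enclosing play starts outside the hunk.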