support running certbot via docker container

Usefule so other containers can access the certificates when running
with UID remapping.

Signed-off-by: Jakub Sokołowski <jakub@status.im>

defaults/main.yml

@@ -1,13 +1,7 @@
 ---
-# Certbot auto-renew cron job configuration (for certificate renewals).
-certbot_auto_renew: true
-certbot_auto_renew_user: 'www-data'
-certbot_auto_renew_frequency: 'daily'
-certbot_auto_renew_timeout_sec: 120
-certbot_auto_renew_options: '--quiet --no-self-upgrade'
-
 # Parameters used when creating new Certbot certs.
 certbot_admin_email: 'email@example.com'
+certbot_certs_dir: '/etc/letsencrypt'
 certbot_certs: []
 # - domains:
 #     - example1.com
@@ -15,8 +9,9 @@ certbot_certs: []
 # - domains:
 #     - example3.com
 
-certbot_create_command: >-
-  certbot certonly --standalone --noninteractive --agree-tos
+certbot_entrypoint: '/usr/bin/certbot'
+certbot_create_arguments: >-
+  certonly --standalone --noninteractive --agree-tos
   --email {{ certbot_admin_email }}
   -d {{ cert_item.domains | join(',') }}
 
@@ -24,5 +19,13 @@ certbot_create_standalone_stop_services:
   - nginx
   # - apache
 
-# Where to put Certbot when installing from source.
-certbot_dir: /opt/certbot
+# Use docker container to manage certificates.
+certbot_docker_enabled: false
+certbot_docker_cont_name: 'certbot'
+certbot_docker_cont_tag: 'v1.15.0'
+certbot_docker_cont_image: 'certbot/certbot:{{ certbot_docker_cont_tag }}'
+
+# Certbot auto-renew cron job configuration (for certificate renewals).
+certbot_auto_renew: true
+certbot_auto_renew_frequency: 'daily'
+certbot_auto_renew_timeout_sec: 120

tasks/create.yml

@@ -1,9 +1,15 @@
 ---
 - name: Check if certificate already exists.
   stat:
-    path: '/etc/letsencrypt/live/{{ cert_item.domains | first | replace("*.", "") }}/cert.pem'
+    path: '{{ certbot_certs_dir }}/live/{{ cert_item.domains | first | replace("*.", "") }}/cert.pem'
   register: letsencrypt_cert
 
+- name: Fix LetsEncrypt folder permissions
+  file:
+    path: '{{ certbot_certs_dir }}'
+    owner: '{{ certbot_docker_enabled | ternary("dockremap", "root") }}'
+    recurse: true
+
 - when: not letsencrypt_cert.stat.exists
   block:
     - name: Stop services to allow certbot to generate a cert.
@@ -13,7 +19,7 @@
       with_items: "{{ certbot_create_standalone_stop_services }}"
 
     - name: Generate new certificate if one doesn't exist.
-      command: '{{ certbot_create_command }}'
+      command: '{{ certbot_entrypoint }} {{ certbot_create_arguments }}'
 
     - name: Start services after cert has been generated.
       service:

tasks/install.yml

@@ -2,3 +2,18 @@
 - name: Install Certbot.
   package:
     name: certbot
+  when: not certbot_docker_enabled
+
+- name: Create docker wrapper for certbot
+  copy:
+    dest: '{{ certbot_entrypoint }}'
+    mode: 0755
+    content: |
+      #!/usr/bin/env bash
+      exec docker run -i --rm \
+        --name='{{ certbot_docker_cont_name }}' \
+        -v '{{ certbot_certs_dir }}:{{ certbot_certs_dir }}' \
+        -p '80:80/tcp' -p '443:443/tcp' \
+        '{{ certbot_docker_cont_image }}' \
+        "$@"
+  when: certbot_docker_enabled

tasks/renew.yml

@@ -4,10 +4,10 @@
   vars:
     systemd_timer_name: 'certbot-renew'
     systemd_timer_description: 'LetsEncrypt certificate renewal via certbot.'
-    systemd_timer_user: '{{ certbot_auto_renew_user }}'
-    systemd_timer_work_dir: '{{ certbot_dir }}'
+    systemd_timer_user: 'root'
+    systemd_timer_work_dir: '{{ certbot_certs_dir }}'
     systemd_timer_frequency: '{{ certbot_auto_renew_frequency }}'
     systemd_timer_timeout_sec: '{{ certbot_auto_renew_timeout_sec }}'
     systemd_timer_start_on_creation: false
-    systemd_timer_script_path: '/usr/bin/certbot'
-    systemd_timer_script_args: 'renew {{ certbot_auto_renew_options }}'
+    systemd_timer_script_path: '{{ certbot_entrypoint }}'
+    systemd_timer_script_args: 'renew'