Switch Certbot to snap package on Ubuntu 20.04+

Needs only minor changes. Tested and running on wiki.kosmos.org already.
2020-09-06 13:46:06 +02:00
parent ded21fb009
commit a1a0d7e4c1
3 changed files with 36 additions and 23 deletions
--- a/site-cookbooks/kosmos-base/files/default/certbot.service
+++ b/site-cookbooks/kosmos-base/files/default/certbot.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=Certbot
-Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
-Documentation=https://letsencrypt.readthedocs.io/en/latest/
+Documentation=https://certbot.eff.org/docs/
 OnFailure=status-email-ops@%n.service
 [Service]
 Type=oneshot
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -24,13 +24,24 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.

-# Install certbot and set up hooks
-
-apt_repository "certbot" do
-  uri "ppa:certbot/certbot"
+unless platform?('ubuntu')
+  raise "This recipe only supports Ubuntu installs"
 end

-package "certbot"
+if node[:platform_version].to_f < 20.04
+  apt_repository "certbot" do
+    uri "ppa:certbot/certbot"
+  end
+  package "certbot"
+else
+  bash "install_certbot_snap" do
+    code "snap install --classic certbot"
+  end
+  # TODO switch to snap_package resource when they fix it
+  # snap_package "certbot" do
+  #   options "--classic"
+  # end
+end

 %w(deploy post pre).each do |subdir|
  directory "/etc/letsencrypt/renewal-hooks/#{subdir}" do
@@ -52,22 +63,23 @@ systemctl reload nginx
  group "root"
 end

-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+# gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')

-template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
-  mode 0770
-end
+# TODO only write to machines that actually need it (e.g. via role)
+# template "/root/gandi_dns_certbot_hook.sh" do
+#   variables gandi_api_key: gandi_api_data_bag_item["key"]
+#   mode 0770
+# end

-include_recipe 'kosmos-base::systemd_emails'
+# include_recipe 'kosmos-base::systemd_emails'

+# TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services
 # Overwrite the systemd service to add email notifications on failures
-cookbook_file "/lib/systemd/system/certbot.service" do
-  source "certbot.service"
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
-end
-
-execute "systemctl daemon-reload" do
-  command "systemctl daemon-reload"
-  action :nothing
-end
+# cookbook_file "/lib/systemd/system/certbot.service" do
+#   source "certbot.service"
+#   notifies :run, "execute[systemctl daemon-reload]", :delayed
+# end
+# execute "systemctl daemon-reload" do
+#   command "systemctl daemon-reload"
+#   action :nothing
+# end