Merge pull request 'Switch Certbot to Snap package on Ubuntu 20.04+' (#211) from feature/certbot_snap into master

Reviewed-on: #211

site-cookbooks/kosmos-base/files/default/certbot.service

@@ -1,7 +1,6 @@
 [Unit]
 Description=Certbot
-Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
-Documentation=https://letsencrypt.readthedocs.io/en/latest/
+Documentation=https://certbot.eff.org/docs/
 OnFailure=status-email-ops@%n.service
 [Service]
 Type=oneshot

site-cookbooks/kosmos-base/recipes/letsencrypt.rb

@@ -24,13 +24,24 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
 
-# Install certbot and set up hooks
-
-apt_repository "certbot" do
-  uri "ppa:certbot/certbot"
+unless platform?('ubuntu')
+  raise "This recipe only supports Ubuntu installs"
 end
 
-package "certbot"
+if node[:platform_version].to_f < 20.04
+  apt_repository "certbot" do
+    uri "ppa:certbot/certbot"
+  end
+  package "certbot"
+else
+  bash "install_certbot_snap" do
+    code "snap install --classic certbot"
+  end
+  # TODO switch to snap_package resource when they fix it
+  # snap_package "certbot" do
+  #   options "--classic"
+  # end
+end
 
 %w(deploy post pre).each do |subdir|
   directory "/etc/letsencrypt/renewal-hooks/#{subdir}" do
@@ -52,22 +63,23 @@ systemctl reload nginx
   group "root"
 end
 
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+# gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
 
-template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
-  mode 0770
-end
+# TODO only write to machines that actually need it (e.g. via role)
+# template "/root/gandi_dns_certbot_hook.sh" do
+#   variables gandi_api_key: gandi_api_data_bag_item["key"]
+#   mode 0770
+# end
 
-include_recipe 'kosmos-base::systemd_emails'
+# include_recipe 'kosmos-base::systemd_emails'
 
+# TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services
 # Overwrite the systemd service to add email notifications on failures
-cookbook_file "/lib/systemd/system/certbot.service" do
-  source "certbot.service"
-  notifies :run, "execute[systemctl daemon-reload]", :delayed
-end
-
-execute "systemctl daemon-reload" do
-  command "systemctl daemon-reload"
-  action :nothing
-end
+# cookbook_file "/lib/systemd/system/certbot.service" do
+#   source "certbot.service"
+#   notifies :run, "execute[systemctl daemon-reload]", :delayed
+# end
+# execute "systemctl daemon-reload" do
+#   command "systemctl daemon-reload"
+#   action :nothing
+# end

site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb

@@ -39,10 +39,12 @@ action :create do
 
   include_recipe "kosmos-base::letsencrypt"
 
+  certbot_bin = node[:platform_version].to_f < 20.04 ? "/usr/bin/certbot" : "/snap/bin/certbot"
+
   # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
   # has been generated before. The renew cron will take care of renewing
   execute "letsencrypt cert for #{domain}" do
-    command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
+    command "#{certbot_bin} certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
     only_if do
       ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
         !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")