move roles, files and templates dirs out of playbook dir into root dir

Because of how Ansible local relative search paths work, the global
"files" and "templates" directories need to be next to the playbooks.
However its not intuitive to look into the "playbooks" directory to find
the files and templates for a host.
Therefore move them out of the "playbooks" directory into the root
directory and add symlinks so everything still works.

Similarly for local roles, they also need to be next to the playbooks.
So for a nicer structure, move the "roles" directory out into the root
directory as well and add a symlink so everything still works.

Also see:
https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_reuse_roles.html#storing-and-finding-roles

roles/certbot/README.md

@@ -0,0 +1,15 @@
+# Role `certbot`
+
+A role for deploying Certbot and setting up certificates using it.
+
+Note: This role doesn't take care of deleting certificates.
+
+Also see the following documentation for a full How-to on how to get certificates using this role in the context of our infra: <https://wiki.ccchh.net/infrastructure:zertifikate>.
+
+## Required Arguments
+
+For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
+
+## `hosts`
+
+The `hosts` for this role need to be the machines on which you want to make sure Certbot is deployed and given certificates are set up.

roles/certbot/defaults/main.yaml

@@ -0,0 +1,2 @@
+certbot__http_01_port: 31820
+certbot__new_cert_commands: [ ]

roles/certbot/meta/argument_specs.yaml

@@ -0,0 +1,36 @@
+argument_specs:
+  main:
+    options:
+      certbot__version_spec:
+        description: >-
+          The version specification to use for installing the `certbot` package.
+          The provided version specification will be used like the following:
+          `cerbot={{ certbot__version_spec }}*`. This makes it possible to e.g.
+          specify until a minor version (like `1.3.`) and then have patch
+          versions be installed automatically (like `1.3.1` and so on).
+        type: str
+        required: true
+      certbot__acme_account_email_address:
+        description: The E-Mail address to give to certbot for the ACME account.
+        type: str
+        required: true
+      certbot__certificate_domains:
+        description: The domains for which to obtain a certificate.
+        type: list
+        elements: str
+        required: true
+      certbot__http_01_port:
+        description: |
+          The port number the bot listens on. Must be 80 if directly exposed to the internet.
+          Default is 31820 for the public-reverse-proxy setup.
+        type: str
+        required: false
+        default: 31820
+      certbot__new_cert_commands:
+        description: >-
+          A list of commands to execute after getting a new certificate.
+          Will be added into a bash script.
+        type: list
+        elements: str
+        required: false
+        default: [ ]

roles/certbot/meta/main.yaml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: distribution_check
+    vars:
+      distribution_check__distribution_support_spec:
+        - name: Debian
+          major_versions:
+            - 11
+            - 12

roles/certbot/tasks/main.yaml

@@ -0,0 +1,11 @@
+- name: ensure certbot installation
+  ansible.builtin.import_tasks:
+    file: main/install.yaml
+
+- name: ensure new cert commands
+  ansible.builtin.import_tasks:
+    file: main/new_cert_commands.yaml
+
+- name: ensure certificates
+  ansible.builtin.import_tasks:
+    file: main/certs.yaml

roles/certbot/tasks/main/cert.yaml

@@ -0,0 +1,24 @@
+- name: get expiry date before
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  ignore_errors: true
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_before
+
+- name: obtain the certificate using certbot
+  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
+  become: true
+  changed_when: false
+
+- name: get expiry date after
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_after
+
+# Doesn't work anymore. Dunno why.
+# TODO: Fix
+# - name: potentially report changed
+#   ansible.builtin.debug:
+#     msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
+#   changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout

roles/certbot/tasks/main/certs.yaml

@@ -0,0 +1,4 @@
+- name: obtain certificates
+  loop: "{{ certbot__certificate_domains }}"
+  ansible.builtin.include_tasks:
+    file: main/cert.yaml

roles/certbot/tasks/main/install.yaml

@@ -0,0 +1,19 @@
+- name: make sure the `openssl` package is installed
+  ansible.builtin.apt:
+    name: openssl
+    state: present
+  become: true
+
+- name: make sure the `certbot` package is installed
+  ansible.builtin.apt:
+    name: certbot={{ certbot__version_spec }}*
+    state: present
+    allow_change_held_packages: true
+    update_cache: true
+  become: true
+
+- name: apt-mark hold `certbot`
+  ansible.builtin.dpkg_selections:
+    name: certbot
+    selection: hold
+  become: true

roles/certbot/tasks/main/new_cert_commands.yaml

@@ -0,0 +1,17 @@
+- name: ensure existence of renewal deploy hooks directory
+  ansible.builtin.file:
+    path: /etc/letsencrypt/renewal-hooks/deploy
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ensure renewal deploy hook commands
+  ansible.builtin.template:
+    src: renewal_deploy_hook_commands.sh.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
+    owner: root
+    group: root
+    mode: "0770"
+  become: true

roles/certbot/templates/renewal_deploy_hook_commands.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+{% for command in certbot__new_cert_commands %}
+{{ command }}
+{% endfor %}