Initial code commit

.yamllint

@@ -0,0 +1,15 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 250
+    level: warning
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
+  braces:
+    max-spaces-inside: 1
+  octal-values:
+    forbid-explicit-octal: true
+    forbid-implicit-octal: true

README.md

@@ -0,0 +1,124 @@
+# Ansible Role: cerbot_netcup
+
+An [Ansible](https://www.ansible.com) role to install [Certbot](https://certbot.eff.org/) and issue certificates with the DNS01 challenge by using Netcup's DNS servers.
+
+
+## Requirements
+
+- Netcup DNS setup
+- Netcup API Key and Password
+
+## Dependencies
+
+- [geerlingguy.pip](https://galaxy.ansible.com/ui/standalone/roles/geerlingguy/pip/)
+- [geerlingguy.certbot](https://galaxy.ansible.com/ui/standalone/roles/geerlingguy/certbot/) (or some fork of it)
+- [community.general](https://galaxy.ansible.com/ui/repo/published/community/general/)
+
+Install dependencies with
+```shell
+ansible-galaxy install -r requirements.yml
+```
+
+## Role Variables
+
+```yaml
+# Netcup customer ID
+certbot_netcup_customer_id: ""
+```
+The Netcup Customer ID
+
+```yaml
+# Netcup API Key
+certbot_netcup_api_key: ""
+```
+
+The Netcup API Key
+
+```yaml
+# Netcup API Password
+certbot_netcup_api_password: ""
+```
+
+The Netcup API Password
+
+```yaml
+# Path where to store netcup credentials file
+certbot_netcup_credentials_path: "/etc/letsencrypt/netcup_credentials.ini"
+```
+
+The path where to store the Netcup credentials for the Certbot DNS plugin. Usually it's not required to change this.
+
+```yaml
+# DNS propagation time for DNS plugin to wait until trying to verify the DNS challenge
+certbot_netcup_propagation_seconds: 1200
+```
+
+The time to wait in seconds after creating the DNS TXT records for the new records to propagate so they can be verified.
+
+```yaml
+certbot_certs:
+  - email: "admin@example3.com"
+    domains:
+      - *.example3.com
+```
+
+The primary reason for using the `DNS01` challenge is to provision wildcard certificates. But of course this method can be used for non-wildcard certificates as well, if no webserver should be spun up.
+
+```yaml
+certbot_cloudflare_acme_server: "{{ certbot_cloudflare_acme_test }}"
+```
+or 
+```yaml
+certbot_cloudflare_acme_server: "{{ certbot_cloudflare_acme_live }}"
+```
+    
+Let's Encrypt server to use, defaults to test.
+
+
+```yaml
+# The base role for installing and configuring certbot. This role was developed
+# with geerlingguy.certbot v5.2.1, so any fork using the same role variable names and providing the task "create-cert-standalone.yml"
+# should work.
+certbot_netcup_certbot_base_role: "geerlingguy.certbot"
+```
+
+The role to use for installing certbot in the first place.
+This role re-uses the following role variables from `geerlingguy.certbot`:
+- `certbot_create_standalone_stop_services`
+- `certbot_create_if_missing` 
+- `certbot_dir`
+- `certbot_install_method`
+
+This role expects the certbot role to build the certbot `create` command the same way `geerlingguy.certbot` does. It then explicitly calls
+the certbot rule's `create-cert-standalone.yml` task if  `certbot_create_if_missing` is set to `true`.
+If `certbot_install_method` is set to `snap`, the Netcup DNS plugin will be installed using Snap as well, otherwise it is installed using pip.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+```yaml
+- name: "Install Certbot and issue wildcard certificate"
+  hosts: servers
+  vars:
+    certbot_netcup_customer_id: "123456"
+    certbot_netcup_api_key: "0123456789abcdef0123456789abcdef01234567"
+    certbot_netcup_api_password: "abcdef0123456789abcdef01234567abcdef0123"
+    certbot_admin_email: "mail@example3.com"
+    # Issue the certificate as part of the playbook
+    certbot_create_if_missing: true
+    certbot_certs:
+        - domains:
+          - *.example3.com
+  roles:
+      - salvoxia.certbot-netcup
+```
+
+## License
+
+MIT
+
+
+## Author Information
+
+This role was created by Salvoxia (salvoxia@blindfish.info).

defaults/main.yml

@@ -0,0 +1,29 @@
+---
+# defaults file for certbot-netcup
+
+# Netcup customer ID
+certbot_netcup_customer_id: ""
+# Netcup API Key
+certbot_netcup_api_key: ""
+# Netcup API Password
+certbot_netcup_api_password: ""
+# Path where to store netcup credentials file
+certbot_netcup_credentials_path: "/etc/letsencrypt/netcup_credentials.ini"
+# DNS propagation time for DNS plugin to wait until trying to verify the DNS challenge
+certbot_netcup_propagation_seconds: 1200
+# The base role for installing and configuring certbot. This role was developed
+# with geerlingguy.certbot v5.2.1, so any fork using the same role variable names and providing the task "create-cert-standalone.yml"
+# should work.
+certbot_netcup_certbot_base_role: "geerlingguy.certbot"
+
+certbot_create_standalone_stop_services: []
+certbot_create_if_missing: true
+
+certbot_dir: "/opt/certbot"
+
+# Use the ACME v2 staging URI for testing things
+certbot_netcup_acme_test: "https://acme-staging-v02.api.letsencrypt.org/directory"
+# Production ACME v2 API endpoint
+certbot_netcup_acme_live: "https://acme-v02.api.letsencrypt.org/directory"
+
+certbot_netcup_acme_server: "{{ certbot_netcup_acme_test }}"

meta/main.yml

@@ -0,0 +1,34 @@
+---
+galaxy_info:
+  role_name: certbot_netcup
+  author: salvoxia
+  description: Install and configure certbot for creating Let's Encrypt certificates with the DNS01 challenge using Netcup. Based on michaelpporter.certbot_cloudflare.
+  issue_tracker_url: https://github.com/salvoxia/ansible-role-certbot-netcup/issues
+  license: "license (BSD, MIT)"
+  min_ansible_version: "2.4"
+  platforms:
+    - name: Ubuntu
+      versions:
+        - jammy
+    - name: Debian
+      versions:
+        - bullseye
+        - bookworm
+  galaxy_tags:
+    - netcup
+    - networking
+    - system
+    - web
+    - certbot
+    - letsencrypt
+    - encryption
+    - certificates
+    - ssl
+    - https
+
+dependencies:
+  - src: geerlingguy.pip
+    version: 3.1.0
+  - role: geerlingguy.certbot
+    version: 5.2.1
+    certbot_certs: []

molecule/install_from_pkgmgr/converge.yml

@@ -0,0 +1,27 @@
+---
+- name: "Converge"
+  hosts: all
+  become: true
+  pre_tasks:
+    - name: "Install dependencies (RedHat)."
+      ansible.builtin.yum:
+        name:
+          - cronie
+          - epel-release
+        state: present
+      when: ansible_os_family == 'RedHat'
+
+    - name: "Install cron (Debian)."
+      ansible.builtin.apt:
+        name:
+          - cron
+        state: present
+        update_cache: true
+      when: ansible_os_family == 'Debian'
+  vars:
+    certbot_auto_renew_user: "root"
+    certbot_netcup_customer_id: "123456"
+    certbot_netcup_api_key: "0123456789abcdef0123456789abcdef01234567"
+    certbot_netcup_api_password: "abcdef0123456789abcdef01234567abcdef0123"
+  roles:
+    - role: "salvoxia.certbot_netcup"

molecule/install_from_pkgmgr/molecule.yml

@@ -0,0 +1,18 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: "${MOLECULE_IMAGE:-debian12}"
+    image: "geerlingguy/docker-${MOLECULE_IMAGE:-debian12}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    pre_build_image: true
+    cgroupns_mode: host
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/install_from_pkgmgr/prepare.yml

@@ -0,0 +1,33 @@
+---
+- name: "Prepare"
+  hosts: all
+  become: true
+  tasks:
+    - name: "Install pre-requisites for molecule tests (Debian)"
+      ansible.builtin.package:
+        name:
+          - cron
+        state: present
+        update_cache: true
+      when: ansible_os_family in ['Debian', 'Ubuntu']
+
+    - name: "Install pre-requisites for molecule tests (RedHat)"
+      ansible.builtin.package:
+        name:
+          - cronie
+          - epel-release
+        state: present
+        update_cache: true
+      when: ansible_os_family == 'RedHat'
+
+    - name: "Install pip"
+      ansible.builtin.include_role:
+        name: geerlingguy.pip
+
+    # Required for molecule testing images to have an up-to-date pyopenssl
+    - name: "Install pyopenssl"
+      ansible.builtin.pip:
+        name: pyopenssl
+        state: latest
+      tags:
+        - skip_ansible_lint

molecule/install_from_pkgmgr/verify.yml

@@ -0,0 +1,27 @@
+---
+- name: "Verify"
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Check if certbot is installed
+      ansible.builtin.command: which certbot
+      changed_when: false
+      become: true
+      failed_when: certbot_install_check_result.rc not in [0, 1]
+      register: certbot_install_check_result
+
+    - name: Evaluating check result
+      ansible.builtin.assert:
+        that: "{{ certbot_install_check_result.rc in [0] }}"
+        fail_msg: "Certbot is not installed!"
+
+    - name: "Check if certbot-dns-netcup plugin is installed"
+      ansible.builtin.shell: "certbot plugins | grep dns-netcup"
+      register: netcup_check
+      ignore_errors: true
+      changed_when: "netcup_check is failed"
+
+    - name: Evaluating check result
+      ansible.builtin.assert:
+        that: netcup_check is not failed
+        fail_msg: "certbot-dns-netcup not installed successfully!"

molecule/install_from_snap/converge.yml

@@ -0,0 +1,5 @@
+---
+- name: "Install from snap"
+  vars:
+    certbot_install_method: "snap"
+  ansible.builtin.import_playbook: ../install_from_pkgmgr/converge.yml

molecule/install_from_snap/molecule.yml

@@ -0,0 +1,30 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+platforms:
+  - name: "${MOLECULE_IMAGE:-debian11}"
+    image: "geerlingguy/docker-${MOLECULE_IMAGE:-debian11}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    pre_build_image: true
+    cgroupns_mode: host
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      # Required for snap inside containers
+      - /sys/kernel/security:/sys/kernel/security:rw
+  - name: "${MOLECULE_IMAGE:-debian12}"
+    image: "geerlingguy/docker-${MOLECULE_IMAGE:-debian12}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    pre_build_image: true
+    cgroupns_mode: host
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      # Required for snap inside containers
+      - /sys/kernel/security:/sys/kernel/security:rw
+provisioner:
+  name: ansible
+verifier:
+  name: ansible

molecule/install_from_snap/prepare.yml

@@ -0,0 +1,27 @@
+---
+- name: "Prepare"
+  hosts: all
+  become: true
+  tasks:
+    - name: "Install dependencies (Debian)."
+      ansible.builtin.apt:
+        name:
+          - snapd
+        state: present
+        update_cache: true
+      when: ansible_os_family in ['Debian', 'Ubuntu']
+
+    - name: "List service facts"
+      ansible.builtin.service_facts:
+
+    # This is required to work around an "too early for operations" error
+    # when using snapd directly after installation
+    - name: "Ensure snapd seeded service is restarted."
+      ansible.builtin.service:
+        name: "{{ item }}"
+        state: restarted
+      when: "item in ansible_facts.services"
+      with_items:
+        - snapd.service
+        - snapd.seeded.service
+        - systemd-udevd.service

molecule/install_from_snap/verify.yml

@@ -0,0 +1,3 @@
+---
+- name: "Verify installation from snap"
+  ansible.builtin.import_playbook: ../install_from_pkgmgr/verify.yml

requirements.yml

@@ -0,0 +1,9 @@
+---
+collections:
+  - name: community.general
+    version: ">=7.0.0"
+roles:
+  - name: geerlingguy.certbot
+    version: "5.2.1"
+  - name: geerlingguy.pip
+    version: "3.1.0"