Add option to use distro provided certbot package

This patch allows a certbot package from a distro repository to be
used instead of the certbot-auto script. For ubuntu the distro package
takes care of setting up all the necessary directories in /etc/letsencrypt
and creates a systemd service for running the renewal. This avoids
needing to manage those aspects of the installation in this ansible role.

Change-Id: If7c5bcde299362bb3d2a136db659ca319e22e35b

tasks/haproxy_ssl_letsencrypt.yml

@@ -55,6 +55,12 @@
         user: "root"
         state: present
 
+- name: Install certbot from distro package
+  package:
+    name: "{{ haproxy_distro_certbot_packages }}"
+    state: present
+  when: haproxy_ssl_letsencrypt_install_method == 'distro'
+
 - name: Stop haproxy for certbot activity
   service:
     name: "haproxy"
@@ -75,6 +81,13 @@
   args:
     creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
 
+- name: Create certbot post renewal hook
+  template:
+    src: letsencrypt_renew_certbot_distro.j2
+    dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
+    mode: 0755
+  when: haproxy_ssl_letsencrypt_install_method == 'distro'
+
 - name: Create new pem file for haproxy
   assemble:
     src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"

templates/letsencrypt_renew_certbot_distro.j2

@@ -0,0 +1,7 @@
+#!/bin/bash
+# renew cert if required and copy to haproxy destination
+
+cat /etc/letsencrypt/live/{{ external_lb_vip_address }}/{fullchain,privkey}.pem \
+    > /etc/ssl/private/haproxy.pem
+
+systemctl reload haproxy

vars/debian.yml

@@ -21,3 +21,6 @@ haproxy_distro_packages:
   - netcat # Used for the Ansible haproxy module
   - psmisc
   - vim-haproxy
+
+haproxy_distro_certbot_packages:
+  - certbot

vars/ubuntu.yml

@@ -21,3 +21,6 @@ haproxy_distro_packages:
   - netcat # Used for the Ansible haproxy module
   - psmisc
   - vim-haproxy
+
+haproxy_distro_certbot_packages:
+  - certbot