add --cert-name and --deploy-hook options

[Hoeze]

Can be used like this:

certbot_certs:
  - name: squid
    domains:
      - "{{ ansible_hostname }}.{{ domain_zone }}"
    deploy_hook: >-
      install -o squid -g squid -m 0600 $RENEWED_LINEAGE/fullchain.pem /etc/squid/fullchain.pem;
      install -o squid -g squid -m 0600 $RENEWED_LINEAGE/privkey.pem /etc/squid/privkey.pem;
      systemctl reload squid || true

[Hoeze]

Does someone know why this fails? Seems unrelated to my PR:

  fatal: [instance]: FAILED! => {"ansible_facts": {}, "changed": false, "failed_modules": {"ansible.legacy.setup": {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3.9"}, "failed": true, "module_stderr": "sudo: PAM account management error: Authentication service cannot retrieve authentication info\nsudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE: No start of json char found\nSee stdout/stderr for the exact error", "rc": 1}}, "msg": "The following modules failed to execute: ansible.legacy.setup\n"}

[Hoeze]

This PR fixes the CI issue and adds --cert-name and --deploy-hook.
Also, it automatically determines changes to the domain names of a cert before taking actions.

It would have been nice to have a second domain to test adding certificates in the CI.
Anyways, I just tested this PR back-and-forth on my current project, without issues.

@geerlingguy I would be very happy if you could review+merge this PR :)

[geerlingguy]

How do these changes interact with the updates from #208 from @theS1LV3R ? Sorry don't have time to do a full review at the current moment :)

[Hoeze]

• Allow for certificates to be expanded to include new domains #208 relies on the certbot command output to determine whether running it changed anything.
  This could be problematic. At least in my case it led to requesting a new certificate each time, exhausting my request limit.
• This PR checks first whether an update is necessary at all by comparing the list of domain names. Moreover, it enables us to remove additional domains. As far as I can tell, --expand only adds additional domains.

So at least for me, this PR makes --expand obsolete.
@geerlingguy I hope this helps.

[geerlingguy]

Is it possible to rebase this PR on master? I don't see the changes from https://github.com/geerlingguy/ansible-role-certbot/pull/208/files being updated, it looks like the branch forks from somewhere prior to current master.

[Hoeze]

@geerlingguy sorry for the delay, I missed your answer.
I have merged the master branch now.

The reason why I started from #223 instead of #208 is that after some testing I noticed that --expand does not do exactly what I wanted. My aim was to have an idempotent role which ensures that exactly and only those domains are in the certificate that are also listed in the role. With --expand, this was not the case when one added and removed again a domain.

The main difference is that #208 checks if there was a change based on the output of the certbot command:

changed_when: "'no action taken' not in certbot_create.stdout"

This PR provides a much more powerful approach as it explicitly checks the domains that a certain (named) certificate has:

- name: Determine if domains have changed
  set_fact:
    letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"

TL;DR: --expand is still available, but useless when the role explicitly checks the desired domains per certificate.

[Hoeze]

@geerlingguy if you wish I can squash the commits for a clean history.