Test dns01 and debian

.gitignore

@@ -1,2 +1,4 @@
 .vscode
 *.code-workspace
+.vagrant/
+*.log

.travis.yml

@@ -1,26 +1,12 @@
 ---
 language: python
 services: docker
+dist: xenial
 env:
   - GOPATH=~/gopath
 
 install:
-  - pip install "molecule>=2.22rc3" docker
-  - mkdir -p $GOPATH
-  - git clone https://github.com/letsencrypt/boulder/ $GOPATH/src/github.com/letsencrypt/boulder
-  - cd $GOPATH/src/github.com/letsencrypt/boulder
-  - patch -p1 < $TRAVIS_BUILD_DIR/molecule/boulder-allow-example.com.patch
-  - "echo -e \"version: '3.0'\\nservices: {boulder: {environment: {FAKE_DNS: 10.77.77.1}}}\" > docker-compose.override.yml"
-  - docker-compose up -d
-  - until curl http://127.0.0.1:4001/directory; do sleep 0.5; done
-  - cd -
-  - mkdir -p /tmp/www/.well-known/acme-challenge
-  - docker run --rm -d -v /tmp/www:/usr/share/nginx/html:ro -p 10.77.77.1:5002:80 nginx
-
-before_script:
-  - cd ..
-  - mv ansible-dehydrated clutterbox.dehydrated
-  - cd clutterbox.dehydrated
+  - ./molecule/setup.sh
 
 script:
   - molecule test

README.md

@@ -231,10 +231,22 @@ If you decide, that you don't need the hook anymore, you can add `state: absent`
 **Note:** Filenames must match ^[a-zA-Z0-9_-]+$ - otherwise they won't be executed!
 
 
-## License
+# Testing
+
+This role is automatically tested using Travis CI. Local testing can be done using Vagrant. Both run `molecule/setup.sh` script to setup the testing environment.
+
+Multiple services are started in the environment to test both http-01 and dns-01.
+
+Service | Usage
+---|---
+boulder (using docker) | Let's Encrypt CA for validations
+nginx | webserver for http-01
+powerdns | Used as a nameserver for dns-01. lexicon as a plugin to manipulate records.
+
+# License
 
 MIT License
 
-## Author Information
+# Author Information
 
 Alexander Zielke - mail@alexander.zielke.name

Vagrantfile

@@ -0,0 +1,28 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+    config.vm.box = "ubuntu/bionic64"
+
+
+    config.vm.provider "virtualbox" do |vb|
+      vb.linked_clone = true
+      vb.cpus   = 4
+      vb.memory = 4096
+    end
+
+    config.vm.provision "shell-1", type: "shell", inline: <<-SHELL
+        export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
+        apt-get update
+        apt-get -y install python3-pip jq
+        curl -sSL "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+        chmod +x /usr/local/bin/docker-compose
+    SHELL
+    config.vm.provision "docker" do |d|
+        d.pull_images "ubuntu:18.04"
+        d.pull_images "ubuntu:16.04"
+    end
+    config.vm.provision "shell-2", type: "shell", inline: <<-SHELL
+        sudo -u vagrant -H sh -c "cd /vagrant && ./molecule/setup.sh"
+    SHELL
+end

meta/main.yml

@@ -11,6 +11,11 @@ galaxy_info:
         - trusty
         - xenial
         - bionic
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
   galaxy_tags: []
 
   dependencies: []

molecule/Dockerfile.pdns

@@ -0,0 +1,9 @@
+FROM ubuntu:bionic
+ADD     pdns.conf /etc/powerdns/pdns.conf
+RUN     apt-get update && \
+        echo "pdns-backend-sqlite3 pdns-backend-sqlite3/dbconfig-install boolean true" | debconf-set-selections && \
+        apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install pdns-server pdns-backend-sqlite3 sqlite3 && \
+        apt-get clean
+
+EXPOSE  8081 53 53/udp
+CMD     ["/usr/sbin/pdns_server", "--guardian=no", "--daemon=no", "--disable-syslog", "--log-timestamp=no", "--write-pid=no"]

molecule/default/molecule.yml

@@ -6,14 +6,75 @@ driver:
 lint:
   name: yamllint
 platforms:
-  - name: instance
+  - name: ubuntu1804-http01
+    image: ubuntu:18.04
+    groups: [http01]
+    volumes:
+      - "/tmp/www:/tmp/www"
+  - name: ubuntu1604-http01
     image: ubuntu:16.04
+    groups: [http01]
     volumes:
       - "/tmp/www:/tmp/www"
+  - name: debian8-http01
+    image: debian:8
+    groups: [http01]
+    volumes:
+      - "/tmp/www:/tmp/www"
+  - name: debian9-http01
+    image: debian:9
+    groups: [http01]
+    volumes:
+      - "/tmp/www:/tmp/www"
+  - name: debian10-http01
+    image: debian:10
+    groups: [http01]
+    volumes:
+      - "/tmp/www:/tmp/www"
+  - name: ubuntu1804-dns01
+    image: ubuntu:18.04
+    groups: [dns01]
+  - name: ubuntu1604-dns01
+    image: ubuntu:16.04
+    groups: [dns01]
+  - name: debian8-dns01
+    image: debian:8
+    groups: [dns01]
+  - name: debian9-dns01
+    image: debian:9
+    groups: [dns01]
+  - name: debian10-dns01
+    image: debian:10
+    groups: [dns01]
 provisioner:
   name: ansible
   lint:
     name: ansible-lint
+  inventory:
+    group_vars:
+      http01:
+        dehydrated_contactemail: notused@le2.wtf
+        dehydrated_accept_letsencrypt_terms: true
+        dehydrated_domains: |
+          le2.wtf
+        dehydrated_wellknown: /tmp/www/.well-known/acme-challenge
+        dehydrated_use_lexicon: false
+        dehydrated_ca: http://10.77.77.1:4001/directory
+        dehydrated_cronjob: false
+      dns01:
+        dehydrated_contactemail: notused@le3.wtf
+        dehydrated_accept_letsencrypt_terms: true
+        dehydrated_domains: |
+          le3.wtf
+        dehydrated_challengetype: dns-01
+        dehydrated_ca: http://10.77.77.1:4001/directory
+        dehydrated_cronjob: false
+        dehydrated_wellknown: /tmp/www/.well-known/acme-challenge
+        dehydrated_lexicon_dns:
+          PROVIDER: powerdns
+          LEXICON_POWERDNS_PDNS_SERVER: http://10.77.77.1:8081
+          LEXICON_POWERDNS_PDNS_SERVER_ID: localhost
+          LEXICON_POWERDNS_TOKEN: dummy
 scenario:
   name: default
 verifier:

molecule/default/playbook.yml

@@ -1,14 +1,5 @@
 ---
 - name: Converge
   hosts: all
-  vars:
-    dehydrated_contactemail: notused@example.com
-    dehydrated_accept_letsencrypt_terms: true
-    dehydrated_domains: |
-      example.com www.example.com
-    dehydrated_wellknown: /tmp/www/.well-known/acme-challenge
-    dehydrated_use_lexicon: false
-    dehydrated_ca: http://10.77.77.1:4001/directory
-    dehydrated_cronjob: false
   roles:
-    - role: clutterbox.dehydrated
+    - role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/default/tests/test_dns01.py

@@ -0,0 +1,18 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('dns01')
+
+
+def test_certificate_file_exists(host):
+    cert = host.file('/etc/dehydrated/certs/le3.wtf/cert.pem')
+    chain = host.file('/etc/dehydrated/certs/le3.wtf/chain.pem')
+    fullchain = host.file('/etc/dehydrated/certs/le3.wtf/fullchain.pem')
+    privkey = host.file('/etc/dehydrated/certs/le3.wtf/privkey.pem')
+
+    assert cert.exists
+    assert chain.exists
+    assert fullchain.exists
+    assert privkey.exists

molecule/default/tests/test_http01.py

@@ -0,0 +1,18 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('http01')
+
+
+def test_certificate_file_exists(host):
+    cert = host.file('/etc/dehydrated/certs/le2.wtf/cert.pem')
+    chain = host.file('/etc/dehydrated/certs/le2.wtf/chain.pem')
+    fullchain = host.file('/etc/dehydrated/certs/le2.wtf/fullchain.pem')
+    privkey = host.file('/etc/dehydrated/certs/le2.wtf/privkey.pem')
+
+    assert cert.exists
+    assert chain.exists
+    assert fullchain.exists
+    assert privkey.exists

molecule/pdns.conf

@@ -0,0 +1,14 @@
+api=yes
+api-key=dummy
+include-dir=/etc/powerdns/pdns.d
+launch=
+local-address=0.0.0.0
+local-port=53
+local-ipv6=
+security-poll-suffix=
+setgid=pdns
+setuid=pdns
+webserver=yes
+webserver-address=0.0.0.0
+webserver-allow-from=0.0.0.0/0
+webserver-port=8081

molecule/setup.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -eo pipefail
+
+# Install molecule
+pip3 install "molecule>=2.22rc3" docker
+
+# Let's Encrypt CA (boulder)
+export GOPATH=~/gopath
+mkdir -p $GOPATH
+git clone https://github.com/letsencrypt/boulder/ $GOPATH/src/github.com/letsencrypt/boulder
+cd $GOPATH/src/github.com/letsencrypt/boulder
+jq '.va.dnsResolvers = ["10.77.77.1:53"]' test/config/va.json > test/config/va.json.new
+mv test/config/va.json.new test/config/va.json
+docker-compose up -d
+until curl -s http://127.0.0.1:4001/directory; do sleep 0.5; done
+cd -
+
+# nginx for http-01 challenges
+mkdir -p /tmp/www/.well-known/acme-challenge
+docker run -d -v /tmp/www:/usr/share/nginx/html:ro -p 10.77.77.1:5002:80 nginx
+
+# powerdns for dns-01 challenges
+docker build -t pdns -f molecule/Dockerfile.pdns molecule/
+docker run -d -p 10.77.77.1:53:53/udp -p 10.77.77.1:53:53 -p 10.77.77.1:8081:8081 pdns
+
+# create example.com dummy zone for http-01
+curl -v -H 'X-API-Key: dummy' -X POST http://10.77.77.1:8081/api/v1/servers/localhost/zones \
+    -d '{ "name": "le2.wtf.", "kind": "Native", "nameservers": ["localhost."] }'
+curl -v -H 'X-API-Key: dummy' -X PATCH http://10.77.77.1:8081/api/v1/servers/localhost/zones/le2.wtf. \
+    -d '{"rrsets": [
+            {"name": "le2.wtf.", "type": "A", "ttl": 60, "changetype": "REPLACE", "records": [
+                {"content": "10.77.77.1", "disabled": false}
+            ]}
+    ]}'
+
+curl -v -H 'X-API-Key: dummy' -X POST http://10.77.77.1:8081/api/v1/servers/localhost/zones \
+    -d '{ "name": "le3.wtf.", "kind": "Native", "nameservers": ["localhost."] }'
+
+echo "Environment setup done!"