Upgrade testing to Molecule 3.x

 - remove support (and testing) for Debian8 and DNS-01 challenges
   (because dns-lexicon requires newer version of python (3.5)
    than is available in stock Debian 8)
 - have vagrant to use python virtualenv (matching travis).
 - upgrade travis distro to bionic (matching vagrant).
 - move molecule deprecated `playbook.yml` to `converge.yml`.
 - add prepare.yml to install cron into docker containers.
 - update linting to be Molecule 3.x compliant.
 - update README.md with testing details.
 - some trailing whitespace (auto-)removed.

.travis.yml

@@ -1,7 +1,8 @@
 ---
 language: python
 services: docker
-dist: xenial
+dist: bionic
+
 env:
   - GOPATH=~/gopath
 

.yamllint

@@ -1,5 +1,5 @@
+---
 extends: default
-
 rules:
   braces:
     max-spaces-inside: 1

README.md

@@ -18,6 +18,7 @@ Install, configure and run dehydrated Let's Encrypt client
   * [Additinal hook scripts](#additinal-hook-scripts)
     + [Writing shell fragments for single hooks](#writing-shell-fragments-for-single-hooks)
     + [deploying complete hook script files](#deploying-complete-hook-script-files)
+  * [Testing](#testing)
   * [License](#license)
   * [Author Information](#author-information)
 
@@ -30,10 +31,10 @@ Install, configure and run dehydrated Let's Encrypt client
 Variable | Function | Default
 --- | --- | ---
 dehydrated_accept_letsencrypt_terms | Set to yes to automatically register and accept Let's Encrypt terms | no
-dehydrated_contactemail | E-Mail address (required) | 
-dehydrated_domains | List of domains to request SSL certificates for | 
-dehydrated_deploycert | Script to run to deploy a certificate (see below) | 
-dehydrated_wellknown | Directory where to deploy http-01 challenges | 
+dehydrated_contactemail | E-Mail address (required) |
+dehydrated_domains | List of domains to request SSL certificates for |
+dehydrated_deploycert | Script to run to deploy a certificate (see below) |
+dehydrated_wellknown | Directory where to deploy http-01 challenges |
 dehydrated_install_root | Where to install dehydrated | /opt/dehydrated
 dehydrated_update | Update dehydrated sources on ansible run | yes
 dehydrated_version | Which version to check out from github | HEAD
@@ -47,9 +48,9 @@ dehydrated_keysize | Size of Key (only for rsa Keys) | 4096
 dehydrated_ca | CA to use | https://acme-v02.api.letsencrypt.org/directory
 dehydrated_cronjob | Install cronjob for certificate renewals | yes
 dehydrated_systemd_timer | Use systemd timer for certificate renewals | no
-dehydrated_config_extra | Add arbitrary text to config | 
+dehydrated_config_extra | Add arbitrary text to config |
 dehydrated_run_on_changes | If dehydrated should run if the list of domains changed | yes
-dehydrated_systemd_timer_onfailure | If set, an OnFailure-Directive will be added to the systemd unit | 
+dehydrated_systemd_timer_onfailure | If set, an OnFailure-Directive will be added to the systemd unit |
 dehydrated_cert_config | Override configuration for certificates | []
 dehydrated_repo_url | Specify URL to git repository of dehydrated | https://github.com/dehydrated-io/dehydrated.git
 dehydrated_install_pip | Whether pip will be installed when using lexicon | yes
@@ -58,9 +59,13 @@ dehydrated_pip_executable | Name of pip executable to use | autodetected by pip
 
 ## Using dns-01 challenges
 
-When dehydrated_challengetype is set to dns-01, this role will automatically install lexicon from python pip to be able to set and remove the necessary DNS-Records needed to obtain an SSL certificate.
+When `dehydrated_challengetype` is set to `dns-01`, this role will automatically install `lexicon` from python pip to be able to set and remove the necessary DNS records needed to obtain an SSL certificate.
 
-lexicon uses environment variables for username and password.
+`lexicon` uses environment variables for username/token and password/secret; see examples below.
+
+### Platforms supporting `dns-01` challenges
+
+All platforms supported by this role will work with `dns-01` challenges, **except** for Debian 8 (codename: Jessie).  The `dns-lexicon` package requires Python version >= 3.5, which is not available by default on Debian 8.
 
 ## using systemd timers
 
@@ -230,7 +235,6 @@ If you decide, that you don't need the hook anymore, you can add `state: absent`
 
 **Note:** Filenames must match ^[a-zA-Z0-9_-]+$ - otherwise they won't be executed!
 
-
 # Testing
 
 This role is automatically tested using Travis CI. Local testing can be done using Vagrant. Both run `molecule/setup.sh` script to setup the testing environment.
@@ -243,6 +247,18 @@ boulder (using docker) | Let's Encrypt CA for validations
 nginx | webserver for http-01
 powerdns | Used as a nameserver for dns-01. lexicon as a plugin to manipulate records.
 
+## Vagrant testing example
+
+Assuming you have Vagrant already configured, run a complete test via Vagrant:
+
+    vagrant up
+    vagrant ssh
+    source ~/venv/bin/activate
+    cd /vagrant
+    molecule test
+    exit
+    vagrant destroy
+
 # License
 
 MIT License

Vagrantfile

@@ -3,18 +3,19 @@
 
 Vagrant.configure("2") do |config|
     config.vm.box = "ubuntu/bionic64"
-  
- 
+
+
     config.vm.provider "virtualbox" do |vb|
       vb.linked_clone = true
       vb.cpus   = 4
       vb.memory = 4096
     end
-   
+
     config.vm.provision "shell-1", type: "shell", inline: <<-SHELL
         export DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true
         apt-get update
         apt-get -y install python3-pip jq
+        pip3 install virtualenv
         curl -sSL "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
         chmod +x /usr/local/bin/docker-compose
     SHELL

molecule/default/molecule.yml

@@ -3,8 +3,6 @@ dependency:
   name: galaxy
 driver:
   name: docker
-lint:
-  name: yamllint
 platforms:
   - name: ubuntu1804-http01
     image: ubuntu:18.04
@@ -37,9 +35,9 @@ platforms:
   - name: ubuntu1604-dns01
     image: ubuntu:16.04
     groups: [dns01]
-  - name: debian8-dns01
-    image: debian:8
-    groups: [dns01]
+  # - name: debian8-dns01
+  #   image: debian:8
+  #   groups: [dns01]
   - name: debian9-dns01
     image: debian:9
     groups: [dns01]
@@ -48,8 +46,6 @@ platforms:
     groups: [dns01]
 provisioner:
   name: ansible
-  lint:
-    name: ansible-lint
   inventory:
     group_vars:
       http01:
@@ -79,5 +75,4 @@ scenario:
   name: default
 verifier:
   name: testinfra
-  lint:
-    name: flake8
+lint: 'molecule/lint.sh'

molecule/default/prepare.yml

@@ -0,0 +1,8 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install cron for molecule based role testing
+      package:
+        name: cron
+        state: present

molecule/lint.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# accumulate error codes, allowing all linters to execute.
+# exit with total of all error codes at end.
+
+declare -i errors
+catch() { errors=$errors+$?; }
+trap catch ERR
+onexit() { exit $errors; }
+trap onexit EXIT
+
+#set -e
+
+yamllint .
+
+# adding "." to avoid warning over expectation of playbook.yml
+# ansible-lint
+ansible-lint .
+
+# explictly run on molecule playbooks, skipped otherwise
+ansible-lint molecule/*/*.yml
+
+flake8

molecule/setup.sh

@@ -1,9 +1,22 @@
 #!/bin/bash
 
+# NOTE: this assumes we are running in Travis or Vagrant,
+# so happily installs things globally, and with abandon.
+
 set -eo pipefail
 
+# if running in vagrant, `/vagrant` exists;
+# Then, setup local virtualenv and use it.
+if [ -d /vagrant ]; then
+  (cd ~; virtualenv -p python3 venv)
+  source ~/venv/bin/activate
+fi
+
 # Install molecule
-pip3 install "molecule>=2.22rc3" docker
+pip install "molecule>=3.0.3" testinfra docker
+
+# Install linting tools
+pip install yamllint ansible-lint flake8
 
 # Let's Encrypt CA (boulder)
 export GOPATH=~/gopath