Add basic rootless Certbot role

This automatically renews Let's Encrypt certificates, but does nothing
further with them. You need additional logic to use them for example
with nginx.

roles/podman_certbot/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+sce_certbot_port_mapping: "8080:80"
+sce_certbot_timer: weekly

roles/podman_certbot/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Reload user systemd daemon
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+    scope: user
+  become_method: community.general.machinectl
+  become_user: podman

roles/podman_certbot/tasks/machinectl.yml

@@ -0,0 +1,48 @@
+---
+- name: Create Certbot volumes
+  containers.podman.podman_volume:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - certbot-etc
+    - certbot-var-lib
+
+- name: Create LetsEncrypt container
+  containers.podman.podman_container:
+    name: certbot
+    state: present
+    image: docker.io/certbot/certbot
+    command: certonly -n --standalone --domains {{ sce_certbot_domains }} --agree-tos --email {{ sce_certbot_email }}
+    volumes:
+      - certbot-etc:/etc/letsencrypt
+      - certbot-var-lib:/var/lib/letsencrypt
+    ports:
+      - "{{ sce_certbot_port_mapping }}"
+    generate_systemd:
+      path: ~/.config/systemd/user
+      # If validation fails a number of times in a pre-defined window, we will get rate-limited by
+      # LetsEncrypt. Setting this option will prevent us from angering the rate-limiter.
+      #
+      # Also, search for the YAML norway problem, lol, these quotations are necessary. YAML is insane.
+      restart_policy: "no"
+  notify: Reload user systemd daemon
+
+- name: Install systemd files for certbot certificate renewal
+  ansible.builtin.template:
+    src: "{{ filename }}.j2"
+    dest: ~/.config/systemd/user/{{ filename }}
+    mode: "0640"
+  vars:
+    filename: container-certbot.timer
+  notify: Reload user systemd daemon
+
+# Must be placed here to ensure proper ordering of events
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: Ensure certbot timer unit is enabled and started
+  ansible.builtin.systemd_service:
+    name: container-certbot.timer
+    state: started
+    scope: user
+    enabled: true

roles/podman_certbot/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Configure Certbot service
+  ansible.builtin.import_tasks: machinectl.yml
+  become_method: community.general.machinectl
+  become_user: podman

roles/podman_certbot/templates/container-certbot.timer.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+[Unit]
+Description=Run certbot renewal process
+
+[Timer]
+OnCalendar={{ sce_certbot_timer }}
+Persistent=true
+
+[Install]
+WantedBy=timers.target