Merge branch 'systemd' of github.com:tterranigma/ansible-role-certbot into systemd

README.md

@@ -20,7 +20,8 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
     certbot_auto_renew_minute: 30
     certbot_auto_renew_options: "--quiet --no-self-upgrade"
 
-By default, this role installs a systemd service that runs under the provided user account and a timer that fires at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
+
+By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. Alternatively, you can use `certbot_auto_renew_systemd` to install a systemd timer.
 
 ### Automatic Certificate Generation
 

molecule/default/playbook-source-install.yml

@@ -13,6 +13,14 @@
       when: ansible_os_family == 'Debian'
       changed_when: false
 
+    - name: Install cron (RedHat).
+      yum: name=cronie state=present
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install cron (Debian).
+      apt: name=cron state=present
+      when: ansible_os_family == 'Debian'
+
   roles:
     - geerlingguy.git
     - geerlingguy.certbot

tasks/systemd.yml

@@ -1,10 +1,17 @@
 ---
 
+- name: Get absolute path of certbot executable
+  command: "which {{ certbot_script }}"
+  register: certbot_script_absolute
+  changed_when: false
+
 - name: Create certbot-renew service
   template:
     src: certbot-renew.service.j2
     dest: /etc/systemd/system/certbot-renew.service
   notify: certbot restart renew timer
+  vars:
+    certbot_script_path: "{{ certbot_script_absolute.stdout }}"
 
 - name: Create certbot-renew timer
   template:

templates/certbot-renew.service.j2

@@ -1,9 +1,10 @@
 [Unit]
-Description=Let's Encrypt renewal service
+Description=Certbot
+Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
+Documentation=https://letsencrypt.readthedocs.io/en/latest/
 
 [Service]
 User={{ certbot_auto_renew_user }}
 Type=oneshot
-ExecStart={{ certbot_script }} renew {{ certbot_auto_renew_options }}
-
-ExecStartPost=/bin/systemctl reload {{ certbot_web_service }}.service
+ExecStart={{ certbot_script_path }} renew {{ certbot_auto_renew_options }}
+PrivateTmp=true

templates/certbot-renew.timer.j2

@@ -3,6 +3,7 @@ Description=Periodically check for Let's Encrypt's certificates renewal
 
 [Timer]
 OnCalendar=*-*-* {{ certbot_auto_renew_hour }}:{{ certbot_auto_renew_minute }}:00
+RandomizedDelaySec=43200
 Persistent=true
 
 [Install]

vars/Debian.yml

@@ -1,4 +0,0 @@
----
-
-certbot_package: certbot
-certbot_web_service: apache2

vars/RedHat.yml

@@ -1,4 +0,0 @@
----
-
-certbot_package: certbot
-certbot_web_service: httpd

vars/Suse.yml

@@ -1,4 +0,0 @@
----
-
-certbot_package: certbot
-certbot_web_service: httpd2

vars/Ubuntu-16.04.yml

@@ -1,4 +1,2 @@
 ---
-
 certbot_package: letsencrypt
-certbot_web_service: apache2

vars/default.yml

@@ -1,4 +1,2 @@
 ---
-
 certbot_package: certbot
-certbot_web_service: httpd