diff --git a/README.md b/README.md
index 3eb2616..20b3a99 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,8 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
 certbot_auto_renew_minute: 30
 certbot_auto_renew_options: "--quiet --no-self-upgrade"
-By default, this role installs a systemd service that runs under the provided user account and a timer that fires at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
+
+By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. Alternatively, you can use `certbot_auto_renew_systemd` to install a systemd timer.
 ### Automatic Certificate Generation
diff --git a/molecule/default/playbook-source-install.yml b/molecule/default/playbook-source-install.yml
index bc46234..77ced51 100644
--- a/molecule/default/playbook-source-install.yml
+++ b/molecule/default/playbook-source-install.yml
@@ -13,6 +13,14 @@
 when: ansible_os_family == 'Debian'
 changed_when: false
+ - name: Install cron (RedHat).
+ yum: name=cronie state=present
+ when: ansible_os_family == 'RedHat'
+
+ - name: Install cron (Debian).
+ apt: name=cron state=present
+ when: ansible_os_family == 'Debian'
+
 roles:
 - geerlingguy.git
 - geerlingguy.certbot
diff --git a/tasks/systemd.yml b/tasks/systemd.yml
index fa99236..dd25a81 100644
--- a/tasks/systemd.yml
+++ b/tasks/systemd.yml
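Review bot: The two new tasks in the molecule playbook use the `key=value` free-form shorthand for module arguments (`yum: name=cronie state=present`, `apt: name=cron state=present`), whereas native block YAML is the recommended Ansible style and what ansible-lint flags; consider `yum:` / `  name: cronie` / `  state: present` and the same shape for `apt`. The enclosing play's `tasks:` list begins before this hunk, so the existing tasks' style could not be checked here, but the surrounding `when:` / `changed_when:` lines suggest block style is already used.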
@@ -1,10 +1,17 @@
 ---
+- name: Get absolute path of certbot executable
+ command: "which {{ certbot_script }}"
+ register: certbot_script_absolute
+ changed_when: false
+
 - name: Create certbot-renew service
 template:
 src: certbot-renew.service.j2
 dest: /etc/systemd/system/certbot-renew.service
 notify: certbot restart renew timer
+ vars:
+ certbot_script_path: "{{ certbot_script_absolute.stdout }}"
 - name: Create certbot-renew timer
 template:
diff --git a/templates/certbot-renew.service.j2 b/templates/certbot-renew.service.j2
index 3c3d68c..b770b83 100644
--- a/templates/certbot-renew.service.j2
+++ b/templates/certbot-renew.service.j2
@@ -1,9 +1,10 @@
 [Unit]
-Description=Let's Encrypt renewal service
+Description=Certbot
+Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
+Documentation=https://letsencrypt.readthedocs.io/en/latest/
 [Service]
 User={{ certbot_auto_renew_user }}
 Type=oneshot
-ExecStart={{ certbot_script }} renew {{ certbot_auto_renew_options }}
-
-ExecStartPost=/bin/systemctl reload {{ certbot_web_service }}.service
+ExecStart={{ certbot_script_path }} renew {{ certbot_auto_renew_options }}
+PrivateTmp=true
diff --git a/templates/certbot-renew.timer.j2 b/templates/certbot-renew.timer.j2
index cbddb89..33ff9ff 100644
--- a/templates/certbot-renew.timer.j2
+++ b/templates/certbot-renew.timer.j2
@@ -3,6 +3,7 @@ Description=Periodically check for Let's Encrypt's certificates renewal
 [Timer]
 OnCalendar=*-*-* {{ certbot_auto_renew_hour }}:{{ certbot_auto_renew_minute }}:00
+RandomizedDelaySec=43200
 Persistent=true
 [Install]
diff --git a/vars/Debian.yml b/vars/Debian.yml
deleted file mode 100644
index 883a537..0000000
--- a/vars/Debian.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-certbot_package: certbot
-certbot_web_service: apache2
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
deleted file mode 100644
index 4846790..0000000
--- a/vars/RedHat.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-certbot_package: certbot
-certbot_web_service: httpd
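Review bot: The new `which {{ certbot_script }}` lookup uses `command`, which Ansible skips in check mode, so on a `--check` run `certbot_script_absolute.stdout` is undefined and the `vars:` block added to the `Create certbot-renew service` task fails to render; adding `check_mode: false` to the lookup task keeps it runnable there (it is already `changed_when: false`, so it is harmless to execute). It is also worth noting on the task that `which` resolves against the PATH of the user Ansible connects as, not the renew user's or systemd's environment, so the absolute path baked into the unit is whatever that PATH finds first — a comment such as `# resolved via the connecting user's PATH; set certbot_script to an absolute path to avoid ambiguity` would make that explicit. The `Create certbot-renew timer` task continues past the end of the hunk.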
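Review bot: With `ExecStartPost` dropped from the service template, nothing reloads the web server after a successful renewal, and the default `certbot_auto_renew_options` (`--quiet --no-self-upgrade`) carries no `--deploy-hook`, so renewed certificates are not picked up until the service is restarted by other means; this should at least be stated next to the `ExecStart` line, e.g. `# no reload is triggered here; add --deploy-hook to certbot_auto_renew_options if the web server must reload`. The `Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html` entry presumably points at the Debian package's documentation path, which will not exist for source or RedHat installs — harmless, but consider keeping only the URL form or marking it as Debian-specific. `PrivateTmp=true` is a good addition; any further sandboxing directives would need checking against certbot's need to write under /etc/letsencrypt, so none is proposed here.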
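Review bot: `RandomizedDelaySec=43200` is hard-coded in the timer template, so a run can land up to twelve hours after the `certbot_auto_renew_hour`/`certbot_auto_renew_minute` the operator chose, which undercuts the README's advice to pick a low-traffic window and makes the effective schedule differ between the cron and systemd paths. Exposing it as a role variable (for example a default like `certbot_auto_renew_randomized_delay: 43200`, a constructed name, with `RandomizedDelaySec={{ certbot_auto_renew_randomized_delay }}` in the template) and mentioning it in the README lets operators keep the spread where it is useful and disable it where timing matters. If it stays fixed, a comment above the line stating the intent (spreading load across hosts) would help the next reader.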
diff --git a/vars/Suse.yml b/vars/Suse.yml
deleted file mode 100644
index 313b569..0000000
--- a/vars/Suse.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-certbot_package: certbot
-certbot_web_service: httpd2
diff --git a/vars/Ubuntu-16.04.yml b/vars/Ubuntu-16.04.yml
index 43da3b4..83cf124 100644
--- a/vars/Ubuntu-16.04.yml
+++ b/vars/Ubuntu-16.04.yml
@@ -1,4 +1,2 @@
 ---
-
 certbot_package: letsencrypt
-certbot_web_service: apache2
diff --git a/vars/default.yml b/vars/default.yml
index 4846790..d88f2dc 100644
--- a/vars/default.yml
+++ b/vars/default.yml
@@ -1,4 +1,2 @@
 ---
-
 certbot_package: certbot
-certbot_web_service: httpd