Merge branch 'systemd' of github.com:tterranigma/ansible-role-certbot into systemd

2025-04-19 17:01:37 +02:00 · 2019-05-13 00:14:17 +02:00 · 2019-05-13 00:14:17 +02:00 · cb5f729e2e
commit cb5f729e2e
parent 5e295e8714 9b02af1064
10 changed files with 23 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -20,7 +20,8 @@ The variable `certbot_install_from_source` controls whether to install Certbot f
    certbot_auto_renew_minute: 30
    certbot_auto_renew_options: "--quiet --no-self-upgrade"
-By default, this role installs a systemd service that runs under the provided user account and a timer that fires at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
+
 By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account. Alternatively, you can use `certbot_auto_renew_systemd` to install a systemd timer.
 ### Automatic Certificate Generation
--- a/molecule/default/playbook-source-install.yml
+++ b/molecule/default/playbook-source-install.yml
@ -13,6 +13,14 @@
      when: ansible_os_family == 'Debian'
      changed_when: false
    - name: Install cron (RedHat).
      yum: name=cronie state=present
      when: ansible_os_family == 'RedHat'
    - name: Install cron (Debian).
      apt: name=cron state=present
      when: ansible_os_family == 'Debian'
  roles:
    - geerlingguy.git
    - geerlingguy.certbot
--- a/tasks/systemd.yml
+++ b/tasks/systemd.yml
@ -1,10 +1,17 @@
 ---
 - name: Get absolute path of certbot executable
  command: "which {{ certbot_script }}"
  register: certbot_script_absolute
  changed_when: false
 - name: Create certbot-renew service
  template:
    src: certbot-renew.service.j2
    dest: /etc/systemd/system/certbot-renew.service
  notify: certbot restart renew timer
  vars:
    certbot_script_path: "{{ certbot_script_absolute.stdout }}"
 - name: Create certbot-renew timer
  template:
--- a/templates/certbot-renew.service.j2
+++ b/templates/certbot-renew.service.j2
@ -1,9 +1,10 @@
 [Unit]
-Description=Let's Encrypt renewal service
+Description=Certbot
 Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
 Documentation=https://letsencrypt.readthedocs.io/en/latest/
 [Service]
 User={{ certbot_auto_renew_user }}
 Type=oneshot
-ExecStart={{ certbot_script }} renew {{ certbot_auto_renew_options }}
+ExecStart={{ certbot_script_path }} renew {{ certbot_auto_renew_options }}
-
+PrivateTmp=true
 ExecStartPost=/bin/systemctl reload {{ certbot_web_service }}.service
--- a/templates/certbot-renew.timer.j2
+++ b/templates/certbot-renew.timer.j2
@ -3,6 +3,7 @@ Description=Periodically check for Let's Encrypt's certificates renewal
 [Timer]
 OnCalendar=*-*-* {{ certbot_auto_renew_hour }}:{{ certbot_auto_renew_minute }}:00
 RandomizedDelaySec=43200
 Persistent=true
 [Install]
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@ -1,4 +0,0 @@
 ---
 certbot_package: certbot
 certbot_web_service: apache2
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -1,4 +0,0 @@
 ---
 certbot_package: certbot
 certbot_web_service: httpd
--- a/vars/Suse.yml
+++ b/vars/Suse.yml
@ -1,4 +0,0 @@
 ---
 certbot_package: certbot
 certbot_web_service: httpd2
--- a/vars/Ubuntu-16.04.yml
+++ b/vars/Ubuntu-16.04.yml
@ -1,4 +1,2 @@
 ---
 certbot_package: letsencrypt
 certbot_web_service: apache2
--- a/vars/default.yml
+++ b/vars/default.yml
@ -1,4 +1,2 @@
 ---
 certbot_package: certbot
 certbot_web_service: httpd