Move certbot to daemonised container

2023-11-10 11:19:08 +01:00 · 2023-11-10 11:19:08 +01:00 · de9a3d06d2
commit de9a3d06d2
parent 2603efe2bc
7 changed files with 34 additions and 30 deletions
--- a/playbooks/files/system/base/logs/asgard
+++ b/playbooks/files/system/base/logs/asgard
@ -1,5 +1,5 @@
 ^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ conmon\[[0-9]+\]: .*$
-^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ pod-[[:alnum:]\-]+\[[0-9]+\]: .*$
+^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ pod-[[:alnum:]\-]+\[[0-9]+\]:.*$
 ^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ restic-batch\[[0-9]+\]: Backing up [-_[:alnum:]]+$
 ^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Podman auto-update service|Pod service auto-update service|Prune dangling podman images|Backup snapshots using restic)\.$
 ^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]\-]+ systemd\[[0-9]+\]: var-lib-containers-storage-overlay\.mount: Succeeded\.$
--- a/playbooks/roles/services/deploy/rproxy/files/crontabs/root
+++ b/playbooks/roles/services/deploy/rproxy/files/crontabs/root
@ -0,0 +1,2 @@
+# min   hour    day     month   weekday command
+0       6       *       *       5       /bin/sleep $(($RANDOM % 3600)) && /usr/local/bin/certbot --non-interactive renew
--- a/playbooks/roles/services/deploy/rproxy/tasks/main.yml
+++ b/playbooks/roles/services/deploy/rproxy/tasks/main.yml
@ -41,6 +41,13 @@
      loop: "{{ services_deploy_rproxy_nginx_subdomain_config_files }}"
      register: services_deploy_rproxy_subdomain_config_files

+    - name: "{{ services_service_name }} : certbot crontab"
+      ansible.builtin.copy:
+        src: "./crontabs/root"
+        dest: "{{ services_service_user_home }}/.config/service/crontabs-root"
+        mode: 0600
+      register: services_deploy_rproxy_crontabs_root
+
    - name: "{{ services_service_name }} : configure systemd service"
      ansible.builtin.template:
        src: "./systemd/{{ item }}"
@ -52,7 +59,6 @@
        - "pod-rproxy.service"
        - "container-rproxy-nginx.service"
        - "container-rproxy-certbot.service"
-        - "container-rproxy-certbot.timer"
      register: services_deploy_rproxy_systemd_files

    - name: "{{ services_service_name }} : systemd user daemon reload"
@ -62,14 +68,6 @@
      when:
        services_deploy_rproxy_systemd_files.changed

-    - name: "\
-        {{ services_service_name }} : enable container-{{ services_service_name }}-certbot timer"
-      ansible.builtin.systemd:
-        name: "container-{{ services_service_name }}-certbot.timer"
-        enabled: true
-        scope: "user"
-      register: services_deploy_rproxy_certbot_timer
-
    - name: "{{ services_service_name }} : generate diffie hellman ephemeral parameters"
      ansible.builtin.command: >-
        openssl dhparam --out /{{ services_service_user_home }}/.config/service/dhparam.pem 4096
@ -101,8 +99,8 @@
        services_deploy_rproxy_generic_config.changed or
        services_deploy_rproxy_stream_config.changed or
        services_deploy_rproxy_subdomain_config_files.changed or
+        services_deploy_rproxy_crontabs_root.changed or
        services_deploy_rproxy_systemd_files.changed or
-        services_deploy_rproxy_certbot_timer.changed or
        services_deploy_rproxy_dhparam.changed) and
        services_deploy_rproxy_service_active_state.stdout == "active"

--- a/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-certbot.service
+++ b/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-certbot.service
@ -1,24 +1,40 @@
 [Unit]
 Description=Podman container-{{ services_service_name }}-certbot.service
 Documentation=man:podman-generate-systemd(1)
+Wants=network.target
+After=network-online.target
+BindsTo=pod-{{ services_service_name }}.service container-{{ services_service_name }}-nginx.service
+After=pod-{{ services_service_name }}.service container-{{ services_service_name }}-nginx.service
 OnFailure=status-mail@%n.service

 [Service]
 Environment=PODMAN_SYSTEMD_UNIT=%n
+Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-{{ services_service_name }}-certbot.pid %t/container-{{ services_service_name }}-certbot.ctr-id
-ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
 ExecStart=/usr/bin/podman run \
    --conmon-pidfile %t/container-{{ services_service_name }}-certbot.pid \
    --cidfile %t/container-{{ services_service_name }}-certbot.ctr-id \
    --cgroups=no-conmon \
    --pod-id-file %t/pod-{{ services_service_name }}.pod-id \
    --replace \
+    --label "io.containers.autoupdate=image" \
+    --log-driver=journald \
+    -dt \
    -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \
    -v {{ services_data_directory }}/{{ services_service_user_name }}/etc-letsencrypt/_data:/etc/letsencrypt \
    -v var-lib-letsencrypt:/var/lib/letsencrypt \
    -v var-www-html:/var/www/html \
+    -v ./.config/service/crontabs-root:/etc/crontabs/root \
+    -v /etc/timezone:/etc/timezone:ro \
+    -v /etc/localtime:/etc/localtime:ro \
    --name=pod-{{ services_service_name }}-certbot \
-    docker.io/certbot/certbot --non-interactive renew
+    --entrypoint=/usr/sbin/crond \
+    docker.io/certbot/certbot:{{ services_service_deploy_versions.certbot }} -f
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-{{ services_service_name }}-certbot.ctr-id -t 10
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-{{ services_service_name }}-certbot.ctr-id
-Type=oneshot
+PIDFile=%t/container-{{ services_service_name }}-certbot.pid
+Type=forking
+
+[Install]
+WantedBy=multi-user.target default.target
--- a/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-certbot.timer
+++ b/playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-certbot.timer
@ -1,14 +0,0 @@
-[Unit]
-Description=Renew certificates with certbot
-Documentation=man:certbot(1)
-BindsTo=pod-{{ services_service_name }}.service
-After=pod-{{ services_service_name }}.service
-DefaultDependencies=no
-
-[Timer]
-OnCalendar=Fri *-*-* 06:00:00
-Persistent=true
-RandomizedDelaySec=1h
-
-[Install]
-WantedBy=pod-{{ services_service_name }}.service
--- a/playbooks/roles/services/deploy/rproxy/templates/systemd/pod-rproxy.service
+++ b/playbooks/roles/services/deploy/rproxy/templates/systemd/pod-rproxy.service
@ -3,8 +3,8 @@ Description=Podman pod-{{ services_service_name }}.service
 Documentation=man:podman-generate-systemd(1)
 Wants=network.target
 After=network-online.target
-Requires=container-{{ services_service_name }}-nginx.service
-Before=container-{{ services_service_name }}-nginx.service
+Requires=container-{{ services_service_name }}-nginx.service container-{{ services_service_name }}-certbot.service
+Before=container-{{ services_service_name }}-nginx.service container-{{ services_service_name }}-certbot.service
 OnFailure=status-mail@%n.service

 [Service]
--- a/playbooks/vars/services/deploy/versions.yml
+++ b/playbooks/vars/services/deploy/versions.yml
@ -2,10 +2,12 @@
 services_deploy_versions:
  rproxy:
    nginx: "stable"
+    certbot: "latest"
  www:
    nginx: "stable"
  lrproxy:
    nginx: "stable"
+    certbot: "latest"
  database:
    postgres: "15"
    pgadmin4: "latest"