Move certbot to daemonised container

playbooks/roles/services/deploy/rproxy/files/crontabs/root

@@ -0,0 +1,2 @@
+# min   hour    day     month   weekday command
+0       6       *       *       5       /bin/sleep $(($RANDOM % 3600)) && /usr/local/bin/certbot --non-interactive renew

playbooks/roles/services/deploy/rproxy/tasks/main.yml

@@ -41,6 +41,13 @@
       loop: "{{ services_deploy_rproxy_nginx_subdomain_config_files }}"
       register: services_deploy_rproxy_subdomain_config_files
 
+    - name: "{{ services_service_name }} : certbot crontab"
+      ansible.builtin.copy:
+        src: "./crontabs/root"
+        dest: "{{ services_service_user_home }}/.config/service/crontabs-root"
+        mode: 0600
+      register: services_deploy_rproxy_crontabs_root
+
     - name: "{{ services_service_name }} : configure systemd service"
       ansible.builtin.template:
         src: "./systemd/{{ item }}"
@@ -52,7 +59,6 @@
         - "pod-rproxy.service"
         - "container-rproxy-nginx.service"
         - "container-rproxy-certbot.service"
-        - "container-rproxy-certbot.timer"
       register: services_deploy_rproxy_systemd_files
 
     - name: "{{ services_service_name }} : systemd user daemon reload"
@@ -62,14 +68,6 @@
       when:
         services_deploy_rproxy_systemd_files.changed
 
-    - name: "\
-        {{ services_service_name }} : enable container-{{ services_service_name }}-certbot timer"
-      ansible.builtin.systemd:
-        name: "container-{{ services_service_name }}-certbot.timer"
-        enabled: true
-        scope: "user"
-      register: services_deploy_rproxy_certbot_timer
-
     - name: "{{ services_service_name }} : generate diffie hellman ephemeral parameters"
       ansible.builtin.command: >-
         openssl dhparam --out /{{ services_service_user_home }}/.config/service/dhparam.pem 4096
@@ -101,8 +99,8 @@
         services_deploy_rproxy_generic_config.changed or
         services_deploy_rproxy_stream_config.changed or
         services_deploy_rproxy_subdomain_config_files.changed or
+        services_deploy_rproxy_crontabs_root.changed or
         services_deploy_rproxy_systemd_files.changed or
-        services_deploy_rproxy_certbot_timer.changed or
         services_deploy_rproxy_dhparam.changed) and
         services_deploy_rproxy_service_active_state.stdout == "active"
 

playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-certbot.service

@@ -1,24 +1,40 @@
 [Unit]
 Description=Podman container-{{ services_service_name }}-certbot.service
 Documentation=man:podman-generate-systemd(1)
+Wants=network.target
+After=network-online.target
+BindsTo=pod-{{ services_service_name }}.service container-{{ services_service_name }}-nginx.service
+After=pod-{{ services_service_name }}.service container-{{ services_service_name }}-nginx.service
 OnFailure=status-mail@%n.service
 
 [Service]
 Environment=PODMAN_SYSTEMD_UNIT=%n
+Restart=on-failure
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/container-{{ services_service_name }}-certbot.pid %t/container-{{ services_service_name }}-certbot.ctr-id
-ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
 ExecStart=/usr/bin/podman run \
     --conmon-pidfile %t/container-{{ services_service_name }}-certbot.pid \
     --cidfile %t/container-{{ services_service_name }}-certbot.ctr-id \
     --cgroups=no-conmon \
     --pod-id-file %t/pod-{{ services_service_name }}.pod-id \
     --replace \
+    --label "io.containers.autoupdate=image" \
+    --log-driver=journald \
+    -dt \
     -v {{ system_etc_root_directory }}/resolv.conf:/etc/resolv.conf:ro \
     -v {{ services_data_directory }}/{{ services_service_user_name }}/etc-letsencrypt/_data:/etc/letsencrypt \
     -v var-lib-letsencrypt:/var/lib/letsencrypt \
     -v var-www-html:/var/www/html \
+    -v ./.config/service/crontabs-root:/etc/crontabs/root \
+    -v /etc/timezone:/etc/timezone:ro \
+    -v /etc/localtime:/etc/localtime:ro \
     --name=pod-{{ services_service_name }}-certbot \
-    docker.io/certbot/certbot --non-interactive renew
+    --entrypoint=/usr/sbin/crond \
+    docker.io/certbot/certbot:{{ services_service_deploy_versions.certbot }} -f
+ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-{{ services_service_name }}-certbot.ctr-id -t 10
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-{{ services_service_name }}-certbot.ctr-id
-Type=oneshot
+PIDFile=%t/container-{{ services_service_name }}-certbot.pid
+Type=forking
+
+[Install]
+WantedBy=multi-user.target default.target

playbooks/roles/services/deploy/rproxy/templates/systemd/container-rproxy-certbot.timer

@@ -1,14 +0,0 @@
-[Unit]
-Description=Renew certificates with certbot
-Documentation=man:certbot(1)
-BindsTo=pod-{{ services_service_name }}.service
-After=pod-{{ services_service_name }}.service
-DefaultDependencies=no
-
-[Timer]
-OnCalendar=Fri *-*-* 06:00:00
-Persistent=true
-RandomizedDelaySec=1h
-
-[Install]
-WantedBy=pod-{{ services_service_name }}.service

playbooks/roles/services/deploy/rproxy/templates/systemd/pod-rproxy.service

@@ -3,8 +3,8 @@ Description=Podman pod-{{ services_service_name }}.service
 Documentation=man:podman-generate-systemd(1)
 Wants=network.target
 After=network-online.target
-Requires=container-{{ services_service_name }}-nginx.service
+Requires=container-{{ services_service_name }}-nginx.service container-{{ services_service_name }}-certbot.service
-Before=container-{{ services_service_name }}-nginx.service
+Before=container-{{ services_service_name }}-nginx.service container-{{ services_service_name }}-certbot.service
 OnFailure=status-mail@%n.service
 
 [Service]

playbooks/vars/services/deploy/versions.yml

@@ -2,10 +2,12 @@
 services_deploy_versions:
   rproxy:
     nginx: "stable"
+    certbot: "latest"
   www:
     nginx: "stable"
   lrproxy:
     nginx: "stable"
+    certbot: "latest"
   database:
     postgres: "15"
     pgadmin4: "latest"