move certbot from cron to systemd service and timer

roles/certbot/tasks/main.yaml

@@ -29,14 +29,24 @@
   args:
     creates: /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem
 
-# - name: add certbot cron
-#   cron:
-#     name: "certbot cron"
-#     minute: "30"
-#     hour: "2"
-#     job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload {{ webserver_name }}"'
-
 - name: Restart webservers
   service:
     name: "{{ webserver_name }}"
     state: started
+
+- name: Add systemd timer for cert renewal
+  template:
+    src: certbot.timer
+    dest: /etc/systemd/system/certbot.timer
+
+- name: Add systemd service for cert renewal
+  template:
+    src: certbot.service
+    dest: /etc/systemd/system/certbot.service
+
+- name: Enable timer
+  systemd:
+    name: certbot.timer
+    state: started
+    enabled: true
+    daemon_reaload: true

roles/certbot/templates/certbot.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --agree-tos --post-hook "systemctl restart {{ webserver_name }}"

roles/certbot/templates/certbot.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run certbot weekly
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1w
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target

web_ca.yaml

@@ -13,7 +13,7 @@
     - role: dns_record
     - role: reverse_proxy
     - role: nginx
-      config_name: "ca"
+      config_name: "ca-webpage"
       server_fqdn: "ca.lilik.it"
 - hosts: status
   roles: