From 49069bb0f25594eec7a0d4c1c993afb73d8ce961 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Thu, 3 Oct 2019 18:04:34 +0800
Subject: web: Employ monthly periodic task to renew certificates
---
 roles/web/files/600.acme-sh | 27 +++++++++++++++++++++++++++
 roles/web/tasks/main.yml | 31 +++++++++++++++----------------
 roles/web/templates/acme/renew.sh.j2 | 17 +++++++++++++++++
 3 files changed, 59 insertions(+), 16 deletions(-)
 create mode 100644 roles/web/files/600.acme-sh
 create mode 100644 roles/web/templates/acme/renew.sh.j2
diff --git a/roles/web/files/600.acme-sh b/roles/web/files/600.acme-sh
new file mode 100644
index 0000000..fdf4cc4
--- /dev/null
+++ b/roles/web/files/600.acme-sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Monthly task to renew and deploy acme certificates.
+
+if [ -r /etc/defaults/periodic.conf ]; then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+case "$monthly_acme_sh_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Checking Let's Encrypt certificates:"
+ if [ -x "$monthly_acme_sh_renewscript" ]; then
+ echo "Renewing certificates ..."
+ $monthly_acme_sh_renewscript
+ if [ -x "$monthly_acme_sh_deployscript" ]; then
+ echo "Deploying certificates ..."
+ $monthly_acme_sh_deployscript
+ fi
+ fi
+ ;;
+ *)
+ ;;
+esac
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index 905c60e..d354b18 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
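Review bot: The exit status of `$monthly_acme_sh_renewscript` and `$monthly_acme_sh_deployscript` is discarded, so a failed renewal or deployment still ends this script with status 0 and periodic(8) has nothing to flag beyond the "Renewing certificates ..." line; the other FreeBSD periodic scripts accumulate an `rc` value and finish with `exit $rc`. The deploy script is also run when the renew step has failed, which presumably redeploys whatever is on disk instead of stopping. The two expansions are unquoted; their values come from root-owned /etc/periodic.conf, so this is a style point rather than an injection risk, but quoting them is free. Separately, a monthly cadence only works if every certificate is inside acme.sh's renewal window at one of the runs — with acme.sh's default 60-day interval and 90-day Let's Encrypt certificates, one issued shortly after a run can still be outside the window at the next run and expire before the one after, so unless that interval has been lowered a daily task calling the same renew script is the safer choice; the rewritten case body with status tracking follows.
```shell
rc=0
case "$monthly_acme_sh_enable" in
    [Yy][Ee][Ss])
        echo
        echo "Checking Let's Encrypt certificates:"
        if [ -x "$monthly_acme_sh_renewscript" ]; then
            echo "Renewing certificates ..."
            if "$monthly_acme_sh_renewscript"; then
                if [ -x "$monthly_acme_sh_deployscript" ]; then
                    echo "Deploying certificates ..."
                    "$monthly_acme_sh_deployscript" || rc=3
                fi
            else
                echo "Certificate renewal failed; skipping deployment."
                rc=3
            fi
        fi
        ;;
    *)
        ;;
esac
exit $rc
```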
@@ -147,28 +147,27 @@
 tags: acme
 - name: acme.sh - generate renew script
- copy:
+ template:
+ src: acme/renew.sh.j2
 dest: "{{ web.acme_home }}/renew.sh"
 mode: 0755
- content: |
- acme.sh --cron
- sh {{ web.acme_home }}/deploy.sh
 tags: acme
-- name: acme.sh - install cron job to renew (1)
- cron:
- user: acme
- name: MAILTO
- env: true
- job: root
+- name: acme.sh - set monthly task for cert renewal (1)
+ copy:
+ src: 600.acme-sh
+ dest: /etc/periodic/monthly/600.acme-sh
+ mode: 0755
 tags: acme
-- name: acme.sh - install cron job to renew (2)
- cron:
- user: acme
- name: "acme.sh-renew"
- special_time: monthly
- job: "sh {{ web.acme_home }}/renew.sh"
+- name: acme.sh - set monthly task for cert renewal (2)
+ blockinfile:
+ path: /etc/periodic.conf
+ marker: '# {mark} ANSIBLE MANAGED - acme'
+ block: |
+ monthly_acme_sh_enable="YES"
+ monthly_acme_sh_renewscript="{{ web.acme_home }}/renew.sh"
+ monthly_acme_sh_deployscript="{{ web.acme_home }}/deploy.sh"
 tags: acme
 - block:
diff --git a/roles/web/templates/acme/renew.sh.j2 b/roles/web/templates/acme/renew.sh.j2
new file mode 100644
index 0000000..33d5879
--- /dev/null
+++ b/roles/web/templates/acme/renew.sh.j2
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Renew 'acme.sh' issued certificates.
+#
+# Aaron LI
+# 2019-10-03
+#
+
+[ $(id -u) -eq 0 ] || {
+ echo "ERROR: must be run by root!"
+ exit 1
+}
+
+su - acme \
+ -c "acme.sh --cron --log /var/log/acme.sh.log \
+ --config-home {{ web.acme_home }}/.acme.sh \
+ --cert-home {{ web.acme_home }}/certs"
-- cgit v1.2.2
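Review bot: The periodic task runs as root and executes `{{ web.acme_home }}/renew.sh` and `{{ web.acme_home }}/deploy.sh`, but the template task that writes renew.sh sets only `mode: 0755` with no `owner`/`group`, and nothing in the hunk fixes who owns `web.acme_home` or deploy.sh. The cron jobs being removed ran as the `acme` user; if that user (which runs the network-facing ACME client) can write to either script or to the directory they live in, this change turns a compromise of `acme` into root. Add `owner: root` and `group: wheel` to the template task and to whichever task writes deploy.sh (outside this hunk), or install both scripts under a root-owned directory such as /usr/local/sbin and point the periodic.conf variables there. Also, `blockinfile` fails with "Destination /etc/periodic.conf does not exist" when the file is absent, and FreeBSD only ships /etc/defaults/periodic.conf, so the second task needs `create: yes` unless the role already creates that file elsewhere.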
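Review bot: `--log /var/log/acme.sh.log` is handed to acme.sh running as `acme` under `su`, but /var/log is root-owned and nothing in this commit creates that file with `acme` ownership, so unless it already exists the renewal runs without a log (or fails outright, depending on how acme.sh treats an unwritable log file — worth confirming). Either create it from the role (`file` module with `owner: acme` and `mode: 0640`) or log under `{{ web.acme_home }}` where the user can write. The root-check message goes to stdout; `echo "ERROR: must be run by root!" >&2` keeps it separate from normal output. The templated path is spliced into the command string that acme's login shell re-parses, so `--config-home '{{ web.acme_home }}/.acme.sh'` and `--cert-home '{{ web.acme_home }}/certs'` with inner single quotes keep a path containing spaces intact; `web.acme_home` is operator-controlled, so this is hardening rather than an injection fix. Note also that `su -` starts a login shell, so `acme.sh` must be on the acme user's login PATH or the call should use its full path.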