Merge pull request #68 from spantaleev/manage-cronjobs-with-cron-module

Switch to managing cronjobs with the Ansible cron module

CHANGELOG.md

@@ -1,3 +1,15 @@
+# 2019-01-08
+
+## (BC Break) Cronjob schedule no longer configurable
+
+Due to the way we manage cronjobs now, you can no longer configure the schedule they're invoked at.
+
+If you were previously using `matrix_ssl_lets_encrypt_renew_cron_time_definition` or `matrix_nginx_proxy_reload_cron_time_definition`
+to set a custom schedule, you should note that these variables don't affect anything anymore.
+
+If you miss this functionality, please [open an Issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/new) and let us know about your use case!
+
+
 # 2018-12-23
 
 ## (BC Break) More SSL certificate retrieval methods

roles/matrix-server/defaults/main.yml

@@ -408,9 +408,6 @@ matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.29.1"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"
 
-# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt.
-matrix_ssl_lets_encrypt_renew_cron_time_definition: "15 4 */5 * *"
-
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"

roles/matrix-server/tasks/setup/setup_nginx_proxy.yml

@@ -31,6 +31,7 @@
     - "matrix-synapse.conf"
     - "matrix-riot-web.conf"
 
+
 #
 # Tasks related to setting up matrix-nginx-proxy
 #
@@ -57,12 +58,6 @@
     mode: 0644
   when: matrix_nginx_proxy_enabled
 
-- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
-    dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
-    mode: 0600
-  when: "matrix_nginx_proxy_enabled and matrix_ssl_retrieval_method == 'lets-encrypt'"
 
 #
 # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
@@ -86,9 +81,3 @@
     path: "/etc/systemd/system/matrix-nginx-proxy.service"
     state: absent
   when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
-
-- name: Ensure periodic restarting of matrix-nginx-proxy is removed
-  file:
-    path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
-    state: absent
-  when: "not matrix_nginx_proxy_enabled or matrix_ssl_retrieval_method != 'lets-encrypt'"

roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml

@@ -1,5 +1,17 @@
 ---
 
+# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
+# This migration task can be removed some time in the future.
+- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /usr/local/bin/matrix-ssl-certificates-renew
+    - /etc/cron.d/matrix-ssl-certificate-renewal
+    - /etc/cron.d/matrix-nginx-proxy-periodic-restarter
+
+
 #
 # Tasks related to setting up Let's Encrypt's management of certificates
 #
@@ -32,18 +44,44 @@
     loop_var: domain_name
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 
-- name: Ensure SSL renewal script installed
+- name: Ensure Let's Encrypt SSL renewal script installed
   template:
-    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
-    dest: "/usr/local/bin/matrix-ssl-certificates-renew"
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
+    dest: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
     mode: 0750
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 
-- name: Ensure periodic SSL renewal cronjob configured
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
-    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
-    mode: 0600
+- block:
+  - name: Ensure periodic SSL renewal cronjob configured (MAILTO)
+    cron:
+      user: root
+      cron_file: matrix-ssl-lets-encrypt
+      env: yes
+      name: MAILTO
+      value: "{{ matrix_ssl_lets_encrypt_support_email }}"
+
+  - name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
+    cron:
+      user: root
+      cron_file: matrix-ssl-lets-encrypt
+      name: matrix-ssl-lets-encrypt-certificates-renew
+      state: present
+      hour: 4
+      minute: 15
+      day: "*/5"
+      job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
+
+  - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
+    cron:
+      user: root
+      cron_file: matrix-ssl-lets-encrypt
+      name: matrix-nginx-proxy-reload
+      state: present
+      hour: 4
+      minute: 20
+      day: "*/5"
+      job: /usr/bin/systemctl reload matrix-nginx-proxy.service
+    when: matrix_nginx_proxy_enabled
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 
 
@@ -51,11 +89,26 @@
 # Tasks related to getting rid of Let's Encrypt's management of certificates
 #
 
-- name: Ensure Let's Encrypt SSL certificate management files removed
-  file:
-    path: "{{ item }}"
+# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
+# Other cronjobs can potentially remain there (see below).
+- name: Ensure matrix-nginx-proxy-reload cronjob removed
+  cron:
+    user: root
+    cron_file: matrix-ssl-lets-encrypt
+    name: matrix-nginx-proxy-reload
+    state: absent
+  when: "not matrix_nginx_proxy_enabled"
+
+# When Let's Encrypt is not used at all, remove all cronjobs in that cron file.
+- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
+  cron:
+    user: root
+    cron_file: matrix-ssl-lets-encrypt
     state: absent
-  with_items:
-    - /usr/local/bin/matrix-ssl-certificates-renew
-    - /etc/cron.d/matrix-ssl-certificate-renewal
   when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
+
+- name: Ensure Let's Encrypt SSL renewal script removed
+  file:
+    path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
+    state: absent
+  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2

@@ -1,8 +0,0 @@
-MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
-
-# This periodically reloads the matrix-nginx-proxy service
-# to ensure it's using the latest SSL certificate
-# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
-# (which happens once every ~2-3 months).
-
-{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service

roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2

@@ -1,11 +0,0 @@
-MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
-
-# The goal of this cronjob is to ask certbot to check
-# the current SSL certificates and to see if some need renewal.
-# If so, it would attempt to renew.
-#
-# Various services depend on these certificates and would need to be restarted.
-# This is not our concern here. We simply make sure the certificates are up to date.
-# Restarting of services happens on its own different schedule (other cronjobs).
-
-{{ matrix_ssl_lets_encrypt_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew