Switch to managing cronjobs with the Ansible cron module

As suggested in #65 (Github issue), this patch switches cronjob management from using templates to using Ansible's `cron` module. It also moves the management of the nginx-reload cronjob to `setup_ssl_lets_encrypt.yml`, which is a more fitting place for it (given that this cronjob is only required when Let's Encrypt is used). Pros: - using a module is more Ansible-ish than templating our own files in special directories - more reliable: will fail early (during playbook execution) if `/usr/bin/crontab` is not available, which is more of a guarantee that cron is working fine (idea: we should probably install some cron package using the playbook) Cons: - invocation schedule is no longer configurable, unless we define individual variables for everything or do something smart (splitting on ' ', etc.). Likely not necessary, however. - requires us to deprecate and clean-up after the old way of managing cronjobs, because it's not compatible (using the same file as before means appending additional jobs to it)
2019-01-08 12:24:59 +02:00 · 2019-01-08 12:24:59 +02:00 · b222d26c86
parent ef2dc3745a
commit b222d26c86
7 changed files with 80 additions and 48 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,15 @@
+# 2019-01-08
+
+## (BC Break) Cronjob schedule no longer configurable
+
+Due to the way we manage cronjobs now, you can no longer configure the schedule they're invoked at.
+
+If you were previously using `matrix_ssl_lets_encrypt_renew_cron_time_definition` or `matrix_nginx_proxy_reload_cron_time_definition`
+to set a custom schedule, you should note that these variables don't affect anything anymore.
+
+If you miss this functionality, please [open an Issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/new) and let us know about your use case!
+
+
 # 2018-12-23

 ## (BC Break) More SSL certificate retrieval methods
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@ -408,9 +408,6 @@ matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.29.1"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"

-# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt.
-matrix_ssl_lets_encrypt_renew_cron_time_definition: "15 4 */5 * *"
-
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
--- a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml
+++ b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml
@ -31,6 +31,7 @@
    - "matrix-synapse.conf"
    - "matrix-riot-web.conf"

+
 #
 # Tasks related to setting up matrix-nginx-proxy
 #
@ -57,12 +58,6 @@
    mode: 0644
  when: matrix_nginx_proxy_enabled

- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
-    dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
-    mode: 0600
-  when: "matrix_nginx_proxy_enabled and matrix_ssl_retrieval_method == 'lets-encrypt'"

 #
 # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
@ -86,9 +81,3 @@
    path: "/etc/systemd/system/matrix-nginx-proxy.service"
    state: absent
  when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
-
- name: Ensure periodic restarting of matrix-nginx-proxy is removed
-  file:
-    path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
-    state: absent
-  when: "not matrix_nginx_proxy_enabled or matrix_ssl_retrieval_method != 'lets-encrypt'"
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml
@ -1,5 +1,17 @@
 ---

+# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
+# This migration task can be removed some time in the future.
+- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /usr/local/bin/matrix-ssl-certificates-renew
+    - /etc/cron.d/matrix-ssl-certificate-renewal
+    - /etc/cron.d/matrix-nginx-proxy-periodic-restarter
+
+
 #
 # Tasks related to setting up Let's Encrypt's management of certificates
 #
@ -32,18 +44,44 @@
    loop_var: domain_name
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"

- name: Ensure SSL renewal script installed
+- name: Ensure Let's Encrypt SSL renewal script installed
  template:
-    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
-    dest: "/usr/local/bin/matrix-ssl-certificates-renew"
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
+    dest: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
    mode: 0750
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"

- name: Ensure periodic SSL renewal cronjob configured
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
-    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
-    mode: 0600
+- block:
+  - name: Ensure periodic SSL renewal cronjob configured (MAILTO)
+    cron:
+      user: root
+      cron_file: matrix-ssl-lets-encrypt
+      env: yes
+      name: MAILTO
+      value: "{{ matrix_ssl_lets_encrypt_support_email }}"
+
+  - name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
+    cron:
+      user: root
+      cron_file: matrix-ssl-lets-encrypt
+      name: matrix-ssl-lets-encrypt-certificates-renew
+      state: present
+      hour: 4
+      minute: 15
+      day: "*/5"
+      job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
+
+  - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
+    cron:
+      user: root
+      cron_file: matrix-ssl-lets-encrypt
+      name: matrix-nginx-proxy-reload
+      state: present
+      hour: 4
+      minute: 20
+      day: "*/5"
+      job: /usr/bin/systemctl reload matrix-nginx-proxy.service
+    when: matrix_nginx_proxy_enabled
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"


@ -51,11 +89,26 @@
 # Tasks related to getting rid of Let's Encrypt's management of certificates
 #

- name: Ensure Let's Encrypt SSL certificate management files removed
-  file:
-    path: "{{ item }}"
+# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
+# Other cronjobs can potentially remain there (see below).
+- name: Ensure matrix-nginx-proxy-reload cronjob removed
+  cron:
+    user: root
+    cron_file: matrix-ssl-lets-encrypt
+    name: matrix-nginx-proxy-reload
+    state: absent
+  when: "not matrix_nginx_proxy_enabled"
+
+# When Let's Encrypt is not used at all, remove all cronjobs in that cron file.
+- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
+  cron:
+    user: root
+    cron_file: matrix-ssl-lets-encrypt
    state: absent
-  with_items:
-    - /usr/local/bin/matrix-ssl-certificates-renew
-    - /etc/cron.d/matrix-ssl-certificate-renewal
  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
+
+- name: Ensure Let's Encrypt SSL renewal script removed
+  file:
+    path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
+    state: absent
+  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
--- a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
@ -1,8 +0,0 @@
-MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
-
-# This periodically reloads the matrix-nginx-proxy service
-# to ensure it's using the latest SSL certificate
-# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
-# (which happens once every ~2-3 months).
-
-{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
--- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
+++ b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
@ -1,11 +0,0 @@
-MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
-
-# The goal of this cronjob is to ask certbot to check
-# the current SSL certificates and to see if some need renewal.
-# If so, it would attempt to renew.
-#
-# Various services depend on these certificates and would need to be restarted.
-# This is not our concern here. We simply make sure the certificates are up to date.
-# Restarting of services happens on its own different schedule (other cronjobs).
-
-{{ matrix_ssl_lets_encrypt_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew
--- a/roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2