Refactor systemctl services and categories due to alarm bugs

This commit restructures systemctl service definitions and category mappings. Motivation: Alarm-related bugs revealed inconsistencies in service and role handling. Preparation step: lays the groundwork for fixing the alarm issues by aligning categories, roles, and service templates.
2025-08-29 15:06:26 +02:00 · 2025-08-18 13:35:43 +02:00
parent 29f50da226
commit 3a839cfe37
289 changed files with 975 additions and 948 deletions
--- a/roles/sys-ctl-cln-certs/README.md
+++ b/roles/sys-ctl-cln-certs/README.md
@@ -0,0 +1,37 @@
+# Certbot Reaper
+
+## Description
+
+This Ansible role automates the detection, revocation and deletion of unused Let's Encrypt certificates. It leverages the [`certreap`](https://github.com/kevinveenbirkenbach/certreap) tool to identify certificates no longer referenced by any active NGINX configuration and removes them automatically.
+
+## Overview
+
+- Installs the `certreap` cleanup tool using the `pkgmgr-install` role
+- Deploys and configures a `sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}` systemd unit
+- (Optionally) Sets up a recurring cleanup via a systemd timer using the `sys-timer` role
+- Integrates with `sys-ctl-alm-compose` to send failure notifications
+- Ensures idempotent execution with a `run_once_sys_ctl_cln_certs` flag
+
+## Features
+
+- **Certificate Cleanup Tool Installation**  
+  Uses `pkgmgr-install` to install the `certreap` binary.
+
+- **Systemd Service Configuration**  
+  Deploys `sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}` and reloads/restarts it on changes.
+
+- **Systemd Timer Scheduling**  
+  Optionally wires in a timer via the `sys-timer` role, controlled by the `on_calendar_cleanup_certs` variable.
+
+- **Smart Execution Logic**  
+  Prevents multiple runs in one play by setting a `run_once_sys_ctl_cln_certs` fact.
+
+- **Failure Notification**  
+  Triggers `sys-ctl-alm-compose.infinito@sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}` on failure.
+
+## Further Resources
+
+- [certreap on GitHub](https://github.com/kevinveenbirkenbach/certreap)  
+- [Ansible community.general.pacman module](https://docs.ansible.com/ansible/latest/collections/community/general/pacman_module.html)  
+- [Infinito.Nexus NonCommercial License](https://s.infinito.nexus/license)  
+- [systemd.unit(5) manual](https://www.freedesktop.org/software/systemd/man/systemd.unit.html)  
--- a/roles/sys-ctl-cln-certs/handlers/main.yml
+++ b/roles/sys-ctl-cln-certs/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: "Reload and restart sys-ctl-cln-certs service"
+  systemd:
+    name: sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}
+    enabled: yes
+    daemon_reload: yes
+    state: restarted
--- a/roles/sys-ctl-cln-certs/meta/main.yml
+++ b/roles/sys-ctl-cln-certs/meta/main.yml
@@ -0,0 +1,24 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Automates the revocation and deletion of unused Let's Encrypt certificates"
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Archlinux
+    versions:
+    - rolling
+  galaxy_tags:
+  - certbot
+  - ssl
+  - cleanup
+  - automation
+  - systemd
+  repository: "https://github.com/kevinveenbirkenbach/certreap"
+  issue_tracker_url: "https://github.com/kevinveenbirkenbach/certreap/issues"
+  documentation: "https://github.com/kevinveenbirkenbach/certreap#readme"
+
--- a/roles/sys-ctl-cln-certs/tasks/01_core.yml
+++ b/roles/sys-ctl-cln-certs/tasks/01_core.yml
@@ -0,0 +1,28 @@
+- name: Include dependencies
+  include_role:
+    name: '{{ item }}'
+  loop:
+  - sys-ctl-alm-compose
+  - sys-rst-daemon
+
+- name: "pkgmgr install"
+  include_role:
+    name: pkgmgr-install
+  vars:
+    package_name: certreap
+
+- name: configure sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}
+  template:
+    src: sys-ctl-cln-certs.service.j2
+    dest: /etc/systemd/system/sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}
+  notify: Reload and restart sys-ctl-cln-certs service
+
+- name: "set 'service_name' to '{{ role_name }}'"
+  set_fact:
+    service_name: "{{ role_name }}"
+
+- name: "include role for sys-timer for {{ service_name }}"
+  include_role:
+    name: sys-timer
+  vars:
+    on_calendar: "{{ SYS_SCHEDULE_CLEANUP_CERTS }}"
--- a/roles/sys-ctl-cln-certs/tasks/main.yml
+++ b/roles/sys-ctl-cln-certs/tasks/main.yml
@@ -0,0 +1,4 @@
+- block:
+    - include_tasks: 01_core.yml
+    - include_tasks: utils/run_once.yml
+  when: run_once_sys_ctl_cln_certs is not defined
--- a/roles/sys-ctl-cln-certs/templates/sys-ctl-cln-certs.service.j2
+++ b/roles/sys-ctl-cln-certs/templates/sys-ctl-cln-certs.service.j2
@@ -0,0 +1,7 @@
+[Unit]
+Description=Detect, revoke, and delete unused Let's Encrypt certificates based on active NGINX configuration files.
+OnFailure=sys-ctl-alm-compose.{{ SOFTWARE_NAME }}@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'certreap --force'