Refactor systemctl services and categories due to alarm bugs

This commit restructures systemctl service definitions and category mappings. Motivation: Alarm-related bugs revealed inconsistencies in service and role handling. Preparation step: lays the groundwork for fixing the alarm issues by aligning categories, roles, and service templates.
2025-08-29 15:06:26 +02:00 · 2025-08-18 13:35:43 +02:00
parent 29f50da226
commit 3a839cfe37
289 changed files with 975 additions and 948 deletions
--- a/roles/sys-ctl-mtn-cert-renew/README.md
+++ b/roles/sys-ctl-mtn-cert-renew/README.md
@@ -0,0 +1,33 @@
+# Nginx Certbot Automation
+
+## 🔥 Description
+
+This role automates the setup of an automatic [Let's Encrypt](https://letsencrypt.org/) certificate renewal system for Nginx using [Certbot](https://certbot.eff.org/). It ensures that SSL/TLS certificates are renewed seamlessly in the background and that Nginx reloads automatically after successful renewals.
+
+## 📖 Overview
+
+Optimized for Archlinux systems, this role installs the `certbot-nginx` package, configures a dedicated `systemd` service for certificate renewal, and integrates with a `sys-timer` to schedule periodic renewals. After a renewal, Nginx is reloaded to apply the updated certificates immediately.
+
+### Key Features
+- **Automatic Renewal:** Schedules unattended certificate renewals using sys-timers.
+- **Seamless Nginx Reload:** Reloads the Nginx service automatically after successful renewals.
+- **Systemd Integration:** Manages renewal operations reliably with `systemd` and `sys-ctl-alm-compose`.
+- **Quiet and Safe Operation:** Uses `--quiet` and `--agree-tos` flags to ensure non-interactive renewals.
+
+## 🎯 Purpose
+
+The Nginx Certbot Automation role ensures that Let's Encrypt SSL/TLS certificates stay valid without manual intervention. It enhances the security and reliability of web services by automating certificate lifecycle management.
+
+## 🚀 Features
+
+- **Certbot-Nginx Package Installation:** Installs required certbot plugins for Nginx.
+- **Custom Systemd Service:** Configures a lightweight, dedicated renewal service.
+- **Timer Setup:** Uses sys-timer to run certbot renewals periodically.
+- **Failure Notification:** Integrated with `sys-ctl-alm-compose` for alerting on failures.
+
+## 🔗 Learn More
+
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Systemd (Wikipedia)](https://en.wikipedia.org/wiki/Systemd)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)
--- a/roles/sys-ctl-mtn-cert-renew/handlers/main.yml
+++ b/roles/sys-ctl-mtn-cert-renew/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: "reload certbot service"
+  systemd:
+    name: sys-ctl-mtn-cert-renew{{ SYS_SERVICE_SUFFIX }}
+    state: reloaded
+    enabled: yes
+    daemon_reload: yes
--- a/roles/sys-ctl-mtn-cert-renew/meta/main.yml
+++ b/roles/sys-ctl-mtn-cert-renew/meta/main.yml
@@ -0,0 +1,29 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Automates Let's Encrypt SSL/TLS certificate renewals for Nginx using Certbot and systemd services with automatic reloads after successful renewals.
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Archlinux
+    versions:
+    - rolling
+  galaxy_tags:
+  - nginx
+  - certbot
+  - ssl
+  - tls
+  - letsencrypt
+  - https
+  - systemd
+  - automation
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus"
+dependencies:
+- sys-ctl-cln-certs
--- a/roles/sys-ctl-mtn-cert-renew/tasks/01_core.yml
+++ b/roles/sys-ctl-mtn-cert-renew/tasks/01_core.yml
@@ -0,0 +1,30 @@
+- name: Include dependencies
+  include_role:
+    name: '{{ item }}'
+  loop:
+  - sys-svc-certbot
+  - srv-web-7-4-core
+  - sys-ctl-alm-compose
+
+- name: install certbot
+  community.general.pacman:
+    name:
+    - certbot-nginx
+    state: present
+
+- name: configure sys-ctl-mtn-cert-renew service
+  template:
+    src: sys-ctl-mtn-cert-renew.service.j2
+    dest: /etc/systemd/system/sys-ctl-mtn-cert-renew{{ SYS_SERVICE_SUFFIX }}
+  notify: reload certbot service
+
+- name: "set 'service_name' to '{{ role_name }}'"
+  set_fact:
+    service_name: "{{ role_name }}"
+
+- name: "include role for sys-timer for {{ service_name }}"
+  include_role:
+    name: sys-timer
+  vars:
+    on_calendar: "{{ SYS_SCHEDULE_MAINTANANCE_LETSENCRYPT_RENEW }}"
+    persistent: "true"
--- a/roles/sys-ctl-mtn-cert-renew/tasks/main.yml
+++ b/roles/sys-ctl-mtn-cert-renew/tasks/main.yml
@@ -0,0 +1,4 @@
+- block:
+    - include_tasks: 01_core.yml
+    - include_tasks: utils/run_once.yml
+  when: run_once_sys_ctl_mtn_cert_renew is not defined
--- a/roles/sys-ctl-mtn-cert-renew/templates/sys-ctl-mtn-cert-renew.service.j2
+++ b/roles/sys-ctl-mtn-cert-renew/templates/sys-ctl-mtn-cert-renew.service.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=Let's Encrypt renewal
+OnFailure=sys-ctl-alm-compose.{{ SOFTWARE_NAME }}@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos
+ExecStartPost=/usr/bin/docker restart {{ applications | get_app_conf('svc-prx-openresty', 'docker.services.openresty.name', True) }}