From 7afa36859416e752b7851a22cbd3448401962599 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 7 May 2025 06:38:07 +0200
Subject: [PATCH] Added role cleanup-certs based on certreap

---
 group_vars/all/07_calendar.yml | 3 +-
 roles/cleanup-certs/README.md | 25 ++++++++++++++++
 roles/cleanup-certs/handlers/main.yml | 6 ++++
 roles/cleanup-certs/meta/main.yml | 28 +++++++++++++++++
 roles/cleanup-certs/tasks/main.yml | 30 +++++++++++++++++++
 .../cleanup-certs/templates/certs.service.j2 | 7 +++++
 roles/nginx-certbot/meta/main.yml | 1 +
 7 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 roles/cleanup-certs/README.md
 create mode 100644 roles/cleanup-certs/handlers/main.yml
 create mode 100644 roles/cleanup-certs/meta/main.yml
 create mode 100644 roles/cleanup-certs/tasks/main.yml
 create mode 100644 roles/cleanup-certs/templates/certs.service.j2

diff --git a/group_vars/all/07_calendar.yml b/group_vars/all/07_calendar.yml
index ac23dcc2..63f73079 100644
--- a/group_vars/all/07_calendar.yml
+++ b/group_vars/all/07_calendar.yml
@@ -6,11 +6,12 @@ on_calendar_health_disc_space: "*-*-* 06,12,18,00:00:00"
 on_calendar_health_docker_container: "*-*-* {{ hours_server_awake }}:00:00" # Check once per hour if the docker containers are healthy
 on_calendar_health_docker_volumes: "*-*-* {{ hours_server_awake }}:15:00" # Check once per hour if the docker volumes are healthy
 on_calendar_health_nginx: "*-*-* {{ hours_server_awake }}:45:00" # Check once per hour if all webservices are available
-on_calendar_health_msmtp: "*-*-* 00:00:00" # Check once per day SMTP Server
+on_calendar_health_msmtp: "*-*-* 00:00:00" # Check once per day SMTP Server
 
 ## Schedule for Cleanup Tasks
 on_calendar_cleanup_backups: "*-*-* 00,06,12,18:30:00" # Cleanup backups every 6 hours, MUST be called before disc space cleanup
 on_calendar_cleanup_disc_space: "*-*-* 07,13,19,01:30:00" # Cleanup disc space every 6 hours
+on_calendar_cleanup_certs: "*-*-* 12,00:45:00" # Deletes and revokes unused certs
 
 ## Schedule for Backup Tasks
 on_calendar_backup_docker_to_local: "*-*-* 03:30:00"
diff --git a/roles/cleanup-certs/README.md b/roles/cleanup-certs/README.md
new file mode 100644
index 00000000..79e17f0c
--- /dev/null
+++ b/roles/cleanup-certs/README.md
@@ -0,0 +1,25 @@
+# Certbot Reaper
+
+## Description
+
+This Ansible role automates the process of detecting, revoking, and deleting unused Let's Encrypt certificates. It leverages the [`certreap`](https://github.com/kevinveenbirkenbach/certreap) tool to identify which certificates are no longer referenced by any active NGINX configuration and removes them accordingly.
+
+## Overview
+
+Optimized for Archlinux, this role installs the certificate cleanup tool, configures a systemd service, and sets up an optional recurring systemd timer for automatic cleanup. It integrates with dependent roles for timer scheduling and system notifications.
+
+## Purpose
+
+Certbot Reaper helps you maintain a clean and secure server environment by regularly removing obsolete SSL certificates. This prevents unnecessary renewal attempts, clutter, and potential security risks from stale certificates.
+
+## Features
+
+- **Certificate Cleanup Tool Installation:** Installs `certreap` using [pkgmgr](https://github.com/kevinveenbirkenbach/package-manager)
+- **Systemd Service Configuration:** Deploys and manages `cleanup-certs.cymais.service`
+- **Systemd Timer Scheduling:** Optional timer via the `systemd-timer` role
+- **Smart Execution Logic:** Ensures idempotent configuration using a `run_once` flag
+
+## License
+
+This role is licensed under the [CyMaIS NonCommercial License (CNCL)](https://s.veen.world/cncl).
+Commercial use is not permitted without explicit permission.
\ No newline at end of file
diff --git a/roles/cleanup-certs/handlers/main.yml b/roles/cleanup-certs/handlers/main.yml
new file mode 100644
index 00000000..e2416e87
--- /dev/null
+++ b/roles/cleanup-certs/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: "Reload and restart cleanup-certs.cymais.service"
+  systemd:
+    name: cleanup-certs.cymais.service
+    enabled: yes
+    daemon_reload: yes
+    state: restarted
\ No newline at end of file
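Review bot: `state: restarted` on this handler makes every change to the unit template run the reaper immediately as a side effect of the deploy, not at the timer slot, which is an unusual trigger for an irreversible revoke-and-delete job; for a timer-driven oneshot the handler normally only needs the reload, so consider `daemon_reload: true` with `state` dropped, or a comment above the handler stating that a template change deliberately triggers a run. `enabled: yes` and `daemon_reload: yes` should be written as `true` (yamllint truthy). The unit file added in this patch has no `[Install]` section, so what `enabled` does on a static unit depends on how the systemd module handles that case — worth checking on a fresh Archlinux host before relying on it.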
diff --git a/roles/cleanup-certs/meta/main.yml b/roles/cleanup-certs/meta/main.yml
new file mode 100644
index 00000000..e5fdae16
--- /dev/null
+++ b/roles/cleanup-certs/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Automates the revocation and deletion of unused Let's Encrypt certificates"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - certbot
+    - ssl
+    - cleanup
+    - automation
+    - systemd
+  repository: "https://github.com/kevinveenbirkenbach/certreap"
+  issue_tracker_url: "https://github.com/kevinveenbirkenbach/certreap/issues"
+  documentation: "https://github.com/kevinveenbirkenbach/certreap#readme"
+
+dependencies:
+  - systemd-timer
+  - systemd-notifier
diff --git a/roles/cleanup-certs/tasks/main.yml b/roles/cleanup-certs/tasks/main.yml
new file mode 100644
index 00000000..afe50090
--- /dev/null
+++ b/roles/cleanup-certs/tasks/main.yml
@@ -0,0 +1,30 @@
+- name: "pkgmgr install"
+  include_role:
+    name: pkgmgr-install
+  vars:
+    package_name: cleanup-certs
+  when: run_once_cleanup_certs is not defined
+
+- name: configure cleanup-certs.cymais.service
+  template:
+    src: cleanup-certs.service.j2
+    dest: /etc/systemd/system/cleanup-certs.cymais.service
+  notify: Reload and restart cleanup-certs.cymais.service
+  when: run_once_cleanup_certs is not defined
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+  when: run_once_cleanup_certs is not defined
+
+- name: "include role for systemd-timer for {{service_name}}"
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar: "{{ on_calendar_cleanup_certs }}"
+  when: run_once_cleanup_certs is not defined
+
+- name: run the run_once_cleanup_certs tasks once
+  set_fact:
+    run_once_cleanup_certs: true
+  when: run_once_cleanup_certs is not defined
\ No newline at end of file
diff --git a/roles/cleanup-certs/templates/certs.service.j2 b/roles/cleanup-certs/templates/certs.service.j2
new file mode 100644
index 00000000..4044771f
--- /dev/null
+++ b/roles/cleanup-certs/templates/certs.service.j2
@@ -0,0 +1,7 @@
+[Unit]
+Description=Detect, revoke, and delete unused Let's Encrypt certificates based on active NGINX configuration files.
+OnFailure=systemd-notifier.cymais@%n.service
+
+[Service]
+Type=oneshot
+ExecStartPre=/bin/sh -c '/usr/bin/python certreap --force'
\ No newline at end of file
diff --git a/roles/nginx-certbot/meta/main.yml b/roles/nginx-certbot/meta/main.yml
index fa9e0d74..d6fdbdd5 100644
--- a/roles/nginx-certbot/meta/main.yml
+++ b/roles/nginx-certbot/meta/main.yml
@@ -30,3 +30,4 @@ dependencies:
   - certbot
   - nginx
   - systemd-notifier
+  - cleanup-certs
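Review bot: The template task's `src: cleanup-certs.service.j2` does not match the file this patch creates, `roles/cleanup-certs/templates/certs.service.j2`, so the role fails at that task on its first run; either change it to `src: certs.service.j2` or rename the template to match. `package_name: cleanup-certs` also differs from the tool name the README and the unit file use (`certreap`) — if pkgmgr-install resolves by the upstream package name this would presumably need to be `certreap`, which the diff alone cannot confirm. The task name `"include role for systemd-timer for {{service_name}}"` would match the Jinja spacing used elsewhere in this file as `{{ service_name }}`.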
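Review bot: `ExecStartPre=/bin/sh -c '/usr/bin/python certreap --force'` places the unit's only command in ExecStartPre and hands `certreap` to python as a script path, which resolves relative to the service's working directory (`/` unless WorkingDirectory= is set) — unless pkgmgr installs a file literally at that location, every run fails, and with the 12,00:45 schedule from this patch that is an OnFailure notification twice a day. The command belongs in `ExecStart=` using the absolute path pkgmgr installs the tool to, e.g. `ExecStart=<absolute path to certreap> --force` (placeholder), without the `/bin/sh -c` wrapper. Because `--force` makes the revocation and deletion non-interactive and irreversible, a comment in the unit stating that the sole selection criterion is "not referenced by an active NGINX configuration" would help the next maintainer judge the blast radius.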