Kevin Veen-Birkenbach
2569abc0be
- Unified service templates into generic systemctl templates - Introduced reusable filter plugins for script path handling - Updated path variables and service/timer definitions - Migrated roles (backup, cleanup, repair, etc.) to use systemctl role - Added sys-daemon role for core systemd cleanup - Simplified timer handling via sys-timer role Note: This is a large refactor and some errors may still exist. Further testing and adjustments will be needed.
Certbot Reaper
Description
This Ansible role automates the detection, revocation and deletion of unused Let's Encrypt certificates. It leverages the certreap tool to identify certificates no longer referenced by any active NGINX configuration and removes them automatically.
Overview
- Installs the
certreapcleanup tool using thepkgmgr-installrole - Deploys and configures a
sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}systemd unit - (Optionally) Sets up a recurring cleanup via a systemd timer using the
sys-timerrole - Integrates with
sys-ctl-alm-composeto send failure notifications - Ensures idempotent execution with a
run_once_sys_ctl_cln_certsflag
Features
-
Certificate Cleanup Tool Installation
Usespkgmgr-installto install thecertreapbinary. -
Systemd Service Configuration
Deployssys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}and reloads/restarts it on changes. -
Systemd Timer Scheduling
Optionally wires in a timer via thesys-timerrole, controlled by theon_calendar_cleanup_certsvariable. -
Smart Execution Logic
Prevents multiple runs in one play by setting arun_once_sys_ctl_cln_certsfact. -
Failure Notification
Triggerssys-ctl-alm-compose.infinito@sys-ctl-cln-certs{{ SYS_SERVICE_SUFFIX }}on failure.