From 2a1ec38e3a0d8bf44a1b516d68a74107b01df148 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 6 Sep 2020 10:49:19 +0300
Subject: [PATCH] Stop using Ansible's cron module
This is mainly to address SSL renewal not working for us due to:
- https://github.com/ansible/ansible/issues/71213
- https://github.com/ansible/ansible/pull/71207
Using the cron module was hacky anyway. We shouldn't need an extra level of buggy abstraction to manage a cronjob file.
---
 roles/matrix-coturn/tasks/setup_coturn.yml | 18 +++----
 .../cron.d/matrix-coturn-ssl-reload.j2 | 1 +
 .../tasks/ssl/setup_ssl_lets_encrypt.yml | 52 +++----------
 .../cron.d/matrix-ssl-lets-encrypt.j2 | 5 ++
 4 files changed, 19 insertions(+), 57 deletions(-)
 create mode 100644 roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
 create mode 100644 roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2
diff --git a/roles/matrix-coturn/tasks/setup_coturn.yml b/roles/matrix-coturn/tasks/setup_coturn.yml
index a83908d3c..17b6137d7 100644
--- a/roles/matrix-coturn/tasks/setup_coturn.yml
+++ b/roles/matrix-coturn/tasks/setup_coturn.yml
@@ -91,15 +91,10 @@
 # We optimize for the common use-case though (short-lived Let's Encrypt certificates).
 # Reloading doesn't hurt anyway, so there's no need to make this more flexible.
 - name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
- cron:
- user: root
- cron_file: matrix-coturn-ssl-reload
- name: matrix-coturn-ssl-reload
- state: present
- hour: "4"
- minute: "20"
- day: "*/5"
- job: "{{ matrix_host_command_systemctl }} reload matrix-coturn.service"
+ template:
+ src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2"
+ dest: /etc/cron.d/matrix-coturn-ssl-reload
+ mode: 0644
 when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
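Review bot: The new `template` task for `/etc/cron.d/matrix-coturn-ssl-reload` sets only `mode: 0644` and leaves owner and group to whatever account Ansible happens to write the file as. Cron daemons are strict about `/etc/cron.d` entries — cronie, for one, logs and skips a file that is not root-owned or is group/world-writable — and the skip is silent from the play's point of view, so a wrong owner would show up only as a certificate that never gets reloaded. Pinning `owner: root` and `group: root` next to `mode: 0644` makes the requirement explicit instead of depending on the play running with `become` as root. The same applies to the `matrix-ssl-lets-encrypt` template task in the nginx-proxy role.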
@@ -108,9 +103,8 @@
 #
 - name: Ensure matrix-coturn-ssl-reload cronjob removed
- cron:
- user: root
- cron_file: matrix-coturn-ssl-reload
+ file:
+ path: /etc/cron.d/matrix-coturn-ssl-reload
 state: absent
 when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool"
diff --git a/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2 b/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
new file mode 100644
index 000000000..1076f5396
--- /dev/null
+++ b/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
@@ -0,0 +1 @@
+20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service
diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
index 08dc6e58f..2946c111c 100644
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
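Review bot: The single job in the new coturn template, `20 4 */5 * * root ... reload matrix-coturn.service`, fires five minutes after the daily renewal job that the other new template schedules at `15 4 * * *`. On the days it runs, a renewal that takes longer than five minutes (several domains, ACME retries) means coturn reloads the old certificate and, with this schedule, does not look again for another five days; presumably the Let's Encrypt renewal window absorbs that, but it is avoidable. Moving the reload to `20 5 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service` lines it up with the 05:20 nginx-proxy reload and gives renewal an hour of slack.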
@@ -55,37 +55,11 @@
 mode: 0750
 when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
-- block:
- - name: Ensure periodic SSL renewal cronjob configured (MAILTO)
- cron:
- user: root
- cron_file: matrix-ssl-lets-encrypt
- env: yes
- name: MAILTO
- value: "{{ matrix_ssl_lets_encrypt_support_email }}"
-
- - name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
- cron:
- user: root
- cron_file: matrix-ssl-lets-encrypt
- name: matrix-ssl-lets-encrypt-certificates-renew
- state: present
- hour: "4"
- minute: "15"
- day: "*"
- job: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
-
- - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
- cron:
- user: root
- cron_file: matrix-ssl-lets-encrypt
- name: matrix-nginx-proxy-reload
- state: present
- hour: "5"
- minute: "20"
- day: "*"
- job: "{{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service"
- when: matrix_nginx_proxy_enabled|bool
+- name: Ensure periodic SSL renewal cronjob configured
+ template:
+ src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2"
+ dest: /etc/cron.d/matrix-ssl-lets-encrypt
+ mode: 0644
 when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
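Review bot: `src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2"` spells out a path the `template` module already resolves on its own: a relative `src` is looked up in the role's `templates/` directory, so `src: cron.d/matrix-ssl-lets-encrypt.j2` is the conventional form and drops the Jinja expression from the task. This is a point of style only; if the rest of this repository deliberately uses the explicit `role_path` form, keep it here for consistency. The coturn task in the other role has the same shape. Note also that this task now also owns the nginx-proxy reload job, so a name such as `Ensure periodic SSL renewal and nginx-proxy reload cronjobs configured` would describe what it manages.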
@@ -93,21 +67,9 @@
 # Tasks related to getting rid of Let's Encrypt's management of certificates
 #
-# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
-# Other cronjobs can potentially remain there (see below).
-- name: Ensure matrix-nginx-proxy-reload cronjob removed
- cron:
- user: root
- cron_file: matrix-ssl-lets-encrypt
- name: matrix-nginx-proxy-reload
- state: absent
- when: "not matrix_nginx_proxy_enabled|bool"
-
 - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
- cron:
- user: root
- cron_file: matrix-ssl-lets-encrypt
- name: matrix-ssl-lets-encrypt-certificates-renew
+ file:
+ path: /etc/cron.d/matrix-ssl-lets-encrypt
 state: absent
 when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
diff --git a/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2 b/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2
new file mode 100644
index 000000000..f58e37d42
--- /dev/null
+++ b/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2
@@ -0,0 +1,5 @@
+MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
+15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
+{% if matrix_nginx_proxy_enabled %}
+20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
+{% endif %}
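Review bot: `{% if matrix_nginx_proxy_enabled %}` in the new template tests raw Jinja truthiness, whereas every guard in these tasks — including the removed `when: matrix_nginx_proxy_enabled|bool` that this line replaces — coerces with `|bool`; a value that arrives as a string (for example `-e matrix_nginx_proxy_enabled=false` on the command line) is truthy as a non-empty string and would still emit the reload job. Use `{% if matrix_nginx_proxy_enabled|bool %}` so the template agrees with the guards. Separately, `MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"` rendered with an empty value tells cron to send no mail at all, so a renewal job that starts failing goes unreported until the certificate expires; a comment above it, `# an empty MAILTO silences renewal failures`, would spare the next maintainer that surprise.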