From b222d26c86e3859b51fd56cf55e45c0b9fafa567 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 8 Jan 2019 12:24:59 +0200 Subject: [PATCH] Switch to managing cronjobs with the Ansible cron module As suggested in #65 (Github issue), this patch switches cronjob management from using templates to using Ansible's `cron` module. It also moves the management of the nginx-reload cronjob to `setup_ssl_lets_encrypt.yml`, which is a more fitting place for it (given that this cronjob is only required when Let's Encrypt is used). Pros: - using a module is more Ansible-ish than templating our own files in special directories - more reliable: will fail early (during playbook execution) if `/usr/bin/crontab` is not available, which is more of a guarantee that cron is working fine (idea: we should probably install some cron package using the playbook) Cons: - invocation schedule is no longer configurable, unless we define individual variables for everything or do something smart (splitting on ' ', etc.). Likely not necessary, however. - requires us to deprecate and clean-up after the old way of managing cronjobs, because it's not compatible (using the same file as before means appending additional jobs to it) --- CHANGELOG.md | 12 +++ roles/matrix-server/defaults/main.yml | 3 - .../tasks/setup/setup_nginx_proxy.yml | 13 +-- .../setup/ssl/setup_ssl_lets_encrypt.yml | 81 +++++++++++++++---- .../matrix-nginx-proxy-periodic-restarter.j2 | 8 -- .../cron.d/matrix-ssl-certificate-renewal.j2 | 11 --- ...ix-ssl-lets-encrypt-certificates-renew.j2} | 0 7 files changed, 80 insertions(+), 48 deletions(-) delete mode 100644 roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 delete mode 100644 roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 rename roles/matrix-server/templates/usr-local-bin/{matrix-ssl-certificates-renew.j2 => matrix-ssl-lets-encrypt-certificates-renew.j2} (100%) 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 500ec36b1..58af939ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# 2019-01-08
+
+## (BC Break) Cronjob schedule no longer configurable
+
+Due to the way we manage cronjobs now, you can no longer configure the schedule they're invoked at.
+
+If you were previously using `matrix_ssl_lets_encrypt_renew_cron_time_definition` or `matrix_nginx_proxy_reload_cron_time_definition`
+to set a custom schedule, you should note that these variables don't affect anything anymore.
+
+If you miss this functionality, please [open an Issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/new) and let us know about your use case!
+
+
 # 2018-12-23
 
 ## (BC Break) More SSL certificate retrieval methods
diff --git a/roles/matrix-server/defaults/main.yml b/roles/matrix-server/defaults/main.yml
index 15e7dfce1..a6870ea60 100644
--- a/roles/matrix-server/defaults/main.yml
+++ b/roles/matrix-server/defaults/main.yml
@@ -408,9 +408,6 @@ matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.29.1"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: "{{ host_specific_matrix_ssl_lets_encrypt_support_email }}"
 
-# Specifies when to attempt to retrieve new SSL certificates from Let's Encrypt.
-matrix_ssl_lets_encrypt_renew_cron_time_definition: "15 4 */5 * *"
-
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
diff --git a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml
index b0a881a2e..123f97912 100644
--- a/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml
+++ b/roles/matrix-server/tasks/setup/setup_nginx_proxy.yml
@@ -31,6 +31,7 @@
     - "matrix-synapse.conf"
     - "matrix-riot-web.conf"
 
+
 #
 # Tasks related to setting up matrix-nginx-proxy
 #
@@ -57,12 +58,6 @@
     mode: 0644
   when: matrix_nginx_proxy_enabled
 
-- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
-    dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
-    mode: 0600
-  when: "matrix_nginx_proxy_enabled and matrix_ssl_retrieval_method == 'lets-encrypt'"
 
 #
 # Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
@@ -86,9 +81,3 @@
     path: "/etc/systemd/system/matrix-nginx-proxy.service"
     state: absent
   when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
-
-- name: Ensure periodic restarting of matrix-nginx-proxy is removed
-  file:
-    path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
-    state: absent
-  when: "not matrix_nginx_proxy_enabled or matrix_ssl_retrieval_method != 'lets-encrypt'"
diff --git a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml
index 0063242bb..add067d27 100644
--- a/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-server/tasks/setup/ssl/setup_ssl_lets_encrypt.yml
@@ -1,5 +1,17 @@
 ---
 
+# This is a cleanup/migration task, because of to the new way we manage cronjobs (`cron` module) and the new script name.
+# This migration task can be removed some time in the future.
+- name: (Migration) Remove deprecated Let's Encrypt SSL certificate management files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /usr/local/bin/matrix-ssl-certificates-renew
+    - /etc/cron.d/matrix-ssl-certificate-renewal
+    - /etc/cron.d/matrix-nginx-proxy-periodic-restarter
+
+
 #
 # Tasks related to setting up Let's Encrypt's management of certificates
 #
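Review bot: The header comment on the new migration task in setup_ssl_lets_encrypt.yml reads `because of to the new way`, which is a typo; drop the stray `of` so it reads `because of the new way we manage cronjobs`. Since `matrix_ssl_lets_encrypt_renew_cron_time_definition` and `matrix_nginx_proxy_reload_cron_time_definition` now have no effect (their removal is only announced in CHANGELOG.md), a `fail` or at least `debug` task next to this migration task, guarded by `when: "matrix_ssl_lets_encrypt_renew_cron_time_definition is defined or matrix_nginx_proxy_reload_cron_time_definition is defined"`, would surface the BC break at playbook run time instead of leaving a custom schedule silently ignored. The two setup_nginx_proxy.yml hunks on this line are pure deletions of the old cron.d handling and need nothing further.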
@@ -32,18 +44,44 @@
     loop_var: domain_name
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 
-- name: Ensure SSL renewal script installed
+- name: Ensure Let's Encrypt SSL renewal script installed
   template:
-    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
-    dest: "/usr/local/bin/matrix-ssl-certificates-renew"
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
+    dest: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
     mode: 0750
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 
-- name: Ensure periodic SSL renewal cronjob configured
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
-    dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
-    mode: 0600
+- block:
+    - name: Ensure periodic SSL renewal cronjob configured (MAILTO)
+      cron:
+        user: root
+        cron_file: matrix-ssl-lets-encrypt
+        env: yes
+        name: MAILTO
+        value: "{{ matrix_ssl_lets_encrypt_support_email }}"
+
+    - name: Ensure periodic SSL renewal cronjob configured (matrix-ssl-lets-encrypt-certificates-renew)
+      cron:
+        user: root
+        cron_file: matrix-ssl-lets-encrypt
+        name: matrix-ssl-lets-encrypt-certificates-renew
+        state: present
+        hour: 4
+        minute: 15
+        day: "*/5"
+        job: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
+
+    - name: Ensure periodic reloading of matrix-nginx-proxy is configured for SSL renewal (matrix-nginx-proxy-reload)
+      cron:
+        user: root
+        cron_file: matrix-ssl-lets-encrypt
+        name: matrix-nginx-proxy-reload
+        state: present
+        hour: 4
+        minute: 20
+        day: "*/5"
+        job: /usr/bin/systemctl reload matrix-nginx-proxy.service
+      when: matrix_nginx_proxy_enabled
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 
 
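Review bot: The `matrix-nginx-proxy-reload` job at `minute: 20` is silently coupled to the renewal job at `minute: 15` on the same `day: "*/5"` schedule, and with the schedule variables removed that five-minute window is now fixed; if the renewal script runs longer than that (several domains, slow ACME responses — I can't judge the typical duration from here), nginx reloads with the old certificate and does not pick the renewed one up for another five days. At minimum the dependency should be written down on the reload task, e.g. `# Runs 5 minutes after matrix-ssl-lets-encrypt-certificates-renew (04:15); assumes renewal finishes within that window`, so nobody later changes one schedule without the other. On style, `env: yes` in the MAILTO task should be `env: true`; yamllint's truthy rule flags `yes`, and the rest of the new tasks already use plain lowercase values.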
@@ -51,11 +89,26 @@
 # Tasks related to getting rid of Let's Encrypt's management of certificates
 #
 
-- name: Ensure Let's Encrypt SSL certificate management files removed
-  file:
-    path: "{{ item }}"
+# When nginx-proxy is disabled, make sure its reloading cronjob is gone.
+# Other cronjobs can potentially remain there (see below).
+- name: Ensure matrix-nginx-proxy-reload cronjob removed
+  cron:
+    user: root
+    cron_file: matrix-ssl-lets-encrypt
+    name: matrix-nginx-proxy-reload
+    state: absent
+  when: "not matrix_nginx_proxy_enabled"
+
+# When Let's Encrypt is not used at all, remove all cronjobs in that cron file.
+- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
+  cron:
+    user: root
+    cron_file: matrix-ssl-lets-encrypt
     state: absent
-  with_items:
-    - /usr/local/bin/matrix-ssl-certificates-renew
-    - /etc/cron.d/matrix-ssl-certificate-renewal
   when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
+
+- name: Ensure Let's Encrypt SSL renewal script removed
+  file:
+    path: /usr/local/bin/matrix-ssl-lets-encrypt-certificates-renew
+    state: absent
+  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
\ No newline at end of file
diff --git a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2 b/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
deleted file mode 100644
index 0cfa2a7b1..000000000
--- a/roles/matrix-server/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
-
-# This periodically reloads the matrix-nginx-proxy service
-# to ensure it's using the latest SSL certificate
-# in case it got renewed by the `matrix-ssl-certificate-renewal` cronjob
-# (which happens once every ~2-3 months).
-
-{{ matrix_nginx_proxy_reload_cron_time_definition }} root /usr/bin/systemctl reload matrix-nginx-proxy.service
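Review bot: The task named `Ensure matrix-ssl-lets-encrypt-renew cronjob removed` passes `cron_file` with `state: absent` and no `name`, which — as the comment above it says — is meant to drop the whole `/etc/cron.d/matrix-ssl-lets-encrypt` file rather than one entry; the task name should say that, e.g. `- name: Ensure matrix-ssl-lets-encrypt cron file removed (all cronjobs)`, and a short comment noting that file-wide removal relies on the cron module's name-less `state: absent` form would stop a later maintainer from adding a `name` and silently narrowing it to a single job. The new final line of setup_ssl_lets_encrypt.yml carries `\ No newline at end of file`; end the file with a newline (yamllint `new-line-at-end-of-file`). The deleted template on this line is a pure removal and needs nothing further.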
diff --git a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2 b/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
deleted file mode 100644
index b8eb8ce88..000000000
--- a/roles/matrix-server/templates/cron.d/matrix-ssl-certificate-renewal.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
-
-# The goal of this cronjob is to ask certbot to check
-# the current SSL certificates and to see if some need renewal.
-# If so, it would attempt to renew.
-#
-# Various services depend on these certificates and would need to be restarted.
-# This is not our concern here. We simply make sure the certificates are up to date.
-# Restarting of services happens on its own different schedule (other cronjobs).
-
-{{ matrix_ssl_lets_encrypt_renew_cron_time_definition }} root /bin/bash /usr/local/bin/matrix-ssl-certificates-renew
diff --git a/roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2 b/roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
similarity index 100%
rename from roles/matrix-server/templates/usr-local-bin/matrix-ssl-certificates-renew.j2
rename to roles/matrix-server/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2