roles/certbot: Run periodically as certbot user

The default systemd unit configuration for *certbot-renew.service* runs the `certbot renew …` command as root. This can cause permissions issues, since this Ansible role expects the *certbot* user to be able to access all configuration, data, and log files. As such, this commit adds a systemd unit extension for *certbot-renew.service* to run the command as *certbot*.
2018-12-30 15:22:27 -06:00 · 2018-12-30 15:22:27 -06:00 · d1a72de6b0
parent 50396c88d4
commit d1a72de6b0
3 changed files with 16 additions and 0 deletions
--- a/roles/certbot/files/certbot-renew-runas.service
+++ b/roles/certbot/files/certbot-renew-runas.service
@ -0,0 +1,3 @@
+[Service]
+User=certbot
+Group=certbot
--- a/roles/certbot/handlers/main.yml
+++ b/roles/certbot/handlers/main.yml
@ -1,3 +1,5 @@
+- name: reload systemd
+  command: systemctl daemon-reload
 - name: reload httpd
  service:
    name=httpd
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -92,6 +92,17 @@
    dest=/etc/sysconfig/certbot
    mode=0644

+- name: ensure certbot renew service extension directory exists
+  file:
+    path=/etc/systemd/system/certbot-renew.service.d
+    mode=0755
+    state=directory
+- name: ensure certbot renew runs as certbot user
+  copy:
+    src=certbot-renew-runas.service
+    dest=/etc/systemd/system/certbot-renew.service.d/run-as-certbot.conf
+    mode=0644
+  notify: reload systemd
 - name: ensure certbot timer is enabled
  service:
    name=certbot-renew.timer