Add email notifications for failed certbot runs

Based on https://wiki.archlinux.org/index.php/Systemd/Timers#MAILTO This can easily be used by other services, with one line added to the [Unit] section of a service: OnFailure=status-email-ops@%n.service Refs #3
2019-06-20 12:46:27 +02:00
parent a7eb12d0eb
commit 3a693efcd6
7 changed files with 92 additions and 19 deletions
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -26,26 +26,12 @@

 # Install certbot and set up hooks

-# Remove the unless/else when we get rid of dev, running 15.04. No ppa for it
-unless node["lsb"]["codename"] == "vivid"
-  apt_repository "certbot" do
-    uri "ppa:certbot/certbot"
-  end
-
-  package "certbot"
-else
-  remote_file "/usr/bin/certbot" do
-    source "https://dl.eff.org/certbot-auto"
-    mode 0755
-  end
-
-  cron "renew Let's Encrypt certificates" do
-   hour "4"
-   mailto "logs@5apps.com"
-   command "/usr/bin/certbot -q renew"
- end
+apt_repository "certbot" do
+  uri "ppa:certbot/certbot"
 end

+package "certbot"
+
 %w(deploy post pre).each do |subdir|
  directory "/etc/letsencrypt/renewal-hooks/#{subdir}" do
    recursive true
@@ -72,3 +58,16 @@ template "/root/gandi_dns_certbot_hook.sh" do
  variables gandi_api_key: gandi_api_data_bag_item["key"]
  mode 0770
 end
+
+include_recipe 'kosmos-base::systemd_emails'
+
+# Overwrite the systemd service to add email notifications on failures
+cookbook_file "/lib/systemd/system/certbot.service" do
+  source "certbot.service"
+  notifies :run, "execute[systemctl daemon-reload]", :delayed
+end
+
+execute "systemctl daemon-reload" do
+  command "systemctl daemon-reload"
+  action :nothing
+end