From c5f2475537d4ece3015ede9780f020a2202477fa Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 27 Mar 2024 17:27:13 -0700
Subject: [PATCH] batcave: renew proxy letsencrypt certs weekly
We occasionally run into problems with certs that aren't renewed in time or are close to expiring. Just running the proxies playbook will renew them, but in freezes or the like sometimes there's a long time period where we don't run that playbook. So, lets just run weekly with the right tag. This should renew any cert thats close to expiring. The job shouldn't normally output anything, but if there's errors it will email them to admin@
Signed-off-by: Kevin Fenzi
---
 roles/batcave/files/proxy-certs-check-renew.cron | 8 ++++++++
 roles/batcave/tasks/main.yml | 11 +++++++++++
 2 files changed, 19 insertions(+)
 create mode 100755 roles/batcave/files/proxy-certs-check-renew.cron
diff --git a/roles/batcave/files/proxy-certs-check-renew.cron b/roles/batcave/files/proxy-certs-check-renew.cron
new file mode 100755
index 0000000000..1283c66bd8
--- /dev/null
+++ b/roles/batcave/files/proxy-certs-check-renew.cron
@@ -0,0 +1,8 @@
+#!/bin/bash
+mailto='admin@fedoraproject.org'
+source /root/sshagent >>/dev/null
+export ANSIBLE_HOST_KEY_CHECKING=False
+export HOME=/root/
+#export ANSIBLE_SSH_PIPELINING=False
+export ANSIBLE_HASH_BEHAVIOUR=merge
+timeout 24h ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t letsencrypt -f 20 |& grep fatal
diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml
index 92604500b9..b8729ae939 100644
--- a/roles/batcave/tasks/main.yml
+++ b/roles/batcave/tasks/main.yml
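Review bot: `export ANSIBLE_HOST_KEY_CHECKING=False` in the new cron script turns off SSH host-key verification for an unattended job that runs with `HOME=/root/` and whatever agent `/root/sshagent` provides, so a proxy that presents an unexpected key is accepted silently during what is presumably a certificate-handling run. I would drop that line and rely on a maintained known_hosts, so a key mismatch fails the run and shows up in the job's output. Separately, `|& grep fatal` is the only failure signal: a run killed by `timeout` or stopped by an `ERROR!` line prints nothing that matches, and `mailto` is assigned but never used, so delivery depends on cron's own mail settings. Checking `${PIPESTATUS[0]}` right after the pipeline and echoing a line when it is non-zero would surface those cases.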
@@ -258,6 +258,17 @@
 - config
 when: inventory_hostname.startswith('batcave01')

+#
+# Setup job that runs letsencrypt on proxies each week
+#
+
+- name: setup letsencrypt run for proxies
+ copy: src=proxy-certs-check-renew.cron dest=/etc/cron.weekly/proxy-certs-check-renew.cron mode=0755
+ tags:
+ - batcave
+ - config
+ when: inventory_hostname.startswith('batcave01')
+
 #
 # Setup rhel6 sync script.
 #
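Review bot: The added `copy` task installs a script into /etc/cron.weekly, where it will presumably be executed as root, but it sets only `mode=0755`, so ownership is whatever the copy happens to produce or whatever an existing file at that path already has. Adding `owner=root group=root` to the same `copy:` line makes the task enforce that only root can modify the file on every run. The task list continues outside the hunk, so I cannot see whether other cron installs in this role already pin ownership.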