burp-client: Switch from cron to systemd timer

systemd timer units are supported on all relevant OS versions now. There is no longer any reason to use cron.
2023-04-06 22:49:49 -05:00 · 2023-04-06 22:49:49 -05:00 · 66d0a9157f
parent cd1f7b354b
commit 66d0a9157f
7 changed files with 64 additions and 9 deletions
--- a/burp-client.yml
+++ b/burp-client.yml
@ -1,4 +1,3 @@
 - hosts: burp-client
  roles:
  - cronie
  - burp-client
--- a/roles/burp-client/files/burp-backup.cron
+++ b/roles/burp-client/files/burp-backup.cron
@ -1 +0,0 @@
 18,48 * * * * root /usr/sbin/burp -a t -Q
--- a/roles/burp-client/files/burp-backup.fcron
+++ b/roles/burp-client/files/burp-backup.fcron
@ -1 +0,0 @@
@mail(no) 30 /usr/sbin/burp -a t
--- a/roles/burp-client/files/burp-backup.service
+++ b/roles/burp-client/files/burp-backup.service
@ -0,0 +1,27 @@
 # vim: set ft=systemd :
 [Unit]
 Description=BURP client
 After=network-online.target
 Wants=network-online.target
 [Service]
 Type=exec
 ExecStart=/usr/sbin/burp -a t -Q
 SuccessExitStatus=3
 CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
 CapabilityBoundingSet=CAP_FOWNER CAP_LEASE CAP_SETGID CAP_SETUID
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProcSubset=pid
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectProc=noaccess
 ProtectSystem=full
 SystemCallArchitectures=native
 SystemCallFilter=@system-service @privileged @mount
 SystemCallFilter=~@clock @debug @module @reboot @swap
--- a/roles/burp-client/files/burp-backup.timer
+++ b/roles/burp-client/files/burp-backup.timer
@ -0,0 +1,10 @@
 # vim: set ft=systemd :
 [Unit]
 Description=Periodically run BURP client
 [Timer]
 OnCalendar=*:18
 OnCalendar=*:48
 [Install]
 WantedBy=timers.target
--- a/roles/burp-client/handlers/main.yml
+++ b/roles/burp-client/handlers/main.yml
@ -1,2 +1,3 @@
- name: reload system crontab
+- name: reload systemd
-  command: /usr/libexec/check_system_crontabs -v -i
+  systemd:
    daemon_reload: true
--- a/roles/burp-client/tasks/main.yml
+++ b/roles/burp-client/tasks/main.yml
@ -49,8 +49,28 @@
  command:
    burp -c /etc/burp/burp.conf -g
    creates=/etc/burp/ssl_cert-client.pem
- name: ensure automatic backup is scheduled
+
 - name: ensure auto backup systemd units are installed
  copy:
-    src={{ burp_backup_crontab }}
+    src: '{{ item }}'
-    dest=/etc/cron.d/burp-backup
+    dest: /etc/systemd/system/
-    mode=0644
+    mode: u=rw,go=r
  loop:
  - burp-backup.service
  - burp-backup.timer
  notify:
  - reload systemd
  tags:
  - systemd
 - name: ensure auto backup timer is enabled
  systemd:
    name: burp-backup.timer
    enabled: true
    state: started
  tags:
  - service
 - name: ensure legacy burp crontab file is removed
  file:
    path: /etc/cron.d/burp-backup
    state: absent