From d1a72de6b09b427f31506ac66ab2a0734f25c391 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 30 Dec 2018 15:22:27 -0600
Subject: [PATCH] roles/certbot: Run periodically as certbot user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default systemd unit configuration for *certbot-renew.service* runs the `certbot renew …` command as root. This can cause permissions issues, since this Ansible role expects the *certbot* user to be able to access all configuration, data, and log files. As such, this commit adds a systemd unit extension for *certbot-renew.service* to run the command as *certbot*.
---
 roles/certbot/files/certbot-renew-runas.service | 3 +++
 roles/certbot/handlers/main.yml | 2 ++
 roles/certbot/tasks/main.yml | 11 +++++++++++
 3 files changed, 16 insertions(+)
 create mode 100644 roles/certbot/files/certbot-renew-runas.service

diff --git a/roles/certbot/files/certbot-renew-runas.service b/roles/certbot/files/certbot-renew-runas.service
new file mode 100644
index 0000000..396222b
--- /dev/null
+++ b/roles/certbot/files/certbot-renew-runas.service
@@ -0,0 +1,3 @@
+[Service]
+User=certbot
+Group=certbot
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
index 09fd3c8..c52841c 100644
--- a/roles/certbot/handlers/main.yml
+++ b/roles/certbot/handlers/main.yml
@@ -1,3 +1,5 @@
+- name: reload systemd
+ command: systemctl daemon-reload
 - name: reload httpd
 service: name=httpd
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 4bba249..3896643 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
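Review bot: The drop-in carries no comment saying why it exists or that Ansible manages it, so an administrator who finds run-as-certbot.conf under certbot-renew.service.d has no pointer back to this role; add `# Managed by Ansible (roles/certbot): run renewals as the unprivileged certbot user instead of root` as its first line. Moving the unit to `User=certbot`/`Group=certbot` also changes what `certbot renew` can do downstream: any pre/post/deploy hooks that reload a web server (not visible in this patch, so this is inferred) would now run unprivileged and fail quietly, leaving a renewed certificate that is never loaded. If the standalone authenticator is in use, binding port 80 as a non-root user additionally needs `AmbientCapabilities=CAP_NET_BIND_SERVICE` in this same drop-in, whereas the webroot and DNS authenticators need nothing extra. As a naming point, the source file is called certbot-renew-runas.service but is installed as a `.conf` drop-in; naming it run-as-certbot.conf in files/ would match its destination and stop it being mistaken for a complete unit.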
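Review bot: `command: systemctl daemon-reload` reports changed on every run and is not tied to the unit it affects; Ansible's systemd module does this natively, `systemd: daemon_reload=yes`, and keeps the handler idempotent in play output. Because handlers fire only at the end of the play, the drop-in installed by tasks/main.yml (third hunk) sits on disk but is not yet active while the following "ensure certbot timer is enabled" task runs, and if the play aborts before the handlers run, the service keeps executing as root until something else reloads systemd. A `meta: flush_handlers` directly after the copy task, or `daemon_reload=yes` on the timer task itself, closes that window. The same observation applies to the `notify: reload systemd` line in the third hunk, so it is not repeated there.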
@@ -92,6 +92,17 @@
 dest=/etc/sysconfig/certbot
 mode=0644
+- name: ensure certbot renew service extension directory exists
+ file:
+ path=/etc/systemd/system/certbot-renew.service.d
+ mode=0755
+ state=directory
+- name: ensure certbot renew runs as certbot user
+ copy:
+ src=certbot-renew-runas.service
+ dest=/etc/systemd/system/certbot-renew.service.d/run-as-certbot.conf
+ mode=0644
+ notify: reload systemd
 - name: ensure certbot timer is enabled
 service: name=certbot-renew.timer
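Review bot: Neither the `file:` task for /etc/systemd/system/certbot-renew.service.d nor the `copy:` task for run-as-certbot.conf pins ownership; both set only a mode, so owner and group fall to whatever account Ansible connects or escalates as. A drop-in under /etc/systemd/system is privileged configuration — whoever can edit it can put the renewal back under root or change what the unit runs — so it should be root-owned explicitly, adding `owner=root` and `group=root` next to `mode=0755` and `mode=0644` respectively. The task list continues before and after this hunk, and one blank context line appears to have been lost when the hunk was collapsed, which is why the visible lines fall one short of the counts in `@@ -92,6 +92,17 @@`.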