add option for removing cron provided by distro pkgs

Author: gmenuel

REFERENCE.md

@@ -81,6 +81,7 @@ The following parameters are available in the `letsencrypt` class:
 * [`renew_post_hook_commands`](#renew_post_hook_commands)
 * [`renew_deploy_hook_commands`](#renew_deploy_hook_commands)
 * [`renew_additional_args`](#renew_additional_args)
+* [`renew_disable_distro_cron`](#renew_disable_distro_cron)
 * [`renew_cron_ensure`](#renew_cron_ensure)
 * [`renew_cron_hour`](#renew_cron_hour)
 * [`renew_cron_minute`](#renew_cron_minute)
@@ -258,6 +259,14 @@ Array of additional command line arguments to pass to 'certbot renew'.
 
 Default value: `[]`
 
+##### <a name="renew_disable_distro_cron"></a>`renew_disable_distro_cron`
+
+Data type: `Any`
+
+Boolean, set to true to disable the cron created by the distro package
+
+Default value: ``true``
+
 ##### <a name="renew_cron_ensure"></a>`renew_cron_ensure`
 
 Data type: `Any`
@@ -561,6 +570,8 @@ Note: Hooks set here will run before/after/for ALL certificates, including
 any not managed by Puppet. If you want to create hooks for specific
 certificates only, create them using letsencrypt::certonly.
 
+will be deleted (unless systemd is used)
+
 #### Parameters
 
 The following parameters are available in the `letsencrypt::renew` class:
@@ -569,6 +580,9 @@ The following parameters are available in the `letsencrypt::renew` class:
 * [`post_hook_commands`](#post_hook_commands)
 * [`deploy_hook_commands`](#deploy_hook_commands)
 * [`additional_args`](#additional_args)
+* [`disable_distro_cron`](#disable_distro_cron)
+* [`distro_renew_cron_file`](#distro_renew_cron_file)
+* [`distro_renew_timer`](#distro_renew_timer)
 * [`cron_ensure`](#cron_ensure)
 * [`cron_hour`](#cron_hour)
 * [`cron_minute`](#cron_minute)
@@ -611,6 +625,30 @@ Array of additional command line arguments to pass to 'certbot renew'.
 
 Default value: `$letsencrypt::renew_additional_args`
 
+##### <a name="disable_distro_cron"></a>`disable_distro_cron`
+
+Data type: `Boolean`
+
+Boolean, set to true to disable the cron created by the distro package
+
+Default value: `$letsencrypt::renew_disable_distro_cron`
+
+##### <a name="distro_renew_cron_file"></a>`distro_renew_cron_file`
+
+Data type: `Optional[Stdlib::Unixpath]`
+
+Optional Unixpath, if set and if disable_distro_cron is true this file
+
+Default value: ``undef``
+
+##### <a name="distro_renew_timer"></a>`distro_renew_timer`
+
+Data type: `Optional[String]`
+
+Optional String, name of the systemd timer to disable if disable_distro_cron is true
+
+Default value: ``undef``
+
 ##### <a name="cron_ensure"></a>`cron_ensure`
 
 Data type: `Enum['present', 'absent']`

data/Debian-family.yaml

@@ -2,3 +2,5 @@
 letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136'
 letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53'
 letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare'
+letsencrypt::renew::distro_renew_cron_file: /etc/cron.d/certbot
+letsencrypt::renew::distro_renew_timer: certbot.timer

data/FreeBSD-family.yaml

@@ -5,3 +5,4 @@ letsencrypt::cron_owner_group: 'wheel'
 letsencrypt::plugin::dns_rfc2136::package_name: 'py39-certbot-dns-rfc2136'
 letsencrypt::plugin::dns_route53::package_name: 'py39-certbot-dns-route53'
 letsencrypt::plugin::dns_cloudflare::package_name: 'py39-certbot-dns-cloudflare'
+letsencrypt::renew::distro_renew_cron_file: /etc/periodic/weekly/500.certbot-3.9

data/RedHat-family.yaml

@@ -3,3 +3,4 @@ letsencrypt::configure_epel: true
 letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136'
 letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53'
 letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare'
+letsencrypt::renew::distro_renew_timer: certbot-renew.timer

manifests/init.pp

@@ -39,6 +39,7 @@
 #   - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.
 #                       Example: "example.com www.example.com"
 # @param renew_additional_args Array of additional command line arguments to pass to 'certbot renew'.
+# @param renew_disable_distro_cron Boolean, set to true to disable the cron created by the distro package
 # @param renew_cron_ensure Intended state of the cron resource running certbot renew.
 # @param renew_cron_hour
 #   Optional string, integer or array of hour(s) the renewal command should run.
@@ -74,6 +75,7 @@
   $renew_post_hook_commands          = [],
   $renew_deploy_hook_commands        = [],
   $renew_additional_args             = [],
+  $renew_disable_distro_cron         = true,
   $renew_cron_ensure                 = 'absent',
   $renew_cron_hour                   = fqdn_rand(24),
   $renew_cron_minute                 = fqdn_rand(60),

manifests/renew.pp

@@ -16,6 +16,10 @@
 #   - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.
 #                       Example: "example.com www.example.com"
 # @param additional_args Array of additional command line arguments to pass to 'certbot renew'.
+# @param disable_distro_cron Boolean, set to true to disable the cron created by the distro package
+# @param distro_renew_cron_file Optional Unixpath, if set and if disable_distro_cron is true this file
+# will be deleted (unless systemd is used)
+# @param distro_renew_timer Optional String, name of the systemd timer to disable if disable_distro_cron is true
 # @param cron_ensure Intended state of the cron resource running certbot renew
 # @param cron_hour
 #   Optional string, integer or array of hour(s) the renewal command should run.
@@ -28,14 +32,17 @@
 #   run. E.g. '2-30/2' to run on even days. Default: Every day.
 #
 class letsencrypt::renew (
-  Variant[String[1], Array[String[1]]] $pre_hook_commands    = $letsencrypt::renew_pre_hook_commands,
-  Variant[String[1], Array[String[1]]] $post_hook_commands   = $letsencrypt::renew_post_hook_commands,
-  Variant[String[1], Array[String[1]]] $deploy_hook_commands = $letsencrypt::renew_deploy_hook_commands,
-  Array[String[1]]                     $additional_args      = $letsencrypt::renew_additional_args,
-  Enum['present', 'absent']            $cron_ensure          = $letsencrypt::renew_cron_ensure,
-  Letsencrypt::Cron::Hour              $cron_hour            = $letsencrypt::renew_cron_hour,
-  Letsencrypt::Cron::Minute            $cron_minute          = $letsencrypt::renew_cron_minute,
-  Letsencrypt::Cron::Monthday          $cron_monthday        = $letsencrypt::renew_cron_monthday,
+  Variant[String[1], Array[String[1]]] $pre_hook_commands      = $letsencrypt::renew_pre_hook_commands,
+  Variant[String[1], Array[String[1]]] $post_hook_commands     = $letsencrypt::renew_post_hook_commands,
+  Variant[String[1], Array[String[1]]] $deploy_hook_commands   = $letsencrypt::renew_deploy_hook_commands,
+  Array[String[1]]                     $additional_args        = $letsencrypt::renew_additional_args,
+  Boolean                              $disable_distro_cron    = $letsencrypt::renew_disable_distro_cron,
+  Optional[Stdlib::Unixpath]           $distro_renew_cron_file = undef,
+  Optional[String]                     $distro_renew_timer     = undef,
+  Enum['present', 'absent']            $cron_ensure            = $letsencrypt::renew_cron_ensure,
+  Letsencrypt::Cron::Hour              $cron_hour              = $letsencrypt::renew_cron_hour,
+  Letsencrypt::Cron::Minute            $cron_minute            = $letsencrypt::renew_cron_minute,
+  Letsencrypt::Cron::Monthday          $cron_monthday          = $letsencrypt::renew_cron_monthday,
 ) {
   # Directory used for Puppet-managed renewal hooks. Make sure old unmanaged
   # hooks in this directory are purged. Leave custom hooks in the default
@@ -84,4 +91,17 @@
     minute   => $cron_minute,
     monthday => $cron_monthday,
   }
+
+  if $disable_distro_cron and $distro_renew_timer and $facts['service_provider'] == 'systemd' {
+    service { $distro_renew_timer:
+      ensure => stopped,
+      enable => false,
+    }
+  }
+  elsif $disable_distro_cron and $distro_renew_cron_file and $facts['service_provider'] != 'systemd' {
+    file { $distro_renew_cron_file:
+      ensure  => file,
+      content => '# certbot renew managed by puppet',
+    }
+  }
 }

spec/classes/letsencrypt_spec.rb

@@ -211,6 +211,41 @@
             end
           end
 
+          describe 'renew_cron_ensure and disable_distro_cron (with systemd)' do
+            let(:additional_params) do
+              { renew_cron_ensure: 'present' }
+            end
+            let(:facts) do
+              facts.merge({
+                            service_provider: 'systemd',
+                          })
+            end
+
+            it do
+              case facts[:os]['family']
+              when 'RedHat'
+                is_expected.to contain_service('certbot-renew.timer').with(ensure: 'stopped', enable: false)
+              when 'Debian'
+                is_expected.to contain_service('certbot.timer').with(ensure: 'stopped', enable: false)
+              end
+            end
+          end
+
+          describe 'renew_cron_ensure and disable_distro_cron (without systemd)' do
+            let(:additional_params) do
+              { renew_cron_ensure: 'present' }
+            end
+
+            it do
+              case facts[:os]['family']
+              when 'Debian'
+                is_expected.to contain_file('/etc/cron.d/certbot')
+              when 'FreeBSD'
+                is_expected.to contain_file('/etc/periodic/weekly/500.certbot-3.9')
+              end
+            end
+          end
+
           describe 'renew_cron_ensure and additional args' do
             let(:additional_params) do
               { renew_cron_ensure: 'present',