diff --git a/REFERENCE.md b/REFERENCE.md
index 68b33149..fabc7187 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -81,6 +81,7 @@ The following parameters are available in the `letsencrypt` class:
* [`renew_post_hook_commands`](#renew_post_hook_commands)
* [`renew_deploy_hook_commands`](#renew_deploy_hook_commands)
* [`renew_additional_args`](#renew_additional_args)
+* [`renew_disable_distro_cron`](#renew_disable_distro_cron)
* [`renew_cron_ensure`](#renew_cron_ensure)
* [`renew_cron_hour`](#renew_cron_hour)
* [`renew_cron_minute`](#renew_cron_minute)
@@ -258,6 +259,14 @@ Array of additional command line arguments to pass to 'certbot renew'.
Default value: `[]`
+##### `renew_disable_distro_cron`
+
+Data type: `Any`
+
+Boolean, set to true to disable the cron created by the distro package
+
+Default value: ``true``
+
##### `renew_cron_ensure`
Data type: `Any`
@@ -561,6 +570,8 @@ Note: Hooks set here will run before/after/for ALL certificates, including
any not managed by Puppet. If you want to create hooks for specific
certificates only, create them using letsencrypt::certonly.
+will be deleted (unless systemd is used)
+
#### Parameters
The following parameters are available in the `letsencrypt::renew` class:
@@ -569,6 +580,9 @@ The following parameters are available in the `letsencrypt::renew` class:
* [`post_hook_commands`](#post_hook_commands)
* [`deploy_hook_commands`](#deploy_hook_commands)
* [`additional_args`](#additional_args)
+* [`disable_distro_cron`](#disable_distro_cron)
+* [`distro_renew_cron_file`](#distro_renew_cron_file)
+* [`distro_renew_timer`](#distro_renew_timer)
* [`cron_ensure`](#cron_ensure)
* [`cron_hour`](#cron_hour)
* [`cron_minute`](#cron_minute)
@@ -611,6 +625,30 @@ Array of additional command line arguments to pass to 'certbot renew'.
Default value: `$letsencrypt::renew_additional_args`
+##### `disable_distro_cron`
+
+Data type: `Boolean`
+
+Boolean, set to true to disable the cron created by the distro package
+
+Default value: `$letsencrypt::renew_disable_distro_cron`
+
+##### `distro_renew_cron_file`
+
+Data type: `Optional[Stdlib::Unixpath]`
+
+Optional Unixpath, if set and if disable_distro_cron is true this file
+
+Default value: ``undef``
+
+##### `distro_renew_timer`
+
+Data type: `Optional[String]`
+
+Optional String, name of the systemd timer to disable if disable_distro_cron is true
+
+Default value: ``undef``
+
##### `cron_ensure`
Data type: `Enum['present', 'absent']`
diff --git a/data/Debian-family.yaml b/data/Debian-family.yaml
index c52a03b6..4d41c8a3 100644
--- a/data/Debian-family.yaml
+++ b/data/Debian-family.yaml
@@ -2,3 +2,5 @@
letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136'
letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53'
letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare'
+letsencrypt::renew::distro_renew_cron_file: /etc/cron.d/certbot
+letsencrypt::renew::distro_renew_timer: certbot.timer
diff --git a/data/FreeBSD-family.yaml b/data/FreeBSD-family.yaml
index ba1ac097..da2e476c 100644
--- a/data/FreeBSD-family.yaml
+++ b/data/FreeBSD-family.yaml
@@ -5,3 +5,4 @@ letsencrypt::cron_owner_group: 'wheel'
letsencrypt::plugin::dns_rfc2136::package_name: 'py39-certbot-dns-rfc2136'
letsencrypt::plugin::dns_route53::package_name: 'py39-certbot-dns-route53'
letsencrypt::plugin::dns_cloudflare::package_name: 'py39-certbot-dns-cloudflare'
+letsencrypt::renew::distro_renew_cron_file: /etc/periodic/weekly/500.certbot-3.9
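Review bot: The FreeBSD path `/etc/periodic/weekly/500.certbot-3.9` embeds the Python flavor, just as the `py39-` package names above it do. If the port moves to another flavor, the packaged periodic script would presumably get a different name. Because renew.pp manages this path with `ensure => file`, Puppet would then create an inert stub at the old name while the real script keeps running next to the Puppet cron. A comment such as `# keep in sync with the py39 flavor of the certbot package` on this key would make the coupling visible to whoever bumps the package names.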
diff --git a/data/RedHat-family.yaml b/data/RedHat-family.yaml
index 35f52041..d8c979be 100644
--- a/data/RedHat-family.yaml
+++ b/data/RedHat-family.yaml
@@ -3,3 +3,4 @@ letsencrypt::configure_epel: true
letsencrypt::plugin::dns_rfc2136::package_name: 'python3-certbot-dns-rfc2136'
letsencrypt::plugin::dns_route53::package_name: 'python3-certbot-dns-route53'
letsencrypt::plugin::dns_cloudflare::package_name: 'python3-certbot-dns-cloudflare'
+letsencrypt::renew::distro_renew_timer: certbot-renew.timer
diff --git a/manifests/init.pp b/manifests/init.pp
index 5c90de9a..4b03c3fd 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -39,6 +39,7 @@
# - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.
# Example: "example.com www.example.com"
# @param renew_additional_args Array of additional command line arguments to pass to 'certbot renew'.
+# @param renew_disable_distro_cron Boolean, set to true to disable the cron created by the distro package
# @param renew_cron_ensure Intended state of the cron resource running certbot renew.
# @param renew_cron_hour
# Optional string, integer or array of hour(s) the renewal command should run.
@@ -74,6 +75,7 @@
$renew_post_hook_commands = [],
$renew_deploy_hook_commands = [],
$renew_additional_args = [],
+ $renew_disable_distro_cron = true,
$renew_cron_ensure = 'absent',
$renew_cron_hour = fqdn_rand(24),
$renew_cron_minute = fqdn_rand(60),
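Review bot: With `$renew_disable_distro_cron = true` next to `$renew_cron_ensure = 'absent'`, a node using the defaults can end up with no renewal job at all. The branches added at the end of manifests/renew.pp test only `$disable_distro_cron`, the timer or file name, and the service provider; they never look at `$cron_ensure`. As far as the visible lines show, that stops the packaged timer (or stubs the cron file) while no Puppet cron exists, and certificates then expire unless something else renews them. Either default this to `false`, or gate the renew.pp branches on `$cron_ensure == 'present'`. The parameter is also untyped (REFERENCE.md lists it as `Any`), so `Boolean $renew_disable_distro_cron = true,` would reject strings like `'false'`; the parameter list starts and ends outside this hunk.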
diff --git a/manifests/renew.pp b/manifests/renew.pp
index 350b9fff..19267f88 100644
--- a/manifests/renew.pp
+++ b/manifests/renew.pp
@@ -16,6 +16,10 @@
# - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains.
# Example: "example.com www.example.com"
# @param additional_args Array of additional command line arguments to pass to 'certbot renew'.
+# @param disable_distro_cron Boolean, set to true to disable the cron created by the distro package
+# @param distro_renew_cron_file Optional Unixpath, if set and if disable_distro_cron is true this file
+# will be deleted (unless systemd is used)
+# @param distro_renew_timer Optional String, name of the systemd timer to disable if disable_distro_cron is true
# @param cron_ensure Intended state of the cron resource running certbot renew
# @param cron_hour
# Optional string, integer or array of hour(s) the renewal command should run.
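Review bot: The continuation line `# will be deleted (unless systemd is used)` is not indented under its `@param` tag, so puppet-strings does not attach it to `distro_renew_cron_file`. The REFERENCE.md hunks in this commit show the result: the parameter description stops at "this file", and the orphaned sentence appears in the class description. The wording also disagrees with the code, which overwrites the file with a one-line comment rather than deleting it. I would write the second line as `#   will be replaced by a comment-only stub (unless systemd is used)` and regenerate REFERENCE.md.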
@@ -28,14 +32,17 @@
# run. E.g. '2-30/2' to run on even days. Default: Every day.
#
class letsencrypt::renew (
- Variant[String[1], Array[String[1]]] $pre_hook_commands = $letsencrypt::renew_pre_hook_commands,
- Variant[String[1], Array[String[1]]] $post_hook_commands = $letsencrypt::renew_post_hook_commands,
- Variant[String[1], Array[String[1]]] $deploy_hook_commands = $letsencrypt::renew_deploy_hook_commands,
- Array[String[1]] $additional_args = $letsencrypt::renew_additional_args,
- Enum['present', 'absent'] $cron_ensure = $letsencrypt::renew_cron_ensure,
- Letsencrypt::Cron::Hour $cron_hour = $letsencrypt::renew_cron_hour,
- Letsencrypt::Cron::Minute $cron_minute = $letsencrypt::renew_cron_minute,
- Letsencrypt::Cron::Monthday $cron_monthday = $letsencrypt::renew_cron_monthday,
+ Variant[String[1], Array[String[1]]] $pre_hook_commands = $letsencrypt::renew_pre_hook_commands,
+ Variant[String[1], Array[String[1]]] $post_hook_commands = $letsencrypt::renew_post_hook_commands,
+ Variant[String[1], Array[String[1]]] $deploy_hook_commands = $letsencrypt::renew_deploy_hook_commands,
+ Array[String[1]] $additional_args = $letsencrypt::renew_additional_args,
+ Boolean $disable_distro_cron = $letsencrypt::renew_disable_distro_cron,
+ Optional[Stdlib::Unixpath] $distro_renew_cron_file = undef,
+ Optional[String] $distro_renew_timer = undef,
+ Enum['present', 'absent'] $cron_ensure = $letsencrypt::renew_cron_ensure,
+ Letsencrypt::Cron::Hour $cron_hour = $letsencrypt::renew_cron_hour,
+ Letsencrypt::Cron::Minute $cron_minute = $letsencrypt::renew_cron_minute,
+ Letsencrypt::Cron::Monthday $cron_monthday = $letsencrypt::renew_cron_monthday,
) {
# Directory used for Puppet-managed renewal hooks. Make sure old unmanaged
# hooks in this directory are purged. Leave custom hooks in the default
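Review bot: `Optional[String] $distro_renew_timer` accepts an empty string, which Puppet treats as truthy. A Hiera override of `''` would therefore pass the `and $distro_renew_timer` test in the new conditional and declare a `service` resource with an empty title. The neighbouring parameters already use `String[1]`, so `Optional[String[1]] $distro_renew_timer = undef,` keeps the signature consistent and rejects that value at compile time. The class body continues outside this hunk.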
@@ -84,4 +91,17 @@
minute => $cron_minute,
monthday => $cron_monthday,
}
+
+ if $disable_distro_cron and $distro_renew_timer and $facts['service_provider'] == 'systemd' {
+ service { $distro_renew_timer:
+ ensure => stopped,
+ enable => false,
+ }
+ }
+ elsif $disable_distro_cron and $distro_renew_cron_file and $facts['service_provider'] != 'systemd' {
+ file { $distro_renew_cron_file:
+ ensure => file,
+ content => '# certbot renew managed by puppet',
+ }
+ }
}
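Review bot: The `file` resource in the `elsif` branch sets only `ensure` and `content`, leaving ownership and mode unmanaged. If the path does not exist, Puppet creates it with its default ownership and mode; if it does exist, whatever permissions it already has are kept. For a file under a cron or periodic directory it is safer to pin these, e.g. `owner => 'root',` and `mode => '0644',`, with the group taken from the module's existing `cron_owner_group` setting. The content also lacks a trailing newline, which some cron implementations warn about; `content => "# certbot renew managed by puppet\n",` avoids that. The class body begins outside this hunk.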
diff --git a/spec/classes/letsencrypt_spec.rb b/spec/classes/letsencrypt_spec.rb
index 9d849d64..8cc18e4f 100644
--- a/spec/classes/letsencrypt_spec.rb
+++ b/spec/classes/letsencrypt_spec.rb
@@ -211,6 +211,41 @@
end
end
+ describe 'renew_cron_ensure and disable_distro_cron (with systemd)' do
+ let(:additional_params) do
+ { renew_cron_ensure: 'present' }
+ end
+ let(:facts) do
+ facts.merge({
+ service_provider: 'systemd',
+ })
+ end
+
+ it do
+ case facts[:os]['family']
+ when 'RedHat'
+ is_expected.to contain_service('certbot-renew.timer').with(ensure: 'stopped', enable: false)
+ when 'Debian'
+ is_expected.to contain_service('certbot.timer').with(ensure: 'stopped', enable: false)
+ end
+ end
+ end
+
+ describe 'renew_cron_ensure and disable_distro_cron (without systemd)' do
+ let(:additional_params) do
+ { renew_cron_ensure: 'present' }
+ end
+
+ it do
+ case facts[:os]['family']
+ when 'Debian'
+ is_expected.to contain_file('/etc/cron.d/certbot')
+ when 'FreeBSD'
+ is_expected.to contain_file('/etc/periodic/weekly/500.certbot-3.9')
+ end
+ end
+ end
+
describe 'renew_cron_ensure and additional args' do
let(:additional_params) do
{ renew_cron_ensure: 'present',
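Review bot: Both new examples put their expectations inside a `case facts[:os]['family']` with no `else`, so on any OS family that matches no `when` the example passes without asserting anything. There is also no example for `renew_disable_distro_cron: false`, nor for the default `renew_cron_ensure: 'absent'`, so the specs never show the distro timer or cron file being left alone. I would add a context that sets `renew_disable_distro_cron: false` and asserts `is_expected.not_to contain_service('certbot.timer')`, with matching `not_to contain_file(...)` checks, plus an `else` branch that states the expected absence. The `describe` that follows the added lines continues outside this hunk.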