Sys-ctl-cln-certs Role

Description: No description available

Variables

  • author: Kevin Veen-Birkenbach

  • description: Automates the revocation and deletion of unused Let’s Encrypt certificates

  • license: Infinito.Nexus NonCommercial License

  • license_url: https://s.infinito.nexus/license

  • company: Kevin Veen-Birkenbach Consulting & Coaching Solutions https://www.veen.world

README

Certbot Reaper

Description

This Ansible role automates the detection, revocation and deletion of unused Let’s Encrypt certificates. It leverages the certreap tool (https://github.com/kevinveenbirkenbach/certreap) to identify certificates no longer referenced by any active NGINX configuration and removes them automatically.

Overview

  • Installs the certreap cleanup tool using the pkgmgr-install role

  • Deploys and configures a systemd unit

  • (Optionally) Sets up a recurring cleanup via a systemd timer using the sys-timer role

  • Integrates with sys-ctl-alm-compose to send failure notifications

  • Ensures idempotent execution with a run_once_sys_ctl_cln_certs flag

Features

  • Certificate Cleanup Tool Installation
    Uses pkgmgr-install to install the certreap binary.
  • Systemd Service Configuration
    Deploys the systemd service unit for certreap and reloads/restarts it whenever the unit changes.
  • Systemd Timer Scheduling
    Optionally wires in a timer via the sys-timer role, controlled by the on_calendar_cleanup_certs variable.
  • Smart Execution Logic
    Prevents multiple runs in one play by setting a run_once_sys_ctl_cln_certs fact.
  • Failure Notification
    Triggers the sys-ctl-alm-compose notification service when a cleanup run fails.

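The wiring described in the feature list above, as an added example task file (not the role's own code): the pkgmgr-install and sys-timer variable names, the unit file path, the certreap install path and the alarm unit name are assumptions.

```yaml
# Added example: minimal tasks reproducing the run-once guard, service
# deployment, optional timer and failure notification described above.
# Variable names, paths and unit names are assumptions, not the role's own.
- name: Clean up unused Let's Encrypt certificates (once per play)
  when: run_once_sys_ctl_cln_certs is not defined
  block:
    - name: Install the certreap tool via pkgmgr-install
      ansible.builtin.include_role:
        name: pkgmgr-install
      vars:
        package_name: certreap            # assumed role variable

    - name: Deploy the oneshot cleanup service unit
      ansible.builtin.copy:
        dest: /etc/systemd/system/sys-ctl-cln-certs.service
        content: |
          [Unit]
          Description=Revoke and delete unused Let's Encrypt certificates
          # Hand failures to the alarm service (assumed unit name)
          OnFailure=sys-ctl-alm-compose.service

          [Service]
          Type=oneshot
          # Assumed install path of the certreap binary
          ExecStart=/usr/local/bin/certreap
      register: cleanup_unit

    - name: Reload systemd and restart the service when the unit changed
      ansible.builtin.systemd:
        name: sys-ctl-cln-certs.service
        daemon_reload: true
        state: restarted
      when: cleanup_unit.changed

    - name: Schedule recurring cleanup when a calendar spec is given
      ansible.builtin.include_role:
        name: sys-timer
      vars:
        service_name: sys-ctl-cln-certs   # assumed role variables
        on_calendar: "{{ on_calendar_cleanup_certs }}"
      when: on_calendar_cleanup_certs is defined

    - name: Mark the role as executed for the rest of the play
      ansible.builtin.set_fact:
        run_once_sys_ctl_cln_certs: true
```

Because the service is `Type=oneshot`, the timer (not the restart task) is what drives the recurring runs; the restart only applies the changed unit immediately.
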
Further Resources