From dac04ee011b830d8b4074ce2dee0987d6f0bb7ee Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 2 Aug 2025 18:20:33 +0000
Subject: [PATCH] certbot: Add cron job to notify expiring certs
---
 roles/certbot/files/check-certs.sh | 16 ++++++++++++++++
 roles/certbot/tasks/main.yml | 17 +++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100755 roles/certbot/files/check-certs.sh
diff --git a/roles/certbot/files/check-certs.sh b/roles/certbot/files/check-certs.sh
new file mode 100755
index 0000000..f2c3a9d
--- /dev/null
+++ b/roles/certbot/files/check-certs.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -eu
+umask 077
+
+certbot certificates 2> /dev/null | awk '
+ {
+ if (/^ Certificate Name: /) { cert = $3 }
+ if (/^ Expiry Date: /) {
+ days = $6
+ if (days < 30) {
+ print cert " " days " days"
+ }
+ }
+ }
+ '
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 189b36b..06c800e 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -65,3 +65,20 @@
 ansible.builtin.systemd:
 name: certbot-renew.timer
 enabled: false
+
+- name: Copy script to list expiring certificates
+ ansible.builtin.copy:
+ dest: /usr/local/bin/check-certs
+ src: check-certs.sh
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Cretae cronjob to list expiring certificates
+ ansible.builtin.cron:
+ name: check-certs
+ job: /usr/local/bin/check-certs
+ user: certbot
+ hour: "05"
+ minute: "00"
+ when: inventory_hostname == "adm01.home.foo.sh"
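Review bot: The `days < 30` test in the awk block of check-certs.sh assumes field 6 is always a number, which I believe stops holding once a certificate has already expired. certbot then prints a status such as `(INVALID: EXPIRED)` rather than `(VALID: N days)`, awk falls back to a string comparison, and the expired certificate is not listed. Reporting anything that is not explicitly valid closes that gap, e.g. `if ($5 != "(VALID:" || days + 0 < 30) {`. Separately, `2> /dev/null` combined with a pipeline whose exit status is awk's means a failing certbot (missing binary, unreadable configuration directory) produces empty output and exit 0. The reader of the cron mail cannot tell that apart from "nothing is expiring", so dropping the redirect would let cron surface the error.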
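Review bot: Nothing in the cron task in roles/certbot/tasks/main.yml says where the script's output goes, so the notification depends on cron's default mail delivery for the `certbot` user, which is not visible in this hunk. A `MAILTO` entry managed through `ansible.builtin.cron` with `env: true` (recipient as a site-specific value, e.g. `job: <ops-mail-address>`), or at least a comment naming the expected recipient, would make the alert path explicit. The job also runs as `certbot` while check-certs.sh discards stderr, so if that account cannot read certbot's configuration and log directories the job will send nothing at all; this is worth confirming on adm01. The task name has a typo: `Cretae` should be `Create`.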