files/run_ansible.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Runs ansible playbook
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/scripts/run_ansible.sh
+
+[Install]
+WantedBy=multi-user.target

tasks/main.yml

@@ -1,3 +1,27 @@
 #SPDX-License-Identifier: MIT-0
 ---
 # tasks file for ansible-update
+- name: deploy ansible update script
+  ansible.builtin.template:
+    src: templates/ansible-update.sh
+    dest: /scripts/ansible-update.sh
+    mode: '0754'
+
+- name: deploy ansible update service
+  ansible.builtin.copy:
+    src: files/ansible-update.service
+    dest: /usr/lib/systemd/system/ansible-update.service
+    mode: '0644'
+
+- name: deploy ansible update timer
+  ansible.builtin.copy:
+    src: files/ansible-update.timer
+    dest: /usr/lib/systemd/system/cansible-update.timer
+    mode: '0644'
+
+- name: ensure ansible update script is running
+  service:
+    name: ansible-update.timer
+    state: started
+    daemon_reload: true
+    enabled: yes

templates/run_ansible.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Runs run ansible playbook once per day (hour is determined based on ansible id)
+
+[Timer]
+OnCalendar=*-*-* {{ansible_machine_id | int(base=16) % 24}}:00:00
+Unit=certbot-renewal.service
+
+[Install]
+WantedBy=multi-user.target