Debsecan: set cron job

CHANGELOG.md

@@ -2,4 +2,4 @@
 
 ### Features
 * Install debsecan
-* Debsecan: Configuration
+* Debsecan: Configuration and cron job

README.md

@@ -21,7 +21,11 @@ A role that provide some security tools for Debian.
 * **deb_sec__debsecan_suite** : Suite name used to produce more informative output [default : `{{ ansible_distribution_release }}`].
 * **deb_sec__debsecan_mailto** : Mail address to which reports are sent [default : `root`].
 * **deb_sec__debsecan_source** : The URL from which vulnerability data is downloaded [default : `''`].
-*
+* **deb_sec__debsecan_cron_disabled** : If the Debsecan job should be disabled [default : `false`].
+* **deb_sec__debsecan_cron_job** : The command to execute for Debsecan cron [default : `test -x /usr/bin/debsecan && /usr/bin/debsecan --cron`].
+* **deb_sec__debsecan_cron_special_time** : Periodicity of the cron job for Debsecan [default : `daily`].
+* **deb_sec__debsecan_cron_user** : User whose run the job [default : `daemon`].
+
 ## Example Playbook
 
 * Default behaviour :
@@ -36,7 +40,7 @@ A role that provide some security tools for Debian.
 
 This role will :
 * Install some security tools (eg. Debsecan,…).
-* Configure Debsecan.
+* Configure and set a cron job for Debsecan.
 
 ## Development
 

defaults/main.yml

@@ -64,10 +64,49 @@ deb_sec__debsecan_mailto: 'root'
 # .. envvar:: deb_sec__debsecan_source [[[
 #
 # The URL from which vulnerability data is downloaded.
-
+#
 # ``''``
 #   Default. Empty for the built-in default.
 #
 deb_sec__debsecan_source: ''
                                                                    # ]]]
+# .. envvar:: deb_sec__debsecan_cron_disabled [[[
+#
+# If the Debsecan job should be disabled. Possible options :
+#
+# ``false``
+#   Default. According to Debsecan package.
+#
+# ``true``
+#   Comment the job in the cron file.
+#
+deb_sec__debsecan_cron_disabled: false
+                                                                   # ]]]
+# .. envvar:: deb_sec__debsecan_cron_job [[[
+#
+# The command to execute for Debsecan cron.
+#
+# ``test -x /usr/bin/debsecan && /usr/bin/debsecan --cron``
+#   Default. According to Debsecan package.
+#
+deb_sec__debsecan_cron_job: 'test -x /usr/bin/debsecan && /usr/bin/debsecan --cron'
+                                                                   # ]]]
+# .. envvar:: deb_sec__debsecan_cron_special_time [[[
+#
+# Periodicity of the cron job for Debsecan.
+#
+# ``daily``
+#   Default. Run the job everyday.
+#
+deb_sec__debsecan_cron_special_time: 'daily'
+                                                                   # ]]]
+# .. envvar:: deb_sec__debsecan_cron_user [[[
+#
+# User whose run the job.
+#
+# ``daemon``
+#   Default. According to Debsecan package.
+#
+deb_sec__debsecan_cron_user: 'daemon'
+                                                                   # ]]]
                                                                    # ]]]

tasks/main.yml

@@ -13,6 +13,7 @@
   with_flattened:
     - '{{ deb_sec__required_packages }}'
 # Debsecan [[[1
+# Configuration [[[
 - name: Debsecan configuration
   template:
     src: 'etc/default/debsecan.j2'
@@ -21,3 +22,26 @@
     group: 'root'
     mode: '0644'
   when: (deb_sec__deploy_state == "present")
+                                                                   # ]]]
+# Cron job [[[
+- name: Debsecan disable default cron file
+  file:
+    path: '/etc/cron.d/debsecan'
+    state: absent
+
+- name: Debsecan manage cron job
+  cron:
+    cron_file: '/etc/cron.d/debsecan_ansible'
+    name: 'debsecan_ansible'
+    job: '{{ deb_sec__debsecan_cron_job }}'
+    disabled: '{{ deb_sec__debsecan_cron_disabled }}'
+    special_time: '{{ deb_sec__debsecan_cron_special_time }}'
+    user: '{{ deb_sec__debsecan_cron_user }}'
+  when: (deb_sec__deploy_state == "present")
+
+- name: Debsecan purge cron job
+  file:
+    path: '/etc/cron.d/debsecan_ansible'
+    state: absent
+  when: (deb_sec__deploy_state == "absent")
+                                                                   # ]]]