path: root/roles/x509/acmetool/cert/prepare/tasks/main.yml
authorChristian Pointner <equinox@spreadspace.org>2023-08-21 00:38:34 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-21 00:38:41 +0200
commit70e61b9184dfa81a39926e66722ed3c1743a91c3 (patch)
tree90741e004e19bf8cc9bc3137f7e7764cc64e8a77 /roles/x509/acmetool/cert/prepare/tasks/main.yml
parentsk-testvm: prepare mumble for new tls cert roles (diff)
apps/mumble: add new generic certificate renewal support
Diffstat (limited to 'roles/x509/acmetool/cert/prepare/tasks/main.yml')
-rw-r--r--roles/x509/acmetool/cert/prepare/tasks/main.yml37
1 files changed, 37 insertions, 0 deletions
diff --git a/roles/x509/acmetool/cert/prepare/tasks/main.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml
index 5bad1e5b..2db332b8 100644
--- a/roles/x509/acmetool/cert/prepare/tasks/main.yml
+++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml
@@ -40,3 +40,40 @@
x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain"
x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"
+
+- name: setup custom renewal script
+ when: x509_certificate_renewal is defined
+ block:
+ - name: install custom hook script
+ template:
+ src: reload.sh.j2
+ dest: "/etc/acme/hooks/{{ x509_certificate_name }}"
+ mode: 0755
+
+ - name: install acmetool systemd unit snippet
+ when: "'install' in x509_certificate_renewal"
+ copy:
+ dest: "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+ content: |
+ [Service]
+ {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
+ ReadWritePaths={{ path }}
+ {% endfor %}
+ notify: reload systemd
+
+ - name: remove acmetool systemd unit snippet
+ when: "'install' not in x509_certificate_renewal"
+ file:
+ path: "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+ state: absent
+ notify: reload systemd
+
+- name: remove custom renewal script
+ when: x509_certificate_renewal is not defined
+ loop:
+ - "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+ - "/etc/acme/hooks/{{ x509_certificate_name }}"
+ file:
+ path: "{{ item }}"
+ state: absent
+ notify: reload systemd
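Review bot: The hook installed by "install custom hook script" uses an unquoted octal `mode: 0755`, which a YAML 1.1 loader reads as the integer 493 and which ansible-lint flags as risky-octal; write it as `mode: "0755"` and, since this is an executable that acmetool will run on renewal, pin its ownership explicitly with `owner: root` and `group: root` so a later chown on the hooks directory cannot hand write access to the script to another account. Both the hook path and the systemd drop-in path are built from `x509_certificate_name` without any check that it is a plain file name; a leading `assert` that the value contains no `/` or `..` (for example `that: x509_certificate_name is match('^[A-Za-z0-9._-]+$')`) would keep a mis-set variable from writing outside `/etc/acme/hooks` and `acmetool.service.d`. The `ReadWritePaths=` lines in the drop-in are emitted unescaped, so a destination directory containing a space would split into two entries; whether that is reachable depends on what `x509_certificate_renewal.install` allows, which is not visible here.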