authorChristian Pointner <equinox@spreadspace.org>2023-09-22 20:13:19 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-09-22 20:13:19 +0200
commit4b9d4a0810d79be50fb1e550dcc38c44f527bc96 (patch)
treee74d484d073c6fd4a48fd26e732e75513d610f40 /roles/x509/selfsigned
parentfix smartctl text collector and add some alerts for nvme metrics (diff)
x509/(selfsigned|ownca): add support for custom post-renewal scripts
Diffstat (limited to 'roles/x509/selfsigned')
-rw-r--r--roles/x509/selfsigned/cert/prepare/tasks/main.yml15
-rw-r--r--roles/x509/selfsigned/cert/prepare/templates/updated.sh.j215
2 files changed, 30 insertions, 0 deletions
diff --git a/roles/x509/selfsigned/cert/prepare/tasks/main.yml b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
index dead5dd5..a5ac8159 100644
--- a/roles/x509/selfsigned/cert/prepare/tasks/main.yml
+++ b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
@@ -21,6 +21,7 @@
type: "{{ selfsigned_cert_config.key.type | default(omit) }}"
size: "{{ selfsigned_cert_config.key.size | default(omit) }}"
notify: reload services for x509 certificates
+ register: _selfsigned_key_
- name: generate csr for selfsigned certificate
community.crypto.openssl_csr:
@@ -74,6 +75,7 @@
selfsigned_not_after: "{{ selfsigned_cert_config.cert.not_after | default(omit) }}"
force: "{{ _selfsigned_cert_file_.stat.exists and (not _selfsigned_cert_info_.valid_at.renew_margin) }}"
notify: reload services for x509 certificates
+ register: _selfsigned_cert_
- name: export paths to certificate files
set_fact:
@@ -81,3 +83,16 @@
x509_certificate_path_cert: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
x509_certificate_path_chain: ""
x509_certificate_path_fullchain: "{{ selfsigned_cert_path }}/{{ selfsigned_cert_name }}-crt.pem"
+
+- name: generate custom post-renewal script
+ when: x509_certificate_renewal is defined
+ template:
+ src: updated.sh.j2
+ dest: "{{ selfsigned_cert_path }}/updated.sh"
+ mode: 0755
+
+- name: call custom post-renewal script
+ when:
+ - x509_certificate_renewal is defined
+ - (_selfsigned_key_ is changed) or (_selfsigned_cert_ is changed)
+ command: "{{ selfsigned_cert_path }}/updated.sh"
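Review bot: `mode: 0755` on the "generate custom post-renewal script" task is an unquoted octal literal; a YAML 1.1 parser reads it as the integer 493 and Ansible has to infer that an octal mode was meant, so the conventional and unambiguous form is `mode: "0755"`. The "call custom post-renewal script" task has no `changed_when`, so every invocation reports changed; that is acceptable here because it is already gated on the registered `_selfsigned_key_`/`_selfsigned_cert_` results, but a one-line comment such as `# always "changed": only runs after a key or cert was actually regenerated` would make the intent explicit. Note also that the script is re-rendered on every run while it is executed only on renewal, which is fine but worth a comment for the next reader.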
diff --git a/roles/x509/selfsigned/cert/prepare/templates/updated.sh.j2 b/roles/x509/selfsigned/cert/prepare/templates/updated.sh.j2
new file mode 100644
index 00000000..15f68cd9
--- /dev/null
+++ b/roles/x509/selfsigned/cert/prepare/templates/updated.sh.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+{% if 'install' in x509_certificate_renewal %}
+{% for file in x509_certificate_renewal.install %}
+
+install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'owner' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
+{% for src in file.src %}
+cat "{{ lookup('vars', 'x509_certificate_path_' + src) }}" >> "{{ file.dest }}.new"
+mv "{{ file.dest }}.new" "{{ file.dest }}"
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if 'reload' in x509_certificate_renewal %}
+
+{{ x509_certificate_renewal.reload | trim }}
+{% endif %}
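Review bot: The `mv "{{ file.dest }}.new" "{{ file.dest }}"` line sits inside the inner `{% for src in file.src %}` loop, so for an `install` entry with more than one `src` (such as combining several of the exported `x509_certificate_path_*` files) the first fragment is moved into place, the next `cat >>` recreates `.new` with the shell's default umask instead of the `install -m/-o/-g` attributes, and the final `dest` contains only the last fragment with those default permissions. Move the `mv` line below the inner `{% endfor %}` so the concatenation completes on the file created by `install` and is swapped in exactly once. Separately, the third conditional on the `install` line tests `'owner' in file` but emits `-g {{ file.group }}`; it should be `{% if 'group' in file %} -g {{ file.group }}{% endif %}`, since an entry with `owner` but no `group` currently fails to render and one with `group` but no `owner` silently loses the group. The script also has no `set -e`, so a failed `install` or `cat` still lets the `mv` and the `reload` command run against an incomplete file; adding `set -e` after the shebang makes the script abort instead.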