authorChristian Pointner <equinox@spreadspace.org>2023-08-21 01:02:51 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-21 01:02:51 +0200
commitf2d4ce732249e8711fc807fecd25d8c43a88175c (patch)
tree645c36bf18a169be6fc47042372d1b127bcae4a2 /roles/x509/uacme/cert/prepare/tasks/main.yml
parentapps/mumble: add new generic certificate renewal support (diff)
x509/uacme: add support for special renewal actions
Diffstat (limited to 'roles/x509/uacme/cert/prepare/tasks/main.yml')
-rw-r--r--roles/x509/uacme/cert/prepare/tasks/main.yml30
1 files changed, 24 insertions, 6 deletions
diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml
index 426a5eee..a83651b3 100644
--- a/roles/x509/uacme/cert/prepare/tasks/main.yml
+++ b/roles/x509/uacme/cert/prepare/tasks/main.yml
@@ -80,15 +80,33 @@
group: "{{ uacme_cert_config.cert.group | default(omit) }}"
notify: reload services for x509 certificates
-- name: install script to be called when new certificate is generated
- template:
- src: updated.sh.j2
- dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
- mode: 0755
-
- name: export paths to certificate files
set_fact:
x509_certificate_path_key: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
x509_certificate_path_cert: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
x509_certificate_path_chain: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
x509_certificate_path_fullchain: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
+
+- name: install script to be called when new certificate is generated
+ template:
+ src: updated.sh.j2
+ dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
+ mode: 0755
+
+- name: install systemd unit snippet
+ when: "x509_certificate_renewal is defined and 'install' in x509_certificate_renewal"
+ copy:
+ dest: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf"
+ content: |
+ [Service]
+ {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
+ ReadWritePaths={{ path }}
+ {% endfor %}
+ notify: reload systemd
+
+- name: remove systemd unit snippet
+ when: "x509_certificate_renewal is undefined or 'install' not in x509_certificate_renewal"
+ file:
+ path: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf"
+ state: absent
+ notify: reload systemd
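Review bot: The drop-in written by the `install systemd unit snippet` task turns every `dest` directory of `x509_certificate_renewal.install` into a `ReadWritePaths=` entry without checking how broad that directory is, so an install destination placed directly under `/etc` or `/` would hand the uacme-reconcile service write access to that whole tree (this only has an effect if the base unit confines the filesystem with ProtectSystem= or similar, which is outside this hunk). The path is also interpolated unquoted, so a directory containing whitespace would be split into two entries by systemd's list parsing; `ReadWritePaths="{{ path }}"` keeps it as one value. `copy` does not create the parent `uacme-reconcile.service.d` directory, so unless another task creates it the first run fails — worth a `file: state: directory` task or a comment stating where it is created. The moved `mode: 0755` stays an unquoted octal literal; Ansible's own docs recommend `mode: "0755"` so the module receives a string. An `assert` before the copy, along the lines below, makes the sandbox widening explicit and rejects the obviously too-broad directories.
```yaml
- name: check that renewal install paths do not widen the service sandbox
  when: "x509_certificate_renewal is defined and 'install' in x509_certificate_renewal"
  assert:
    that:
      - "(x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) | select('in', ['/', '/etc', '/usr', '/var', '/var/lib']) | list | length == 0"
    fail_msg: "renewal install destinations must live in a dedicated directory, not directly in / /etc /usr /var or /var/lib"

# … unchanged: install systemd unit snippet task …
```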