x509/uacme: add support for special renewal actions

4 files changed, 54 insertions, 11 deletions

diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml
index 17e6034f..3473d541 100644
--- a/roles/x509/uacme/base/tasks/main.yml
+++ b/roles/x509/uacme/base/tasks/main.yml
@@ -58,6 +58,11 @@
     src: "uacme-reconcile.{{ item }}.j2"
     dest: "/etc/systemd/system/uacme-reconcile.{{ item }}"
 
+- name: create system unit snippet directory
+  file:
+    path: /etc/systemd/system/uacme-reconcile.service.d/
+    state: directory
+
 - name: make sure systemd timer for automatic refresh is enabled and started
   systemd:
     daemon_reload: yes
diff --git a/roles/x509/uacme/cert/prepare/handlers/main.yml b/roles/x509/uacme/cert/prepare/handlers/main.yml
index b169d6ca..330bcd11 100644
--- a/roles/x509/uacme/cert/prepare/handlers/main.yml
+++ b/roles/x509/uacme/cert/prepare/handlers/main.yml
@@ -1,4 +1,8 @@
 ---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
 - name: reload services for x509 certificates
   loop: "{{ x509_certificate_reload_services | default([]) }}"
   service:
diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml
index 426a5eee..a83651b3 100644
--- a/roles/x509/uacme/cert/prepare/tasks/main.yml
+++ b/roles/x509/uacme/cert/prepare/tasks/main.yml
@@ -80,15 +80,33 @@
       group: "{{ uacme_cert_config.cert.group | default(omit) }}"
     notify: reload services for x509 certificates
 
-- name: install script to be called when new certificate is generated
-  template:
-    src: updated.sh.j2
-    dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
-    mode: 0755
-
 - name: export paths to certificate files
   set_fact:
     x509_certificate_path_key: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem"
     x509_certificate_path_cert: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
     x509_certificate_path_chain: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
     x509_certificate_path_fullchain: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem"
+
+- name: install script to be called when new certificate is generated
+  template:
+    src: updated.sh.j2
+    dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
+    mode: 0755
+
+- name: install systemd unit snippet
+  when: "x509_certificate_renewal is defined and 'install' in x509_certificate_renewal"
+  copy:
+    dest: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf"
+    content: |
+      [Service]
+      {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
+      ReadWritePaths={{ path }}
+      {% endfor %}
+  notify: reload systemd
+
+- name: remove systemd unit snippet
+  when: "x509_certificate_renewal is undefined or 'install' not in x509_certificate_renewal"
+  file:
+    path: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf"
+    state: absent
+  notify: reload systemd
diff --git a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2
index b0fa705a..275ca189 100644
--- a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2
+++ b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2
@@ -1,17 +1,33 @@
 #!/bin/sh
 
+BASE_D="/var/lib/uacme.d/{{ uacme_cert_name }}"
+
 # split fullchain and fix permissions
-awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
-awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
-chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "$BASE_D/{{ uacme_cert_name }}-cert.pem" > "$BASE_D/crt.pem"
+awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "$BASE_D/{{ uacme_cert_name }}-cert.pem" > "$BASE_D/chain.pem"
+chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem
 {% if uacme_cert_config.cert.owner is defined %}
-chown "{{ uacme_cert_config.cert.owner }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+chown "{{ uacme_cert_config.cert.owner }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem
 {% endif %}
 {% if uacme_cert_config.cert.group is defined %}
-chgrp "{{ uacme_cert_config.cert.group }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+chgrp "{{ uacme_cert_config.cert.group }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem
+{% endif %}
+{% if x509_certificate_renewal is defined and 'install' in x509_certificate_renewal %}
+{%   for file in x509_certificate_renewal.install %}
+
+install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'owner' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
+{%     for src in file.src %}
+cat "{{ hostvars[inventory_hostname]['x509_certificate_path_' + src] }}" >> "{{ file.dest }}.new"
+mv "{{ file.dest }}.new" "{{ file.dest }}"
+{%     endfor %}
+{%   endfor %}
 {% endif %}
 
 ## reload services
 {% for service in (x509_certificate_reload_services | default([])) %}
 systemctl reload "{{ service }}.service"
 {% endfor %}
+{% if x509_certificate_renewal is defined and 'reload' in x509_certificate_renewal %}
+
+{{ x509_certificate_renewal.reload | trim }}
+{% endif %}