Diffstat (limited to 'roles/x509/uacme/cert')
-rw-r--r--roles/x509/uacme/cert/prepare/handlers/main.yml6
-rw-r--r--roles/x509/uacme/cert/prepare/tasks/main.yml14
-rw-r--r--roles/x509/uacme/cert/prepare/templates/updated.sh.j217
3 files changed, 33 insertions, 4 deletions
diff --git a/roles/x509/uacme/cert/prepare/handlers/main.yml b/roles/x509/uacme/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..b169d6ca
--- /dev/null
+++ b/roles/x509/uacme/cert/prepare/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload services for x509 certificates
+ loop: "{{ x509_certificate_reload_services | default([]) }}"
+ service:
+ name: "{{ item }}"
+ state: reloaded
diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml
index 06b9f146..426a5eee 100644
--- a/roles/x509/uacme/cert/prepare/tasks/main.yml
+++ b/roles/x509/uacme/cert/prepare/tasks/main.yml
@@ -12,7 +12,7 @@
group: "{{ uacme_cert_config.key.group | default(omit) }}"
type: "{{ uacme_cert_config.key.type | default(omit) }}"
size: "{{ uacme_cert_config.key.size | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: generate csr for uacme-controlled certificate
community.crypto.openssl_csr:
@@ -60,7 +60,7 @@
selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
return_content: yes
register: uacme_cert_selfsigned
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: make sure cert-only file exists
copy:
@@ -69,7 +69,7 @@
mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
group: "{{ uacme_cert_config.cert.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: make sure the chain file exists
copy:
@@ -78,7 +78,13 @@
mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
group: "{{ uacme_cert_config.cert.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
+
+- name: install script to be called when new certificate is generated
+ template:
+ src: updated.sh.j2
+ dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
+ mode: 0755
- name: export paths to certificate files
set_fact:
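Review bot: `mode: 0755` on the new "install script" task (line 63) is an unquoted octal literal; Ansible's YAML loader reads it as the integer 493 and the file module then re-converts it, which works in simple cases but is exactly what the Ansible docs say to quote — use `mode: "0755"` so it matches the quoted `'0644'` defaults used a few lines above. The task writes into `/var/lib/uacme.d/{{ uacme_cert_name }}/` without creating it; presumably an earlier task in this file (outside this hunk) creates that directory, otherwise the first run fails here. The rendered script is presumably executed with the privileges uacme runs under, so it must not be writable by the certificate `owner`/`group` the surrounding tasks hand out; leaving owner/group unset (root under `become`) is the right choice, and a one-line comment would stop someone "fixing" it later, e.g. `# owner/group deliberately not set: this hook runs privileged and must not be writable by the cert owner`.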
diff --git a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2
new file mode 100644
index 00000000..b0fa705a
--- /dev/null
+++ b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# split fullchain and fix permissions
+awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
+awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
+chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+{% if uacme_cert_config.cert.owner is defined %}
+chown "{{ uacme_cert_config.cert.owner }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+{% endif %}
+{% if uacme_cert_config.cert.group is defined %}
+chgrp "{{ uacme_cert_config.cert.group }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+{% endif %}
+
+## reload services
+{% for service in (x509_certificate_reload_services | default([])) %}
+systemctl reload "{{ service }}.service"
+{% endfor %}
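Review bot: The split at lines 75–76 truncates `crt.pem` and `chain.pem` in place through `>` before awk has read the source, and the script has no `set -e`/`set -u`, so a missing or unreadable `{{ uacme_cert_name }}-cert.pem` leaves both files empty and the loop at the end still reloads every service onto them; a service that reloads while the write is in progress can likewise pick up a half-written file. Write to temporary files in the same directory, apply mode and ownership to those, and `mv` them into place, with `set -eu` at the top so a failed split aborts before any reload. Note also that `chmod "{{ uacme_cert_config.cert.mode | default('0644') }}"` pastes the configured value into the script verbatim: if the role's config writes the mode as an unquoted YAML octal (`mode: 0644`), Ansible's file modules still treat it as octal but here it renders as `chmod 420`, i.e. mode 0420 — worth a comment in the template, or quoting the value where it is configured. The reload loop hardcodes `systemctl reload` while the new handler goes through the generic `service` module; a unit without `ExecReload`, or one that is not running, makes `systemctl reload` fail, so decide whether that should abort (`set -e`) or be reported and continue (`... || echo "reload of {{ service }} failed" >&2`).
```shell
#!/bin/sh
# Hook run after uacme has written a new fullchain: split it, fix ownership,
# then reload consumers. Abort on the first error so a failed split never
# results in services being reloaded onto empty files.
set -eu

dir="/var/lib/uacme.d/{{ uacme_cert_name }}"
full="$dir/{{ uacme_cert_name }}-cert.pem"

# Build the leaf and chain files beside the originals, then rename atomically.
awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "$full" > "$dir/crt.pem.tmp"
awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "$full" > "$dir/chain.pem.tmp"

# NOTE: the mode must be configured as a quoted string ('0644'); an unquoted
# YAML octal renders here as its decimal value (e.g. 420) and chmod misreads it.
chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" "$full" "$dir/crt.pem.tmp" "$dir/chain.pem.tmp"
{% if uacme_cert_config.cert.owner is defined %}
chown "{{ uacme_cert_config.cert.owner }}" "$full" "$dir/crt.pem.tmp" "$dir/chain.pem.tmp"
{% endif %}
{% if uacme_cert_config.cert.group is defined %}
chgrp "{{ uacme_cert_config.cert.group }}" "$full" "$dir/crt.pem.tmp" "$dir/chain.pem.tmp"
{% endif %}
mv "$dir/crt.pem.tmp" "$dir/crt.pem"
mv "$dir/chain.pem.tmp" "$dir/chain.pem"

# … unchanged: reload services loop …
```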