From 2a8449ea7accaec58b97699ae96fa1d49f27aa59 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 20 Apr 2020 00:45:05 +0200
Subject: finalize acme-reload script for coturn
---
roles/apps/coturn/tasks/main.yml | 20 +++++++++++++++++---
roles/apps/coturn/templates/acmetool-reload.sh.j2 | 19 ++++++++++++-------
roles/apps/nextcloud/templates/nextcloud-occ.j2 | 2 +-
3 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 29a87d6f..132e4847 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -27,16 +27,17 @@ file: path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl" state: directory - owner: coturn + owner: root group: coturn - mode: 0700 + mode: 0750 - name: generate Diffie-Hellman parameters openssl_dhparam: path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/dhparams.pem" size: "{{ coturn_dhparam_size }}" - owner: coturn + owner: root group: coturn + mode: 0644 - name: install acmetool hook script template:
@@ -44,6 +45,19 @@ dest: "/etc/acme/hooks/coturn-{{ coturn_realm }}" mode: 0755 +- name: install acmetool systemd unit snippet + copy: + dest: "/etc/systemd/system/acmetool.service.d/coturn-{{ coturn_realm }}.conf" + content: | + [Service] + ReadWritePaths={{ coturn_base_path }}/{{ coturn_realm }}/config/ssl + register: coturn_acmetool_snippet + +- name: reload systemd + when: coturn_acmetool_snippet is changed + systemd: + daemon_reload: yes + - name: configure nginx vhost vars: nginx_vhost:
diff --git a/roles/apps/coturn/templates/acmetool-reload.sh.j2 b/roles/apps/coturn/templates/acmetool-reload.sh.j2
index 70e0b686..1eff1ad3 100644
--- a/roles/apps/coturn/templates/acmetool-reload.sh.j2
+++ b/roles/apps/coturn/templates/acmetool-reload.sh.j2
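Review bot: The new `mode: 0750` on the ssl directory and `mode: 0644` on the dhparams task are unquoted octal literals; PyYAML follows YAML 1.1 and turns a leading-zero literal into an integer before Ansible sees it, which only works because of the leading zero — a reformatter or a later edit that drops it turns the value into a decimal with a very different permission. Quote them as strings, `mode: "0750"` and `mode: "0644"`, so the value reaches the module unchanged. Moving the directory and the dhparams file to `owner: root` with `group: coturn` means the coturn process can only read `config/ssl` while the root-run acmetool hook is the writer; a one-line comment on the directory task stating that split would record the intent for the next reader.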
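Review bot: The new copy task writes into `/etc/systemd/system/acmetool.service.d/`, but copy does not create missing parent directories, so the play fails on a host where nothing has created that drop-in directory yet; unless the acmetool role already guarantees it, a `file: state: directory` task should precede the snippet (below). In the reload task, `daemon_reload: yes` should be spelled `daemon_reload: true` — `yes` is a YAML 1.1 boolean form that yamllint's truthy rule rejects. The drop-in presumably exists because the acmetool unit is otherwise sandboxed and cannot write the ssl directory; a short comment above the `content:` block saying why `ReadWritePaths` is widened would make that visible.
```yaml
- name: create acmetool systemd drop-in directory
  file:
    path: /etc/systemd/system/acmetool.service.d
    state: directory
# … unchanged: install acmetool systemd unit snippet, reload systemd …
```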
@@ -5,8 +5,6 @@ EVENT_NAME="$1" MAIN_HOSTNAME="{{ coturn_hostnames[0] }}" SSL_D="{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl" -USER="coturn" -GROUP="coturn" while read name; do certdir="$ACME_STATE_DIR/live/$name"
@@ -17,10 +15,17 @@ while read name; do continue fi - cp "$certdir/fullchain" "$SSL_D/cert.pem" - cp "$certdir/privkey" "$SSL_D/privkey.pem" - chown "$USER:$GROUP" "$SSL_D/cert.pem" "$SSL_D/privkey.pem" - break + install -m 0644 -o root -g coturn "$certdir/fullchain" "$SSL_D/cert.pem" + install -m 0640 -o root -g coturn "$certdir/privkey" "$SSL_D/privkey.pem" + +{% if kubernetes_cri_socket is defined %} + export CONTAINER_RUNTIME_ENDPOINT="{{ kubernetes_cri_socket }}" +{% endif %} + pod_id=$(crictl pods -q --state ready --name "^coturn-{{ coturn_realm }}-{{ ansible_nodename }}$") + [ -n "$pod_id" ] || exit 42 + container_id=$(crictl ps -q --name '^coturn$' -p "$pod_id") + [ -n "$container_id" ] || exit 42 + crictl stop "$container_id" - ## TODO: trigger restart of coturn!!! + break done
diff --git a/roles/apps/nextcloud/templates/nextcloud-occ.j2 b/roles/apps/nextcloud/templates/nextcloud-occ.j2
index a79c5335..571aecc4 100755
--- a/roles/apps/nextcloud/templates/nextcloud-occ.j2
+++ b/roles/apps/nextcloud/templates/nextcloud-occ.j2
@@ -13,7 +13,7 @@ set -eu export CONTAINER_RUNTIME_ENDPOINT="{{ kubernetes_cri_socket }}" {% endif %} -pod_id=$(crictl pods -q --state ready --name "$INST_NAME-{{ ansible_nodename }}") +pod_id=$(crictl pods -q --state ready --name "^nextcloud-$INST_NAME-{{ ansible_nodename }}$") if [ -z "$pod_id" ]; then echo "Pod not found"; exit 1; fi container_id=$(crictl ps -q --name '^nextcloud$' -p "$pod_id")
-- cgit v1.2.3
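Review bot: `[ -n "$pod_id" ] || exit 42` and the matching `container_id` check bail out after the new `cert.pem`/`privkey.pem` are already on disk, so coturn keeps serving the old certificate until something else restarts it, and nothing in the hunk says why 42 was chosen; if it is acmetool's "hook not applicable" status (so a node that does not host this pod is not reported as a failed renewal), say so, e.g. `# 42 = acmetool "not applicable": pod is not scheduled on this node, nothing to restart`. `crictl stop "$container_id"` also relies on the kubelet recreating the container so that it picks up the new files; that contract is not visible here, so a second comment naming the assumption (pod restart policy recreates the container) would help the next reader. The `install -m 0640 -o root -g coturn` lines set ownership and permissions explicitly instead of inheriting the umask from `cp`, which is the right change for the private key. The enclosing `while read name; do` loop starts above the hunk.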