From 775492cc28346ea86396a947e1371b8aa0784380 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 17 Aug 2023 00:23:01 +0200 Subject: revamp x509 service reloading --- roles/nginx/vhost/tasks/main.yml | 16 +++++++++------- roles/x509/acmetool/cert/prepare/handlers/main.yml | 6 ++++++ roles/x509/acmetool/cert/prepare/tasks/main.yml | 1 + roles/x509/selfsigned/cert/prepare/handlers/main.yml | 6 ++++++ roles/x509/selfsigned/cert/prepare/tasks/main.yml | 6 +++--- roles/x509/static/cert/prepare/handlers/main.yml | 6 ++++++ roles/x509/static/cert/prepare/tasks/main.yml | 12 ++++++------ roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 | 6 +++--- roles/x509/uacme/cert/prepare/handlers/main.yml | 6 ++++++ roles/x509/uacme/cert/prepare/tasks/main.yml | 14 ++++++++++---- roles/x509/uacme/cert/prepare/templates/updated.sh.j2 | 17 +++++++++++++++++ 11 files changed, 73 insertions(+), 23 deletions(-) create mode 100644 roles/x509/acmetool/cert/prepare/handlers/main.yml create mode 100644 roles/x509/selfsigned/cert/prepare/handlers/main.yml create mode 100644 roles/x509/static/cert/prepare/handlers/main.yml create mode 100644 roles/x509/uacme/cert/prepare/handlers/main.yml create mode 100644 roles/x509/uacme/cert/prepare/templates/updated.sh.j2 diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml index 55544733..2c1f0f29 100644 --- a/roles/nginx/vhost/tasks/main.yml +++ b/roles/nginx/vhost/tasks/main.yml 
@@ -1,13 +1,14 @@ --- - name: ensure certificate exists (fake it, until you make it) when: "'tls' in nginx_vhost" - include_role: - name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare" - public: true vars: x509_certificate_name: "{{ nginx_vhost.name }}" x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" - x509_notify_on_change: reload nginx + x509_certificate_reload_services: + - nginx + include_role: + name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare" + public: true - name: install nginx configs from template when: "'template' in nginx_vhost" @@ -39,9 +40,10 @@ meta: flush_handlers - name: actually request the certificate - include_role: - name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize" vars: x509_certificate_name: "{{ nginx_vhost.name }}" x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" - x509_notify_on_change: reload nginx + x509_certificate_reload_services: + - nginx + include_role: + name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize" diff --git a/roles/x509/acmetool/cert/prepare/handlers/main.yml b/roles/x509/acmetool/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..b169d6ca --- /dev/null +++ b/roles/x509/acmetool/cert/prepare/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + service: + name: "{{ item }}" + state: reloaded diff --git a/roles/x509/acmetool/cert/prepare/tasks/main.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml index 146c5ac4..5bad1e5b 100644 --- a/roles/x509/acmetool/cert/prepare/tasks/main.yml +++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml @@ -32,6 +32,7 @@ src: "../certs/{{ selfsigned_interim_cert_id }}" dest: "/var/lib/acme/live/{{ acme_missing_hostname }}" state: link + notify: reload services for x509 certificates - name: export paths to certificate files set_fact: 
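Review bot: `x509_certificate_reload_services` is now also passed to the `cert/finalize` include in the second hunk, but this commit adds the `reload services for x509 certificates` handler only to the `cert/prepare` roles; unless the finalize roles already define a handler or external hook that consumes that list (not visible here), a certificate replaced during finalize would leave nginx serving the interim certificate until something else reloads it. The same two-line list is written twice in this file; defining it once, e.g. `nginx_vhost_x509_reload_services: [nginx]` in the role's vars and referencing it from both includes, keeps the two calls from drifting. The `meta: flush_handlers` context line sits between the two includes, presumably so nginx is already serving the interim certificate and new config before the real request — that ordering requirement deserves a comment such as `# flush so nginx picks up config + interim cert before the real certificate is requested`.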
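Review bot: This handler file is byte-identical across the four `cert/prepare` roles (same blob `b169d6ca`) and all four use the same handler name, so a play that includes more than one certificate provider role ends up with several handlers answering to `reload services for x509 certificates`; which of them run, and which role-scoped value of `x509_certificate_reload_services` they evaluate, depends on ansible-core's same-name handler rules and should be verified on the version in use. Adding `listen: x509 certificate changed` to each handler and notifying that topic instead makes the intent explicit and is robust to duplicate names. Note also that `state: reloaded` against a service that is not yet running may fail or start it depending on the service manager; if prepare can run before the service is installed, gate the handler with a `when` or document the ordering requirement in a comment on the handler.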
diff --git a/roles/x509/selfsigned/cert/prepare/handlers/main.yml b/roles/x509/selfsigned/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..b169d6ca --- /dev/null +++ b/roles/x509/selfsigned/cert/prepare/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + service: + name: "{{ item }}" + state: reloaded diff --git a/roles/x509/selfsigned/cert/prepare/tasks/main.yml b/roles/x509/selfsigned/cert/prepare/tasks/main.yml index 1af6ef5e..e7a47742 100644 --- a/roles/x509/selfsigned/cert/prepare/tasks/main.yml +++ b/roles/x509/selfsigned/cert/prepare/tasks/main.yml @@ -10,7 +10,7 @@ mode: "{{ selfsigned_cert_config.mode | default('0700') }}" owner: "{{ selfsigned_cert_config.owner | default(omit) }}" group: "{{ selfsigned_cert_config.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: generate key for selfsigned certificate openssl_privatekey: @@ -20,7 +20,7 @@ group: "{{ selfsigned_cert_config.key.group | default(omit) }}" type: "{{ selfsigned_cert_config.key.type | default(omit) }}" size: "{{ selfsigned_cert_config.key.size | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: generate csr for selfsigned certificate community.crypto.openssl_csr: @@ -59,7 +59,7 @@ selfsigned_digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}" selfsigned_not_before: "{{ selfsigned_cert_config.cert.not_before | default(omit) }}" selfsigned_not_after: "{{ selfsigned_cert_config.cert.not_after | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: export paths to certificate files set_fact: 
diff --git a/roles/x509/static/cert/prepare/handlers/main.yml b/roles/x509/static/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..b169d6ca --- /dev/null +++ b/roles/x509/static/cert/prepare/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + service: + name: "{{ item }}" + state: reloaded diff --git a/roles/x509/static/cert/prepare/tasks/main.yml b/roles/x509/static/cert/prepare/tasks/main.yml index 1327c3b3..03df7542 100644 --- a/roles/x509/static/cert/prepare/tasks/main.yml +++ b/roles/x509/static/cert/prepare/tasks/main.yml @@ -10,7 +10,7 @@ mode: "{{ static_cert_config.mode | default('0700') }}" owner: "{{ static_cert_config.owner | default(omit) }}" group: "{{ static_cert_config.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: install key for static certificate copy: @@ -19,7 +19,7 @@ mode: "{{ static_cert_config.key.mode | default('0600') }}" owner: "{{ static_cert_config.key.owner | default(omit) }}" group: "{{ static_cert_config.key.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: install static certificate copy: @@ -28,7 +28,7 @@ mode: "{{ static_cert_config.cert.mode | default('0644') }}" owner: "{{ static_cert_config.cert.owner | default(omit) }}" group: "{{ static_cert_config.cert.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: export paths to basic certificate files set_fact: 
@@ -46,7 +46,7 @@ mode: "{{ static_cert_config.chain.mode | default('0644') }}" owner: "{{ static_cert_config.chain.owner | default(omit) }}" group: "{{ static_cert_config.chain.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: install fullchain for static certificate copy: @@ -57,7 +57,7 @@ mode: "{{ static_cert_config.cert.mode | default('0644') }}" owner: "{{ static_cert_config.cert.owner | default(omit) }}" group: "{{ static_cert_config.cert.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: export paths to additional certificate files set_fact: @@ -74,7 +74,7 @@ file: path: "{{ static_cert_path }}/{{ static_cert_name }}-{{ item }}.pem" state: absent - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: make sure variable that points to the chain certificate file is unset set_fact: diff --git a/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 b/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 index 73a7f4a3..ea02841d 100644 --- a/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 +++ b/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 @@ -16,9 +16,9 @@ for csr_file in "${csr_files[@]}"; do case $? in 0) echo "$id successfully (re)issued." - awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "/var/lib/uacme.d/$id/$id-cert.pem" > "/var/lib/uacme.d/$id/crt.pem" - awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "/var/lib/uacme.d/$id/$id-cert.pem" > "/var/lib/uacme.d/$id/chain.pem" - ## TODO: reload services + if [ -x "/var/lib/uacme.d/$id/updated.sh" ]; then + /var/lib/uacme.d/$id/updated.sh + fi ;; 1) echo "$id not updated." 
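Review bot: The reconcile script now executes `/var/lib/uacme.d/$id/updated.sh` with its own privileges (the hook calls `systemctl reload`, so presumably root), which turns that per-certificate directory into a privilege-escalation path for anyone who can write the hook; since the same commit chowns certificate files in that directory to `uacme_cert_config.cert.owner`, make sure the directory and the hook itself stay root-owned and not group/world-writable, or at least guard the call with an ownership check such as `[ -O "/var/lib/uacme.d/$id/updated.sh" ]`. The awk splitting that used to run here has moved into the hook, so a certificate whose directory lacks `updated.sh` is now silently left with stale `crt.pem`/`chain.pem` and no service reload; add an `else` branch, e.g. `else echo "$id: no updated.sh hook, crt.pem/chain.pem not refreshed and services not reloaded" >&2`. The hook's exit status is also discarded, so a failed reload surfaces only if the hook reports it itself — worth a `|| echo "$id: updated.sh failed" >&2` or equivalent.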
diff --git a/roles/x509/uacme/cert/prepare/handlers/main.yml b/roles/x509/uacme/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..b169d6ca --- /dev/null +++ b/roles/x509/uacme/cert/prepare/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + service: + name: "{{ item }}" + state: reloaded diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml index 06b9f146..426a5eee 100644 --- a/roles/x509/uacme/cert/prepare/tasks/main.yml +++ b/roles/x509/uacme/cert/prepare/tasks/main.yml @@ -12,7 +12,7 @@ group: "{{ uacme_cert_config.key.group | default(omit) }}" type: "{{ uacme_cert_config.key.type | default(omit) }}" size: "{{ uacme_cert_config.key.size | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: generate csr for uacme-controlled certificate community.crypto.openssl_csr: @@ -60,7 +60,7 @@ selfsigned_not_after: "{{ remote_datetime_now.stdout }}" return_content: yes register: uacme_cert_selfsigned - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: make sure cert-only file exists copy: @@ -69,7 +69,7 @@ mode: "{{ uacme_cert_config.cert.mode | default('0644') }}" owner: "{{ uacme_cert_config.cert.owner | default(omit) }}" group: "{{ uacme_cert_config.cert.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates - name: make sure the chain file exists copy: 
@@ -78,7 +78,13 @@ mode: "{{ uacme_cert_config.cert.mode | default('0644') }}" owner: "{{ uacme_cert_config.cert.owner | default(omit) }}" group: "{{ uacme_cert_config.cert.group | default(omit) }}" - notify: "{{ x509_notify_on_change | default(omit) }}" + notify: reload services for x509 certificates + +- name: install script to be called when new certificate is generated + template: + src: updated.sh.j2 + dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh" + mode: 0755 - name: export paths to certificate files set_fact: diff --git a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 new file mode 100644 index 00000000..b0fa705a --- /dev/null +++ b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 
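Review bot: The `updated.sh` hook installed by the new `template` task is executed by `uacme-reconcile` (see the change to `uacme-reconcile.sh.j2` in this commit), so its ownership should be pinned explicitly rather than inherited from the connection user: add `owner: root` and `group: root`, and quote the mode as `mode: "0755"` — the unquoted `0755` only works because YAML parses it as octal 493, and the Ansible file-module docs recommend quoting. The rendered hook also freezes `x509_certificate_reload_services` as of the last Ansible run for this `uacme_cert_name`; if two includes prepare the same certificate name with different service lists, the last template write wins and the other service is never reloaded by the out-of-band renewal. A comment on the task would save the next maintainer a surprise, e.g. `# NOTE: the reload service list is baked into updated.sh; re-run this role after changing x509_certificate_reload_services`.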
@@ -0,0 +1,17 @@ +#!/bin/sh + +# split fullchain and fix permissions +awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem" +awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem" +chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem +{% if uacme_cert_config.cert.owner is defined %} +chown "{{ uacme_cert_config.cert.owner }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem +{% endif %} +{% if uacme_cert_config.cert.group is defined %} +chgrp "{{ uacme_cert_config.cert.group }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem +{% endif %} + +## reload services +{% for service in (x509_certificate_reload_services | default([])) %} +systemctl reload "{{ service }}.service" +{% endfor %} -- cgit v1.2.3
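Review bot: The hook writes `crt.pem` and `chain.pem` in place with `>` redirection and has no `set -e`, so a service reloaded at the wrong moment can read a truncated PEM, and a failed awk or chmod still proceeds to the reload; write to temporary files in the same directory and `mv` them over the targets, and fail fast. The `chmod`/`chown`/`chgrp` lines leave their paths unquoted while the awk lines quote them — quote consistently. `systemctl reload` fails on an inactive unit; `systemctl try-reload-or-restart` reloads only running units and restarts ones without reload support, which is usually what a renewal hook wants (confirm that is acceptable for the services in use, and that a non-zero hook exit is handled sensibly by `uacme-reconcile`). One rendering caveat: if a caller sets `cert.mode: 0644` unquoted in YAML the value arrives as the integer 420, which Ansible's copy module accepts but this template renders as `chmod 420` (r---w----); either document that `cert.mode` must be a quoted string or format it explicitly as octal.
```shell
#!/bin/sh
set -eu

dir="/var/lib/uacme.d/{{ uacme_cert_name }}"
fullchain="$dir/{{ uacme_cert_name }}-cert.pem"

# split fullchain into temp files first so readers never see a half-written PEM
awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "$fullchain" > "$dir/crt.pem.tmp"
awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "$fullchain" > "$dir/chain.pem.tmp"
chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" "$fullchain" "$dir/crt.pem.tmp" "$dir/chain.pem.tmp"
# … unchanged: conditional chown/chgrp, applied to "$fullchain" "$dir/crt.pem.tmp" "$dir/chain.pem.tmp" …
mv -f "$dir/crt.pem.tmp" "$dir/crt.pem"
mv -f "$dir/chain.pem.tmp" "$dir/chain.pem"

## reload services
{% for service in (x509_certificate_reload_services | default([])) %}
systemctl try-reload-or-restart "{{ service }}.service"
{% endfor %}
```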