From 70e61b9184dfa81a39926e66722ed3c1743a91c3 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Mon, 21 Aug 2023 00:38:34 +0200
Subject: apps/mumble: add new generic certificate renewal support

---
 .../x509/acmetool/cert/finalize/handlers/main.yml  |  1 +
 roles/x509/acmetool/cert/prepare/handlers/main.yml |  4 +++
 roles/x509/acmetool/cert/prepare/tasks/main.yml    | 37 ++++++++++++++++++++++
 .../acmetool/cert/prepare/templates/reload.sh.j2   | 31 ++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 roles/x509/acmetool/cert/prepare/templates/reload.sh.j2

(limited to 'roles/x509/acmetool/cert')

diff --git a/roles/x509/acmetool/cert/finalize/handlers/main.yml b/roles/x509/acmetool/cert/finalize/handlers/main.yml
index a7fc43ed..02ffa598 100644
--- a/roles/x509/acmetool/cert/finalize/handlers/main.yml
+++ b/roles/x509/acmetool/cert/finalize/handlers/main.yml
@@ -2,5 +2,6 @@
 - name: reconcile acmetool
   when: not acmetool_reconcile_disabled
   systemd:
+    daemon_reload: yes
     name: acmetool.service
     state: started
diff --git a/roles/x509/acmetool/cert/prepare/handlers/main.yml b/roles/x509/acmetool/cert/prepare/handlers/main.yml
index b169d6ca..330bcd11 100644
--- a/roles/x509/acmetool/cert/prepare/handlers/main.yml
+++ b/roles/x509/acmetool/cert/prepare/handlers/main.yml
@@ -1,4 +1,8 @@
 ---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
 - name: reload services for x509 certificates
   loop: "{{ x509_certificate_reload_services | default([]) }}"
   service:
diff --git a/roles/x509/acmetool/cert/prepare/tasks/main.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml
index 5bad1e5b..2db332b8 100644
--- a/roles/x509/acmetool/cert/prepare/tasks/main.yml
+++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml
@@ -40,3 +40,40 @@
     x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
     x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain"
     x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"
+
+- name: setup custom renewal script
+  when: x509_certificate_renewal is defined
+  block:
+  - name: install custom hook script
+    template:
+      src: reload.sh.j2
+      dest: "/etc/acme/hooks/{{ x509_certificate_name }}"
+      mode: 0755
+
+  - name: install acmetool systemd unit snippet
+    when: "'install' in x509_certificate_renewal"
+    copy:
+      dest: "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+      content: |
+        [Service]
+        {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
+        ReadWritePaths={{ path }}
+        {% endfor %}
+    notify: reload systemd
+
+  - name: remove acmetool systemd unit snippet
+    when: "'install' not in x509_certificate_renewal"
+    file:
+      path: "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+      state: absent
+    notify: reload systemd
+
+- name: remove custom renewal script
+  when: x509_certificate_renewal is not defined
+  loop:
+  - "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+  - "/etc/acme/hooks/{{ x509_certificate_name }}"
+  file:
+    path: "{{ item }}"
+    state: absent
+  notify: reload systemd
diff --git a/roles/x509/acmetool/cert/prepare/templates/reload.sh.j2 b/roles/x509/acmetool/cert/prepare/templates/reload.sh.j2
new file mode 100644
index 00000000..f4b8259e
--- /dev/null
+++ b/roles/x509/acmetool/cert/prepare/templates/reload.sh.j2
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+MAIN_HOSTNAME="{{ acmetool_cert_hostnames[0] }}"
+
+while read name; do
+  certdir="$ACME_STATE_DIR/live/$name"
+  if [ -z "$name" -o ! -e "$certdir" ]; then
+    continue
+  fi
+  if [ "$name" != "$MAIN_HOSTNAME" ]; then
+    continue
+  fi
+{% if 'install' in x509_certificate_renewal %}
+
+{%   for file in x509_certificate_renewal.install %}
+  install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'owner' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
+{%     for src in file.src %}
+  cat "{{ hostvars[inventory_hostname]['x509_certificate_path_' + src] }}" >> "{{ file.dest }}.new"
+  mv "{{ file.dest }}.new" "{{ file.dest }}"
+{%     endfor %}
+{%   endfor %}
+{% endif %}
+{% if 'reload' in x509_certificate_renewal %}
+
+  {{ x509_certificate_renewal.reload | trim | indent(2) }}
+{% endif %}
+  break
+done
-- 
cgit v1.2.3