From 4b9d4a0810d79be50fb1e550dcc38c44f527bc96 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 22 Sep 2023 20:13:19 +0200
Subject: x509/(selfsigned|ownca): add support for custom post-renewal scripts
---
roles/x509/ownca/cert/prepare/tasks/main.yml | 15 +++++++++++++++
roles/x509/ownca/cert/prepare/templates/updated.sh.j2 | 15 +++++++++++++++
2 files changed, 30 insertions(+)
create mode 100644 roles/x509/ownca/cert/prepare/templates/updated.sh.j2
(limited to 'roles/x509/ownca')
diff --git a/roles/x509/ownca/cert/prepare/tasks/main.yml b/roles/x509/ownca/cert/prepare/tasks/main.yml
index dc8b68a6..7f81d125 100644
--- a/roles/x509/ownca/cert/prepare/tasks/main.yml
+++ b/roles/x509/ownca/cert/prepare/tasks/main.yml
@@ -21,6 +21,7 @@
 type: "{{ ownca_cert_config.key.type | default(omit) }}"
 size: "{{ ownca_cert_config.key.size | default(omit) }}"
 notify: reload services for x509 certificates
+ register: _ownca_key_
 
 - name: generate csr for ownca certificate
 community.crypto.openssl_csr:
@@ -75,6 +76,7 @@
 ownca_not_after: "{{ ownca_cert_config.cert.not_after | default(omit) }}"
 force: "{{ _ownca_cert_file_.stat.exists and (not _ownca_cert_info_.valid_at.renew_margin) }}"
 notify: reload services for x509 certificates
+ register: _ownca_cert_
 
 - name: export paths to certificate files
 set_fact:
@@ -82,3 +84,16 @@
 x509_certificate_path_cert: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
 x509_certificate_path_chain: ""
 x509_certificate_path_fullchain: "{{ ownca_cert_path }}/{{ ownca_cert_name }}-crt.pem"
+
+- name: generate custom post-renewal script
+ when: x509_certificate_renewal is defined
+ template:
+ src: updated.sh.j2
+ dest: "{{ ownca_cert_path }}/updated.sh"
+ mode: 0755
+
+- name: call custom post-renewal script
+ when:
+ - x509_certificate_renewal is defined
+ - (_ownca_key_ is changed) or (_ownca_cert_ is changed)
+ command: "{{ ownca_cert_path }}/updated.sh"
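Review bot: `mode: 0755` in the new "generate custom post-renewal script" task (third hunk, @@ -82,3) is an unquoted leading-zero integer, which a YAML 1.1 loader reads as octal 493 and a YAML 1.2 loader as decimal 755; Ansible's own guidance is that only the quoted form is reliable, so write `mode: "0755"`. The "call custom post-renewal script" task runs the script only when the key or certificate task reports changed, so an edit to `x509_certificate_renewal` (for example a new `install` entry) regenerates `updated.sh` but does not execute it until the next renewal; if that is intended, a one-line comment above the task stating it would save the next reader the question, otherwise register the template task and add `_tmpl_result_ is changed` (placeholder name) to the `when` list. The two `register:` lines in the first hunks look fine as far as the hunks show, but the key and certificate tasks begin outside the hunks, so whether either can be skipped (making the `is changed` tests evaluate on a skipped result) is not visible here.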
diff --git a/roles/x509/ownca/cert/prepare/templates/updated.sh.j2 b/roles/x509/ownca/cert/prepare/templates/updated.sh.j2
new file mode 100644
index 00000000..15f68cd9
--- /dev/null
+++ b/roles/x509/ownca/cert/prepare/templates/updated.sh.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+{% if 'install' in x509_certificate_renewal %}
+{% for file in x509_certificate_renewal.install %}
+
+install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'owner' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
+{% for src in file.src %}
+cat "{{ lookup('vars', 'x509_certificate_path_' + src) }}" >> "{{ file.dest }}.new"
+mv "{{ file.dest }}.new" "{{ file.dest }}"
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if 'reload' in x509_certificate_renewal %}
+
+{{ x509_certificate_renewal.reload | trim }}
+{% endif %}
-- cgit v1.2.3
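Review bot: `mv "{{ file.dest }}.new" "{{ file.dest }}"` sits inside the inner `{% for src in file.src %}` loop, so with more than one source the first iteration renames the file that `install` created with the requested mode/owner/group, the next `cat >>` recreates `.new` with the shell's default umask, and the final destination holds only the last source with the wrong permissions; move the `mv` line to just after the inner `{% endfor %}` so every source is appended before the rename. The third condition on the `install` line tests `'owner' in file` but renders `file.group`, so a `group` given without `owner` is silently dropped and an `owner` given without `group` fails to render; it should read `{% if 'group' in file %} -g {{ file.group }}{% endif %}`. The script also runs without `set -e`, so a failed `install` or `cat` does not stop it and the reload command still runs against a partially written file; adding `set -eu` directly under the shebang avoids that.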