From 95a3901935260048101556a186a2e26e760bc1ff Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 28 Jan 2024 03:29:39 +0100
Subject: [PATCH] certbot: add possibility to specify commands to run on new certs

This makes it possible to e.g. reload nginx when new certificates are present.
---
 playbooks/roles/certbot/defaults/main.yaml | 3 ++-
 .../roles/certbot/meta/argument_specs.yaml | 8 ++++++++
 playbooks/roles/certbot/tasks/main.yaml | 4 ++++
 .../certbot/tasks/main/new_cert_commands.yaml | 17 +++++++++++++++++
 .../renewal_deploy_hook_commands.sh.j2 | 4 ++++
 5 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/roles/certbot/tasks/main/new_cert_commands.yaml
 create mode 100644 playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2

diff --git a/playbooks/roles/certbot/defaults/main.yaml b/playbooks/roles/certbot/defaults/main.yaml
index c05e772..9b20634 100644
--- a/playbooks/roles/certbot/defaults/main.yaml
+++ b/playbooks/roles/certbot/defaults/main.yaml
@@ -1 +1,2 @@
-certbot__http_01_port: 31820
\ No newline at end of file
+certbot__http_01_port: 31820
+certbot__new_cert_commands: [ ]
diff --git a/playbooks/roles/certbot/meta/argument_specs.yaml b/playbooks/roles/certbot/meta/argument_specs.yaml
index 56f94cd..5e2da33 100644
--- a/playbooks/roles/certbot/meta/argument_specs.yaml
+++ b/playbooks/roles/certbot/meta/argument_specs.yaml
@@ -26,3 +26,11 @@ argument_specs:
         type: str
         required: false
         default: 31820
+      certbot__new_cert_commands:
+        description: >-
+          A list of commands to execute after getting a new certificate.
+          Will be added into a bash script.
+        type: list
+        elements: str
+        required: false
+        default: [ ]
diff --git a/playbooks/roles/certbot/tasks/main.yaml b/playbooks/roles/certbot/tasks/main.yaml
index 21f4207..e4749b4 100644
--- a/playbooks/roles/certbot/tasks/main.yaml
+++ b/playbooks/roles/certbot/tasks/main.yaml
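Review bot: The description of `certbot__new_cert_commands` in the argument_specs hunk does not tell the caller in what context the commands run: the template hunk renders each entry verbatim into a script under /etc/letsencrypt/renewal-hooks/deploy, which certbot executes as a deploy hook, normally with root privileges and without a terminal. That matters for whoever fills the list, since it makes the variable an unquoted root-executed command list and requires non-interactive commands; whether certbot also fires directory deploy hooks on the initial issuance done in certs.yaml (outside this diff) is worth confirming and stating. Suggested wording: `A list of shell commands rendered verbatim, one per line, into the certbot deploy hook /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh, which certbot runs as root after a successful renewal; commands must be non-interactive and should only come from trusted inventory.`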
@@ -2,6 +2,10 @@
   ansible.builtin.import_tasks:
     file: main/install.yaml
 
+- name: ensure new cert commands
+  ansible.builtin.import_tasks:
+    file: main/new_cert_commands.yaml
+
 - name: ensure certificates
   ansible.builtin.import_tasks:
     file: main/certs.yaml
diff --git a/playbooks/roles/certbot/tasks/main/new_cert_commands.yaml b/playbooks/roles/certbot/tasks/main/new_cert_commands.yaml
new file mode 100644
index 0000000..42bc255
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main/new_cert_commands.yaml
@@ -0,0 +1,17 @@
+- name: ensure existence of renewal deploy hooks directory
+  ansible.builtin.file:
+    path: /etc/letsencrypt/renewal-hooks/deploy
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ensure renewal deploy hook commands
+  ansible.builtin.template:
+    src: renewal_deploy_hook_commands.sh.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
+    owner: root
+    group: root
+    mode: "0770"
+  become: true
diff --git a/playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2 b/playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2
new file mode 100644
index 0000000..9feb68c
--- /dev/null
+++ b/playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2
@@ -0,0 +1,4 @@
+#!/bin/bash
+{% for command in certbot__new_cert_commands %}
+{{ command }}
+{% endfor %}
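Review bot: The hook script in the second task of new_cert_commands.yaml is installed with `mode: "0770"`, which makes a root-executed script group-writable for no reason the hunk shows; with `owner: root` and `group: root` the write bit on group adds nothing today but would become a privilege-escalation path if the group were ever widened, so `mode: "0750"` (or "0755" to match the directory task) is the safer choice. Since the file contents come straight from an arbitrary string list, a syntax error would only surface at the next certbot renewal; the template module's `validate` option catches that at deploy time, e.g. `validate: "bash -n %s"` on the template task. Note too that the task always installs the script, even when `certbot__new_cert_commands` is empty, which is harmless but worth a comment such as `# installed unconditionally; an empty list yields a no-op hook`.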
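Review bot: The generated hook in renewal_deploy_hook_commands.sh.j2 has no error handling, so when one rendered command fails (say an nginx reload) and a later one succeeds, the script exits 0 and certbot never reports the failed deploy; conversely nothing stops later commands from running after an earlier one broke. Adding `set -euo pipefail` as the line after `#!/bin/bash` makes the first failure the hook's exit status, which certbot logs, and keeps subsequent commands from running on a half-deployed state. Each list entry is emitted unquoted, so a comment in the template header stating that entries are interpreted as bash lines, not as single arguments, would spare callers a surprise.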