certbot: add possibility to specify commands to run on new certs

This makes it possible to e.g. reload nginx when new certificates are
present.

playbooks/roles/certbot/defaults/main.yaml

@@ -1 +1,2 @@
-certbot__http_01_port: 31820
+certbot__http_01_port: 31820
+certbot__new_cert_commands: [ ]

playbooks/roles/certbot/meta/argument_specs.yaml

@@ -26,3 +26,11 @@ argument_specs:
         type: str
         required: false
         default: 31820
+      certbot__new_cert_commands:
+        description: >-
+          A list of commands to execute after getting a new certificate.
+          Will be added into a bash script.
+        type: list
+        elements: str
+        required: false
+        default: [ ]

playbooks/roles/certbot/tasks/main.yaml

@@ -2,6 +2,10 @@
   ansible.builtin.import_tasks:
     file: main/install.yaml
 
+- name: ensure new cert commands
+  ansible.builtin.import_tasks:
+    file: main/new_cert_commands.yaml
+
 - name: ensure certificates
   ansible.builtin.import_tasks:
     file: main/certs.yaml

playbooks/roles/certbot/tasks/main/new_cert_commands.yaml

@@ -0,0 +1,17 @@
+- name: ensure existence of renewal deploy hooks directory
+  ansible.builtin.file:
+    path: /etc/letsencrypt/renewal-hooks/deploy
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ensure renewal deploy hook commands
+  ansible.builtin.template:
+    src: renewal_deploy_hook_commands.sh.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
+    owner: root
+    group: root
+    mode: "0770"
+  become: true

playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+{% for command in certbot__new_cert_commands %}
+{{ command }}
+{% endfor %}