certbot: add possibility to specify commands to run on new certs

This makes it possible to e.g. reload nginx when new certificates are
present.
This commit is contained in:
June 2024-01-28 03:29:39 +01:00
parent e53da90160
commit 95a3901935
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
5 changed files with 35 additions and 1 deletions


@ -1 +1,2 @@
certbot__http_01_port: 31820 certbot__http_01_port: 31820
certbot__new_cert_commands: [ ]


@ -26,3 +26,11 @@ argument_specs:
type: str type: str
required: false required: false
default: 31820 default: 31820
certbot__new_cert_commands:
description: >-
A list of commands to execute after getting a new certificate.
Will be added into a bash script.
type: list
elements: str
required: false
default: [ ]
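Review bot: The description of `certbot__new_cert_commands` understates what the variable does: each entry is pasted verbatim into a script that certbot executes as root, so a consumer of this role needs to know it is unquoted, unvalidated shell and must come from a trusted source. I would expand it to something like `Shell commands to run, as root, from a certbot deploy hook after a successful renewal. Each entry is inserted verbatim (no quoting or validation) into a bash script, so only trusted input belongs here; certbot's RENEWED_LINEAGE/RENEWED_DOMAINS environment variables are available to the commands.` The default `[ ]` is fine, but the resulting hook is installed even when the list is empty, which is worth a sentence too.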


@ -2,6 +2,10 @@
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: main/install.yaml file: main/install.yaml
- name: ensure new cert commands
ansible.builtin.import_tasks:
file: main/new_cert_commands.yaml
- name: ensure certificates - name: ensure certificates
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: main/certs.yaml file: main/certs.yaml


@ -0,0 +1,17 @@
- name: ensure existence of renewal deploy hooks directory
ansible.builtin.file:
path: /etc/letsencrypt/renewal-hooks/deploy
state: directory
owner: root
group: root
mode: "0755"
become: true
- name: ensure renewal deploy hook commands
ansible.builtin.template:
src: renewal_deploy_hook_commands.sh.j2
dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
owner: root
group: root
mode: "0770"
become: true
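Review bot: The template task writes a root-executed script assembled from free-form variable content without checking that the rendered result is valid shell; a stray quote in one entry of `certbot__new_cert_commands` would ship a hook that fails (or misbehaves) at the next renewal, when nobody is watching. Adding `validate: "bash -n %s"` to the `ansible.builtin.template` task makes Ansible refuse to install a script that does not parse. The `mode: "0770"` is executable for root so certbot will run it, but the conventional mode for files in `renewal-hooks/deploy` is `0755`; restricting it to root is fine, just note the intent in a comment so the next reader does not "fix" it. The hunk header says 17 lines but 16 are visible, so a line (probably a leading `---`) appears to be lost in rendering.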


@ -0,0 +1,4 @@
#!/bin/bash
{% for command in certbot__new_cert_commands %}
{{ command }}
{% endfor %}
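Review bot: The generated hook has no error handling: without `set -e` a failing first command does not stop the later ones, and the script's exit status (which is all certbot sees) is that of the last command only, so a broken reload can go unnoticed. I would emit `set -euo pipefail` right after the shebang, plus a `# Managed by Ansible; edits will be overwritten.` comment so the file is not hand-edited on the host. Two caveats worth a comment in the template: the deploy hook runs for every lineage certbot renews, not only for the ones this role manages (the commands can inspect `$RENEWED_LINEAGE` if they care), and as far as I recall certbot only runs the `renewal-hooks/deploy` directory during `certbot renew`, so the initial issuance in `main/certs.yaml` (outside this view) may need its own reload step.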