diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml
index afca181..efa34aa 100644
--- a/inventories/chaosknoten/host_vars/grafana.yaml
+++ b/inventories/chaosknoten/host_vars/grafana.yaml
@@ -11,6 +11,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
 - "grafana.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
diff --git a/inventories/chaosknoten/host_vars/hackertours.yaml b/inventories/chaosknoten/host_vars/hackertours.yaml
index 8346e5d..b7d24e0 100644
--- a/inventories/chaosknoten/host_vars/hackertours.yaml
+++ b/inventories/chaosknoten/host_vars/hackertours.yaml
@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
 - "hackertours.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
diff --git a/inventories/chaosknoten/host_vars/keycloak.yaml b/inventories/chaosknoten/host_vars/keycloak.yaml
index e9b5b70..68f37ba 100644
--- a/inventories/chaosknoten/host_vars/keycloak.yaml
+++ b/inventories/chaosknoten/host_vars/keycloak.yaml
@@ -6,6 +6,8 @@ certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
 - "id.hamburg.ccc.de"
 - "keycloak-admin.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
diff --git a/inventories/chaosknoten/host_vars/lists.yaml b/inventories/chaosknoten/host_vars/lists.yaml
index 2175571..b856d49 100644
--- a/inventories/chaosknoten/host_vars/lists.yaml
+++ b/inventories/chaosknoten/host_vars/lists.yaml
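Review bot: The same two lines are added to eight host_vars files (grafana, hackertours, keycloak, lists, mumble, pad, wiki, zammad) and once more in the nextcloud role's meta dependency, so a later change to the reload command has nine places to miss. If the inventory has a group for the nginx-fronted hosts, `certbot__new_cert_commands` could be set once in that group's vars, with the role default staying `[ ]` for hosts that have nothing to reload. The per-host value works as a first step; this is a maintainability point rather than a defect.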
@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
 - "lists.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
diff --git a/inventories/chaosknoten/host_vars/mumble.yaml b/inventories/chaosknoten/host_vars/mumble.yaml
index 5545878..eeeeaeb 100644
--- a/inventories/chaosknoten/host_vars/mumble.yaml
+++ b/inventories/chaosknoten/host_vars/mumble.yaml
@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
 - "mumble.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
diff --git a/inventories/chaosknoten/host_vars/onlyoffice.yaml b/inventories/chaosknoten/host_vars/onlyoffice.yaml
index 6b9858e..bf43f07 100644
--- a/inventories/chaosknoten/host_vars/onlyoffice.yaml
+++ b/inventories/chaosknoten/host_vars/onlyoffice.yaml
@@ -7,6 +7,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
 - "onlyoffice.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/onlyoffice/compose.yaml.j2') }}"
 docker_compose__configuration_files: [ ]
diff --git a/inventories/chaosknoten/host_vars/pad.yaml b/inventories/chaosknoten/host_vars/pad.yaml
index 768c98f..ea420a9 100644
--- a/inventories/chaosknoten/host_vars/pad.yaml
+++ b/inventories/chaosknoten/host_vars/pad.yaml
@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
 - "pad.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 nginx__version_spec: ""
 nginx__configurations:
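Review bot: In onlyoffice.yaml the new hook reloads `nginx.service`, but the visible context of that hunk holds `docker_compose__` vars and no `nginx__` vars, unlike every other host in this diff. If nginx is not installed on that host, the hook exits non-zero on every renewal and each renewal run reports an error; if nginx does run there (its vars may simply sit outside the hunk), the entry is fine. Worth confirming against the rest of onlyoffice.yaml before merging.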
diff --git a/inventories/chaosknoten/host_vars/wiki.yaml b/inventories/chaosknoten/host_vars/wiki.yaml
index f1ac980..1a3e1c2 100644
--- a/inventories/chaosknoten/host_vars/wiki.yaml
+++ b/inventories/chaosknoten/host_vars/wiki.yaml
@@ -10,3 +10,5 @@ certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
 - "wiki.ccchh.net"
 - "wiki.hamburg.ccc.de"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
diff --git a/inventories/chaosknoten/host_vars/zammad.yaml b/inventories/chaosknoten/host_vars/zammad.yaml
index be2c445..d0e1ea8 100644
--- a/inventories/chaosknoten/host_vars/zammad.yaml
+++ b/inventories/chaosknoten/host_vars/zammad.yaml
@@ -10,3 +10,5 @@ nginx__version_spec: ""
 nginx__configurations:
 - name: zammad.hamburg.ccc.de
 content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/zammad/nginx/zammad.hamburg.ccc.de.conf') }}"
+certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
diff --git a/playbooks/roles/certbot/defaults/main.yaml b/playbooks/roles/certbot/defaults/main.yaml
index c05e772..9b20634 100644
--- a/playbooks/roles/certbot/defaults/main.yaml
+++ b/playbooks/roles/certbot/defaults/main.yaml
@@ -1 +1,2 @@
-certbot__http_01_port: 31820
\ No newline at end of file
+certbot__http_01_port: 31820
+certbot__new_cert_commands: [ ]
diff --git a/playbooks/roles/certbot/meta/argument_specs.yaml b/playbooks/roles/certbot/meta/argument_specs.yaml
index 56f94cd..5e2da33 100644
--- a/playbooks/roles/certbot/meta/argument_specs.yaml
+++ b/playbooks/roles/certbot/meta/argument_specs.yaml
@@ -26,3 +26,11 @@ argument_specs:
 type: str
 required: false
 default: 31820
+ certbot__new_cert_commands:
+ description: >-
+ A list of commands to execute after getting a new certificate.
+ Will be added into a bash script.
+ type: list
+ elements: str
+ required: false
+ default: [ ]
diff --git a/playbooks/roles/certbot/tasks/main.yaml b/playbooks/roles/certbot/tasks/main.yaml
index 21f4207..e4749b4 100644
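Review bot: The `certbot__new_cert_commands` description in argument_specs.yaml should say who executes the commands and with which privileges, because that is what a host_vars author needs to know: each entry is copied verbatim as one line of a bash script in certbot's renewal deploy-hook directory and run by the certbot renewal process (root on a standard install) after a successful renewal, and depending on the certbot version also after the initial issuance. Suggested wording: `A list of shell commands, each written verbatim as a line of a bash script that certbot runs as root from /etc/letsencrypt/renewal-hooks/deploy after a successful certificate renewal (e.g. a service reload).` The `default: [ ]` spacing matches the `[ ]` style already used in the inventory, so that part is consistent.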
--- a/playbooks/roles/certbot/tasks/main.yaml
+++ b/playbooks/roles/certbot/tasks/main.yaml
@@ -2,6 +2,10 @@
 ansible.builtin.import_tasks:
 file: main/install.yaml
+- name: ensure new cert commands
+ ansible.builtin.import_tasks:
+ file: main/new_cert_commands.yaml
+
 - name: ensure certificates
 ansible.builtin.import_tasks:
 file: main/certs.yaml
diff --git a/playbooks/roles/certbot/tasks/main/new_cert_commands.yaml b/playbooks/roles/certbot/tasks/main/new_cert_commands.yaml
new file mode 100644
index 0000000..42bc255
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main/new_cert_commands.yaml
@@ -0,0 +1,17 @@
+- name: ensure existence of renewal deploy hooks directory
+ ansible.builtin.file:
+ path: /etc/letsencrypt/renewal-hooks/deploy
+ state: directory
+ owner: root
+ group: root
+ mode: "0755"
+ become: true
+
+- name: ensure renewal deploy hook commands
+ ansible.builtin.template:
+ src: renewal_deploy_hook_commands.sh.j2
+ dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
+ owner: root
+ group: root
+ mode: "0770"
+ become: true
diff --git a/playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2 b/playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2
new file mode 100644
index 0000000..9feb68c
--- /dev/null
+++ b/playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2
@@ -0,0 +1,4 @@
+#!/bin/bash
+{% for command in certbot__new_cert_commands %}
+{{ command }}
+{% endfor %}
diff --git a/playbooks/roles/nextcloud/meta/main.yaml b/playbooks/roles/nextcloud/meta/main.yaml
index a94e578..9138dfe 100644
--- a/playbooks/roles/nextcloud/meta/main.yaml
+++ b/playbooks/roles/nextcloud/meta/main.yaml
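Review bot: `mode: "0770"` on `ansible_commands.sh` in new_cert_commands.yaml makes a script that certbot executes with its own privileges group-writable; with `group: root` that adds no real exposure, but it is wider than needed and differs from the `"0755"` used for the directory in the task just above. `mode: "0750"` keeps the execute bit certbot requires (it only runs executable files from that directory) and drops the write bit. The template task also writes the script when `certbot__new_cert_commands` is empty, leaving a shebang-only executable in the hook directory; harmless, but a `when: certbot__new_cert_commands | length > 0` guard, paired with a `state: absent` cleanup, would avoid stale hooks on hosts that later clear the list.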
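Review bot: The generated hook in renewal_deploy_hook_commands.sh.j2 has no error handling after `#!/bin/bash`, so when a listed command fails (an nginx config error during reload, for instance) the script's exit status is only that of the last command and the failure is easy to miss, while nginx keeps serving the previous certificate. Adding `set -euo pipefail` as the second line makes any failing command exit the hook non-zero, which then shows up in certbot's renewal output. If the remaining commands should still run after one fails, use a failure flag instead of `-e` and exit with it at the end. A one-line comment above the loop noting that each `{{ command }}` is rendered unescaped into a root-executed script, i.e. the variable is trusted inventory input, would help the next reader.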
@@ -6,6 +6,8 @@ dependencies:
 certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
 certbot__certificate_domains:
 - "{{ nextcloud__fqdn }}"
+ certbot__new_cert_commands:
+ - "systemctl reload nginx.service"
 - role: nginx
 vars:
 nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"