Add nginx reload command on new cert for all VMs with certbot and nginx

This makes it possible to e.g. reload nginx when new certificates are
present.

inventories/chaosknoten/host_vars/grafana.yaml

@@ -11,6 +11,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
   - "grafana.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
 
 nginx__version_spec: ""
 nginx__configurations:

inventories/chaosknoten/host_vars/hackertours.yaml

@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
   - "hackertours.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
 
 nginx__version_spec: ""
 nginx__configurations:

inventories/chaosknoten/host_vars/keycloak.yaml

@@ -6,6 +6,8 @@ certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
   - "id.hamburg.ccc.de"
   - "keycloak-admin.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
 
 nginx__version_spec: ""
 nginx__configurations:

inventories/chaosknoten/host_vars/lists.yaml

@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
   - "lists.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
 
 nginx__version_spec: ""
 nginx__configurations:

inventories/chaosknoten/host_vars/mumble.yaml

@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
   - "mumble.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
 
 nginx__version_spec: ""
 nginx__configurations:

inventories/chaosknoten/host_vars/onlyoffice.yaml

@@ -7,6 +7,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
   - "onlyoffice.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
 
 docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/onlyoffice/compose.yaml.j2') }}"
 docker_compose__configuration_files: [ ]

inventories/chaosknoten/host_vars/pad.yaml

@@ -5,6 +5,8 @@ certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
   - "pad.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"
 
 nginx__version_spec: ""
 nginx__configurations:

inventories/chaosknoten/host_vars/wiki.yaml

@@ -10,3 +10,5 @@ certbot__acme_account_email_address: j+letsencrypt-ccchh@jsts.xyz
 certbot__certificate_domains:
   - "wiki.ccchh.net"
   - "wiki.hamburg.ccc.de"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"

inventories/chaosknoten/host_vars/zammad.yaml

@@ -10,3 +10,5 @@ nginx__version_spec: ""
 nginx__configurations:
   - name: zammad.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/zammad/nginx/zammad.hamburg.ccc.de.conf') }}"
+certbot__new_cert_commands:
+  - "systemctl reload nginx.service"

playbooks/roles/certbot/defaults/main.yaml

@@ -1 +1,2 @@
-certbot__http_01_port: 31820
+certbot__http_01_port: 31820
+certbot__new_cert_commands: [ ]

playbooks/roles/certbot/meta/argument_specs.yaml

@@ -26,3 +26,11 @@ argument_specs:
         type: str
         required: false
         default: 31820
+      certbot__new_cert_commands:
+        description: >-
+          A list of commands to execute after getting a new certificate.
+          Will be added into a bash script.
+        type: list
+        elements: str
+        required: false
+        default: [ ]

playbooks/roles/certbot/tasks/main.yaml

@@ -2,6 +2,10 @@
   ansible.builtin.import_tasks:
     file: main/install.yaml
 
+- name: ensure new cert commands
+  ansible.builtin.import_tasks:
+    file: main/new_cert_commands.yaml
+
 - name: ensure certificates
   ansible.builtin.import_tasks:
     file: main/certs.yaml

playbooks/roles/certbot/tasks/main/new_cert_commands.yaml

@@ -0,0 +1,17 @@
+- name: ensure existence of renewal deploy hooks directory
+  ansible.builtin.file:
+    path: /etc/letsencrypt/renewal-hooks/deploy
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: ensure renewal deploy hook commands
+  ansible.builtin.template:
+    src: renewal_deploy_hook_commands.sh.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
+    owner: root
+    group: root
+    mode: "0770"
+  become: true

playbooks/roles/certbot/templates/renewal_deploy_hook_commands.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash
+{% for command in certbot__new_cert_commands %}
+{{ command }}
+{% endfor %}

playbooks/roles/nextcloud/meta/main.yaml

@@ -6,6 +6,8 @@ dependencies:
       certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
       certbot__certificate_domains:
         - "{{ nextcloud__fqdn }}"
+      certbot__new_cert_commands:
+        - "systemctl reload nginx.service"
   - role: nginx
     vars:
       nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"