Merge pull request #10 from roles-ansible/hook

improve acmetool hook configuration

README.md

@@ -5,6 +5,8 @@
 
 Install and configure the `acmetool` LE client.
 
+Currently this role is designed to work with the [do1jlr.nginx](https://github.com/do1jlr/ansible_role_nginx.git) ansible role. Maybe there will be a standalone version of this role someday...
+
 
  Variables
 -----------
@@ -12,6 +14,13 @@ Install and configure the `acmetool` LE client.
 * ``acme_notification_email:`` (Default: ``root@example.org``):
   LE account email. The default needs to be changed!
 
+* ``acme_reload_services:`` (Default: ``[]``):
+  Services that need a reload by certificat change
+  *(There are some services pre-defined in the [files/reload](files/reload) file)*
+
+* ``acme_restart_services:`` (Default: ``[]``):
+  Services that need a restart by certificat change
+
 * ``submodules_versioncheck:`` (Default: ``false``):
   Enable basic versionscheck. *(``true`` is recomended)*
 
@@ -30,6 +39,11 @@ Install and configure the `acmetool` LE client.
     - "files/{{ inventory_hostname }}"
     - 'templates'
 ```
+This file is configuring the acmetool behaviour like certificate type, challange methode, acme notification email and so on. Change the values by providing your own ``response-file.yml.j2``.
+
+* We search the ``reload`` and ``restart`` hook using the [first_found_loopup](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/first_found_lookup.html) with the config defined in ``vars/main.yml``.
+
+* We deploy the ``acme-reload`` and ``acme-restart`` configuration based on the ``acme_reload_services:`` and ``acme_restart_services:`` variables
 
  References
 ------------

defaults/main.yml

@@ -1,5 +1,9 @@
 ---
 acme_notification_email: 'root@example.org'
 
+# services that need reload or restart
+acme_reload_services: []
+acme_restart_services: []
+
 # should we do a version check? (recomended)
 submodules_versioncheck: false

files/reload

@@ -0,0 +1,47 @@
+#!/bin/sh
+## this file is managed by https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# This file reloads services when the preferred certificate for a hostname
+# changes. A list of commonly used daemons is preconfigured. You can override
+# this list by setting $SERVICES in /etc/{default,conf.d}/acme-reload.
+#
+# Configuration options:
+#   /etc/{default,conf.d}/acme-reload
+#     Sourced if they exist. Specify variables here.
+#     Please note that most of the time, you don't need to specify anything.
+#
+#   $SERVICES
+#     Space-separated list of daemons to reload.
+#     Append with SERVICES="$SERVICES mydaemon".
+
+###############################################################################
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+SERVICES="httpd apache2 apache nginx tengine lighttpd postfix dovecot exim exim4 haproxy hitch quassel quasselcore opensmtpd freeswitch"
+[ -e "/etc/default/acme-reload" ] && . /etc/default/acme-reload
+[ -e "/etc/conf.d/acme-reload" ] && . /etc/conf.d/acme-reload
+[ -z "$ACME_STATE_DIR" ] && ACME_STATE_DIR="/var/lib/acme"
+
+# Restart services.
+if which service >/dev/null 2>/dev/null; then
+  for x in $SERVICES; do
+    service "$x" reload >/dev/null 2>/dev/null || true
+  done
+  exit 0
+fi
+
+if which systemctl >/dev/null 2>/dev/null; then
+  for x in $SERVICES; do
+    [ -e "/lib/systemd/system/$x.service" -o -e "/etc/systemd/system/$x.service" ] && systemctl reload "$x.service" >/dev/null 2>/dev/null || true
+  done
+  exit 0
+fi
+
+if [ -e "/etc/init.d" ]; then
+  for x in $SERVICES; do
+    /etc/init.d/$x reload >/dev/null 2>/dev/null || true
+  done
+  exit 0
+fi

files/restart

@@ -1,4 +1,6 @@
 #!/bin/sh
+## this file is managed by https://github.com/roles-ansible/ansible_role_acmetool.git
+#
 ## This script is similar to the default 'reload' script by acmetool but
 ## for services that need a full restart.
 

meta/main.yml

@@ -2,7 +2,7 @@
 galaxy_info:
   role_name: acmetool
   author: do1jlr
-  description: Install acmetool and get it working together with the do1jlr.nginx role.
+  description: Install acmetool, an easy-to-use command line tool for automatically acquiring certificates from ACME servers (eg. Let's Encrypt)
   license: "MIT"
   min_ansible_version: 2.11
   github_branch: main

tasks/hook.yml

@@ -1,9 +1,36 @@
 ---
-- name: Copy hook to enable acmetool to restart services
+- name: Copy hook to enable acmetool to reload services
   become: true
   ansible.builtin.copy:
-    src: 'files/restart'
+    src: "{{ lookup('first_found', acmetool__reload_hook ) }}"
     dest: '/etc/acme/hooks/'
     owner: root
     group: root
     mode: 'u=rx,g=rx,o=rx'
+
+- name: create hook configuration to reload services via ansible
+  become: true
+  ansible.builtin.template:
+    src: 'templates/acmetool_reload.j2'
+    dest: '/etc/default/acme-reload'
+    owner: root
+    group: root
+    mode: 'u=rx,g=rx,o=rx'
+
+- name: Copy hook to enable acmetool to restart services
+  become: true
+  ansible.builtin.copy:
+    src: "{{ lookup('first_found', acmetool__restart_hook ) }}"
+    dest: '/etc/acme/hooks/'
+    owner: root
+    group: root
+    mode: 'u=rx,g=rx,o=rx'
+
+- name: create hook configuration to restart services via ansible
+  become: true
+  ansible.builtin.template:
+    src: 'templates/acmetool_restart.j2'
+    dest: '/etc/default/acme-restart'
+    owner: root
+    group: root
+    mode: 'u=rx,g=rx,o=rx'

templates/acmetool_reload.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# reload hook configuration file
+# adding the service to the list of services to be reloaded by acmetool.
+SERVICES="$SERVICES
+  {%- for service in acme_reload_services -%}
+    {{- ' ' -}}
+    {{- service -}}
+  {%- endfor -%}"

templates/acmetool_restart.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# restart hook configuration file
+# adding the service to the list of services to be restarted.
+SERVICES="$SERVICES
+  {%- for service in acme_restart_services -%}
+    {{- ' ' -}}
+    {{- service -}}
+  {%- endfor -%}"

vars/main.yml

@@ -10,6 +10,28 @@ acmetool__response_file:
     - "files/{{ inventory_hostname }}"
     - 'templates'
 
+acmetool__reload_hook:
+  files:
+    - "{{ inventory_hostname }}.restart"
+    - 'restart'
+  paths:
+    - 'files/acmetool'
+    - "files/{{ inventory_hostname }}"
+    - 'templates/acmetool'
+    - "templates/{{ inventory_hostname }}"
+    - 'files'
+
+acmetool__restart_hook:
+  files:
+    - "{{ inventory_hostname }}.restart"
+    - 'restart'
+  paths:
+    - 'files/acmetool'
+    - "files/{{ inventory_hostname }}"
+    - 'templates/acmetool'
+    - "templates/{{ inventory_hostname }}"
+    - 'files'
+
 # versionscheck
-playbook_version_number: 26   # should be a integer
+playbook_version_number: 27   # should be a integer
 playbook_version_path: 'do1jlr.role-acmetool.version'