Enhancement: More flexible per-domain hooks

Added per-domain deploy hooks Added possibility to add arbitrary content to pre/post/deploy hook shell scripts per domain
Salvoxia · Dec 30, 2024 · dc221e7 · dc221e7
1 parent 7b1e315
commit dc221e7
Show file tree

Hide file tree

Showing 8 changed files with 99 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -96,6 +96,10 @@ certbot_netcup_certs: []
   #   email: [email protected]
   #   services:
   #     - nginx
+  #   pre_hook_additional_content: ""
+  #   post_hook_additional_content: ""
+  #   deploy_hook_additional_content: |
+  #     postfix reload
   # - domains:
   #     - example2.com
 ```
@@ -109,6 +113,8 @@ One certificate file will be created per entry in `certbot_netcup_certs`.
 
 `services` is a list of services to stop before certificate renewal and start again after. From these services a shell script as `pre` and `post` hook is created.
 
+`pre_hook_additional_content`, `post_hook_additional_content`, `deploy_hook_additional_content` are strings that represent additional content to be written to the corresponding hook shell scripts. This gives the flexibility to perform tasks other than starting or stopping services. The example above reloads the Postfix configfuration to refresh TLS certificates after renewal without Postfix downtime.
+
 ```yaml
 certbot_cloudflare_acme_server: "{{ certbot_cloudflare_acme_test }}"
 ```

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -24,6 +24,10 @@ certbot_netcup_certs: []
   # - email: [email protected]
   #   services:
   #     - nginx
+  #   pre_hook_additional_content: ""
+  #   post_hook_additional_content: ""
+  #   deploy_hook_additional_content: |
+  #     postfix reload
   #   domains:
   #     - local.example.com
   #     - *.local.example.com
@@ -44,11 +48,14 @@ certbot_create_command: >-
   --email {{ cert_item.email | default(certbot_netcup_admin_email) }}
   {{ certbot_netcup_create_extra_args }}
   -d {{ cert_item.domains | join(',') }}
-  {{ '--pre-hook /etc/letsencrypt/domain-renewal-hooks/' + first_domain + '/stop_services.sh'
-    if cert_item.services is defined and cert_item.services
+  {{ '--pre-hook /etc/letsencrypt/domain-renewal-hooks/' + first_domain + '/pre_hook.sh'
+    if (cert_item.services is defined and cert_item.services) or (cert_item.pre_hook_additional_content is defined and cert_item.pre_hook_additional_content | length > 0)
   else '' }}
-  {{ '--post-hook /etc/letsencrypt/domain-renewal-hooks/' + first_domain + '/stop_services.sh'
-    if cert_item.services is defined and cert_item.services
+  {{ '--post-hook /etc/letsencrypt/domain-renewal-hooks/' + first_domain + '/post_hook.sh'
+    if (cert_item.services is defined and cert_item.services) or (cert_item.post_hook_additional_content is defined and cert_item.post_hook_additional_content | length > 0)
+  else '' }}
+  {{ '--deploy-hook /etc/letsencrypt/domain-renewal-hooks/' + first_domain + '/deploy_hook.sh'
+    if cert_item.deploy_hook_additional_content is defined and cert_item.deploy_hook_additional_content | length > 0
   else '' }}
 
 # Extra arguments to pass to certbot when creating a certificate

diff --git a/molecule/install_from_pip/converge.yml b/molecule/install_from_pip/converge.yml
@@ -14,5 +14,7 @@
           - "*.example.com"
         services:
           - nginx
+        deploy_hook_additional_content: |
+          echo "I am printed at deploy-time!"
   roles:
     - role: "salvoxia.certbot_netcup"
diff --git a/molecule/install_from_pip/verify.yml b/molecule/install_from_pip/verify.yml
@@ -28,8 +28,12 @@
 
     - name: "Verify pre hook script existing"
       ansible.builtin.file:
-        path: "/etc/letsencrypt/domain-renewal-hooks/example.com/stop_services.sh"
+        path: "/etc/letsencrypt/domain-renewal-hooks/example.com/pre_hook.sh"
 
     - name: "Verify post hook script existing"
       ansible.builtin.file:
-        path: "/etc/letsencrypt/domain-renewal-hooks/example.com/start_services.sh"
+        path: "/etc/letsencrypt/domain-renewal-hooks/example.com/post_hook.sh"
+
+    - name: "Verify deploy hook script existing"
+      ansible.builtin.file:
+        path: "/etc/letsencrypt/domain-renewal-hooks/example.com/deploy_hook.sh"
diff --git a/tasks/create-cert.yml b/tasks/create-cert.yml
@@ -8,38 +8,75 @@
     path: /etc/letsencrypt/live/{{ first_domain }}/cert.pem
   register: letsencrypt_cert
 
-- name: "Create pre and post hooks for domain"
+- name: "Ensure domain-specific renewal hook folder exists."
+  ansible.builtin.file:
+    path: /etc/letsencrypt/domain-renewal-hooks/{{ first_domain }}
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  when: cert_item.services is defined and cert_item.services
+        or cert_item.pre_hook_additional_content is defined and cert_item.pre_hook_additional_content | length > 0
+        or cert_item.post_hook_additional_content is defined and cert_item.post_hook_additional_content | length > 0
+        or cert_item.deploy_hook_additional_content is defined and cert_item.deploy_hook_additional_content | length > 0
+
+- name: "Set domain services fact"
+  ansible.builtin.set_fact:
+    certbot_netcup_domain_services: "{{ cert_item.services }}"
   when:
     - cert_item.services is defined
     - cert_item.services
-  block:
-    - name: "Ensure pre and post hook folders exist."
-      ansible.builtin.file:
-        path: /etc/letsencrypt/domain-renewal-hooks/{{ first_domain }}
-        state: directory
-        owner: root
-        group: root
-        mode: "0755"
-
-    - name: "Set domain services fact"
-      ansible.builtin.set_fact:
-        certbot_netcup_domain_services: "{{ cert_item.services }}"
-
-    - name: "Create hook to stop services."
-      ansible.builtin.template:
-        src: stop_services.sh.j2
-        dest: /etc/letsencrypt/domain-renewal-hooks/{{ first_domain }}/stop_services.sh
-        owner: root
-        group: root
-        mode: "0750"
-
-    - name: "Create hook to start services."
-      ansible.builtin.template:
-        src: start_services.sh.j2
-        dest: /etc/letsencrypt/domain-renewal-hooks/{{ first_domain }}/start_services.sh
-        owner: root
-        group: root
-        mode: "0750"
+
+- name: "Set domain pre hook additional content fact"
+  ansible.builtin.set_fact:
+    certbot_netcup_domain_pre_hook_additional_content: "{{ cert_item.pre_hook_additional_content }}"
+  when:
+    - cert_item.pre_hook_additional_content is defined
+    - cert_item.pre_hook_additional_content | length > 0
+
+- name: "Set domain post hook additional content fact"
+  ansible.builtin.set_fact:
+    certbot_netcup_domain_post_hook_additional_content: "{{ cert_item.post_hook_additional_content }}"
+  when:
+    - cert_item.post_hook_additional_content is defined
+    - cert_item.post_hook_additional_content | length > 0
+
+- name: "Set domain deploy hook additional content fact"
+  ansible.builtin.set_fact:
+    certbot_netcup_domain_deploy_hook_additional_content: "{{ cert_item.deploy_hook_additional_content }}"
+  when:
+    - cert_item.deploy_hook_additional_content is defined
+    - cert_item.deploy_hook_additional_content | length > 0
+
+- name: "Create pre hook script."
+  ansible.builtin.template:
+    src: pre_hook.sh.j2
+    dest: /etc/letsencrypt/domain-renewal-hooks/{{ first_domain }}/pre_hook.sh
+    owner: root
+    group: root
+    mode: "0750"
+  when: certbot_netcup_domain_services is defined and certbot_netcup_domain_services 
+        or certbot_netcup_domain_pre_hook_additional_content is defined and certbot_netcup_domain_pre_hook_additional_content | length > 0
+
+- name: "Create post hook script."
+  ansible.builtin.template:
+    src: post_hook.sh.j2
+    dest: /etc/letsencrypt/domain-renewal-hooks/{{ first_domain }}/post_hook.sh
+    owner: root
+    group: root
+    mode: "0750"
+  when: certbot_netcup_domain_services is defined and certbot_netcup_domain_services 
+      or certbot_netcup_domain_post_hook_additional_content is defined and certbot_netcup_domain_post_hook_additional_content | length > 0
+
+- name: "Create deploy hook script."
+  ansible.builtin.template:
+    src: post_hook.sh.j2
+    dest: /etc/letsencrypt/domain-renewal-hooks/{{ first_domain }}/deploy_hook.sh
+    owner: root
+    group: root
+    mode: "0750"
+  when: certbot_netcup_domain_services is defined and certbot_netcup_domain_services 
+      or certbot_netcup_domain_deploy_hook_additional_content is defined and certbot_netcup_domain_deploy_hook_additional_content | length > 0
 
 - name: 'Log certbot command'
   ansible.builtin.debug:

diff --git a/templates/deploy_hook.sh.j2 b/templates/deploy_hook.sh.j2
@@ -0,0 +1,4 @@
+#!/bin/sh
+# {{ ansible_managed }}
+
+{{ certbot_netcup_domain_deploy_hook_additional_content }}
diff --git a/templates/start_services.sh.j2 → templates/post_hook.sh.j2 b/templates/start_services.sh.j2 → templates/post_hook.sh.j2
@@ -13,3 +13,5 @@ rc-service {{ item }} start
 service {{ item }} start
 {% endif %}
 {% endfor %}
+
+{{ certbot_netcup_domain_post_hook_additional_content | default('') }}
diff --git a/templates/stop_services.sh.j2 → templates/pre_hook.sh.j2 b/templates/stop_services.sh.j2 → templates/pre_hook.sh.j2
@@ -13,3 +13,5 @@ rc-service {{ item }} stop
 service {{ item }} stop
 {% endif %}
 {% endfor %}
+
+{{ certbot_netcup_domain_pre_hook_additional_content | default('') }}