From 628e6bfef4840064a1a6bb9b5a7ab233087eb159 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?=
Date: Mon, 12 Dec 2016 20:47:14 +0100
Subject: [PATCH] Add support for a default hook script

The default hook script can be used to reload the webserver when a new certificate has been installed.
---
 CHANGELOG.rst | 4 ++++
 letsencrypt-sh/config.sls | 20 +++++++++++++++++++-
 letsencrypt-sh/defaults.yaml | 3 +++
 letsencrypt-sh/files/config | 3 +++
 letsencrypt-sh/files/hook | 15 +++++++++++++++
 pillar.example | 2 ++
 6 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 letsencrypt-sh/files/hook

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c3f47ed..f808e53 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,10 @@
 letsencrypt-sh formula
 ======================
+0.3.1 (UNRELEASED)
+
+- Add support for hook script reloading a service.
+
 0.3.0 (2016-12-12)
 - Updated for version 0.3.0 of the client.
diff --git a/letsencrypt-sh/config.sls b/letsencrypt-sh/config.sls
index 08f88fe..51f469a 100644
--- a/letsencrypt-sh/config.sls
+++ b/letsencrypt-sh/config.sls
@@ -3,7 +3,12 @@
 {% from "letsencrypt-sh/map.jinja" import letsencrypt_sh with context %}
-letsencrypth-sh-config:
+{% set install_hook = False %}
+{% if letsencrypt_sh.hook_script_src != 'salt://letsencrypt-sh/files/hook' or letsencrypt_sh.hook_service_to_reload %}
+{% set install_hook = True %}
+{% endif %}
+
+letsencrypt-sh-config:
 file.managed:
 - name: {{ letsencrypt_sh.config_file }}
 - source: salt://letsencrypt-sh/files/config
@@ -11,6 +16,19 @@ letsencrypth-sh-config:
 - user: root
 - group: root
 - template: jinja
+ - context:
+ use_default_hook: {{ install_hook }}
+
+{% if install_hook %}
+letsencrypt-sh-hook:
+ file.managed:
+ - name: {{ letsencrypt_sh.hook_script }}
+ - source: {{ letsencrypt_sh.hook_script_src }}
+ - mode: 755
+ - user: root
+ - group: root
+ - template: jinja
+{% endif %}
 letsencrypt-sh-domains:
 file.managed:
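Review bot: The `install_hook` test hard-codes `'salt://letsencrypt-sh/files/hook'` as the "shipped source" sentinel, duplicating the default that defaults.yaml declares for `hook_script_src`; if that default is ever changed in only one of the two places, a custom source is no longer detected and the hook silently stops being installed. Since the template cannot easily read the default back, at least pin the coupling with a comment above the `{% if %}`: `{# Must match hook_script_src in defaults.yaml: any other value means a custom hook was supplied #}`. The same hunk also renames the state id from `letsencrypth-sh-config` to `letsencrypt-sh-config`; that is a welcome typo fix, but any state outside this file that `require`s or `watch`es the old id would break, so it deserves a grep and a CHANGELOG line (the entry added here mentions only the hook).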
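Review bot: `letsencrypt-sh-hook` applies `- template: jinja` regardless of where `hook_script_src` points, so a user-supplied hook is also pushed through the Jinja renderer before being installed as a root-owned, mode 755 executable; a script containing `{{`, `{%` or `{#` sequences would fail to render or be altered silently. Either document that requirement next to the `hook_script_src` default or make the rendering conditional, wrapping the `- template: jinja` line in `{% if letsencrypt_sh.hook_script_src == 'salt://letsencrypt-sh/files/hook' %}` ... `{% endif %}`. Separately, `letsencrypt-sh-config` now writes `hook` pointing at `hook_script` but declares no relationship with the hook state, so if `letsencrypt-sh-hook` fails the client is left configured with a hook path that may not exist; adding `- require_in:` / `- file: letsencrypt-sh-config` to the hook state makes the config depend on the hook being in place first.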
diff --git a/letsencrypt-sh/defaults.yaml b/letsencrypt-sh/defaults.yaml
index 6e99868..0aba25d 100644
--- a/letsencrypt-sh/defaults.yaml
+++ b/letsencrypt-sh/defaults.yaml
@@ -11,3 +11,6 @@ letsencrypt_sh:
 cron_hour: random
 cron_dayweek: random
 cron_enabled: True
+ hook_script: '/etc/letsencrypt.sh/hook'
+ hook_script_src: 'salt://letsencrypt-sh/files/hook'
+ hook_service_to_reload: ''
diff --git a/letsencrypt-sh/files/config b/letsencrypt-sh/files/config
index 47bde5f..8bbf0c7 100644
--- a/letsencrypt-sh/files/config
+++ b/letsencrypt-sh/files/config
@@ -5,6 +5,9 @@
 'domains-txt': letsencrypt_sh.domains_txt,
 }) -%}
+{%- if use_default_hook -%}
+{%- do cfg_client.setdefault('hook', letsencrypt_sh.hook_script) -%}
+{%- endif -%}
 {%- macro get_config(configname, default_value) -%}
 {%- set varname = configname.replace("-", "_") -%}
 {%- if configname in cfg_client -%}
diff --git a/letsencrypt-sh/files/hook b/letsencrypt-sh/files/hook
new file mode 100644
index 0000000..2094e2b
--- /dev/null
+++ b/letsencrypt-sh/files/hook
@@ -0,0 +1,15 @@
+#!/bin/sh
+# File managed by Salt (salt://letsencrypt-sh/files/hook). Do not edit by
+# hand!
+
+{% from "letsencrypt-sh/map.jinja" import letsencrypt_sh with context %}
+{% if letsencrypt_sh.hook_service_to_reload %}
+if [ "$1" = "deploy_cert" ]; then
+ service {{ letsencrypt_sh.hook_service_to_reload }} reload
+fi
+{% else %}
+# Empty file because pillar letsencrypt-sh:lookup:hook_service_to_reload
+# was not set for this minion. Alternatively you can set
+# letsencrypt-sh:lookup:hook_script_src to point to another source
+# file.
+{% endif %}
diff --git a/pillar.example b/pillar.example
index 82f45a2..c34e76a 100644
--- a/pillar.example
+++ b/pillar.example
@@ -19,4 +19,6 @@ letsencrypt-sh:
 pkg: letsencrypt.sh
 pkg_apache: letsencrypt.sh-apache2
 cron_command: cronic letsencrypt.sh --cron
+ # Service to reload after install of new cert
+ hook_service_to_reload: nginx
 # see defaults.yaml for full list
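Review bot: `use_default_hook` is referenced as a bare variable whose only source is the `- context:` that `letsencrypt-sh-config` passes in config.sls; rendered from anywhere else it is undefined, which Salt's default Jinja environment treats as false, so the `hook` entry would be dropped without any error. Spelling the dependency out keeps the template self-describing: `{#- use_default_hook is supplied by letsencrypt-sh-config (config.sls) -#}` followed by `{%- if use_default_hook | default(False) -%}`. The `setdefault` call correctly lets an explicit `hook` from pillar win over the managed script; that precedence is worth one comment so nobody later "fixes" it into an unconditional assignment. The enclosing `cfg_client` setup starts outside the hunk.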
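Review bot: `service {{ letsencrypt_sh.hook_service_to_reload }} reload` substitutes the pillar value into the command line unquoted, so a value containing whitespace or shell metacharacters is no longer passed as one service name; pillar is operator-controlled, but quoting it, `service "{{ letsencrypt_sh.hook_service_to_reload }}" reload`, makes the rendered command unambiguous. The `{% else %}` branch looks unreachable through this patch: config.sls only installs the hook when `hook_service_to_reload` is set or `hook_script_src` is not the shipped file, and in the latter case this template is not the source, so the "Empty file because ..." comment can never be rendered by `letsencrypt-sh-hook`; replace it with a short `exit 0` plus a comment naming that condition, or drop the branch. It is also worth stating in the header comment that the client invokes this script with the hook stage as `$1` and only `deploy_cert` is handled here; every other stage falls through the `if` and exits 0.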