forked from evolix/ansible-roles
improve hooks maintainability
This commit is contained in:
parent
44b2480e03
commit
68e6d6cb23
|
@ -1,9 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
|
@ -13,20 +9,36 @@ debug() {
|
|||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
|
||||
apache2ctl_bin=$(command -v apache2ctl)
|
||||
|
||||
if [ -n "$(pidof apache2)" ] && [ -n "${apache2ctl_bin}" ]; then
|
||||
if grep -q -r -E "letsencrypt" /etc/apache2/; then
|
||||
if ${apache2ctl_bin} configtest > /dev/null 2>&1; then
|
||||
debug "Apache detected... reloading"
|
||||
systemctl reload apache2
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof apache2)" && test -n "${apache2ctl_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${apache2ctl_bin} configtest > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
grep -q -r -E "letsencrypt" /etc/apache2/
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Apache detected... reloading"
|
||||
systemctl reload apache2
|
||||
else
|
||||
error "Apache config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
error "Apache config is broken, you must fix it !"
|
||||
debug "Apache doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Apache doesn't use Let's Encrypt certificate. Skip."
|
||||
debug "Apache is not running or missing. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Apache is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly apache2ctl_bin=$(command -v apache2ctl)
|
||||
|
||||
main
|
||||
|
|
|
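Review bot: `systemctl reload apache2` at the end of the new `main` is unchecked, so a failed reload makes the hook exit non-zero without any message while every other failure path goes through `error`; `systemctl reload apache2 || error "Apache reload failed"` keeps the diagnostics consistent. The same unchecked reload is present in the Dovecot, HAProxy, Nginx and Postfix hooks of this commit. The new helpers `daemon_found_and_running`, `config_check` and `letsencrypt_used` carry no header comment although they read the `apache2ctl_bin` global that is only assigned below the function definitions; a one-liner each, e.g. `# True when apache2 is running and apache2ctl is on PATH`, would make that dependency visible.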
@ -1,9 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
|
@ -13,21 +9,29 @@ debug() {
|
|||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
main() {
|
||||
export GIT_DIR="/etc/.git"
|
||||
export GIT_WORK_TREE="/etc"
|
||||
|
||||
git_bin=$(command -v git)
|
||||
letsencrypt_dir=/etc/letsencrypt
|
||||
export GIT_DIR="/etc/.git"
|
||||
export GIT_WORK_TREE="/etc"
|
||||
if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
|
||||
changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
|
||||
|
||||
if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
|
||||
changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
|
||||
if [ "${changed_lines}" != "0" ]; then
|
||||
debug "Committing for ${RENEWED_DOMAINS}"
|
||||
${git_bin} add --all ${letsencrypt_dir}
|
||||
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
|
||||
${git_bin} commit --message "${message}" --quiet
|
||||
else
|
||||
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "${changed_lines}" != "0" ]; then
|
||||
debug "Committing for ${RENEWED_DOMAINS}"
|
||||
${git_bin} add --all ${letsencrypt_dir}
|
||||
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
|
||||
${git_bin} commit --message "${message}" --quiet
|
||||
else
|
||||
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
|
||||
fi
|
||||
fi
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly git_bin=$(command -v git)
|
||||
readonly letsencrypt_dir=/etc/letsencrypt
|
||||
|
||||
main
|
||||
|
|
|
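Review bot: The `changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')` line in `main` hides a failing `git status`: a repository error produces no output, `wc -l` yields `0`, and the hook then raises the misleading "Weird, nothing has changed" error. Capturing the output directly, `changed=$(${git_bin} status --porcelain -- "${letsencrypt_dir}") || error "git status failed"` followed by `if [ -n "${changed}" ]; then`, separates the two cases. `${letsencrypt_dir}` is unquoted on that line and on the `git add --all` line; quoting it matches the rest of the script. `RENEWED_DOMAINS` is interpolated into the commit message without the `-z` guard the HAProxy hook applies to `RENEWED_LINEAGE`; a similar guard would stop a manual invocation from committing an empty `()`.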
@ -1,9 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
|
@ -13,20 +9,36 @@ debug() {
|
|||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
|
||||
doveconf_bin=$(command -v doveconf)
|
||||
|
||||
if [ -n "$(pidof dovecot)" ] && [ -n "${doveconf_bin}" ]; then
|
||||
if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
|
||||
if ${doveconf_bin} > /dev/null 2>&1; then
|
||||
debug "Dovecot detected... reloading"
|
||||
systemctl reload dovecot
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof dovecot)" && test -n "${doveconf_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${doveconf_bin} > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Dovecot detected... reloading"
|
||||
systemctl reload dovecot
|
||||
else
|
||||
error "Dovecot config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
error "Dovecot config is broken, you must fix it !"
|
||||
debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
|
||||
debug "Dovecot is not running or missing. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Dovecot is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly doveconf_bin=$(command -v doveconf)
|
||||
|
||||
main
|
||||
|
|
|
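Review bot: `main` calls `letsencrypt_used` before `config_check`, and `letsencrypt_used` runs `${doveconf_bin}` itself in a pipeline whose status is decided by `grep -q`; with a broken configuration doveconf prints nothing matching, so the hook takes the `debug "Dovecot doesn't use Let's Encrypt certificate. Skip."` branch, visible only with VERBOSE, instead of the `error "Dovecot config is broken, you must fix it !"` branch. Swapping the two inner `if` levels so `config_check` runs first makes a broken config fail loudly. The Postfix hook in this commit has the same ordering with `${postconf_bin}`.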
@ -1,9 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
|
@ -13,45 +9,67 @@ debug() {
|
|||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
|
||||
}
|
||||
found_renewed_lineage() {
|
||||
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
|
||||
}
|
||||
config_check() {
|
||||
${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1
|
||||
}
|
||||
concat_files() {
|
||||
# shellcheck disable=SC2174
|
||||
mkdir --mode=700 --parents "${haproxy_cert_dir}"
|
||||
chown root: "${haproxy_cert_dir}"
|
||||
|
||||
if [ -z "${RENEWED_LINEAGE}" ]; then
|
||||
error "This script must be called only by certbot!"
|
||||
fi
|
||||
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
||||
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
||||
chmod 600 "${haproxy_cert_file}"
|
||||
chown root: "${haproxy_cert_file}"
|
||||
}
|
||||
cert_and_key_mismatch() {
|
||||
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
|
||||
haproxy_bin=$(command -v haproxy)
|
||||
haproxy_cert_dir="/etc/ssl/haproxy/"
|
||||
test "${haproxy_cert_md5}" != "${haproxy_key_md5}"
|
||||
}
|
||||
main() {
|
||||
if [ -z "${RENEWED_LINEAGE}" ]; then
|
||||
error "This script must be called only by certbot!"
|
||||
fi
|
||||
|
||||
if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
|
||||
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
|
||||
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
|
||||
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
||||
if daemon_found_and_running; then
|
||||
if found_renewed_lineage; then
|
||||
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
|
||||
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
|
||||
|
||||
# shellcheck disable=SC2174
|
||||
mkdir --mode=700 --parents "${haproxy_cert_dir}"
|
||||
chown root: "${haproxy_cert_dir}"
|
||||
concat_files
|
||||
|
||||
debug "Concatenating certificate files to ${haproxy_cert_file}"
|
||||
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
|
||||
chmod 600 "${haproxy_cert_file}"
|
||||
chown root: "${haproxy_cert_file}"
|
||||
if cert_and_key_mismatch; then
|
||||
mv "${haproxy_cert_file}" "${failed_cert_file}"
|
||||
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
|
||||
fi
|
||||
|
||||
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
|
||||
|
||||
if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then
|
||||
mv "${haproxy_cert_file}" "${failed_cert_file}"
|
||||
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
|
||||
fi
|
||||
|
||||
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1; then
|
||||
debug "HAProxy detected... reloading"
|
||||
systemctl reload apache2
|
||||
if config_check; then
|
||||
debug "HAProxy detected... reloading"
|
||||
systemctl reload apache2
|
||||
else
|
||||
error "HAProxy config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
error "HAProxy config is broken, you must fix it !"
|
||||
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
|
||||
fi
|
||||
else
|
||||
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
|
||||
debug "HAProxy is not running or missing. Skip."
|
||||
fi
|
||||
else
|
||||
debug "HAProxy is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly haproxy_bin=$(command -v haproxy)
|
||||
readonly haproxy_cert_dir="/etc/ssl/haproxy"
|
||||
|
||||
main
|
||||
|
|
|
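Review bot: After a successful `config_check`, `main` still runs `systemctl reload apache2` in the HAProxy hook, so HAProxy is presumably left serving the previous certificate even though `${haproxy_cert_file}` was just rewritten; the line should read `systemctl reload haproxy`. In `concat_files` the `cat ... > "${haproxy_cert_file}"` redirection creates the file under the caller's umask before `chmod 600` runs, and `mkdir --parents` does not change the mode of an already existing `${haproxy_cert_dir}`, so the private key can briefly be readable by other users; `(umask 077; cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}")` closes that window. `cert_and_key_mismatch` depends on `openssl rsa -modulus`, which only handles RSA keys; a non-RSA lineage, if certbot were ever configured for one, would likely compare the certificate modulus against empty output and be moved to `${failed_cert_file}` as a mismatch, which deserves a comment or a key-type check.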
@ -1,9 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
|
@ -13,20 +9,36 @@ debug() {
|
|||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
|
||||
nginx_bin=$(command -v nginx)
|
||||
|
||||
if [ -n "$(pidof nginx)" ] && [ -n "${nginx_bin}" ]; then
|
||||
if grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then
|
||||
if ${nginx_bin} -t > /dev/null 2>&1; then
|
||||
debug "Nginx detected... reloading"
|
||||
systemctl reload nginx
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof nginx)" && test -n "${nginx_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${nginx_bin} -t > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Nginx detected... reloading"
|
||||
systemctl reload nginx
|
||||
else
|
||||
error "Nginx config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
error "Nginx config is broken, you must fix it !"
|
||||
debug "Nginx doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Nginx doesn't use Let's Encrypt certificate. Skip."
|
||||
debug "Nginx is not running or missing. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Nginx is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly nginx_bin=$(command -v nginx)
|
||||
|
||||
main
|
||||
|
|
|
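Review bot: `letsencrypt_used` only inspects `/etc/nginx/sites-enabled`, so a server block kept under another include directory (such as `/etc/nginx/conf.d`, if the host uses it) that references a Let's Encrypt certificate makes the hook skip the reload with a VERBOSE-only debug message; this predates the commit, but a header comment such as `# Only vhosts under sites-enabled are inspected` would at least document the limit. `readonly nginx_bin=$(command -v nginx)` is assigned after the helpers that read it, which works because `main` is called last; a comment above the globals, `# globals read by the helpers above; must stay before the main call`, makes that ordering deliberate rather than accidental.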
@ -1,9 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
error() {
|
||||
>&2 echo "${PROGNAME}: $1"
|
||||
exit 1
|
||||
|
@ -13,20 +9,36 @@ debug() {
|
|||
>&2 echo "${PROGNAME}: $1"
|
||||
fi
|
||||
}
|
||||
|
||||
postconf_bin=$(command -v postconf)
|
||||
|
||||
if [ -n "$(pidof master)" ] && [ -n "${postconf_bin}" ]; then
|
||||
if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
|
||||
if ${postconf_bin} > /dev/null 2>&1; then
|
||||
debug "Postfix detected... reloading"
|
||||
systemctl reload postfix
|
||||
daemon_found_and_running() {
|
||||
test -n "$(pidof master)" && test -n "${postconf_bin}"
|
||||
}
|
||||
config_check() {
|
||||
${postconf_bin} > /dev/null 2>&1
|
||||
}
|
||||
letsencrypt_used() {
|
||||
${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"
|
||||
}
|
||||
main() {
|
||||
if daemon_found_and_running; then
|
||||
if letsencrypt_used; then
|
||||
if config_check; then
|
||||
debug "Postfix detected... reloading"
|
||||
systemctl reload postfix
|
||||
else
|
||||
error "Postfix config is broken, you must fix it !"
|
||||
fi
|
||||
else
|
||||
error "Postfix config is broken, you must fix it !"
|
||||
debug "Postfix doesn't use Let's Encrypt certificate. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Postfix doesn't use Let's Encrypt certificate. Skip."
|
||||
debug "Postfix is not running or missing. Skip."
|
||||
fi
|
||||
else
|
||||
debug "Postfix is not running or missing. Skip."
|
||||
fi
|
||||
}
|
||||
|
||||
readonly PROGNAME=$(basename "$0")
|
||||
readonly VERBOSE=${VERBOSE:-"0"}
|
||||
readonly QUIET=${QUIET:-"0"}
|
||||
|
||||
readonly postconf_bin=$(command -v postconf)
|
||||
|
||||
main
|
||||
|
|
|
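Review bot: `daemon_found_and_running` tests `pidof master`, and `master` is a generic process name, so any unrelated process called `master` makes the hook believe Postfix is running and proceed to `systemctl reload postfix`; `postfix status > /dev/null 2>&1` asks Postfix itself and is more specific. When Postfix is actually stopped, that path ends in a failing `systemctl reload postfix` with no message, because the reload's status is not checked. A short comment on the helper, `# "master" is the Postfix master daemon`, would at least explain the name to the next reader.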
@ -46,5 +46,5 @@
|
|||
|
||||
- name: ACME challenge for HAProxy is installed
|
||||
debug:
|
||||
msg: "ACME challenge configuration for HAProxy should be configured manually"
|
||||
msg: "ACME challenge configuration for HAProxy must be configured manually"
|
||||
when: is_haproxy.stat.exists
|
||||
|
|