improve hooks maintainability

Jérémy Lecour 2019-09-27 14:03:39 +02:00 committed by Jérémy Lecour
parent 44b2480e03
commit 68e6d6cb23
7 changed files with 194 additions and 124 deletions


@ -1,9 +1,5 @@
#!/bin/sh #!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
exit 1 exit 1
@ -13,20 +9,36 @@ debug() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
fi fi
} }
daemon_found_and_running() {
apache2ctl_bin=$(command -v apache2ctl) test -n "$(pidof apache2)" && test -n "${apache2ctl_bin}"
}
if [ -n "$(pidof apache2)" ] && [ -n "${apache2ctl_bin}" ]; then config_check() {
if grep -q -r -E "letsencrypt" /etc/apache2/; then ${apache2ctl_bin} configtest > /dev/null 2>&1
if ${apache2ctl_bin} configtest > /dev/null 2>&1; then }
debug "Apache detected... reloading" letsencrypt_used() {
systemctl reload apache2 grep -q -r -E "letsencrypt" /etc/apache2/
}
main() {
if daemon_found_and_running; then
if letsencrypt_used; then
if config_check; then
debug "Apache detected... reloading"
systemctl reload apache2
else
error "Apache config is broken, you must fix it !"
fi
else else
error "Apache config is broken, you must fix it !" debug "Apache doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Apache doesn't use Let's Encrypt certificate. Skip." debug "Apache is not running or missing. Skip."
fi fi
else }
debug "Apache is not running or missing. Skip."
fi readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly apache2ctl_bin=$(command -v apache2ctl)
main
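Review bot: The exit status of `systemctl reload apache2` in main() is discarded, so a failed reload leaves the hook exiting 0 and Apache serving the old certificate while certbot treats the deploy hook as successful. Since error() already exits non-zero, the reload line should read `systemctl reload apache2 || error "Apache reload failed, the new certificate is not in use"`. The same pattern is repeated in the other reload hooks of this commit; a non-zero hook exit is, as far as can be inferred here, the only signal an operator gets from certbot.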


@ -1,9 +1,5 @@
#!/bin/sh #!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
exit 1 exit 1
@ -13,21 +9,29 @@ debug() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
fi fi
} }
main() {
export GIT_DIR="/etc/.git"
export GIT_WORK_TREE="/etc"
git_bin=$(command -v git) if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
letsencrypt_dir=/etc/letsencrypt changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
export GIT_DIR="/etc/.git"
export GIT_WORK_TREE="/etc"
if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then if [ "${changed_lines}" != "0" ]; then
changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ') debug "Committing for ${RENEWED_DOMAINS}"
${git_bin} add --all ${letsencrypt_dir}
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
${git_bin} commit --message "${message}" --quiet
else
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
fi
fi
}
if [ "${changed_lines}" != "0" ]; then readonly PROGNAME=$(basename "$0")
debug "Committing for ${RENEWED_DOMAINS}" readonly VERBOSE=${VERBOSE:-"0"}
${git_bin} add --all ${letsencrypt_dir} readonly QUIET=${QUIET:-"0"}
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
${git_bin} commit --message "${message}" --quiet readonly git_bin=$(command -v git)
else readonly letsencrypt_dir=/etc/letsencrypt
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
fi main
fi
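Review bot: `git add --all ${letsencrypt_dir}` copies everything under /etc/letsencrypt, including the private keys in archive/, into the object store under `${GIT_DIR}`, yet main() never verifies that /etc/.git is root-owned and not group/world-readable before committing; the hook should fail closed, e.g. `test "$(stat -c %a "${GIT_DIR}")" = "700" || error "${GIT_DIR} must be mode 700, it holds private keys"`. The status of `${git_bin} commit` is also dropped, so a failing commit (no identity configured for root is one plausible cause, inferred rather than visible here) ends the hook with status 0; append `|| error "git commit failed for '${RENEWED_DOMAINS}'"`. Both `${letsencrypt_dir}` expansions are unquoted, harmless for this fixed value but inconsistent with the quoting elsewhere in the script.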


@ -1,9 +1,5 @@
#!/bin/sh #!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
exit 1 exit 1
@ -13,20 +9,36 @@ debug() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
fi fi
} }
daemon_found_and_running() {
doveconf_bin=$(command -v doveconf) test -n "$(pidof dovecot)" && test -n "${doveconf_bin}"
}
if [ -n "$(pidof dovecot)" ] && [ -n "${doveconf_bin}" ]; then config_check() {
if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then ${doveconf_bin} > /dev/null 2>&1
if ${doveconf_bin} > /dev/null 2>&1; then }
debug "Dovecot detected... reloading" letsencrypt_used() {
systemctl reload dovecot ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"
}
main() {
if daemon_found_and_running; then
if letsencrypt_used; then
if config_check; then
debug "Dovecot detected... reloading"
systemctl reload dovecot
else
error "Dovecot config is broken, you must fix it !"
fi
else else
error "Dovecot config is broken, you must fix it !" debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Dovecot doesn't use Let's Encrypt certificate. Skip." debug "Dovecot is not running or missing. Skip."
fi fi
else }
debug "Dovecot is not running or missing. Skip."
fi readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly doveconf_bin=$(command -v doveconf)
main
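Review bot: main() runs letsencrypt_used() before config_check(), and letsencrypt_used() pipes `doveconf` into grep, so when the Dovecot configuration is broken doveconf's failure is swallowed by the pipeline and the hook reports "Dovecot doesn't use Let's Encrypt certificate. Skip." instead of the intended "Dovecot config is broken" error; the Postfix hook in this commit has the same ordering. Swapping the two `if` levels in main() so config_check() is evaluated first gives the right diagnostic and also avoids dumping the configuration twice. Note that `grep -E "^ssl_cert[^_]"` anchors at column 0, so an `ssl_cert` set inside a `local_name` block (printed indented by doveconf, as far as can be inferred) would be missed and no reload issued — worth a comment or a looser anchor.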


@ -1,9 +1,5 @@
#!/bin/sh #!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
exit 1 exit 1
@ -13,45 +9,67 @@ debug() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
fi fi
} }
daemon_found_and_running() {
test -n "$(pidof haproxy)" && test -n "${haproxy_bin}"
}
found_renewed_lineage() {
test -f "${RENEWED_LINEAGE}/fullchain.pem" && test -f "${RENEWED_LINEAGE}/privkey.pem"
}
config_check() {
${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1
}
concat_files() {
# shellcheck disable=SC2174
mkdir --mode=700 --parents "${haproxy_cert_dir}"
chown root: "${haproxy_cert_dir}"
if [ -z "${RENEWED_LINEAGE}" ]; then debug "Concatenating certificate files to ${haproxy_cert_file}"
error "This script must be called only by certbot!" cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
fi chmod 600 "${haproxy_cert_file}"
chown root: "${haproxy_cert_file}"
}
cert_and_key_mismatch() {
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
haproxy_bin=$(command -v haproxy) test "${haproxy_cert_md5}" != "${haproxy_key_md5}"
haproxy_cert_dir="/etc/ssl/haproxy/" }
main() {
if [ -z "${RENEWED_LINEAGE}" ]; then
error "This script must be called only by certbot!"
fi
if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then if daemon_found_and_running; then
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then if found_renewed_lineage; then
haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem"
failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
# shellcheck disable=SC2174 concat_files
mkdir --mode=700 --parents "${haproxy_cert_dir}"
chown root: "${haproxy_cert_dir}"
debug "Concatenating certificate files to ${haproxy_cert_file}" if cert_and_key_mismatch; then
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}" mv "${haproxy_cert_file}" "${failed_cert_file}"
chmod 600 "${haproxy_cert_file}" error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
chown root: "${haproxy_cert_file}" fi
haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5) if config_check; then
haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5) debug "HAProxy detected... reloading"
systemctl reload apache2
if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then else
mv "${haproxy_cert_file}" "${failed_cert_file}" error "HAProxy config is broken, you must fix it !"
error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection" fi
fi
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null 2>&1; then
debug "HAProxy detected... reloading"
systemctl reload apache2
else else
error "HAProxy config is broken, you must fix it !" error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
fi fi
else else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem" debug "HAProxy is not running or missing. Skip."
fi fi
else }
debug "HAProxy is not running or missing. Skip."
fi readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly haproxy_bin=$(command -v haproxy)
readonly haproxy_cert_dir="/etc/ssl/haproxy"
main
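Review bot: main() reloads the wrong service after a successful config check: `systemctl reload apache2` in the HAProxy hook should be `systemctl reload haproxy`, otherwise HAProxy keeps serving the old certificate (and the hook errors out on hosts without Apache). In concat_files() the PEM holding the private key is created by `cat ... > "${haproxy_cert_file}"` under whatever umask certbot runs with and only then `chmod 600`, leaving a window where the key may be readable by others; write it as `( umask 077; cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}" )` so the file is never created permissive. cert_and_key_mismatch() compares moduli with `openssl rsa`, which does not handle an EC private key, so an ECDSA lineage would always be reported as mismatched and moved to /root — inferred from the command, worth a comment or an `openssl pkey -pubout`/`openssl x509 -pubkey` comparison.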


@ -1,9 +1,5 @@
#!/bin/sh #!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
exit 1 exit 1
@ -13,20 +9,36 @@ debug() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
fi fi
} }
daemon_found_and_running() {
nginx_bin=$(command -v nginx) test -n "$(pidof nginx)" && test -n "${nginx_bin}"
}
if [ -n "$(pidof nginx)" ] && [ -n "${nginx_bin}" ]; then config_check() {
if grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled; then ${nginx_bin} -t > /dev/null 2>&1
if ${nginx_bin} -t > /dev/null 2>&1; then }
debug "Nginx detected... reloading" letsencrypt_used() {
systemctl reload nginx grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/sites-enabled
}
main() {
if daemon_found_and_running; then
if letsencrypt_used; then
if config_check; then
debug "Nginx detected... reloading"
systemctl reload nginx
else
error "Nginx config is broken, you must fix it !"
fi
else else
error "Nginx config is broken, you must fix it !" debug "Nginx doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Nginx doesn't use Let's Encrypt certificate. Skip." debug "Nginx is not running or missing. Skip."
fi fi
else }
debug "Nginx is not running or missing. Skip."
fi readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly nginx_bin=$(command -v nginx)
main
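Review bot: letsencrypt_used() greps only `/etc/nginx/sites-enabled`, while the Apache hook in the same commit greps all of `/etc/apache2/`; an `ssl_certificate` directive living in `/etc/nginx/conf.d/` or `nginx.conf` makes this hook skip the reload and leave the old certificate in service. Widening the check to `grep -q --dereference-recursive -E "letsencrypt" /etc/nginx/` is the simplest fix (a match in sites-available only costs a harmless reload once `nginx -t` passes). The exit status of `systemctl reload nginx` is also discarded; use `systemctl reload nginx || error "Nginx reload failed"` so certbot sees the failure.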


@ -1,9 +1,5 @@
#!/bin/sh #!/bin/sh
readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() { error() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
exit 1 exit 1
@ -13,20 +9,36 @@ debug() {
>&2 echo "${PROGNAME}: $1" >&2 echo "${PROGNAME}: $1"
fi fi
} }
daemon_found_and_running() {
postconf_bin=$(command -v postconf) test -n "$(pidof master)" && test -n "${postconf_bin}"
}
if [ -n "$(pidof master)" ] && [ -n "${postconf_bin}" ]; then config_check() {
if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then ${postconf_bin} > /dev/null 2>&1
if ${postconf_bin} > /dev/null 2>&1; then }
debug "Postfix detected... reloading" letsencrypt_used() {
systemctl reload postfix ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"
}
main() {
if daemon_found_and_running; then
if letsencrypt_used; then
if config_check; then
debug "Postfix detected... reloading"
systemctl reload postfix
else
error "Postfix config is broken, you must fix it !"
fi
else else
error "Postfix config is broken, you must fix it !" debug "Postfix doesn't use Let's Encrypt certificate. Skip."
fi fi
else else
debug "Postfix doesn't use Let's Encrypt certificate. Skip." debug "Postfix is not running or missing. Skip."
fi fi
else }
debug "Postfix is not running or missing. Skip."
fi readonly PROGNAME=$(basename "$0")
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
readonly postconf_bin=$(command -v postconf)
main
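Review bot: letsencrypt_used() inspects only `smtpd_tls_cert_file`, so a Let's Encrypt certificate configured through `smtpd_tls_eccert_file` or, on Postfix 3.4 and later, `smtpd_tls_chain_files` would not trigger a reload; widen it to `grep -E "^smtpd_tls_(cert_file|eccert_file|chain_files)"` (which parameters exist depends on the installed Postfix, to be confirmed). daemon_found_and_running() keys on `pidof master`, a basename that is not specific to Postfix; `postfix status > /dev/null 2>&1` is a more precise probe if the installed version supports it. As in the other hooks, the status of `systemctl reload postfix` is discarded; append `|| error "Postfix reload failed"`.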


@ -46,5 +46,5 @@
- name: ACME challenge for HAProxy is installed - name: ACME challenge for HAProxy is installed
debug: debug:
msg: "ACME challenge configuration for HAProxy should be configured manually" msg: "ACME challenge configuration for HAProxy must be configured manually"
when: is_haproxy.stat.exists when: is_haproxy.stat.exists