From b0ba70f06ce97db5ed4b0b56f1a291db51302ece Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Wed, 21 Feb 2024 12:27:18 +0100 Subject: [PATCH] certbot: Renewal hook for NRPE --- CHANGELOG.md | 1 + certbot/files/hooks/deploy/nrpe.sh | 44 ++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 certbot/files/hooks/deploy/nrpe.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index fd0d602e..b8c50622 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Added +* certbot: Renewal hook for NRPE * kvm-host: add minifirewall rules if DRBD interface is configured ### Changed diff --git a/certbot/files/hooks/deploy/nrpe.sh b/certbot/files/hooks/deploy/nrpe.sh new file mode 100644 index 00000000..578d6764 --- /dev/null +++ b/certbot/files/hooks/deploy/nrpe.sh 
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+ >&2 echo "${PROGNAME}: $1"
+ exit 1
+}
+debug() {
+ if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+ >&2 echo "${PROGNAME}: $1"
+ fi
+}
+daemon_found_and_running() {
+ test -n "$(pidof nrpe)"
+}
+letsencrypt_lineaged_used() {
+ grep -r "^ssl_cert_file" /etc/nagios/ | grep "letsencrypt" | grep -q "$(basename "${RENEWED_LINEAGE}")"
+}
+copy_letsencrypt_cert() {
+ DEST_CERTIFICATE=$(grep -r "^ssl_cert_file" /etc/nagios/ | awk -F'=' '{print $2}')
+ DEST_PRIVATE_KEY=$(grep -r "^ssl_privatekey_file" /etc/nagios/ | awk -F'=' '{print $2}')
+
+ install --mode 440 --group nagios ${RENEWED_LINEAGE}/fullchain.pem ${DEST_CERTIFICATE}
+ install --mode 440 --group nagios ${RENEWED_LINEAGE}/privkey.pem ${DEST_PRIVATE_KEY}
+}
+main() {
+ if daemon_found_and_running; then
+ if letsencrypt_lineaged_used; then
+ debug "NRPE detected... Copying certificates to the right place & permissions"
+ copy_letsencrypt_cert
+ debug "Restarting NRPE"
+ systemctl restart nagios-nrpe-server
+ else
+ debug "NRPE doesn't use the given Let's Encrypt certificate. Skip."
+ fi
+ else
+ debug "NRPE is not running or missing. Skip."
+ fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+main
\ No newline at end of file
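Review bot: In `copy_letsencrypt_cert` the two destination paths are whatever `grep -r` matches anywhere under /etc/nagios/, and they are expanded unquoted into `install`, so the private key is written to a path that was never checked. If `ssl_privatekey_file` is absent, or either setting is defined in more than one file (a leftover backup copy of the config would be enough), `install` receives no destination or several words and fails. Nothing checks its exit status, so `main` still restarts NRPE, possibly with a new certificate next to the old key. I would resolve each setting to exactly one non-empty value, quote every expansion, and call `error` before the restart when a copy fails, as sketched below.

```shell
# Print the single value of NRPE setting $1; fail when it is missing or
# defined more than once under /etc/nagios/.
nrpe_setting() {
    # Trim blanks around the value: once the expansion is quoted, word
    # splitting no longer removes them.
    values=$(grep -rh "^$1[[:space:]]*=" /etc/nagios/ \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ -z "${values}" ] || [ "$(printf '%s\n' "${values}" | wc -l)" -ne 1 ]; then
        return 1
    fi
    printf '%s\n' "${values}"
}
copy_letsencrypt_cert() {
    DEST_CERTIFICATE=$(nrpe_setting ssl_cert_file) \
        || error "ssl_cert_file must be set exactly once under /etc/nagios/"
    DEST_PRIVATE_KEY=$(nrpe_setting ssl_privatekey_file) \
        || error "ssl_privatekey_file must be set exactly once under /etc/nagios/"

    install --mode 440 --group nagios "${RENEWED_LINEAGE}/fullchain.pem" "${DEST_CERTIFICATE}" \
        || error "could not install certificate to ${DEST_CERTIFICATE}"
    install --mode 440 --group nagios "${RENEWED_LINEAGE}/privkey.pem" "${DEST_PRIVATE_KEY}" \
        || error "could not install private key to ${DEST_PRIVATE_KEY}"
}
# … unchanged: main, readonly declarations …
```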