пре 8 година · e8796ecd28
--- a/roles/common/files/etc_cron-monthly_letsencrypt-renew
+++ b/roles/common/files/etc_cron-monthly_letsencrypt-renew
@@ -18,5 +18,8 @@ for c in $(find /etc/letsencrypt/live/ -mindepth 1  -type d); do
 
				
				 done
			
 
				
				 service apache2 start
			
 
				
				 
			
 
				
				-# Services that rely on LE certificates will need restarted.
			
 
				
				-
			
 
				
				+# Services that rely on LE certificates may need restarted and/or other actions.
			
 
				
				+for script in $(find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f); do
			
 
				
				+  echo "Executing ${script}."
			
 
				
				+  $script
			
 
				
				+done
			
--- a/roles/common/tasks/letsencrypt.yml
+++ b/roles/common/tasks/letsencrypt.yml
@@ -17,6 +17,9 @@
 
				
				 - name: Install LetsEncrypt package dependencies
			
 
				
				   command: /root/letsencrypt/letsencrypt-auto --help
			
 
				
				 
			
 
				
				+- name: Create directory for post-renewal scripts
			
 
				
				+  file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root
			
 
				
				+
			
 
				
				 - name: Install crontab entry for LetsEncrypt
			
 
				
				   copy:
			
 
				
				     src=etc_cron-monthly_letsencrypt-renew
			
--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
@@ -24,10 +24,13 @@
 
				
				     creates=/usr/lib/znc/znc.pem
			
 
				
				   notify: restart znc
			
 
				
				 
			
 
				
				-- name: Update certificate renwal cron job
			
 
				
				-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
			
 
				
				-    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem; chown znc.znc /usr/lib/znc/znc.pem; chmod 640 /usr/lib/znc/znc.pem; service znc restart"
			
 
				
				-    insertafter="EOF"
			
 
				
				+- name: Update post-certificate-renewal task
			
 
				
				+  template:
			
 
				
				+    src: etc_letsencrypt_postrenew_znc.sh.j2
			
 
				
				+    dest: /etc/letsencrypt/postrenew/znc.sh
			
 
				
				+    owner: root
			
 
				
				+    group: root
			
 
				
				+    mode: 0755
			
 
				
				 
			
 
				
				 - name: Ensure znc user and group can read cert
			
 
				
				   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640
			
--- a/roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2
+++ b/roles/ircbouncer/templates/etc_letsencrypt_postrenew_znc.sh.j2
@@ -0,0 +1,7 @@
 
				
				+#!/bin/bash
			
 
				
				+# Executed by /etc/cron.monthly/letsencrypt-renew
			
 
				
				+
			
 
				
				+cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem
			
 
				
				+chown znc.znc /usr/lib/znc/znc.pem
			
 
				
				+chmod 640 /usr/lib/znc/znc.pem
			
 
				
				+service znc restart
			
--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -65,7 +65,10 @@
 
				
				     - pop3s
			
 
				
				   tags: ufw
			
 
				
				 
			
 
				
				-- name: Update certificate renwal cron job
			
 
				
				-  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
			
 
				
				-    line="service dovecot restart"
			
 
				
				-    insertafter="EOF"
			
 
				
				+- name: Update post-certificate-renewal task
			
 
				
				+  copy:
			
 
				
				+    content: "#!/bin/bash\n\nservice dovecot restart\n"
			
 
				
				+    dest: /etc/letsencrypt/postrenew/dovecot.sh
			
 
				
				+    mode: 0755
			
 
				
				+    owner: root
			
 
				
				+    group: root