deploy ssl-keys after a bunch of random fixups

* use run-parts to run the hooks, instead of embedding everything in
  dehydrated's hook scripts
* add the local hostname to the "domains" file
* no support for ssl cert request through ansible yet
Signed-off-by: Mattia Rizzolo <mattia@debian.org>

playbooks/roadhouse.yml

@@ -14,7 +14,7 @@
         - mattia
         - pietro
 
-#    - role: ssl-keys
+    - role: ssl-keys
 
     - role: nginx
       proxy:

roles/nginx/tasks/proxy.yml

@@ -12,11 +12,8 @@
 
 - name: Request an SSL certificate for the domains
   lineinfile:
-    path: /usr/local/share/ssl-keys/domains
+    path: "{{ ssl_home }}/domains"
     line: "{{ item }}"
     state: present
 
   with_items: "{{ proxy.keys() }}"
-
-  notify:
-    - ssl-keys.request

roles/nginx/tasks/setup.yml

@@ -43,9 +43,9 @@
 
 - name: Add an hook to reload nginx when there are new ssl keys
   template:
-    src: reload-nginx.sh
+    src: reload-nginx
     dest: "{{ ssl_home }}/hooks"
 
     mode: 0755
     owner: root
-    group: ssl-keys
+    group: ssl-cert

roles/ssl-keys/tasks/common.yml

 ---
 
+- apt:
+    name: ssl-cert
+
 - name: Create the ssl-keys user
   user:
     name: ssl-keys
@@ -17,7 +20,7 @@
     state: directory
     mode: 0755
     owner: root
-    group: ssl-cert
+    group: root
 
 - name: Create the ssl_home/hooks directory
   file:
@@ -25,7 +28,7 @@
     state: directory
     mode: 0755
     owner: root
-    group: ssl-keys
+    group: ssl-cert
 
 - name: Create the ssl_home/localcerts directory
   file:
@@ -35,12 +38,15 @@
     owner: ssl-keys
     group: ssl-cert
 
-- name: Ensure the ssl_home/domains file exists
-  file:
-    dest: "{{ ssl_home }}/domains"
-    force: no
+- name: Create the ssl_home/domains file, with the local hostname in it
+  lineinfile:
+    path: "{{ ssl_home }}/domains"
+    create: yes
     owner: root
     group: ssl-cert
+    mode: 0644
+    insertbefore: BOF
+    line: "{{ inventory_hostname }}"
 
 - name: configure sudo so cron can renew certs by itself
   template:

roles/ssl-keys/tasks/letsencrypt.yml

@@ -52,7 +52,7 @@
 - name: Create the acme-challenges directory
   file: path=/var/lib/dehydrated/acme-challenges
         owner=ssl-keys
-        group=ssl-keys
+        group=ssl-cert
         mode=0755
         state=directory
 

roles/ssl-keys/tasks/main.yml

 ---
 
+- set_fact:
+    ssl_home: "{{ ssl_home }}"
+
 - include_tasks: common.yml
 
 - include_tasks: self-signed.yml

roles/ssl-keys/templates/letsencrypt/config

@@ -4,7 +4,7 @@
 
 PRIVATE_KEY_RENEW="no"
 HOOK="/etc/dehydrated/hook.sh"
-CONTACT_EMAIL=" {{ letsencrypt_email }}"
+CONTACT_EMAIL="{{ letsencrypt_email }}"
 
 DOMAINS_TXT = "{{ ssl_home }}/domains"
 CERTDIR = "{{ ssl_home }}/localcerts"

roles/ssl-keys/templates/letsencrypt/hooks.sh

@@ -10,37 +10,10 @@ _log () {
     echo " + ($OP) $*"
 }
 
-reload_apache () {
-    _log "Reloading apache..."
-    sudo apache2ctl graceful
-    # the next cert challenge verification would timeout if attempted right after
-    # not sure what's wrong with it (I observe this behaviour only on magog), so
-    # let's just sleep a bit for now
-    sleep 10
-}
-
-reload_nginx () {
-    _log "Reloading nginx..."
-    sudo service nginx reload
-}
-
-reload_postfix () {
-    _log "Reloading postfix..."
-    sudo service postfix reload
-}
-
-
 case "$OP" in
     deploy_cert)
         DOMAIN="$1"
-{% if local_webserver == 'nginx' %}
-        reload_ngnix
-{% elif local_webserver == 'apache' %}
-        reload_apache
-{% endif %}
-        if [ "${DOMAIN}" = "$(hostname -f)" ]; then
-            reload_postfix
-        fi
+        run-parts --exit-on-error --arg="$DOMAIN" --report -- {{ ssl_home }}/hooks
         ;;
     *)
         ;;