From dae57df8d747bb602ab9ef13007949b43e88df10 Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin
Date: Sun, 31 Mar 2024 12:34:38 +0100
Subject: Migrate to certbot hook scripts

Make hooks usage a bit more generic, to apply hooks for services different from nginx.
---
 roles/certbot/files/certbot.service | 2 +-
 roles/nginx/files/nginx.sh | 3 +++
 roles/nginx/tasks/main.yml | 8 ++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 roles/nginx/files/nginx.sh

diff --git a/roles/certbot/files/certbot.service b/roles/certbot/files/certbot.service
index bea307c..26cf2fd 100644
--- a/roles/certbot/files/certbot.service
+++ b/roles/certbot/files/certbot.service
@@ -3,4 +3,4 @@ Description=Let's Encrypt renewal
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/certbot renew --agree-tos --deploy-hook "systemctl reload nginx"
+ExecStart=/usr/bin/certbot renew --agree-tos
diff --git a/roles/nginx/files/nginx.sh b/roles/nginx/files/nginx.sh
new file mode 100644
index 0000000..ca022f8
--- /dev/null
+++ b/roles/nginx/files/nginx.sh
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+systemctl reload nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index acfb8c1..8c32be3 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -48,3 +48,11 @@
 name: nginx
 enabled: yes
 state: started
+
+- name: Copy nginx certificate renewal hook
+ ansible.builtin.copy:
+ src: files/nginx.sh
+ dest: /etc/letsencrypt/renewal-hooks/deploy/nginx.sh
+ owner: root
+ group: root
+ mode: u+rwx,g+r,o+r
-- 
cgit v1.2.3-70-g09d2
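Review bot: With `--deploy-hook` dropped from `ExecStart`, nothing in the unit records that the nginx reload now depends on whatever executables sit in `/etc/letsencrypt/renewal-hooks/deploy/`, which certbot runs with its own privileges after each successful renewal. A comment above `ExecStart` would make that dependency visible, for example `# Service reloads are done by the scripts in /etc/letsencrypt/renewal-hooks/deploy/`. On a host where the nginx role has not yet installed its hook, a renewal would succeed while nginx keeps serving the old certificate; the role ordering is not visible in this patch, so that is worth confirming.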
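Review bot: The new `nginx.sh` has no header comment saying who runs it or when, and nothing in the file ties it to certbot. A line after the shebang such as `# certbot deploy hook: run after each successful renewal so nginx picks up the new certificate` would cover it. It could also note that the script's exit status is that of `systemctl reload nginx`, and that the reload happens whichever certificate was renewed.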
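Review bot: The `mode: u+rwx,g+r,o+r` on the new copy task only adds permission bits, so any group- or world-write bit already present on `/etc/letsencrypt/renewal-hooks/deploy/nginx.sh` survives the task. Because certbot executes this file during renewal, the mode should be set absolutely, e.g. `mode: "0744"` or `mode: u=rwx,g=r,o=r`, if that is the intended result. The task also assumes the `renewal-hooks/deploy` directory already exists. If the nginx role can run before certbot has created it, the copy will presumably fail, which this patch does not show either way.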