add hook support

defaults/main.yml

@@ -10,9 +10,17 @@ lego_key_type: "ec256"
 
 # @var lego_certificates:example:
 # lego_certificates:
-#   - domains:
+#   - name: example
+#     domains:
 #       - example.com
 #       - www.example.com
+#     hook: |
+#       #!/bin/env bash
+
+#       install -m 0640 "$LEGO_CERT_PATH" /etc/pki/tls/certs/ucs.pem
+#       install -m 0600 "$LEGO_CERT_KEY_PATH" /etc/pki/tls/private/ucs.pem
+
+#       systemctl reload apache2.service
 #     skip_create: False
 # @end
 lego_certificates: []

tasks/main.yml

@@ -25,13 +25,27 @@
     mode: "0700"
     recurse: True
 
+- name: Create hook scripts
+  ansible.builtin.copy:
+    content: "{{ item.hook }}"
+    dest: "{{ __lego_base_dir }}/bin/hook-{{ item.name }}.sh"
+    owner: root
+    group: root
+    mode: "0600"
+  when: item.hook is defined
+  loop: "{{ lego_certificates }}"
+  loop_control:
+    label: "{{ item.name }}"
+
 - name: Obtain certificates for domains
   ansible.builtin.command: >-
-    {{ __lego_bin_file }} run
+    {{ __lego_bin_file }}
     --email="{{ lego_acme_account_email }}"
     --domains {{ " --domains ".join(item.domains) }}
     --key-type="{{ lego_key_type }}"
     --dns="cloudflare"
+    run
+    {{ '--run-hook="{{ __lego_base_dir }}/bin/hook-{{ item.name }}.sh"' if item.hook is defined else '' }}
   args:
     creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt"
   environment:
@@ -41,19 +55,19 @@
   when: not item.skip_create | default(False) | bool
   loop: "{{ lego_certificates }}"
   loop_control:
-    label: "{{ item.domains[0] }}"
+    label: "{{ item.name }}"
 
 - name: Add cron scipt to renew certificates
   ansible.builtin.template:
-    dest: "{{ __lego_base_dir }}/bin/cron_lego_renew.sh"
+    dest: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh"
     mode: "0755"
-    src: cron_lego_renew.sh.j2
+    src: cron-lego-renew.sh.j2
 
 - name: Add cron job to renew certificates
   ansible.builtin.cron:
     name: "lego-renew"
     cron_file: "lego-renew"
-    job: "{{ __lego_base_dir }}/bin/cron_lego_renew.sh >> {{ __lego_base_dir }}/cron_lego_renew.log 2>&1"
+    job: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh >> {{ __lego_base_dir }}/cron_lego_renew.log 2>&1"
     hour: "{{ lego_cron_hour }}"
     minute: "{{ lego_cron_minute }}"
     user: root

templates/cron-lego-renew.sh.j2

@@ -8,6 +8,6 @@ export CLOUDFLARE_API_TOKEN="{{ lego_cloudflare_api_token }}"
 
 {% for cert in lego_certificates %}
 echo "$(date) checking for cert update for {{ ', '.join(cert.domains) }}."
-{{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" renew --days 30
+{{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" renew {{ '--run-hook="hook-{{ item.name }}.sh"' if item.hook is defined else '' }} --days 30
 
 {% endfor %}