Merge in pull request salt-formulas#20

NixM0nk3y · Aug 3, 2018 · 20673c6 · 20673c6
2 parents 4635aac + 5ac07b9
commit 20673c6
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/README.rst b/README.rst
@@ -191,6 +191,28 @@ You are able to use multidomain certificates:
             - awk.opensource-expert.com
             - www.awk.opensource-expert.com
 
+You can add renewal hooks if needed; these can be useful for services that
+don't run as root, to move certs somewhere they can access:
+
+.. code-block:: yaml
+
+    letsencrypt:
+      client:
+        hooks:
+          pre:
+            - salt://path/to/prehook1.sh
+            - salt://path/to/prehook2.sh
+          deploy:
+            - salt://path/to/deployhook1.sh
+          post:
+            - salt://path/to/posthook1.sh
+        # You can define hooks literally in pillar too
+        pillarhooks:
+          deploy:
+            deployhook1.sh: |
+              #!/bin/bash
+              echo "Triggered deploy hook"
+
 Legacy configuration
 --------------------
 

diff --git a/letsencrypt/client/init.sls b/letsencrypt/client/init.sls
@@ -107,4 +107,32 @@ certbot_cron:
 
 {%- endif %}
 
+{%- for hookset, hooks in client.get("hooks", {}).items() %}
+{%- for hook in hooks %}
+{#- FIXME: Should probably complain if something other than
+    pre/post/deploy is given, but I'm not sure how. #}
+{%- set basename = hook.split("/") | last %}
+certbot_renewal_{{ hookset }}_hook_{{ basename }}:
+  file.managed:
+    - name: /etc/letsencrypt/renewal-hooks/{{ hookset }}/{{ basename }}
+    - source: {{ hook }}
+    - template: jinja
+    - mode: 700
+    - require:
+      - cmd: certbot_installed
+{%- endfor %}
+{%- endfor %}
+
+{%- for hookset, hooks in client.get("pillarhooks", {}).items() %}
+{%- for basename in hooks.keys() %}
+certbot_renewal_{{ hookset }}_phook_{{ loop.index }}:
+  file.managed:
+    - name: /etc/letsencrypt/renewal-hooks/{{ hookset }}/{{ basename }}
+    - contents_pillar: letsencrypt:client:pillarhooks:{{ hookset }}:{{ basename }}
+    - mode: 700
+    - require:
+      - cmd: certbot_installed
+{%- endfor %}
+{%- endfor %}
+
 {%- endif %}