From 5fed2b14a39c20867a0564f075d6e650c5e0c901 Mon Sep 17 00:00:00 2001
From: Andrew Vant
Date: Tue, 5 Dec 2017 19:33:07 -0500
Subject: [PATCH] Add support for renewal hook scripts

---
 README.rst | 16 ++++++++++++++++
 letsencrypt/client/init.sls | 17 +++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/README.rst b/README.rst
index 6105e79..ccf87cb 100644
--- a/README.rst
+++ b/README.rst
@@ -191,6 +191,22 @@ You are able to use multidomain certificates:
 - awk.opensource-expert.com
 - www.awk.opensource-expert.com
+You can add renewal hooks if needed; these can be useful for services that
+don't run as root, to move certs somewhere they can access:
+
+.. code-block:: yaml
+
+ letsencrypt:
+ client:
+ hooks:
+ pre:
+ - salt://path/to/prehook1.sh
+ - salt://path/to/prehook2.sh
+ deploy:
+ - salt://path/to/deployhook1.sh
+ post:
+ - salt://path/to/posthook1.sh
+
 Legacy configuration
 --------------------
diff --git a/letsencrypt/client/init.sls b/letsencrypt/client/init.sls
index 7806e64..fd93af4 100644
--- a/letsencrypt/client/init.sls
+++ b/letsencrypt/client/init.sls
@@ -107,4 +107,21 @@ certbot_cron:
 {%- endif %}
+{%- for hookset, hooks in client.get("hooks", {}).items() %}
+{%- for hook in hooks %}
+{#- FIXME: Should probably complain if something other than
+ pre/post/deploy is given, but I'm not sure how. #}
+
+certbot_renewal_{{ hookset }}_hook_{{ loop.index }}:
+ file.managed:
+ - name: /etc/letsencrypt/renewal-hooks/{{ hookset }}/{{ hook.split("/") | last }}
+ - source: {{ hook }}
+ - template: jinja
+ - mode: 700
+ - require:
+ - cmd: certbot_installed
+
+{%- endfor %}
+{%- endfor %}
+
 {%- endif %}
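Review bot: The `hookset` pillar key is interpolated straight into the destination path on the `- name:` line without validation, so an unknown key such as `posts` silently lands in a directory certbot never reads and a key containing `../` writes outside `/etc/letsencrypt/renewal-hooks` entirely; iterating a fixed list answers the FIXME and removes both cases: `{%- for hookset in ("pre", "deploy", "post") %}` / `{%- for hook in client.get("hooks", {}).get(hookset, []) %}` (Salt's Jinja environment also exposes a `raise()` helper in recent releases, I believe, if failing loudly on an unknown key is preferred). Two hooks in the same set that share a basename collide, since only `hook.split("/") | last` distinguishes their `- name:` targets, and the later `file.managed` state silently overwrites the earlier one with no error. `template: jinja` is applied to every hook unconditionally, so a shell script containing `${#arr[@]}` or a literal `{{` fails to render; consider making templating opt-in per hook or documenting the restriction in README.rst. Nothing removes a hook that is later dropped from the pillar, and certbot keeps executing the stale file as root on every renewal; a `file.directory` with `clean: True` for each hook directory, or at least a note in the README, would close that gap.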