Add support for renewal hook scripts #20
Conversation
|
Hrm. Not entirely sure why the CI build failed, or if it has anything to do with my addition. Its log seems to think the letsencrypt state isn't there. |
letsencrypt/client/init.sls
Outdated
|
|
||
| certbot_renewal_{{ hookset }}_hook_{{ loop.index }}: | ||
| file.managed: | ||
| - name: /etc/letsencrypt/renewal-hooks/{{ hookset }}/{{ hook.split("/") | last }} |
There was a problem hiding this comment.
I think you should be able to supply whole scripts in model and not only source on salt filesystem.
There was a problem hiding this comment.
I'm not sure I understand the request. Could you give an example?
There was a problem hiding this comment.
I would suggest using metadata like this:
letsencrypt:
client:
hook:
pre:
# Use salt fileserver
- source: salt://path/to/prehook1.sh
# Or generate file by script as a content
- script: |
#!/bin/bash
echo "Triggered pre-hook"
So you can supply scripts on salt filesystem or pass them directly.
There was a problem hiding this comment.
Putting scripts directly in pillar fills me with fear and loathing, but I don't really have a good argument against supporting it, except perhaps that it would make the state more complicated. I'll see what I can do and then update the PR.
|
Updated with hook literals. I chose a slightly different pillar structure than suggested. I am still not sure why the CI check is failing. |
|
Any further thoughts on this? |
| certbot_renewal_{{ hookset }}_phook_{{ loop.index }}: | ||
| file.managed: | ||
| - name: /etc/letsencrypt/renewal-hooks/{{ hookset }}/{{ basename }} | ||
| - contents_pillar: letsencrypt:client:pillarhooks:{{ hookset }}:{{ basename }} |
There was a problem hiding this comment.
I would prefer structure that I proposed before:
letsencrypt:
client:
hook:
pre:
- source: salt://path/to/prehook1.sh
deploy:
- script: |
#!/bin/bash
echo "blahblah"
There was a problem hiding this comment.
I thought about it, but it seems awkward. First because the jinja logic gets tangled (lists of single-element dictionaries that require different file.managed arguments) and second because the - script notation has no way to specify a filename, so you're stuck with 'script1.sh', etc.
#17 notes that support for renewal hooks would be useful. This manages the directories under /etc/letsencrypt/renewal-hooks.
I find something like this necessary for making certs available to non-root daemons -- in my case ejabberd.