roles/cert: Add handler topic notification

Changing/renewing a certificate generally requires restarting or reloading some service. Since the *cert* role is intended to be generic and reusable, it naturally does not know what action to take to effect the change. It works well for the initial deployment of a new application, since the service is reloaded anyway in order for the new configuration to be applied. It fails, however, for continuous enforcement, when a certificate is renewed automatically (i.e. by `lego`) but no other changes are being made. This has caused a number of disruptions when some certificate expires and its replacement is available but has not yet been loaded. To address this issue, I have added a handler "topic" notification to the *certs* role. When either the certificate or private key file is replaced, the relevant task will "notify" a generic handler "topic." This allows some other role to define a specific handler, which "listens" for these notifications, and takes the appropriate action for its respective service. For this mechanism to work, though, the *cert* role can only be used as a dependency of another role. That role must define the handler and configure it to listen to the generic "certificate changed" topic. As such, each of the roles that are associated with a certificate deployed by the *cert* role now declare it as a dependency, and the top-level playbooks only include those roles.
2020-12-26 10:38:17 -06:00 · 2020-12-26 10:38:17 -06:00 · d1cdc8bfc3
parent 8a18c92730
commit d1cdc8bfc3
9 changed files with 42 additions and 32 deletions
--- a/nextcloud.yml
+++ b/nextcloud.yml
@ -2,10 +2,5 @@
  vars_files:
  - vault/nextcloud
  roles:
-  - role: cert
-    cert_src: lego/_.pyrocufflink.net.crt
-    cert_dest: '{{ apache_ssl_certificate }}'
-    cert_key_src: lego/_.pyrocufflink.net.key
-    cert_key_dest: '{{ apache_ssl_certificate_key }}'
  - apache
  - nextcloud
--- a/roles/cert/tasks/main.yml
+++ b/roles/cert/tasks/main.yml
@ -3,10 +3,12 @@
    src: certs/{{ cert_src }}
    dest: '{{ cert_dest }}'
    mode: '{{ cert_mode|d("0644") }}'
+  notify: certificate changed
 - name: ensure server private key is installed
  copy:
    src: certs/{{ cert_key_src }}
    dest: '{{ cert_key_dest }}'
    mode: '{{ cert_key_mode|d("0600") }}'
  diff: false
+  notify: certificate changed
  when: cert_key_src is defined
--- a/roles/nextcloud/handlers/main.yml
+++ b/roles/nextcloud/handlers/main.yml
@ -2,6 +2,7 @@
  service:
    name: httpd
    state: reloaded
+  listen: certificate changed
 - name: upgrade nextcloud
  become: true
  become_user: apache
--- a/roles/nextcloud/meta/main.yml
+++ b/roles/nextcloud/meta/main.yml
@ -0,0 +1,9 @@
+dependencies:
+- role: cert
+  vars:
+    cert_src: lego/_.pyrocufflink.net.crt
+    cert_dest: '{{ apache_ssl_certificate }}'
+    cert_key_src: lego/_.pyrocufflink.net.key
+    cert_key_dest: '{{ apache_ssl_certificate_key }}'
+  tags:
+  - nextcloud
--- a/roles/websites/chmod777.sh/meta/main.yml
+++ b/roles/websites/chmod777.sh/meta/main.yml
@ -0,0 +1,9 @@
+dependencies:
+- role: cert
+  vars:
+    cert_src: websites/chmod777.sh.cer
+    cert_dest: /etc/pki/tls/certs/chmod777.sh.cer
+    cert_key_src: websites/chmod777.sh.key
+    cert_key_dest: /etc/pki/tls/private/chmod777.sh.key
+  tags:
+  - websites/chmod777.sh
--- a/roles/websites/darkchestofwonders.us/meta/main.yml
+++ b/roles/websites/darkchestofwonders.us/meta/main.yml
@ -0,0 +1,9 @@
+dependencies:
+- role: cert
+  vars:
+    cert_src: websites/darkchestofwonders.us.cer
+    cert_dest: /etc/pki/tls/certs/darkchestofwonders.us.cer
+    cert_key_src: websites/darkchestofwonders.us.key
+    cert_key_dest: /etc/pki/tls/private/darkchestofwonders.us.key
+  tags:
+  - websites/darkchestofwonders.us
--- a/roles/websites/pyrocufflink.net/handlers/main.yml
+++ b/roles/websites/pyrocufflink.net/handlers/main.yml
@ -1,4 +1,5 @@
 - name: reload httpd
  service:
-    name=httpd
-    state=reloaded
+    name: httpd
+    state: reloaded
+  listen: certificate changed
--- a/roles/websites/pyrocufflink.net/meta/main.yml
+++ b/roles/websites/pyrocufflink.net/meta/main.yml
@ -0,0 +1,9 @@
+dependencies:
+- role: cert
+  vars:
+    cert_src: websites/pyrocufflink.net.cer
+    cert_dest: /etc/pki/tls/certs/pyrocufflink.net.cer
+    cert_key_src: websites/pyrocufflink.net.key
+    cert_key_dest: /etc/pki/tls/private/pyrocufflink.net.key
+  tags:
+  - websites/pyrocufflink.net
--- a/websites.yml
+++ b/websites.yml
@ -3,20 +3,6 @@
    apache_default_ssl_vhost: false
  roles:
  - apache
-  - role: cert
-    vars:
-      cert_src: websites/pyrocufflink.net.cer
-      cert_dest: /etc/pki/tls/certs/pyrocufflink.net.cer
-      cert_key_src: websites/pyrocufflink.net.key
-      cert_key_dest: /etc/pki/tls/private/pyrocufflink.net.key
-    tags:
-    - websites/pyrocufflink.net
-    - websites/proxy
-    - websites/proxy-bitwarden
-    - websites/proxy-gitea
-    - websites/proxy-jenkins
-    - websites/proxy-nextcloud
-    - websites/proxy-openvpn
  - role: websites/pyrocufflink.net
    tags: websites/pyrocufflink.net
  - role: websites/dustin.hatch.name
@ -25,19 +11,8 @@
    tags: websites/ebonfire.com
  - role: websites/nratonpass.com
    tags: websites/nratonpass.com
-  - role: cert
-    cert_src: websites/darkchestofwonders.us.cer
-    cert_dest: /etc/pki/tls/certs/darkchestofwonders.us.cer
-    cert_key_src: websites/darkchestofwonders.us.key
-    cert_key_dest: /etc/pki/tls/private/darkchestofwonders.us.key
  - role: websites/darkchestofwonders.us
    tags: websites/darkchestofwonders.us
-  - role: cert
-    cert_src: websites/chmod777.sh.cer
-    cert_dest: /etc/pki/tls/certs/chmod777.sh.cer
-    cert_key_src: websites/chmod777.sh.key
-    cert_key_dest: /etc/pki/tls/private/chmod777.sh.key
-    tags: websites/chmod777.sh
  - role: websites/chmod777.sh
    tags: websites/chmod777.sh
  - role: websites/proxy-bitwarden