web/acme: refactor certificates deployment

3 files changed, 49 insertions, 14 deletions

diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
index 20e1106..d929cbb 100755
--- a/roles/web/files/acme/acme-client.sh
+++ b/roles/web/files/acme/acme-client.sh
@@ -9,12 +9,16 @@
 #     $ ./acme-client.sh
 # which can be called by periodic(8).
 #
-# This script will be weekly executed in order to renew the certificate(s).
-# See "/etc/periodic.conf".
+# This script will be weekly executed in order to renew the certificate(s)
+# by adding such configurations to "/etc/periodic.conf":
+#     weekly_acme_client_enable="YES"
+#     weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
+#     weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
 #
 # Output files:
-#   * .../etc/acme/privkey.pem : account private key
-#   * .../etc/ssl/acme/private/<domain>.pem : domain private key
+#   * etc/acme/privkey.pem : account private key
+#   * etc/ssl/acme/private/<domain>.pem : domain private key
+#   * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
 #
 # XXX/TODO:
 #   * How to remove/revoke a SAN from the certificate?
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
new file mode 100644
index 0000000..17b571d
--- /dev/null
+++ b/roles/web/files/acme/deploy.d/nginx
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload nginx
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
index 5e5ad4d..7464d02 100755
--- a/roles/web/files/acme/deploy.sh
+++ b/roles/web/files/acme/deploy.sh
@@ -1,22 +1,47 @@
 #!/bin/sh -e
 #
-# Restart the services after renewing the certificate(s) to deploy the
-# changed certificate(s).
-#
-# This script will be weekly executed.  See "/etc/periodic.conf".
+# Deploy the renewed certificate(s) to services.
 #
 # Aaron LI
 #
 
-# Services to be restarted after ACME certificate update
-SERVICES="nginx dovecot postfix"
+reload() {
+    local srv="$1"
+    local rv=0
+    if service ${srv} status >/dev/null 2>&1; then
+        echo "Reloading service ${srv} ..."
+        service ${srv} reload
+        echo "ok"
+    else
+        echo "WARNING: service ${srv} is not running" >&2
+        rv=1
+    fi
+    return ${rv}
+}
+
 
-printf "-------------------------------------------------------------\n"
-for srv in ${SERVICES}; do
+restart() {
+    local srv="$1"
+    local rv=0
     if service ${srv} status >/dev/null 2>&1; then
-        echo "ACME deploy: restarting ${srv} ..."
+        echo "Restarting service ${srv} ..."
         service ${srv} restart
+        echo "ok"
     else
-        echo "ACME deploy: service ${srv} not running"
+        echo "WARNING: service ${srv} is not running" >&2
+        rv=1
+    fi
+    return ${rv}
+}
+
+
+echo "============================================================="
+dir="${0%/*}"
+rv=0
+for f in ${dir}/deploy.d/*; do
+    if [ -f "${f}" ]; then
+        echo "Deploying [${f##*/}] ..."
+        . "${f}" || rv=$?
     fi
 done
+exit ${rv}