ansible-collection/roles/common/templates/post-renewal-exec.sh.j2

#!/bin/sh
# Ansible Roles for managing Auengun.net Infrastructure & Testing/Learning.
# Source available at git.auengun.net/homelab/ansible-collection
# Copyright (C) 2023 GregoryDosh
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2023 GregoryDosh
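# Post-renewal hook (rendered by Ansible) for {{ CERT_RENEWAL_SERVICE_NAME }}:
# rebuild the CA bundle from the renewed ACME certificate, optionally
# reload/restart the dependent systemd units, run host-specific extra
# commands, and report the outcome to healthchecks.
#
# Usage: post-renewal-exec.sh [-e]
#   -e  debug mode: trace commands (set -x) and log to stdout with echo
#       instead of to syslog with logger.
# Exit status: 0 on success, otherwise the status of the first failing step.
set +x
if [ "$1" = "-e" ]; then
  set -x
  logger="command echo"
  shift
else
  logger="command logger -t {{ CERT_RENEWAL_SERVICE_NAME }}"
fi
# $logger is expanded unquoted on purpose: it holds a command plus its options.

# Scratch file that collects what the renewal steps write, so the final
# healthchecks ping can carry it as the request body.
HEALTHCHECK_TMP_FILE=$({{ MKTEMP_BIN_ABSOLUTE_PATH }} /tmp/hc_log_{{CERT_RENEWAL_SERVICE_NAME}}.XXXXXX) || {
  $logger "ERROR: unable to create temporary file for healthcheck output"
  exit 1
}
# Unlink the file right away: fd 3 (write) and fd 4 (read) keep it alive and
# the kernel reclaims it when this process ends by any means (crash/close/exit),
# so no path is left behind. Only /proc/$PID/fd/$FD can still reach it.
# https://unix.stackexchange.com/questions/181937/how-create-a-temporary-file-in-shell-script
exec 3>"$HEALTHCHECK_TMP_FILE" # For Writing: echo -n 'Foo' >&3
exec 4<"$HEALTHCHECK_TMP_FILE" # For Reading: cat <&4
rm "$HEALTHCHECK_TMP_FILE"

# Tell healthchecks the run has started. A transport failure yields "000"
# (or nothing at all if curl is missing), which is logged but does not stop
# the renewal.
HC_START_RESPONSE=$({{ CURL_BIN_ABSOLUTE_PATH }} --write-out '%{http_code}' --silent --output /dev/null -m 10 --retry 5 "{{ _hc_ping_url }}/start")
if [ "${HC_START_RESPONSE:-000}" -ne 200 ]; then
  $logger "WARN: Unable to contact healthchecks for status updates."
  $logger "WARN: Check will continue without healthcheck logging."
fi
HEALTHCHECK_CONTENT_HEADER="Content-Type: text/plain"
EXIT_STATUS=0

# Send the final healthchecks ping (URL suffix = EXIT_STATUS, body = everything
# written to fd 3) and terminate with EXIT_STATUS. Every exit path below goes
# through here so a failed step is reported immediately instead of only being
# noticed when the check's grace period expires. --data-raw (not --data) keeps
# curl from treating a body that happens to start with '@' as a file to read.
hc_finish() {
  HC_STOP_RESPONSE=$({{ CURL_BIN_ABSOLUTE_PATH }} --write-out '%{http_code}' --silent --output /dev/null -m 10 --retry 5 --header "${HEALTHCHECK_CONTENT_HEADER}" --data-raw "$(cat <&4)" "{{ _hc_ping_url }}/$EXIT_STATUS")
  if [ "${HC_STOP_RESPONSE:-000}" -ne 200 ]; then
    $logger "WARN: Unable to contact healthchecks for status update."
  fi
  exit "$EXIT_STATUS"
}

# Everything in this group runs with stdout and stderr redirected to fd 3
# (the scratch file), so in -e mode the set -x trace also ends up in the ping
# body. The group is not a subshell: hc_finish's exit ends the whole script.
{% raw %}{{% endraw %}
BUNDLE=$(STEPPATH={{ STEP_PATH }} {{ STEP_BIN_ABSOLUTE_PATH }} certificate bundle --force {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ROOT_CRT }} {{ STEP_CERTS_PATH }}{{ STEP_CERTS_ACME_CRT }} {{ STEP_CERTS_PATH }}{{ STEP_CERTS_BUNDLE_CRT }} 2>&1)
EXIT_STATUS="$?"
if [ "$EXIT_STATUS" -ne 0 ]; then
  $logger "ERROR: unable to bundle: $BUNDLE"
  hc_finish
else
  $logger "INFO: Renewed CA Certificate bundle: {{ STEP_CERTS_PATH }}{{ STEP_CERTS_BUNDLE_CRT }}"
fi
{% if CERT_RENEWAL_RESTART_SYSTEMD_SERVICES -%}
SYSTEMD_RESTART=$({{ SYSTEMCTL_BIN_ABSOLUTE_PATH }} {% if (_systemd_version | int) < 229 %}reload-or-try-restart{% else %}try-reload-or-restart{% endif %} {{ CERT_RENEWAL_RESTART_SYSTEMD_SERVICES | join(' ') }})
EXIT_STATUS="$?"
if [ "$EXIT_STATUS" -ne 0 ]; then
  $logger "ERROR: unable to restart systemd services: $SYSTEMD_RESTART"
  hc_finish
else
  $logger "INFO: Restarted systemd services to pick up changes"
fi
{% endif %}
{% if STEP_CERTS_SYSTEMD_EXTRA_CONFIG -%}
###################################
# Conditional Host Specific Logic #
###################################
{{ STEP_CERTS_SYSTEMD_EXTRA_CONFIG }}
###################################
{% endif -%}
{% raw %}}{% endraw %} 2>&3 1>&3
# The bundle and restart steps report their own failures above; after the
# group EXIT_STATUS only changes if the host-specific commands set it.
if [ "$EXIT_STATUS" -ne 0 ]; then
  $logger "ERROR: user script failure"
fi
hc_finish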