From 8164566c4f36b3132946411d5514a42ef08ab070 Mon Sep 17 00:00:00 2001
From: Wout van Heeswijk
Date: Fri, 19 Apr 2019 10:30:48 +0200
Subject: [PATCH] create pre and post hooks

* Move 'stop' services to pre-hook and post-hook. This way they will also be stopped and started when renewing.
- remove service stop/start tasks
- add pre-hook/post-hook templates
- add pre-hook/pos-hook template tasks
- create missing directories at first run
- run pre and post hook during first manual run
---
 defaults/main.yml | 6 +++++
 tasks/create-cert-standalone.yml | 41 ++++++++++++++++++++++----------
 templates/start_services.j2 | 15 ++++++++++++
 templates/stop_services.j2 | 15 ++++++++++++
 4 files changed, 64 insertions(+), 13 deletions(-)
 create mode 100644 templates/start_services.j2
 create mode 100644 templates/stop_services.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 3186d8e..0322e0f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -21,6 +21,12 @@ certbot_create_command: >-
   {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
   --email {{ cert_item.email | default(certbot_admin_email) }}
   -d {{ cert_item.domains | join(',') }}
+  {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
+  if certbot_create_standalone_stop_services
+  else '' }}
+  {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
+  if certbot_create_standalone_stop_services
+  else '' }}
 
 certbot_create_standalone_stop_services:
   - nginx
diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml
index 6f25b8a..afd0794 100644
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
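Review bot: The hook paths `/etc/letsencrypt/renewal-hooks/pre/stop_services` and `/etc/letsencrypt/renewal-hooks/post/start_services` are spelled out literally in the two added Jinja conditionals here and again as `dest:` of the template tasks in tasks/create-cert-standalone.yml, so renaming one side silently breaks the other and certbot would then be handed a `--pre-hook` that does not exist. A single default such as `certbot_renewal_hooks_dir: /etc/letsencrypt/renewal-hooks` (name is a suggestion, not from the page) referenced from both the command and the tasks keeps them aligned. It is also worth a comment above the conditionals that, to my knowledge, certbot persists `--pre-hook`/`--post-hook` given to `certonly` into the certificate's renewal configuration, so the hook scripts must exist (or be removed together with that setting) on every later `certbot renew`, not only during this first run.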
@@ -4,20 +4,35 @@
     path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
   register: letsencrypt_cert
 
-- name: Stop services to allow certbot to generate a cert.
-  service:
-    name: "{{ item }}"
-    state: stopped
-  when: not letsencrypt_cert.stat.exists
-  with_items: "{{ certbot_create_standalone_stop_services }}"
+- name: create pre and post hook folders because those don't exist yet on a fresh install
+  file:
+    path: /etc/letsencrypt/renewal-hooks/{{ item }}
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+  with_items:
+    - pre
+    - post
+
+- name: Create pre hook to stop services
+  template:
+    src: stop_services.j2
+    dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
+    owner: root
+    group: root
+    mode: 0750
+  when: certbot_create_standalone_stop_services is defined and certbot_create_standalone_stop_services
+
+- name: create post hook to start services
+  template:
+    src: start_services.j2
+    dest: /etc/letsencrypt/renewal-hooks/post/start_services
+    owner: root
+    group: root
+    mode: 0750
+  when: certbot_create_standalone_stop_services is defined and certbot_create_standalone_stop_services
 
 - name: Generate new certificate if one doesn't exist.
   command: "{{ certbot_create_command }}"
   when: not letsencrypt_cert.stat.exists
-
-- name: Start services after cert has been generated.
-  service:
-    name: "{{ item }}"
-    state: started
-  when: not letsencrypt_cert.stat.exists
-  with_items: "{{ certbot_create_standalone_stop_services }}"
diff --git a/templates/start_services.j2 b/templates/start_services.j2
new file mode 100644
index 0000000..ff1a21d
--- /dev/null
+++ b/templates/start_services.j2
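Review bot: Both `template:` tasks are guarded by `when: certbot_create_standalone_stop_services is defined and certbot_create_standalone_stop_services`, but nothing removes the rendered scripts when the list is later emptied, so a stale stop_services keeps stopping whatever services it was rendered with on every renewal (and, to my knowledge, certbot's saved renewal config keeps pointing `--pre-hook` at it). Adding the inverse case with `state: absent`, as below, makes the hooks on disk track the variable in both directions. The `is defined` half of the condition is redundant once the role's defaults define the list, though harmless. Separately, `mode: 0755` and `mode: 0750` are unquoted leading-zero literals; `mode: "0755"` / `mode: "0750"` is the form ansible-lint expects and avoids the YAML 1.1 octal ambiguity.
```yaml
# … unchanged: directory task and the two template tasks above …

- name: Remove service hooks when no services are configured
  file:
    path: "/etc/letsencrypt/renewal-hooks/{{ item }}"
    state: absent
  with_items:
    - pre/stop_services
    - post/start_services
  when: certbot_create_standalone_stop_services is not defined or not certbot_create_standalone_stop_services
```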
@@ -0,0 +1,15 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+{% for item in certbot_create_standalone_stop_services %}
+echo "starting service {{ item }}"
+{% if ansible_service_mgr == 'systemd' %}
+systemctl start {{ item }}
+{% elif ansible_service_mgr == 'upstart' %}
+initctl start {{ item }}
+{% elif ansible_service_mgr == 'openrc' %}
+rc-service {{ item }} start
+{% else %}
+service {{ item }} start
+{% endif %}
+{% endfor %}
diff --git a/templates/stop_services.j2 b/templates/stop_services.j2
new file mode 100644
index 0000000..f087768
--- /dev/null
+++ b/templates/stop_services.j2
@@ -0,0 +1,15 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+{% for item in certbot_create_standalone_stop_services %}
+echo "stopping service {{ item }}"
+{% if ansible_service_mgr == 'systemd' %}
+systemctl stop {{ item }}
+{% elif ansible_service_mgr == 'upstart' %}
+initctl stop {{ item }}
+{% elif ansible_service_mgr == 'openrc' %}
+rc-service {{ item }} stop
+{% else %}
+service {{ item }} stop
+{% endif %}
+{% endfor %}
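Review bot: `{{ item }}` is interpolated unquoted into root-executed shell lines such as `systemctl start {{ item }}`, so a service name containing whitespace or shell metacharacters is word-split or interpreted instead of being passed as one argument; every command line of stop_services.j2 has the same shape. Render each branch as `systemctl start "{{ item }}"` (or `{{ item | quote }}`) in both templates. The values come from the role's own variable, so this is hardening rather than an exposed path, but the scripts run unattended from certbot's renewal timer where a quiet misparse is hard to notice. If facts are not gathered, `ansible_service_mgr` is undefined and the render fails at the first `{% if %}`; that is worth a sentence in the role documentation.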
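Review bot: A service that fails to stop (an unknown unit name, for instance) leaves this script exiting 0 because there is no `set -e` after the shebang and no status check on the stop commands, so certbot proceeds to the standalone challenge with the port still held and the real cause surfaces only as an opaque bind failure. Adding `set -e` as the second line (or recording each stop command's status and exiting non-zero at the end) makes the stop failure the reported error; as far as I recall certbot logs a non-zero hook exit rather than aborting, so this does not change renewal behaviour otherwise. The same line would suit start_services.j2.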