From d1cdc8bfc3d81d45d4f3f2f2e3dc295f4dd5c522 Mon Sep 17 00:00:00 2001 
From: "Dustin C. Hatch" Date: Sat, 26 Dec 2020 10:38:17 -0600 Subject: [PATCH] roles/cert: Add handler topic notification Changing/renewing a certificate generally requires restarting or reloading some service. Since the *cert* role is intended to be generic and reusable, it naturally does not know what action to take to effect the change. It works well for the initial deployment of a new application, since the service is reloaded anyway in order for the new configuration to be applied. It fails, however, for continuous enforcement, when a certificate is renewed automatically (i.e. by `lego`) but no other changes are being made. This has caused a number of disruptions when some certificate expires and its replacement is available but has not yet been loaded. To address this issue, I have added a handler "topic" notification to the *cert* role. When either the certificate or private key file is replaced, the relevant task will "notify" a generic handler "topic." This allows some other role to define a specific handler, which "listens" for these notifications, and takes the appropriate action for its respective service. For this mechanism to work, though, the *cert* role can only be used as a dependency of another role. That role must define the handler and configure it to listen to the generic "certificate changed" topic. As such, each of the roles that are associated with a certificate deployed by the *cert* role now declare it as a dependency, and the top-level playbooks only include those roles.
--- nextcloud.yml | 5 ---- roles/cert/tasks/main.yml | 2 ++ roles/nextcloud/handlers/main.yml | 1 + roles/nextcloud/meta/main.yml | 9 +++++++ roles/websites/chmod777.sh/meta/main.yml | 9 +++++++ .../darkchestofwonders.us/meta/main.yml | 9 +++++++ .../pyrocufflink.net/handlers/main.yml | 5 ++-- roles/websites/pyrocufflink.net/meta/main.yml | 9 +++++++ websites.yml | 25 ------------------- 9 files changed, 42 insertions(+), 32 deletions(-) create mode 100644 roles/nextcloud/meta/main.yml create mode 100644 roles/websites/chmod777.sh/meta/main.yml create mode 100644 roles/websites/darkchestofwonders.us/meta/main.yml create mode 100644 roles/websites/pyrocufflink.net/meta/main.yml diff --git a/nextcloud.yml b/nextcloud.yml index 24c2783..0f6739a 100644 --- a/nextcloud.yml +++ b/nextcloud.yml @@ -2,10 +2,5 @@ vars_files: - vault/nextcloud roles: - - role: cert - cert_src: lego/_.pyrocufflink.net.crt - cert_dest: '{{ apache_ssl_certificate }}' - cert_key_src: lego/_.pyrocufflink.net.key - cert_key_dest: '{{ apache_ssl_certificate_key }}' - apache - nextcloud diff --git a/roles/cert/tasks/main.yml b/roles/cert/tasks/main.yml index 36d0ae8..491e1ce 100644 --- a/roles/cert/tasks/main.yml +++ b/roles/cert/tasks/main.yml @@ -3,10 +3,12 @@ src: certs/{{ cert_src }} dest: '{{ cert_dest }}' mode: '{{ cert_mode|d("0644") }}' + notify: certificate changed - name: ensure server private key is installed copy: src: certs/{{ cert_key_src }} dest: '{{ cert_key_dest }}' mode: '{{ cert_key_mode|d("0600") }}' diff: false + notify: certificate changed when: cert_key_src is defined diff --git a/roles/nextcloud/handlers/main.yml b/roles/nextcloud/handlers/main.yml index fe3d91d..89f5421 100644 --- a/roles/nextcloud/handlers/main.yml +++ b/roles/nextcloud/handlers/main.yml @@ -2,6 +2,7 @@ service: name: httpd state: reloaded + listen: certificate changed - name: upgrade nextcloud become: true become_user: apache 
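Review bot: The two added `notify: certificate changed` lines in roles/cert/tasks/main.yml make the role unusable unless some role in the same play defines a handler with a matching `listen:`, but nothing in the tasks file states that requirement; as far as I know Ansible treats a notify with no matching handler as a hard error the moment the copy task reports changed, so any playbook that still applies `role: cert` directly will fail on its first certificate change rather than at parse time. A header comment on the task list would make the contract visible to the next author, e.g. `# Consumers must define a handler with "listen: certificate changed"; a notify with no listener aborts the play.` Separately, a notified handler is discarded when a later task in the play fails, so a renewed certificate and key can be written to disk and never loaded until some unrelated change re-triggers the topic, which is the same class of outage this commit is fixing; the plays that include these roles should set `force_handlers: true` (or `force_handlers = True` under `[defaults]` in ansible.cfg) to close that gap. The task list starts above the hunk.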
diff --git a/roles/nextcloud/meta/main.yml b/roles/nextcloud/meta/main.yml new file mode 100644 index 0000000..40484c6 --- /dev/null +++ b/roles/nextcloud/meta/main.yml @@ -0,0 +1,9 @@ +dependencies: +- role: cert + vars: + cert_src: lego/_.pyrocufflink.net.crt + cert_dest: '{{ apache_ssl_certificate }}' + cert_key_src: lego/_.pyrocufflink.net.key + cert_key_dest: '{{ apache_ssl_certificate_key }}' + tags: + - nextcloud \ No newline at end of file diff --git a/roles/websites/chmod777.sh/meta/main.yml b/roles/websites/chmod777.sh/meta/main.yml new file mode 100644 index 0000000..23a3cf9 --- /dev/null +++ b/roles/websites/chmod777.sh/meta/main.yml @@ -0,0 +1,9 @@ +dependencies: +- role: cert + vars: + cert_src: websites/chmod777.sh.cer + cert_dest: /etc/pki/tls/certs/chmod777.sh.cer + cert_key_src: websites/chmod777.sh.key + cert_key_dest: /etc/pki/tls/private/chmod777.sh.key + tags: + - websites/chmod777.sh \ No newline at end of file diff --git a/roles/websites/darkchestofwonders.us/meta/main.yml b/roles/websites/darkchestofwonders.us/meta/main.yml new file mode 100644 index 0000000..ffa06dc --- /dev/null +++ b/roles/websites/darkchestofwonders.us/meta/main.yml @@ -0,0 +1,9 @@ +dependencies: +- role: cert + vars: + cert_src: websites/darkchestofwonders.us.cer + cert_dest: /etc/pki/tls/certs/darkchestofwonders.us.cer + cert_key_src: websites/darkchestofwonders.us.key + cert_key_dest: /etc/pki/tls/private/darkchestofwonders.us.key + tags: + - websites/darkchestofwonders.us \ No newline at end of file diff --git a/roles/websites/pyrocufflink.net/handlers/main.yml b/roles/websites/pyrocufflink.net/handlers/main.yml index 09fd3c8..acae895 100644 --- a/roles/websites/pyrocufflink.net/handlers/main.yml +++ b/roles/websites/pyrocufflink.net/handlers/main.yml @@ -1,4 +1,5 @@ - name: reload httpd service: - name=httpd - state=reloaded + name: httpd + state: reloaded + listen: certificate changed 
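Review bot: All four new meta/main.yml files end without a trailing newline (`\ No newline at end of file` on roles/nextcloud, roles/websites/chmod777.sh, roles/websites/darkchestofwonders.us and roles/websites/pyrocufflink.net); add the final newline so yamllint's `new-line-at-end-of-file` check passes and the next edit to these files does not show a spurious change on the last line. In roles/nextcloud/meta/main.yml, `cert_dest` and `cert_key_dest` resolve `apache_ssl_certificate` and `apache_ssl_certificate_key`, which nothing in the nextcloud role visible here defines; this presumably works because `apache` precedes `nextcloud` in nextcloud.yml and its variables are in scope for the play, but the dependency should record that assumption, e.g. `# destination paths come from the apache role's variables; apache must be applied in the same play`.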
diff --git a/roles/websites/pyrocufflink.net/meta/main.yml b/roles/websites/pyrocufflink.net/meta/main.yml new file mode 100644 index 0000000..94c0a30 --- /dev/null +++ b/roles/websites/pyrocufflink.net/meta/main.yml @@ -0,0 +1,9 @@ +dependencies: +- role: cert + vars: + cert_src: websites/pyrocufflink.net.cer + cert_dest: /etc/pki/tls/certs/pyrocufflink.net.cer + cert_key_src: websites/pyrocufflink.net.key + cert_key_dest: /etc/pki/tls/private/pyrocufflink.net.key + tags: + - websites/pyrocufflink.net \ No newline at end of file diff --git a/websites.yml b/websites.yml index be89b63..542853a 100644 --- a/websites.yml +++ b/websites.yml @@ -3,20 +3,6 @@ apache_default_ssl_vhost: false roles: - apache - - role: cert - vars: - cert_src: websites/pyrocufflink.net.cer - cert_dest: /etc/pki/tls/certs/pyrocufflink.net.cer - cert_key_src: websites/pyrocufflink.net.key - cert_key_dest: /etc/pki/tls/private/pyrocufflink.net.key - tags: - - websites/pyrocufflink.net - - websites/proxy - - websites/proxy-bitwarden - - websites/proxy-gitea - - websites/proxy-jenkins - - websites/proxy-nextcloud - - websites/proxy-openvpn - role: websites/pyrocufflink.net tags: websites/pyrocufflink.net - role: websites/dustin.hatch.name @@ -25,19 +11,8 @@ tags: websites/ebonfire.com - role: websites/nratonpass.com tags: websites/nratonpass.com - - role: cert - cert_src: websites/darkchestofwonders.us.cer - cert_dest: /etc/pki/tls/certs/darkchestofwonders.us.cer - cert_key_src: websites/darkchestofwonders.us.key - cert_key_dest: /etc/pki/tls/private/darkchestofwonders.us.key - role: websites/darkchestofwonders.us tags: websites/darkchestofwonders.us - - role: cert - cert_src: websites/chmod777.sh.cer - cert_dest: /etc/pki/tls/certs/chmod777.sh.cer - cert_key_src: websites/chmod777.sh.key - cert_key_dest: /etc/pki/tls/private/chmod777.sh.key - tags: websites/chmod777.sh - role: websites/chmod777.sh tags: websites/chmod777.sh - role: websites/proxy-bitwarden
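Review bot: The new roles/websites/pyrocufflink.net/meta/main.yml tags the cert dependency only with `websites/pyrocufflink.net`, while the block removed from websites.yml in the same patch tagged that certificate with six additional `websites/proxy*` tags, presumably because those proxy vhosts are served under the same certificate; none of the proxy roles gains a cert dependency in this commit (the diffstat lists no proxy meta files), so a run such as `--tags websites/proxy-gitea` will no longer install or renew pyrocufflink.net.cer, and a `certificate changed` notification can no longer reach a reload on that path. Either restore the removed tags on the dependency as below, or give each proxy role its own cert dependency with a listening handler; the former keeps a single copy of the certificate paths.

```yaml
- role: cert
  # … unchanged: vars (cert_src, cert_dest, cert_key_src, cert_key_dest) …
  tags:
  - websites/pyrocufflink.net
  - websites/proxy
  - websites/proxy-bitwarden
  - websites/proxy-gitea
  - websites/proxy-jenkins
  - websites/proxy-nextcloud
  - websites/proxy-openvpn
```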