rewrite lego role

roles/lego/templates/renew-hook.sh.j2

@@ -0,0 +1,134 @@
+#!/usr/bin/bash
+
+## Managed by Ansible ##
+
+# Variables set by Ansible
+cert_src_path="{{ lego_cert_dir }}"
+
+# Certificate destination variables (if defined)
+cert_dest_path="{{ lego_certificate_destination.path | default('') }}"
+cert_owner="{{ lego_certificate_destination.owner | default('') }}"
+cert_group="{{ lego_certificate_destination.group | default('') }}"
+
+# Service reload variables (if defined)
+service_name="{{ lego_services_reload.name | default('') }}"
+service_command="{{ lego_services_reload.command | default('') }}"
+
+copy_certificate_files() {
+  local domain="$1"
+  local success=true
+  
+  # Check if destination is defined
+  if [ -z "$cert_dest_path" ]; then
+    echo "No certificate destination defined, skipping copy"
+    return 0
+  fi
+  
+  echo "Copying certificate files for $domain..."
+  echo "Copying to $cert_dest_path..."
+  
+  # Create destination directory if it doesn't exist
+  mkdir -p "$cert_dest_path"
+  
+  # Copy certificate files
+  cp "$cert_src_path/${domain}.crt" "$cert_dest_path/${domain}.crt" || success=false
+  cp "$cert_src_path/${domain}.key" "$cert_dest_path/${domain}.key" || success=false
+  
+  # Copy issuer cert if it exists
+  if [ -f "$cert_src_path/${domain}.issuer.crt" ]; then
+    cp "$cert_src_path/${domain}.issuer.crt" "$cert_dest_path/${domain}.issuer.crt" || success=false
+  fi
+  
+  # Set standard secure permissions
+  # 644 for certificates, 600 for keys
+  chmod 644 "$cert_dest_path/${domain}.crt" || success=false
+  chmod 600 "$cert_dest_path/${domain}.key" || success=false
+  
+  # Set issuer cert permissions if it exists
+  if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
+    chmod 644 "$cert_dest_path/${domain}.issuer.crt" || success=false
+  fi
+  
+  # Set ownership if specified
+  if [ -n "$cert_owner" ] && [ -n "$cert_group" ]; then
+    if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
+      chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" "$cert_dest_path/${domain}.issuer.crt" || success=false
+    else
+      chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" || success=false
+    fi
+  fi
+  
+  if $success; then
+    echo "Certificate files copied successfully"
+    return 0
+  else
+    echo "Error copying certificate files"
+    return 1
+  fi
+}
+
+reload_service() {
+  local domain="$1"
+  local success=true
+  
+  # Check if service reload is defined
+  if [ -z "$service_name" ] && [ -z "$service_command" ]; then
+    echo "No service reload defined, skipping reload"
+    return 0
+  fi
+  
+  echo "Reloading service..."
+  
+  if [ -n "$service_command" ]; then
+    echo "Running command: $service_command"
+    eval "$service_command" || success=false
+  elif [ -n "$service_name" ]; then
+    echo "Reloading $service_name..."
+    systemctl reload "$service_name" || systemctl restart "$service_name" || success=false
+  fi
+  
+  if $success; then
+    echo "Service reloaded successfully"
+    return 0
+  else
+    echo "Error reloading service"
+    return 1
+  fi
+}
+
+# Check if domain is provided as parameter
+if [ $# -lt 1 ]; then
+  echo "Error: Domain parameter is required"
+  echo "Usage: $0 <domain>"
+  exit 1
+fi
+
+# Get domain from parameter
+domain="$1"
+
+# Main execution
+echo "Certificate renewal hook triggered for $domain"
+
+# Call the functions
+copy_certificate_files "$domain"
+copy_result=$?
+
+reload_service "$domain"
+reload_result=$?
+
+# Send webhook notification
+message="$domain certificate was successfully renewed"
+
+if [ -n "$cert_dest_path" ]; then
+  message="${message}, files copied"
+fi
+
+if [ -n "$service_name" ] || [ -n "$service_command" ]; then
+  message="${message}, and service reloaded"
+fi
+
+if [ $copy_result -eq 0 ] && [ $reload_result -eq 0 ]; then
+  echo "$message"
+else
+  echo "$domain certificate was renewed but post-renewal tasks failed"
+fi