Merge pull request #405 from bastelfreak/cleanup

(#396) Add support for adding hooks after cert creation

Author: bastelfreak

manifests/certonly.pp

@@ -257,6 +257,10 @@
     }
   }
 
+  # certbot uses --cert-name to generate the file path
+  $live_path_certname = regsubst($cert_name, '^\*\.', '')
+  $live_path = "${config_dir}/live/${live_path_certname}/cert.pem"
+
   $hook_args = ['pre', 'post', 'deploy'].map | String $type | {
     $commands = getvar("${type}_hook_commands")
     if (!empty($commands)) {
@@ -267,17 +271,27 @@
         commands  => $commands,
         before    => Exec["letsencrypt certonly ${title}"],
       }
+      # if ensure is set to present, ensure that the hooks exist in the config file for the domain
+      # this has to happen after the exec, because `certbot certonly` creates the initial config file
+      # certbot won't update the config. But an update is required if new hooks are added afterwards
+      #
+      # we cannot add it to letsencrypt::hook because the defined resource runs before the Exec, not afterwards
+      ini_setting { "${title}-${type}":
+        ensure  => $ensure,
+        path    => "${config_dir}/renewal/${live_path_certname}.conf",
+        section => 'renewalparams',
+        setting => "${type}_hook",
+        value   => $hook_file,
+        require => Exec["letsencrypt certonly ${title}"],
+      }
+
       "--${type}-hook \"${hook_file}\""
     }
     else {
       undef
     }
   }
 
-  # certbot uses --cert-name to generate the file path
-  $live_path_certname = regsubst($cert_name, '^\*\.', '')
-  $live_path = "${config_dir}/live/${live_path_certname}/cert.pem"
-
   $_command = flatten(
     [
       $letsencrypt_command,

spec/defines/letsencrypt_certonly_spec.rb

@@ -285,6 +285,7 @@ class { 'letsencrypt::plugin::dns_linode':
           it do
             is_expected.to compile.with_all_deps
             is_expected.to contain_letsencrypt__hook('foo.example.com-pre').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/foo.example.com-pre.sh')
+            is_expected.to contain_ini_setting('foo.example.com-pre')
           end
         end
 
@@ -295,6 +296,7 @@ class { 'letsencrypt::plugin::dns_linode':
           it do
             is_expected.to compile.with_all_deps
             is_expected.to contain_letsencrypt__hook('*.example.com-pre').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/example.com-pre.sh')
+            is_expected.to contain_ini_setting('*.example.com-pre')
           end
         end
 
@@ -305,6 +307,7 @@ class { 'letsencrypt::plugin::dns_linode':
           it do
             is_expected.to compile.with_all_deps
             is_expected.to contain_letsencrypt__hook('foo.example.com-post').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/foo.example.com-post.sh')
+            is_expected.to contain_ini_setting('foo.example.com-post')
           end
         end
 
@@ -315,6 +318,7 @@ class { 'letsencrypt::plugin::dns_linode':
           it do
             is_expected.to compile.with_all_deps
             is_expected.to contain_letsencrypt__hook('foo.example.com-deploy').with_hook_file('/etc/letsencrypt/renewal-hooks-puppet/foo.example.com-deploy.sh')
+            is_expected.to contain_ini_setting('foo.example.com-deploy')
           end
         end
       end
@@ -566,6 +570,9 @@ class { 'letsencrypt::plugin::dns_linode':
         it { is_expected.to contain_letsencrypt__hook('foo.example.com-pre') }
         it { is_expected.to contain_letsencrypt__hook('foo.example.com-post') }
         it { is_expected.to contain_letsencrypt__hook('foo.example.com-deploy') }
+        it { is_expected.to contain_ini_setting('foo.example.com-pre') }
+        it { is_expected.to contain_ini_setting('foo.example.com-post') }
+        it { is_expected.to contain_ini_setting('foo.example.com-deploy') }
         it { is_expected.to have_letsencrypt__hook_resource_count(3) }
       end
     end