letsencrypt-fix-deployhooks.yml
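---
# Fixes certbot renewal config files so that each one carries a deploy_hook
# matching its authenticator (apache, nginx, standalone, webroot).
# Override letsencrypt_deployhook in host_vars/group_vars to choose the hook
# command; letsencrypt_pre_hook / letsencrypt_post_hook are optional extras.
- hosts: all
  gather_facts: false
  become: true
  vars:
    # Fallback hook commands used by the apache/nginx tasks in the loop file
    # when letsencrypt_deployhook is not defined.
    apache_deployhook: "systemctl restart apache2"
    nginx_deployhook: "systemctl restart nginx"
    # NOTE(review): these two are not referenced by the loop tasks included
    # below; they may be consumed elsewhere — verify before removing.
    standalone_servicename: "{{ letsencrypt_deployhook }}"
    webroot_servicename: "{{ letsencrypt_deployhook }}"
    # To override per host/group (host_vars/group_vars):
    # letsencrypt_deployhook: ''
  tasks:
    # Task name fixed: the previous one was copied from the find-module docs
    # and did not describe what the task does.
    - name: Find certbot renewal config files
      ansible.builtin.find:
        paths: /etc/letsencrypt/renewal
        file_type: file
        patterns: '*.conf'
      # filelist.files holds one dict per matching file; item.path is used
      # by the included tasks
      register: filelist
      tags:
        - letsencrypt_deployhook_count
        - letsencrypt_show_renewalfile_only

    - name: Loop over files
      ansible.builtin.include_tasks: letsencrypt-fix-deployhooks-loop.yml
      loop: "{{ filelist.files }}"
      tags:
        - letsencrypt_deployhook_count
        - letsencrypt_show_renewalfile_only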
---
# Tasks executed once per certbot renewal config (item.path), included from
# the letsencrypt-fix-deployhooks.yml playbook.
# Note: insertafter only takes effect when no deploy_hook line exists yet;
# a line matching the regexp is replaced in place instead.
- name: "Display current file"
  ansible.builtin.debug:
    msg: "processing {{ item.path }}"
  tags:
    - letsencrypt_deployhook_count
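- name: "Searching for authenticator apache"
  # grep rc: 0 = match, 1 = no match, >1 = error (e.g. unreadable file).
  # failed_when turns only real grep errors into a task failure; rc 1 is the
  # normal "not this authenticator" case handled by the `when` clauses below.
  # The former ignore_errors: true was dropped because it silently hid the
  # very errors failed_when is meant to surface.
  # `quote` keeps a path containing whitespace as a single argv element.
  ansible.builtin.command: "grep -i '^authenticator = apache' {{ item.path | quote }}"
  register: apache
  failed_when: apache.rc > 1
  changed_when: false
  # read-only probe, so it may run in check mode as well
  check_mode: false
  tags:
    - letsencrypt_deployhook_count

- name: "Authenticator apache present"
  ansible.builtin.debug:
    msg: "authenticator is apache"
  when: apache.rc == 0
  tags:
    - letsencrypt_deployhook_count

- name: "Set deployhook for authenticator apache"
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    # replace an existing deploy_hook line; otherwise insert one right after
    # the authenticator line (lineinfile appends at EOF if insertafter does
    # not match — grep above is case-insensitive while this regexp is not)
    regexp: '^deploy_hook ='
    insertafter: '^authenticator = apache'
    # default() only applies when letsencrypt_deployhook is undefined; an
    # explicitly empty override yields an empty deploy_hook line
    line: 'deploy_hook = {{ letsencrypt_deployhook | default(apache_deployhook) }}'
    backup: true
  when: apache.rc == 0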
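- name: "Searching for authenticator nginx"
  # grep rc: 0 = match, 1 = no match, >1 = error (e.g. unreadable file).
  # failed_when turns only real grep errors into a task failure; rc 1 is the
  # normal "not this authenticator" case handled by the `when` clauses below.
  # The former ignore_errors: true was dropped because it silently hid the
  # very errors failed_when is meant to surface.
  # `quote` keeps a path containing whitespace as a single argv element.
  ansible.builtin.command: "grep -i '^authenticator = nginx' {{ item.path | quote }}"
  register: nginx
  failed_when: nginx.rc > 1
  changed_when: false
  # read-only probe, so it may run in check mode as well
  check_mode: false
  tags:
    - letsencrypt_deployhook_count

- name: "Authenticator nginx present"
  ansible.builtin.debug:
    msg: "authenticator is nginx"
  when: nginx.rc == 0
  tags:
    - letsencrypt_deployhook_count

- name: "Set deployhook for authenticator nginx"
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    # replace an existing deploy_hook line; otherwise insert one right after
    # the authenticator line (lineinfile appends at EOF if insertafter does
    # not match — grep above is case-insensitive while this regexp is not)
    regexp: '^deploy_hook ='
    insertafter: '^authenticator = nginx'
    # default() only applies when letsencrypt_deployhook is undefined; an
    # explicitly empty override yields an empty deploy_hook line
    line: 'deploy_hook = {{ letsencrypt_deployhook | default(nginx_deployhook) }}'
    backup: true
  when: nginx.rc == 0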
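- name: "Searching for authenticator standalone"
  # grep rc: 0 = match, 1 = no match, >1 = error (e.g. unreadable file).
  # failed_when turns only real grep errors into a task failure; rc 1 is the
  # normal "not this authenticator" case handled by the `when` clauses below.
  # The former ignore_errors: true was dropped because it silently hid the
  # very errors failed_when is meant to surface.
  # `quote` keeps a path containing whitespace as a single argv element.
  ansible.builtin.command: "grep -i '^authenticator = standalone' {{ item.path | quote }}"
  register: standalone
  failed_when: standalone.rc > 1
  changed_when: false
  # read-only probe, so it may run in check mode as well
  check_mode: false
  tags:
    - letsencrypt_deployhook_count

- name: "Authenticator standalone present"
  ansible.builtin.debug:
    msg: "authenticator is standalone"
  when: standalone.rc == 0
  tags:
    - letsencrypt_deployhook_count

- name: "Set deployhook for authenticator standalone"
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    # replace an existing deploy_hook line; otherwise insert one right after
    # the authenticator line (lineinfile appends at EOF if insertafter does
    # not match — grep above is case-insensitive while this regexp is not)
    regexp: '^deploy_hook ='
    insertafter: '^authenticator = standalone'
    line: 'deploy_hook = {{ letsencrypt_deployhook }}'
    backup: true
  # no built-in fallback for standalone: only write a hook when the operator
  # supplied a non-empty one (`is defined` guards the length check)
  when:
    - standalone.rc == 0
    - letsencrypt_deployhook is defined
    - letsencrypt_deployhook | length > 0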
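- name: "Searching for authenticator webroot"
  # grep rc: 0 = match, 1 = no match, >1 = error (e.g. unreadable file).
  # failed_when turns only real grep errors into a task failure; rc 1 is the
  # normal "not this authenticator" case handled by the `when` clauses below.
  # The former ignore_errors: true was dropped because it silently hid the
  # very errors failed_when is meant to surface.
  # `quote` keeps a path containing whitespace as a single argv element.
  ansible.builtin.command: "grep -i '^authenticator = webroot' {{ item.path | quote }}"
  register: webroot
  failed_when: webroot.rc > 1
  changed_when: false
  # read-only probe, so it may run in check mode as well
  check_mode: false
  tags:
    - letsencrypt_deployhook_count

- name: "Authenticator webroot present"
  ansible.builtin.debug:
    msg: "authenticator is webroot"
  when: webroot.rc == 0
  tags:
    - letsencrypt_deployhook_count

- name: "Set deployhook for authenticator webroot"
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    # replace an existing deploy_hook line; otherwise insert one right after
    # the authenticator line (lineinfile appends at EOF if insertafter does
    # not match — grep above is case-insensitive while this regexp is not)
    regexp: '^deploy_hook ='
    insertafter: '^authenticator = webroot'
    line: 'deploy_hook = {{ letsencrypt_deployhook }}'
    backup: true
  # no built-in fallback for webroot: only write a hook when the operator
  # supplied a non-empty one (`is defined` guards the length check)
  when:
    # bug fix: this condition previously tested standalone.rc, so the webroot
    # hook was only written when the file was (also) a standalone config
    - webroot.rc == 0
    - letsencrypt_deployhook is defined
    - letsencrypt_deployhook | length > 0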
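- name: "Counting deployhook lines"
  # grep -c exits 1 when there are zero matches, so only rc > 1 is an error.
  # `quote` keeps a path containing whitespace as a single argv element.
  ansible.builtin.command: "grep -c '^deploy_hook' {{ item.path | quote }}"
  register: count
  failed_when: count.rc > 1
  changed_when: false
  check_mode: false
  tags:
    - letsencrypt_deployhook_count

- name: "Output deployhook lines"
  # collect the offending lines for the failure message below
  ansible.builtin.command: "grep '^deploy_hook' {{ item.path | quote }}"
  register: countoutput
  failed_when: countoutput.rc > 1
  changed_when: false
  check_mode: false
  # stdout is a string, hence the comparison against "1"
  when: count.stdout != "1"
  tags:
    - letsencrypt_deployhook_count

- name: "Not exactly one deployhook line"
  ansible.builtin.fail:
    msg: "Not exactly one deployhook line (count is {{ count.stdout }}: content: {{ countoutput.stdout_lines }} ) in {{ item.path }}"
  when: count.stdout != "1"
  # in check mode lineinfile has not written anything, so a mismatch is
  # expected — report it but do not abort the run
  ignore_errors: "{{ ansible_check_mode }}"
  tags:
    - letsencrypt_deployhook_count
    - letsencrypt_ignore_deployhook_line_count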
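- name: "Set pre_hook"
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    # regexp added so an existing pre_hook line is replaced rather than a
    # second one appended at EOF (same idempotent pattern as deploy_hook)
    regexp: '^pre_hook ='
    line: 'pre_hook = {{ letsencrypt_pre_hook }}'
    backup: true
  # only act when the operator supplied a non-empty value
  when:
    - letsencrypt_pre_hook is defined
    - letsencrypt_pre_hook | length > 0

- name: "Set post_hook"
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    # regexp added so an existing post_hook line is replaced rather than a
    # second one appended at EOF (same idempotent pattern as deploy_hook)
    regexp: '^post_hook ='
    line: 'post_hook = {{ letsencrypt_post_hook }}'
    backup: true
  # only act when the operator supplied a non-empty value
  when:
    - letsencrypt_post_hook is defined
    - letsencrypt_post_hook | length > 0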
- name: "Read renewal file"
  # slurp returns the file base64-encoded in filecontent.content
  ansible.builtin.slurp:
    src: "{{ item.path }}"
  register: filecontent
  tags:
    - letsencrypt_show_renewalfile_only

- name: "Output renewal file"
  # decode the slurped content so the renewal config is printed verbatim
  ansible.builtin.debug:
    msg: "file: {{ item.path }}: content: {{ filecontent['content'] | b64decode }}"
  tags:
    - letsencrypt_show_renewalfile_only