diff options
Diffstat (limited to 'ansible/roles/certreload/tasks/main.yml')
| -rw-r--r-- | ansible/roles/certreload/tasks/main.yml | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/ansible/roles/certreload/tasks/main.yml b/ansible/roles/certreload/tasks/main.yml new file mode 100644 index 0000000..0e4fcc7 --- /dev/null +++ b/ansible/roles/certreload/tasks/main.yml | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | --- | ||
| 2 | # This is a hack because ansible can't trigger handlers if they don't | ||
| 3 | # exist, so we can't have our 'certs' role unconditionally fire things | ||
| 4 | # like "reload nginx" and "reload postfix" because those don't exist | ||
| 5 | # in every deployment. | ||
| 6 | # As a hack, just check if /etc/ssl was recently modified then reload | ||
| 7 | - name: check certificate update recency | ||
| 8 | stat: | ||
| 9 | path: /etc/ssl | ||
| 10 | register: statSSL | ||
| 11 | |||
| 12 | # Have to mock a command resulting in some "changed" status so ansible | ||
| 13 | # allows itself to trigger handlers. | ||
| 14 | # The actual restriction on this handler is the 'when' clause, not | ||
| 15 | # the command itself. | ||
| 16 | - name: reload because certs are newish | ||
| 17 | command: /bin/true | ||
| 18 | when: ((ansible_date_time.epoch |int) - (statSSL.stat.mtime |int)) < 300 | ||
| 19 | notify: | ||
| 20 | - "{{ item }}" | ||
| 21 | loop: "{{ certreload.notifiers }}" | ||