From ff313525c86c91bbe9dcf194d1249ba56d198d03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 5 Jun 2024 16:43:20 +0200
Subject: [PATCH] Reload postfix and dovecot on cert renewal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
closes #552
Co-authored-by: Greg Karékinian
---
 .../kosmos-base/resources/tls_cert_for.rb | 16 +++++++++++++++-
 site-cookbooks/kosmos_email/recipes/default.rb | 1 +
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
index 0f56f29..c633166 100644
--- a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
+++ b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
@@ -3,6 +3,7 @@ provides :tls_cert_for
 property :domain, [String, Array], name_property: true
 property :auth, [String, NilClass], default: nil
+property :deploy_hook, [String, NilClass], default: nil
 property :acme_domain, [String, NilClass], default: nil
 default_action :create
@@ -36,6 +37,19 @@ action :create do
 sensitive true
 end
+ if new_resource.deploy_hook
+ deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
+
+ file deploy_hook_path do
+ content new_resource.deploy_hook
+ mode 0755
+ owner "root"
+ group "root"
+ end
+ elsif node.run_list.roles.include?("openresty_proxy")
+ deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
+ end
+
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for #{domains.join(', ')}" do
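Review bot: `deploy_hook_path` is built from `domains.first` and is later interpolated into the certbot shell command without quoting, so a wildcard name such as `*.example.org` (constructed example) would put a glob character into both the root-owned file name and the command line. Since these certs can use DNS auth, wildcard domains look plausible; deriving the file name from a sanitised value, e.g. `domains.first.gsub(/[^A-Za-z0-9._-]/, "_")`, would avoid that. The hook file is also written as the raw `deploy_hook` string with no interpreter line, so running it depends on the calling shell's fallback for scripts without a shebang; `content "#!/bin/sh\n#{new_resource.deploy_hook}\n"` makes that explicit. The `action :create` block starts and ends outside this hunk.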
@@ -47,7 +61,7 @@ action :create do
 --manual-auth-hook '#{hook_auth_command}' \
 --manual-cleanup-hook '#{hook_cleanup_command}' \
 --email ops@kosmos.org \
- #{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
+ #{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
 #{domains.map {|d| "-d #{d}" }.join(" ")}
 CMD
 not_if do
diff --git a/site-cookbooks/kosmos_email/recipes/default.rb b/site-cookbooks/kosmos_email/recipes/default.rb
index 462ea1a..01f85a3 100644
--- a/site-cookbooks/kosmos_email/recipes/default.rb
+++ b/site-cookbooks/kosmos_email/recipes/default.rb
@@ -26,6 +26,7 @@ end
 tls_cert_for hostname do
 domain ([hostname]+extra_hostnames)
 auth "gandi_dns"
+ deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
 action :create
 end
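Review bot: `defined?(deploy_hook_path)` in the `tls_cert_for.rb` command hunk is always truthy, because Ruby creates the local variable as soon as the parser sees the assignments in the `if`/`elsif` added earlier in `action :create`, whether or not either branch runs. On a node with no `deploy_hook` and without the `openresty_proxy` role the variable is nil, so the command gets a bare `--deploy-hook` with no argument, which certbot will most likely reject or fill with the next option. Test the value instead, and quote it like the other hook arguments: `#{"--deploy-hook '#{deploy_hook_path}'" if deploy_hook_path} \`. The old ternary handled the no-hook case correctly by emitting nothing, so this is a regression for every node that falls through both branches. The heredoc and the `execute` block continue outside the hunk.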
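Review bot: On a mail host that already holds a certificate, this `deploy_hook` in `kosmos_email/recipes/default.rb` may never take effect. The resource passes the hook to certbot only through `--deploy-hook` on the issuance command, and its comment says that command runs only if no cert has been generated before (the `not_if` body is not visible here). The script itself is written directly under `/etc/letsencrypt/renewal-hooks/` rather than the `deploy/` subdirectory that certbot scans on renewal, so nothing else would pick it up. If that reading is right, existing hosts need a reissue or an edit to their renewal config, and the commit description should say so. Separately, `&&` skips the dovecot reload whenever the postfix reload fails, leaving dovecot on the old certificate; `systemctl reload postfix.service; systemctl reload dovecot.service` would attempt both.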