ouranos/ansible/certbot/renewal-hook.sh.j2

#!/bin/bash
# Certbot post-renewal hook for HAProxy
# Managed by Ansible - DO NOT EDIT MANUALLY
#
# This script:
# 1. Combines fullchain.pem + privkey.pem into HAProxy format
# 2. Sets correct permissions
# 3. Reloads HAProxy via Docker
# 4. Updates certificate metrics for Prometheus

set -euo pipefail

CERT_NAME="{{ certbot_cert_name }}"
CERT_DIR="{{ certbot_directory }}/config/live/${CERT_NAME}"
HAPROXY_CERT="{{ haproxy_cert_path }}"
HAPROXY_DIR="{{ haproxy_directory }}"

echo "[$(date '+%Y-%m-%d %H:%M:%S')] Starting renewal hook for ${CERT_NAME}"

# Check if certificate files exist
if [[ ! -f "${CERT_DIR}/fullchain.pem" ]] || [[ ! -f "${CERT_DIR}/privkey.pem" ]]; then
    echo "ERROR: Certificate files not found in ${CERT_DIR}"
    exit 1
fi

# Combine certificate and private key for HAProxy
# HAProxy requires both in a single PEM file
cat "${CERT_DIR}/fullchain.pem" "${CERT_DIR}/privkey.pem" > "${HAPROXY_CERT}.tmp"

# Atomic move to avoid HAProxy reading partial file
mv "${HAPROXY_CERT}.tmp" "${HAPROXY_CERT}"

# Set permissions
chown {{ certbot_user }}:{{ haproxy_group }} "${HAPROXY_CERT}"
chmod 640 "${HAPROXY_CERT}"

echo "[$(date '+%Y-%m-%d %H:%M:%S')] Certificate combined and written to ${HAPROXY_CERT}"

# Reload HAProxy if running
if docker ps --format '{{ '{{' }}.Names{{ '}}' }}' | grep -q haproxy; then
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Reloading HAProxy..."
    cd "${HAPROXY_DIR}"
    docker compose kill -s HUP haproxy || docker-compose kill -s HUP haproxy
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] HAProxy reloaded"
else
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] HAProxy not running, skipping reload"
fi

# Update certificate metrics
{{ certbot_directory }}/hooks/cert-metrics.sh

echo "[$(date '+%Y-%m-%d %H:%M:%S')] Renewal hook completed successfully"