Add deploy hook feature

README.md

@@ -166,6 +166,22 @@ acme_sh_default_dns_provider: "dns_dgon"
 #      "DO_API_KEY": "THE_API_SECRET_TOKEN_FROM_THE_DO_DASHBOARD"
 acme_sh_default_dns_provider_api_keys: {}
 
+# What are your the Deploy ENV Vars?
+# The key names to use can be found at:
+#   https://github.com/acmesh-official/acme.sh/wiki/deployhooks
+# Just add them as key / value pairs here
+# without the "export ".
+#
+# For example if you were using haproxy as deploy hook you would enter:
+#    acme_sh_default_deploy_env_vars:
+#       "DEPLOY_HAPROXY_PEM_PATH": "/etc/haproxy"
+#       "DEPLOY_HAPROXY_RELOAD":"/usr/sbin/service haproxy restart"
+acme_sh_default_deploy_env_vars: {}
+
+# When set to a non-empty string, this hook will be executed after issuing a certificate.
+# Examples: https://github.com/acmesh-official/acme.sh/wiki/deployhooks
+acme_sh_default_deploy_hook: ""
+
 # How long should acme.sh sleep after attempting to set the TXT record to your
 # DNS records? Some DNS providers do not update as fast as others.
 #
@@ -198,6 +214,13 @@ acme_sh_default_extra_flags_renew: ""
 # Installing is different than issuing and we'll cover that later.
 acme_sh_default_extra_flags_install_cert: ""
 
+# When deploying certificates via `deploy` command, you can choose to add additional flags that
+# are not present here by default. Supply them just as you would on the command
+# line, such as "--help".
+#
+# Installing is different than issuing and we'll cover that later.
+acme_sh_default_extra_flags_deploy_cert: ""
+
 # When a certificate is issued or renewed, acme.sh will attempt to run a command
 # of your choosing. This could be to restart or reload your web server or proxy.
 #
@@ -260,6 +283,9 @@ acme_sh_domains:
 #    force_renew: False
 #    # Optionally turn on debug mode.
 #    debug: True
+#    # Optionally override the default environment variables used by deploy command.
+#    deploy_env_vars:
+#     "DEPLOY_HAPROXY_PEM_PATH": "/etc/haproxy"
 #    # Optionally override the default DNS provider.
 #    dns_provider: "dns_namesilo"
 #    # Optionally override the default DNS API keys.
@@ -267,10 +293,11 @@ acme_sh_domains:
 #     "Namesilo_Key": "THE_API_SECRET_TOKEN_FROM_THE_NAMESILO_DASHBOARD"
 #    # Optionally override the default DNS sleep time.
 #    dns_sleep: 900
-#    # Optionally add extra flags to any of these 3 actions:
+#    # Optionally add extra flags to any of these 4 actions:
 #    extra_flags_issue: ""
 #    extra_flags_renew: ""
 #    extra_flags_install_cert: ""
+#    extra_flags_deploy_cert: ""
 #    # Optionally set a different reload command.
 #    install_cert_reloadcmd: "whoami"
 #    # Optionally run commands during different points in the cert issue process:
@@ -279,6 +306,8 @@ acme_sh_domains:
 #    extra_issue_renew_hook: ""
 #    # Optionally remove and disable the certificate.
 #    remove: True
+#    # Optionally call a deploy_hook see : https://github.com/acmesh-official/acme.sh/wiki/deployhooks
+#    deploy_hook: ""
 ```
 
 ## Example usage
@@ -377,6 +406,19 @@ acme_sh_domains:
     force_renew: True
 ```
 
+# ------------------------------------------------------------------------------
+
+# 2 certificate files using the same example, with a different deploy hook for each.
+# This will product the following result for domain :
+# - example.com the hook will deploy the cert (well formated) to a local haproxy server
+# - admin.example.com the hook will deploy certificates to a remote host using SSH  
+acme_sh_domains:
+  - domains: ["example.com", "www.example.com"]
+    deploy_hook: "haproxy"
+  - domains: ["admin.example.com"]
+    deploy_hook: "ssh"
+```
+
 *If you're looking for an Ansible role to create users, then check out my
 [user role](https://github.com/nickjj/ansible-user)*.
 

defaults/main.yml

@@ -34,6 +34,10 @@ acme_sh_default_dns_sleep: 120
 acme_sh_default_extra_flags_issue: ""
 acme_sh_default_extra_flags_renew: ""
 acme_sh_default_extra_flags_install_cert: ""
+acme_sh_default_extra_flags_deploy_cert: ""
+
+acme_sh_default_deploy_env_vars: {}
+acme_sh_default_deploy_hook: ""
 
 acme_sh_default_install_cert_reloadcmd: "sudo service nginx reload"
 

tasks/main.yml

@@ -210,6 +210,7 @@
   when:
     - acme_sh_domains and item.domains is defined and item.domains
     - item.custom_command is undefined or not item.custom_command
+    - item.deploy_hook is undefined or not item.deploy_hook or acme_sh_default_deploy_hook
     - item.remove is undefined or not item.remove
     - not acme_sh_uninstall
   become_user: "{{ acme_sh_become_user }}"
@@ -217,6 +218,31 @@
   changed_when: issue_result.results[domains_index].changed or renew_result.results[domains_index].changed
   failed_when: install_cert_result.rc != 0 and "Reload error for" not in install_cert_result.stderr
 
+- name: Deploy acme.sh certificate(s)
+  command: >-
+    ./acme.sh --deploy -d {{ item.domains | first }}
+    --deploy-hook {{ item.deploy_hook | default(acme_sh_default_deploy_hook)}}
+    {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
+    {{ item.extra_flags_deploy_cert | default(acme_sh_default_extra_flags_deploy_cert) }}
+  args:
+    chdir: "~/.acme.sh"
+  loop: "{{ acme_sh_domains }}"
+  loop_control:
+    index_var: domains_index
+  environment: "{{ item.deploy_env_vars | default(acme_sh_default_deploy_env_vars) }}"
+  when:
+    - acme_sh_domains and item.domains is defined and item.domains
+    - (item.deploy_hook is defined and item.deploy_hook) or acme_sh_default_deploy_hook
+    - item.deploy_env_vars | default(acme_sh_default_deploy_env_vars)
+    - item.custom_command is undefined or not item.custom_command
+    - item.remove is undefined or not item.remove
+    - not acme_sh_uninstall
+  become_user: "{{ acme_sh_become_user }}"
+  register: deploy_cert_result
+  changed_when: issue_result.results[domains_index].changed or renew_result.results[domains_index].changed
+  failed_when: deploy_cert_result.rc != 0 and "Reload error for" not in deploy_cert_result.stderr
+
+
 - name: Register acme.sh certificate information
   command: ./acme.sh --list
   args: