feat(systemd): Run acme client whenever CSR file changed (#36)

certhub · May 9, 2019 · 1a136f8 · 1a136f8
1 parent 3904850
commit 1a136f8
Show file tree

Hide file tree

Showing 8 changed files with 14 additions and 3 deletions.
diff --git a/doc/certhub-certbot-run@.service.8.rst b/doc/certhub-certbot-run@.service.8.rst
@@ -17,7 +17,7 @@ config directory. The resulting fullchain certificate is committed to the
 repository. A commit message is generated automatically.
 
 A path unit which runs the service unit if the expiry status file managed by
-:program:`certhub-cert-expiry@.service` exists.
+:program:`certhub-cert-expiry@.service` exists or if the CSR file changed.
 
 The instance name (systemd instance string specifier ``%i``) is used as the
 basename of the configuration and the resulting certificate file.

diff --git a/doc/certhub-dehydrated-run@.service.8.rst b/doc/certhub-dehydrated-run@.service.8.rst
@@ -17,7 +17,7 @@ config directory. The resulting fullchain certificate is committed to the
 repository. A commit message is generated automatically.
 
 A path unit which runs the service unit if the expiry status file managed by
-:program:`certhub-cert-expiry@.service` exists.
+:program:`certhub-cert-expiry@.service` exists or if the CSR file changed.
 
 The instance name (systemd instance string specifier ``%i``) is used as the
 basename of the configuration and the resulting certificate file.

diff --git a/doc/certhub-lego-run@.service.8.rst b/doc/certhub-lego-run@.service.8.rst
@@ -17,7 +17,7 @@ config directory. The resulting fullchain certificate is committed to the
 repository. A commit message is generated automatically.
 
 A path unit which runs the service unit if the expiry status file managed by
-:program:`certhub-cert-expiry@.service` exists.
+:program:`certhub-cert-expiry@.service` exists or if the CSR file changed.
 
 The instance name (systemd instance string specifier ``%i``) is used as the
 basename of the configuration and the resulting certificate file.

diff --git a/doc/overview.rst b/doc/overview.rst
@@ -85,6 +85,7 @@ service reload.
       [Expiry Path Unit] --> [Expiry Service Unit] : run
       [Expiry Timer Unit] --> [Expiry Service Unit] : run
       [Expiry Service Unit] --> [Expiry Status File] : create\ndelete
+      [CSR File] <.. [ACME Client Path Unit] : observe
       [Expiry Status File] <.. [ACME Client Path Unit] : observe
       [ACME Client Path Unit] --> [ACME Client Service Unit] : run
       [Principal Git Repository] <-- [ACME Client Service Unit] : commit

diff --git a/lib/systemd/certhub-certbot-run@.path.d/csr.path.conf b/lib/systemd/certhub-certbot-run@.path.d/csr.path.conf
@@ -0,0 +1 @@
+../dropins/csr.path.conf
diff --git a/lib/systemd/certhub-dehydrated-run@.path.d/csr.path.conf b/lib/systemd/certhub-dehydrated-run@.path.d/csr.path.conf
@@ -0,0 +1 @@
+../dropins/csr.path.conf
diff --git a/lib/systemd/certhub-lego-run@.path.d/csr.path.conf b/lib/systemd/certhub-lego-run@.path.d/csr.path.conf
@@ -0,0 +1 @@
+../dropins/csr.path.conf
diff --git a/lib/systemd/dropins/csr.path.conf b/lib/systemd/dropins/csr.path.conf
@@ -0,0 +1,7 @@
+[Path]
+
+# CSR path watched by:
+# - certhub-certbot-run@.path
+# - certhub-dehydrated-run@.path
+# - certhub-lego-run@.path
+PathChanged=/etc/certhub/%i.csr.pem