authorGravatar Joe Banks <[email protected]>2022-03-14 23:32:33 +0000
committerGravatar Joe Banks <[email protected]>2022-03-14 23:42:37 +0000
commita7ec78c30bedd85f8951e8d11a4f5ad54b8013c9 (patch)
treec70d22108788ff60f5c81af5dd42dcbe424bed12
parentAdd certbot roles (diff)
Force reload on all rsync operations
Update the forced command in authorized_keys to reload NGINX after termination of the rsync session. This ensures that after key updates complete, they are reloaded and pushed to NGINX.
-rw-r--r--roles/certbot/files/rsync.sh7
-rw-r--r--roles/certbot/tasks/main.yml15
2 files changed, 20 insertions, 2 deletions
diff --git a/roles/certbot/files/rsync.sh b/roles/certbot/files/rsync.sh
new file mode 100644
index 0000000..fa9b27b
--- /dev/null
+++ b/roles/certbot/files/rsync.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Start the rsync server and perform the transfer
+rrsync -wo /etc/letsencrypt/live
+
+# Reload NGINX
+systemctl reload nginx
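Review bot: A failed transfer is not detected: if `rrsync` on the line above exits non-zero the script still runs `systemctl reload nginx`, and the rsync client sees the reload's exit status rather than rsync's, so an incomplete copy of the certificates can trigger a reload and still report success. Add `set -eu` directly after the shebang so the script stops at the first failing command and propagates that status back to the client. The previous forced command used the absolute path `/usr/bin/rrsync`; writing `/usr/bin/rrsync -wo /etc/letsencrypt/live` here keeps the script independent of whatever PATH sshd hands to forced commands. The reload also runs on every rsync session, including ones that transfer nothing; that is probably acceptable for a reload but deserves a comment such as `# Reload NGINX so newly synced certificates are served (runs after every session)`.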
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 19d5e1e..371df64 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -54,6 +54,17 @@
tags:
- role::certbot
+- name: Install rsync + nginx reload script to replica servers
+ when: inventory_hostname != ansible_play_hosts[0]
+ copy:
+ src: rsync.sh
+ dest: /opt/cert_rsync.sh
+ owner: root
+ group: root
+ mode: 0500
+ tags:
+ - role::certbot
+
- name: Install certificate distribution keys to other NGINX nodes
when: inventory_hostname != ansible_play_hosts[0]
ansible.posix.authorized_key:
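Review bot: `mode: 0500` on the new copy task is an unquoted octal literal; YAML parses it as the integer 320 and Ansible then has to infer that an integer means octal, so write it as a string, `mode: "0500"`, and likewise `mode: "0700"` in the last hunk for the distribute-certs hook (that hunk also widens the hook from 0500 to 0700 without the commit message saying why). The script is installed root:root with mode 0500, so the forced command set in the authorized_key task below can only execute it if that key is installed for root; the task's `user:` is outside the hunk, so this should be confirmed. The new `when: inventory_hostname != ansible_play_hosts[0]` mirrors the existing tasks, but the key_options in the next hunk select the primary via `ansible_play_hosts_all[0]`; `ansible_play_hosts` drops failed or unreachable hosts while `ansible_play_hosts_all` does not, so if the first host fails mid-play the two expressions can disagree about which node is the primary.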
@@ -65,7 +76,7 @@
| map(attribute='public_key')
| first }}
comment: "certificate distribution key"
- key_options: 'from="{{ hostvars[ansible_play_hosts_all[0]]["wireguard_subnet"] }}",restrict,command="/usr/bin/rrsync -wo /etc/letsencrypt/live"'
+ key_options: 'from="{{ hostvars[ansible_play_hosts_all[0]]["wireguard_subnet"] }}",restrict,command="/opt/cert_rsync.sh"'
tags:
- role::certbot
@@ -76,7 +87,7 @@
dest: /etc/letsencrypt/renewal-hooks/deploy/distribute-certs
owner: root
group: root
- mode: 0500
+ mode: 0700
tags:
- role::certbot