refactor(RENEWAL): prefer deploy-hook

Dockerfile

@@ -13,7 +13,14 @@ ARG PROVIDER="aws"
 LABEL org.opencontainers.image.source="https://github.com/niallbyrne-ca/smtp"
 LABEL org.opencontainers.image.description="Wraps docker.io/cisagov/postfix with SSL and DKIM automation."
 
-RUN mkdir -p certbot /usr/local/share/certs/providers /usr/local/share/certs/scripts /run/secrets
+RUN mkdir -p                            \
+    certbot                             \
+    /run/secrets                        \
+    /usr/local/share/certs/hooks        \
+    /usr/local/share/certs/providers    \
+    /usr/local/share/certs/scripts
+
+COPY hooks/*.bash /usr/local/share/certs/hooks
 COPY providers/"${PROVIDER}".bash /usr/local/share/certs/providers
 COPY scripts/*.bash /usr/local/share/certs/scripts
 
@@ -39,7 +46,8 @@ RUN apt-get update                                              \
 WORKDIR /root
 
 COPY entrypoint.sh entrypoint.sh
-RUN chmod +x entrypoint.sh
+
+RUN chmod +x entrypoint.sh /usr/local/share/certs/hooks/*.bash
 
 EXPOSE 25/TCP 587/TCP 993/TCP
 

entrypoint.sh

@@ -4,6 +4,9 @@ set -eo pipefail
 
 trap terminate SIGINT SIGTERM ERR EXIT
 
+# shellcheck disable=SC1091
+source /usr/local/share/certs/scripts/import.bash
+
 env_file() {
   if [[ -n "${ENV_FILE}" ]]; then
     set -a
@@ -13,16 +16,6 @@ env_file() {
   fi
 }
 
-import() {
-  # $1 - path to scripts
-  # $2 - description of import
-  for SCRIPT in "${1}"/*.bash; do
-    echo "CONTAINER > Import ${2}: ${SCRIPT}"
-    # shellcheck disable=SC1090
-    source "${SCRIPT}"
-  done
-}
-
 terminate() {
   ERROR_CODE="$?"
   echo "CONTAINER > ERROR CODE: ${ERROR_CODE}"

hooks/deploy.bash

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# shellcheck disable=SC1091
+source /usr/local/share/certs/scripts/import.bash
+
+main() {
+  echo "CONTAINER > 'deploy' hook has been called."
+  import /usr/local/share/certs/scripts "Script Library"
+  install_certificates
+  echo "CONTAINER > Reloading dovecot and postfix ..."
+  dovecot reload
+  postfix reload
+}
+
+main "$@"

providers/README.md

@@ -24,5 +24,6 @@ provider_dkim() {
 
 provider_renew() {
   # Call certbot to renew existing certificates.
+  # The '--deploy-hook' argument should be set to: /usr/local/share/certs/hooks/deploy.bash
 }
 ```

providers/aws.bash

@@ -39,5 +39,5 @@ provider_dkim() {
 }
 
 provider_renew() {
-  certbot renew "${TEST_MODE}" --dns-route53 --dns-route53-propagation-seconds "${DNS_PROPAGATION_DELAY}"
+  certbot renew "${TEST_MODE}" --dns-route53 --dns-route53-propagation-seconds "${DNS_PROPAGATION_DELAY}" --deploy-hook=/usr/local/share/certs/hooks/deploy.bash
 }

providers/cloudflare.bash

@@ -98,7 +98,7 @@ provider_dkim() {
 
 provider_renew() {
   write_credential_file
-  certbot renew "${TEST_MODE}" --dns_cloudflare --dns-cloudflare-credentials /tmp/cloudflare --dns-cloudflare-propagation-seconds "${DNS_PROPAGATION_DELAY}"
+  certbot renew "${TEST_MODE}" --dns_cloudflare --dns-cloudflare-credentials /tmp/cloudflare --dns-cloudflare-propagation-seconds "${DNS_PROPAGATION_DELAY}" --deploy-hook=/usr/local/share/certs/hooks/deploy.bash
 }
 
 write_credential_file() {

scripts/import.bash

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+import() {
+  # $1 - path to scripts
+  # $2 - description of import
+  for SCRIPT in "${1}"/*.bash; do
+    echo "CONTAINER > Import ${2}: ${SCRIPT}"
+    # shellcheck disable=SC1090
+    source "${SCRIPT}"
+  done
+}

scripts/renew.bash

@@ -7,13 +7,7 @@ function renew() {
     sleep $((3600 * 24 * RENEW_INTERVAL_IN_DAYS))
     echo "CONTAINER > Attempting to renew certificates ..."
     pushd "certbot" || exit 127
-    if provider_renew; then
-      install_certificates
-    fi
+    provider_renew
     popd || exit 127
-
-    echo "CONTAINER > Reloading dovecot and postfix ..."
-    dovecot reload
-    postfix reload
   done
 }