Add a cron job to reload nginx if the certificates have changed

Due to the multiple frontends we can't trigger the reload from the
ACME automation daemon.

roles/base/files/if-changed

+#!/bin/bash
+#
+# Returns true if one or more files have changed since the previous
+# invocation over the same set of files.
+#
+
+files_fp=$(echo "$@" | md5sum - | awk '{print $1}')
+state_file="/var/tmp/.if-changed.${files_fp}"
+
+max_ts=0
+for file in "$@"
+do
+    ts=$(stat -c %Y "$file")
+    if [ $ts -gt $max_ts ]; then
+        max_ts=$ts
+    fi
+done
+
+prev_ts=0
+if [ -e $state_file ]; then
+    prev_ts=$(cat $state_file)
+fi
+echo $max_ts > $state_file
+if [ $max_ts -gt $prev_ts ]; then
+    exit 0
+fi
+exit 1

roles/base/tasks/debian_misc.yml

@@ -24,6 +24,7 @@
     mode: 0755
   with_items:
     - splay
+    - if-changed
 
 - name: Configure sysctl
   template:

roles/nginx/files/acme-reload-nginx

+#!/bin/sh
+#
+# Reload NGINX when the certificates change.
+#
+
+# The grep/awk one-liner finds all certificate files referenced in
+# NGINX site configuration files.
+sites_dirs="/etc/nginx/sites-available /etc/nginx/sites-auto"
+certs=$(fgrep -r ssl_certificate $sites_dirs \
+            | awk '$2=="ssl_certificate" {print $3}' \
+            | sed -e 's/;$//')
+if-changed $certs && systemctl reload nginx
+exit 0

roles/nginx/files/acme-reload-nginx.cron

+45 3 * * * root /usr/local/bin/acme-reload-nginx

roles/nginx/tasks/nginx.yml

@@ -168,3 +168,14 @@
     dest: /etc/firewall/filter.d/20nginx
   notify: "reload firewall"
 
+# Misc setup.
+- name: Install acme-reload-nginx script
+  copy:
+    src: acme-reload-nginx
+    dest: /usr/local/bin/acme-reload-nginx
+    mode: 0755
+
+- name: Install acme-reload-nginx cron job
+  copy:
+    src: acme-reload-nginx.cron
+    dest: /etc/cron.d/acme-reload-nginx