feat(roles/lego): Run hooks with bash -c

ref #13
2025-11-28 12:20:16 +01:00
1 changed files with 4 additions and 7 deletions
--- a/roles/lego/files/lego_run.sh
+++ b/roles/lego/files/lego_run.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -xeuo pipefail
+set -euo pipefail

 LEGO_BINARY=$(/usr/bin/env which lego)

@@ -8,17 +8,14 @@ if [[ -n "${LEGO_HTTP_FALLBACK_PORT:-}" ]]; then
    echo "nc not found (in PATH), exiting"
    exit 1
  fi
-  set +e
  nc -z 127.0.0.1 $LEGO_HTTP_PORT;
-  nc_exit_code=$?;
-  set -e
-  if [[ $nc_exit_code -eq 0 ]]; then
+  if [[ $? -eq 0 ]]; then
      LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
  fi
 fi

 if [[ -n "${LEGO_PRE_RENEWAL_HOOK:-}" ]]; then
-  $LEGO_PRE_RENEWAL_HOOK
+  /usr/bin/env bash -c "$LEGO_PRE_RENEWAL_HOOK"
 fi

 LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
@@ -34,5 +31,5 @@ find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chmod "$LEGO
 find "$LEGO_CERT_STORE_PATH/certificates" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"

 if [[ -n "${LEGO_POST_RENEWAL_HOOK:-}" ]]; then
-  $LEGO_POST_RENEWAL_HOOK
+  /usr/bin/env bash -c "$LEGO_POST_RENEWAL_HOOK"
 fi