added consul reload back, with env variable file

README.md

@@ -28,6 +28,13 @@ renew_consul_certificates_consul_group: consul # by default, set to consul
 ```
 This variable defines the group that'll be running the certificate renewal service. Defaults to `consul`, and should be present on the host prior to playing this role (ideally when installing consul).
 
+```yaml
+renew_consul_certificates_service_env_variables:
+  consul_http_addr: http://127.0.0.1:8500
+  # consul_http_token:
+```
+This variable sets the environment variables for the consul-certs services (notably the address and token to use for the `consul reload` command).
+
 ```yaml
 renew_consul_certificates_vault_addr: https://vault.example.com # by default, set to https://vault.example.com
 ```

defaults/main.yml

@@ -3,6 +3,9 @@
 renew_consul_certificates_config_dir: /etc/consul-template.d/consul
 renew_consul_certificates_consul_user: consul
 renew_consul_certificates_consul_group: consul
+renew_consul_certificates_service_env_variables:
+  consul_http_addr: http://127.0.0.1:8500
+  # consul_http_token:
 renew_consul_certificates_vault_addr: "https://vault.example.com"
 renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
 renew_consul_certificates_vault_token_unwrap: false

defaults/renew_consul_certificates.yml.sample

@@ -2,6 +2,9 @@
 # renew_consul_certificates_config_dir: /etc/consul-template.d/consul
 # renew_consul_certificates_consul_user: consul
 # renew_consul_certificates_consul_group: consul
+# renew_consul_certificates_service_env_variables:
+#   consul_http_addr: http://127.0.0.1:8500
+#   # consul_http_token:
 # renew_consul_certificates_vault_addr: "https://consul.example.com"
 # renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
 # renew_consul_certificates_vault_token_unwrap: false

molecule/with_custom_config/group_vars/all.yml

@@ -2,6 +2,9 @@
 renew_consul_certificates_config_dir: /etc/consul-template.d/consul
 renew_consul_certificates_consul_user: consul
 renew_consul_certificates_consul_group: consul
+renew_consul_certificates_service_env_variables:
+  consul_http_addr: http://127.0.0.1:8500
+  # consul_http_token:
 renew_consul_certificates_vault_addr: "https://consul.example.com"
 renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
 renew_consul_certificates_vault_token_unwrap: false

tasks/configure.yml

@@ -38,11 +38,21 @@
         mode: '0600'
 
 - name: "Configure consul-certs systemd service"
+  notify:
+    - "systemctl-daemon-reload"
+  block:
+    - name: "Configure consul-certs env file"
+      ansible.builtin.template:
+        src: consul-certs.env.j2
+        dest: "{{ renew_consul_certificates_config_dir }}/consul-certs.env"
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: "Configure consul-certs systemd service"
       ansible.builtin.template:
         src: consul-certs.service.j2
         dest: /etc/systemd/system/consul-certs.service
         owner: root
         group: root
         mode: '0644'
-  notify:
-    - "systemctl-daemon-reload"

templates/consul-certs.env.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+{% for item in renew_consul_certificates_service_env_variables %}
+{{ item|upper }}="{{ renew_consul_certificates_service_env_variables[item] }}"
+{% endfor %}

templates/consul-certs.service.j2

@@ -5,6 +5,7 @@ After=network-online.target consul.service
 ConditionFileNotEmpty={{ renew_consul_certificates_config_dir }}/consul_config.hcl
 
 [Service]
+EnvironmentFile=-{{ renew_consul_certificates_config_dir }}/consul-certs.env
 User={{ renew_consul_certificates_consul_user }}
 Group={{ renew_consul_certificates_consul_group }}
 ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_consul_certificates_config_dir }}/consul_config.hcl