Here's something else I'd like to model.
I was thinking of using Ansible to provision SSL certificates. I can start a host out on a self-signed cert, then just push out a real one once I buy it.
The problem I'm anticipating is restarting a variety of services across disparate machine types when the SSL certificate updates. My app servers may only need Nginx restarted, whereas my personal VPS may need Nginx, Postfix, Dovecot and Prosody. I don't want to call each and every service handler when an SSL certificate updates, because I don't know that a given service will even be running on a certain system.
Is there any way to model this? Would tagging help? I'd be fine with tagging certain tasks with ssl, not running them by default, then having the SSL copy run them on change. Or maybe handlers can be aliased/merged such that "restart nginx" also means "update ssl", and the handler merges everything currently loaded with the "update ssl" alias? None of that seems particularly clean, so I'm wondering if this is even possible?
Thanks.
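One way to model this, as an added example that is not part of the original post: since Ansible 2.2, handlers can subscribe to a shared topic with `listen`, and the certificate tasks `notify` that topic instead of a specific handler. Every handler listening to the topic fires, but each one is guarded by a `when` on the services actually installed on the host (gathered with `service_facts`), so an app server restarts only Nginx while the mail/XMPP box restarts all four. In a role layout you would put each handler in its own role's handlers file; `listen` works across roles, and a host that never gets the `dovecot` role never loads that handler at all, which makes the `when` guard optional. The playbook below is self-contained instead. The file paths, the `ssl-cert` group and the certificate names are assumptions, and it assumes Ansible 2.10 or later (fully qualified module names).

```yaml
# Added example, not the original poster's code. Assumes Ansible >= 2.10.
# Paths, the `ssl-cert` group and the hostname in the file names are hypothetical.
- name: Deploy TLS certificate and restart only the services present on this host
  hosts: all
  become: true
  vars:
    tls_cert_src: files/example.org.fullchain.pem   # hypothetical controller path
    tls_key_src: files/example.org.key.pem          # hypothetical controller path

  pre_tasks:
    - name: Gather installed services so the handlers can decide whether to fire
      ansible.builtin.service_facts:

  tasks:
    # Both tasks notify the same topic. Handlers are de-duplicated, so even if
    # the key and the chain both change, each service is bounced once.
    - name: Install certificate chain
      ansible.builtin.copy:
        src: "{{ tls_cert_src }}"
        dest: /etc/ssl/certs/example.org.fullchain.pem
        owner: root
        group: root
        mode: "0644"
      notify: tls certificate updated

    - name: Install private key (never world-readable)
      ansible.builtin.copy:
        src: "{{ tls_key_src }}"
        dest: /etc/ssl/private/example.org.key.pem
        owner: root
        group: ssl-cert          # hypothetical group that daemons use to read the key
        mode: "0640"
      notify: tls certificate updated

  handlers:
    # Every handler subscribes to the same topic via `listen`. The `when` guard
    # checks service_facts, whose keys look like "nginx.service" on systemd
    # hosts and "nginx" on SysV hosts, so both spellings are tested.
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded        # reload is enough for nginx to pick up a new cert
      listen: tls certificate updated
      when: "'nginx.service' in ansible_facts.services or 'nginx' in ansible_facts.services"

    - name: reload postfix
      ansible.builtin.service:
        name: postfix
        state: reloaded        # smtpd processes are short-lived; a reload suffices
      listen: tls certificate updated
      when: "'postfix.service' in ansible_facts.services or 'postfix' in ansible_facts.services"

    - name: restart dovecot
      ansible.builtin.service:
        name: dovecot
        state: restarted       # restart is the conservative choice when unsure
      listen: tls certificate updated   # that a daemon re-reads certs on reload
      when: "'dovecot.service' in ansible_facts.services or 'dovecot' in ansible_facts.services"

    - name: restart prosody
      ansible.builtin.service:
        name: prosody
        state: restarted
      listen: tls certificate updated
      when: "'prosody.service' in ansible_facts.services or 'prosody' in ansible_facts.services"
```

Two practical notes. First, the handlers only run at the end of the play (or at a `meta: flush_handlers`), and only when one of the `copy` tasks actually reported a change, so re-running the playbook with an unchanged certificate is a no-op. Second, if you later add a service on one box, you add one handler that listens to the topic rather than touching the certificate tasks, which is the decoupling the question asks for.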