Adapt the haproxy role so that it supports both letsencrypt acmetool and acme.sh
This commit is contained in:
parent
c35ab07597
commit
708f8027ef
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
|
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
|
||||||
|
|
||||||
|
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||||
|
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
|
||||||
|
|
||||||
|
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
|
||||||
|
shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
|
||||||
|
args:
|
||||||
|
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
|
||||||
|
tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
|
||||||
|
|
||||||
|
when:
|
||||||
|
- haproxy_letsencrypt_managed
|
||||||
|
- letsencrypt_acme_sh_install
|
||||||
|
tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]
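Review bot: The `shell:` line of the "When we are going to install letsencrypt certificates…" task concatenates the Let's Encrypt private key into `{{ pki_dir }}/haproxy/haproxy.pem` under whatever umask the Ansible connection happens to have, so the combined key+cert file is normally created world-readable, and the `;` chaining means a failed `cat` still leaves an empty haproxy.pem behind that `creates:` will then treat as done on every later run. I would write it as `shell: umask 077 && mkdir -p {{ pki_dir }}/haproxy && cat {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem` (haproxy normally loads its certificates before dropping privileges, so a root-only 0600 file is sufficient), or follow it with a `file:` task that pins `mode=0600`. The hook script is also installed with `mode=4555`: the setuid bit is ignored for interpreted scripts on Linux and the same script was `0550` in the task file this commit deletes, so `mode=0550` looks like the intended value. Finally, this acme.sh task file reads `letsencrypt_acme_user_home`, which by name looks like the acmetool variable rather than an acme.sh one — verify it is the path acme.sh actually populates.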
|
|
@ -1,15 +1,18 @@
|
||||||
---
|
---
|
||||||
|
- block:
|
||||||
- name: Create the acme hooks directory if it does not yet exist
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||||
when:
|
|
||||||
- haproxy_letsencrypt_managed
|
|
||||||
- letsencrypt_acme_install
|
|
||||||
tags: [ 'haproxy', 'letsencrypt' ]
|
|
||||||
|
|
||||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||||
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
|
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
|
||||||
|
|
||||||
|
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
|
||||||
|
shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
|
||||||
|
args:
|
||||||
|
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
|
||||||
|
tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- haproxy_letsencrypt_managed
|
- haproxy_letsencrypt_managed
|
||||||
- letsencrypt_acme_install
|
- letsencrypt_acme_install
|
||||||
tags: [ 'haproxy', 'letsencrypt' ]
|
tags: [ 'haproxy', 'letsencrypt' ]
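Review bot: `{{ letsencrypt_acme_user_home | default(omit) }}` inside the new `shell:` command string does not do what the filter name suggests: `omit` only removes a whole module argument, and when it is interpolated into a larger string Ansible substitutes its internal placeholder token, so an undefined `letsencrypt_acme_user_home` yields a command that reads from a bogus `__omit_place_holder__…/live/<fqdn>/privkey` path instead of failing clearly. Since the block is already guarded by `letsencrypt_acme_install`, drop the filter and use `{{ letsencrypt_acme_user_home }}` so an undefined variable fails the task, or give it a real default from the role's defaults. With `;` as the separator, a failed `cat` still creates an empty `haproxy.pem` that the `creates:` argument then skips on every later run; `mkdir -p … && cat … > …` avoids that.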
|
||||||
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
|
||||||
copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
|
|
||||||
when:
|
|
||||||
- haproxy_letsencrypt_managed
|
|
||||||
- letsencrypt_install
|
|
||||||
tags: [ 'haproxy', 'letsencrypt' ]
|
|
|
@ -1,13 +1,13 @@
|
||||||
---
|
---
|
||||||
- import_tasks: haproxy-service.yml
|
- import_tasks: haproxy-service.yml
|
||||||
- import_tasks: haproxy-letsencrypt.yml
|
- import_tasks: haproxy-letsencrypt-acme-sh.yml
|
||||||
when:
|
when:
|
||||||
- haproxy_letsencrypt_managed
|
- haproxy_letsencrypt_managed
|
||||||
- letsencrypt_install is defined
|
- letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
|
||||||
- import_tasks: haproxy-letsencrypt-acmetool.yml
|
- import_tasks: haproxy-letsencrypt-acmetool.yml
|
||||||
when:
|
when:
|
||||||
- haproxy_letsencrypt_managed
|
- haproxy_letsencrypt_managed
|
||||||
- letsencrypt_acme_install is defined
|
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||||
- import_tasks: haproxy-ssl.yml
|
- import_tasks: haproxy-ssl.yml
|
||||||
when:
|
when:
|
||||||
- haproxy_letsencrypt_managed
|
- haproxy_letsencrypt_managed
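Review bot: The two new `when:` guards make the acme.sh and acmetool imports independent rather than mutually exclusive, so a host with both `letsencrypt_acme_sh_install` and `letsencrypt_acme_install` true imports both task files, and each of them writes the same `{{ pki_dir }}/haproxy/haproxy.pem` and renders the same hook template (whose two `{% if %}` blocks would then both fire). If only one ACME client is supported per host, add `- not (letsencrypt_acme_install is defined and letsencrypt_acme_install)` to the acme.sh import's condition, or put an `assert:` task ahead of the imports that rejects both flags being set.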
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
- nagios_enabled
|
- nagios_enabled
|
||||||
|
|
||||||
- name: Ensure that haproxy is enabled and started
|
- name: Ensure that haproxy is enabled and started
|
||||||
service: name=haproxy state=started enabled=yes
|
service: name=haproxy state=restarted enabled=yes
|
||||||
when: haproxy_enabled
|
when: haproxy_enabled
|
||||||
ignore_errors: True
|
ignore_errors: True
|
||||||
tags: haproxy
|
tags: haproxy
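Review bot: Changing the service task from `state=started` to `state=restarted` makes every run of the role bounce haproxy unconditionally, even when nothing changed, which drops in-flight connections on each play; and because the task keeps `ignore_errors: True`, a restart that fails (a broken config or an unreadable certificate) is silently swallowed and the play continues with haproxy down. Keep `service: name=haproxy state=started enabled=yes` here and trigger the restart from the tasks that actually change configuration or certificates via a `notify:` handler (using `reloaded` where a zero-downtime reload is enough), and reconsider `ignore_errors` on the task that is supposed to guarantee the service is up. The task name "Ensure that haproxy is enabled and started" also no longer describes what the task does.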
|
||||||
|
|
|
@ -12,8 +12,14 @@ DATE=$( date )
|
||||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||||
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
|
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
|
||||||
|
|
||||||
if [ -f /etc/default/letsencrypt ] ; then
|
{% if letsencrypt_acme_install %}
|
||||||
. /etc/default/letsencrypt
|
LE_ENV_FILE=/etc/default/letsencrypt
|
||||||
|
{% endif %}
|
||||||
|
{% if letsencrypt_acme_sh_install %}
|
||||||
|
LE_ENV_FILE=/etc/default/acme_sh_request_env
|
||||||
|
{% endif %}
|
||||||
|
if [ -f "$LE_ENV_FILE" ] ; then
|
||||||
|
. "$LE_ENV_FILE"
|
||||||
else
|
else
|
||||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
|
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
|
||||||
fi
|
fi
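Review bot: `{% if letsencrypt_acme_install %}` and `{% if letsencrypt_acme_sh_install %}` test the bare variables, but the role only guarantees that one of them exists (main.yml guards each import with `is defined`), and Ansible's templater normally raises on an undefined variable used in a bare `{% if %}`, so rendering this hook on a host that defines only the acme.sh flag would fail on the acmetool line. Use `{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}` and the same form for the acme.sh branch. When both flags are true the second block silently wins because it assigns `LE_ENV_FILE` last; if that is not intended, make the second block an `{% elif %}`. Also, the `else` branch only logs "No letsencrypt default file" and the script carries on, although the later `hapos-upd` call depends on variables sourced from that file; an `exit 1` after the log line would fail closed.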
|
||||||
|
@ -33,7 +39,7 @@ fi
|
||||||
# Run the OCSP stapling script
|
# Run the OCSP stapling script
|
||||||
if [ -x /usr/local/bin/hapos-upd ] ; then
|
if [ -x /usr/local/bin/hapos-upd ] ; then
|
||||||
echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
|
echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
|
||||||
/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
|
/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
|
||||||
else
|
else
|
||||||
echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
|
echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
|
||||||
fi
|
fi
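Review bot: `${LE_CERTS_DIR}/fullchain` now depends on a variable that, as far as this template shows, can only come from the sourced `$LE_ENV_FILE`, and the earlier branch that handles a missing env file only logs and falls through, so when the file is absent (or does not define the variable) `hapos-upd` is invoked with `-v /fullchain`. Fail closed instead: `-v "${LE_CERTS_DIR:?LE_CERTS_DIR not set}/fullchain"` aborts the script with a clear message, or test `[ -n "$LE_CERTS_DIR" ]` before the `if [ -x /usr/local/bin/hapos-upd ]` line and log-and-exit when it is empty. This `if` block is fully inside the hunk; the rest of the hapos-upd arguments are unchanged from the previous template.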
|
||||||
|
|