diff --git a/library/roles/haproxy/README b/library/roles/haproxy/README
deleted file mode 100644
index bf2c67a..0000000
--- a/library/roles/haproxy/README
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# The user of this role will need to write a haproxy.cfg template and install it with a dedicated task. Something like
-
-- name: Configure haproxy
- template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg owner=root group=haproxy mode=0440
- notify: Reload haproxy
- tags: [ 'haproxy', 'haproxy_conf' ]
-
-#
-# Very complex setup that involves varnish. Taken here:
-# https://alohalb.wordpress.com/2012/08/25/haproxy-varnish-and-the-single-hostname-website/
-# For a ssl setup, check here:
-# http://seanmcgary.com/posts/using-sslhttps-with-haproxy
-# https://alohalb.wordpress.com/haproxy/haproxy-and-ssl/
-# https://alohalb.wordpress.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
-# http://blog.haproxy.com/2015/05/06/haproxys-load-balancing-algorithm-for-static-content-delivery-with-varnish/
-# http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
-# https://serversforhackers.com/using-ssl-certificates-with-haproxy
-#
-# Session management workarounds:
-# http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
-# http://serverfault.com/questions/439445/haproxy-my-sessions-are-sort-of-sticky
-#
-# Hints to protect from DDOS or too many legitimate requests
-# http://www.loadbalancer.org/de/blog/black-friday-black-out-protection-with-haproxy
-#
-
-When letsencrypt is enabled, the haproxy configurazion file needs to
-contain not only the https configuration, but also something like:
-
-frontend http
- bind 80
- acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
- use_backend letsencrypt if letsencrypt-request
-
-backend letsencrypt
- mode http
- server letsencrypt 127.0.0.1:9999
-
-Where 9999 is the port where the letsencrypt standalone client will listen to.
diff --git a/library/roles/haproxy/defaults/main.yml b/library/roles/haproxy/defaults/main.yml
deleted file mode 100644
index 9725f4d..0000000
--- a/library/roles/haproxy/defaults/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-haproxy_latest_release: True
-haproxy_version: 1.8
-haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg'
-haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
-haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
-haproxy_pkg_state: latest
-haproxy_enabled: True
-haproxy_k_bind_non_local_ip: True
-
-haproxy_default_port: 80
-haproxy_terminate_tls: False
-haproxy_ssl_port: 443
-haproxy_admin_port: 8880
-haproxy_admin_socket: /run/haproxy/admin.sock
-
-haproxy_letsencrypt_managed: False
-haproxy_cert_dir: '{{ pki_dir }}/haproxy'
-
-haproxy_nagios_check: False
-# It's a percentage
-haproxy_nagios_check_w: 70
-haproxy_nagios_check_c: 90
-
-haproxy_check_interval: 3s
-haproxy_backend_maxconn: 2048
-
-haproxy_sysctl_conntrack_max: 131072
-
diff --git a/library/roles/haproxy/files/check_haproxy_stats b/library/roles/haproxy/files/check_haproxy_stats
deleted file mode 100644
index aed3ce3..0000000
--- a/library/roles/haproxy/files/check_haproxy_stats
+++ /dev/null
@@ -1,225 +0,0 @@
-#!/usr/bin/env perl
-# vim: se et ts=4:
-
-#
-# Copyright (C) 2012, Giacomo Montagner <giacomo@entirelyunlike.net>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the same terms as Perl 5.10.1.
-# For more details, see http://dev.perl.org/licenses/artistic.html
-#
-# This program is distributed in the hope that it will be
-# useful, but without any warranty; without even the implied
-# warranty of merchantability or fitness for a particular purpose.
-#
-
-our $VERSION = "1.0.1";
-
-# CHANGELOG:
-# 1.0.0 - first release
-# 1.0.1 - fixed empty message if all proxies are OK
-#
-
-use strict;
-use warnings;
-use 5.010.001;
-use File::Basename qw/basename/;
-use IO::Socket::UNIX;
-use Getopt::Long;
-
-sub usage {
- my $me = basename $0;
- print <<EOU;
-NAME
- $me - check haproxy stats for errors, using UNIX socket interface
-
-SYNOPSIS
- $me [OPTIONS]
-
-DESCRIPTION
- Get haproxy statistics via UNIX socket and parse information searching for errors.
-
- OPTIONS
- -c, --critical
- Set critical threshold for sessions number (chacks current number of sessions
- against session limit, if enforced) to the specified percentage.
- If no session limit (slim) was specified for the given proxy, this option has
- no effect.
-
- -d, --dump
- Just dump haproxy stats and exit;
-
- -h, --help
- Print this message.
-
- -p, --proxy
- Check only named proxies, not every one. Use comma to separate proxies
- in list.
-
- -s, --sock, --socket
- Use named UNIX socket instead of default (/run/haproxy/admin.sock)
-
- -w, --warning
- Set warning threshold for sessions number to the specified percentage (see -c)
-
-CHECKS AND OUTPUT
- $me checks every proxy (or the named ones, if -p was given)
- for status. It returns an error if any of the checked FRONTENDs is not OPEN,
- any of the checked BACKENDs is not UP, or any of the checkes servers is not UP;
- $me reports any problem it found.
-
-EXAMPLES
- $me -s /var/spool/haproxy/sock
- Use /var/spool/haproxy/sock to communicate with haproxy.
-
- $me -p proxy1,proxy2 -w 60 -c 80
- Check only proxies named "proxy1" and "proxy2", and set sessions number
- thresholds to 60% and 80%.
-
-AUTHOR
- Written by Giacomo Montagner
-
-REPORTING BUGS
- Please report any bug to bugs\@entirelyunlike.net
-
-COPYRIGHT
- Copyright (C) 2012 Giacomo Montagner <giacomo\@entirelyunlike.net>.
- $me is distributed under GPL and the Artistic License 2.0
-
-SEE ALSO
- Check out online haproxy documentation at <http://haproxy.1wt.eu/>
-
-EOU
-}
-
-my %check_statuses = (
- UNK => "unknown",
- INI => "initializing",
- SOCKERR => "socket error",
- L4OK => "layer 4 check OK",
- L4CON => "connection error",
- L4TMOUT => "layer 1-4 timeout",
- L6OK => "layer 6 check OK",
- L6TOUT => "layer 6 (SSL) timeout",
- L6RSP => "layer 6 protocol error",
- L7OK => "layer 7 check OK",
- L7OKC => "layer 7 conditionally OK",
- L7TOUT => "layer 7 (HTTP/SMTP) timeout",
- L7RSP => "layer 7 protocol error",
- L7STS => "layer 7 status error",
-);
-
-my @status_names = (qw/OK WARNING CRITICAL UNKNOWN/);
-
-# Defaults
-my $swarn = 80.0;
-my $scrit = 90.0;
-my $sock = "/run/haproxy/admin.sock";
-my $dump;
-my $proxy;
-my $help;
-
-# Read command line
-Getopt::Long::Configure ("bundling");
-GetOptions (
- "c|critical=i" => \$scrit,
- "d|dump" => \$dump,
- "h|help" => \$help,
- "p|proxy=s" => \$proxy,
- "s|sock|socket=s" => \$sock,
- "w|warning=i" => \$swarn,
-);
-
-# Want help?
-if ($help) {
- usage;
- exit 3;
-}
-
-# Connect to haproxy socket and get stats
-my $haproxy = new IO::Socket::UNIX (
- Peer => $sock,
- Type => SOCK_STREAM,
-);
-die "Unable to connect to haproxy socket: $@" unless $haproxy;
-print $haproxy "show stat\n" or die "Print to socket failed: $!";
-
-# Dump stats and exit if requested
-if ($dump) {
- while (<$haproxy>) {
- print;
- }
- exit 0;
-}
-
-# Get labels from first output line and map them to their position in the line
-my $labels = <$haproxy>;
-chomp($labels);
-$labels =~ s/^# // or die "Data format not supported.";
-my @labels = split /,/, $labels;
-{
- no strict "refs";
- my $idx = 0;
- map { $$_ = $idx++ } @labels;
-}
-
-# Variables I will use from here on:
-our $pxname;
-our $svname;
-our $status;
-
-my @proxies = split ',', $proxy if $proxy;
-my $exitcode = 0;
-my $msg;
-my $checked = 0;
-while (<$haproxy>) {
- chomp;
- next if /^[[:space:]]*$/;
- my @data = split /,/, $_;
- if (@proxies) { next unless grep {$data[$pxname] eq $_} @proxies; };
-
- # Is session limit enforced?
- our $slim;
- if ($data[$slim]) {
- # Check current session # against limit
- our $scur;
- my $sratio = $data[$scur]/$data[$slim];
- if ($sratio >= $scrit || $sratio >= $swarn) {
- $exitcode = $sratio >= $scrit ? 2 :
- $exitcode < 2 ? 1 : $exitcode;
- $msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio;
- }
- }
-
- # Check of BACKENDS
- if ($data[$svname] eq 'BACKEND') {
- if ($data[$status] ne 'UP') {
- $msg .= sprintf "BACKEND: %s is %s; ", $data[$pxname], $data[$status];
- $exitcode = 2;
- }
- # Check of FRONTENDS
- } elsif ($data[$svname] eq 'FRONTEND') {
- if ($data[$status] ne 'OPEN') {
- $msg .= sprintf "FRONTEND: %s is %s; ", $data[$pxname], $data[$status];
- $exitcode = 2;
- }
- # Check of servers
- } else {
- if ($data[$status] ne 'UP') {
- next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run
- $exitcode = 2;
- our $check_status;
- $msg .= sprintf "server: %s:%s is %s", $data[$pxname], $data[$svname], $data[$status];
- $msg .= sprintf " (check status: %s)", $check_statuses{$data[$check_status]} if $check_statuses{$data[$check_status]};
- $msg .= "; ";
- }
- }
- ++$checked;
-}
-
-unless ($msg) {
- $msg = @proxies ? sprintf("checked proxies: %s", join ', ', sort @proxies) : "checked $checked proxies.";
-}
-say "Check haproxy $status_names[$exitcode] - $msg";
-exit $exitcode;
-
diff --git a/library/roles/haproxy/files/haproxy-letsencrypt.sh b/library/roles/haproxy/files/haproxy-letsencrypt.sh
deleted file mode 100644
index a540458..0000000
--- a/library/roles/haproxy/files/haproxy-letsencrypt.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
-LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
-LE_LOG_DIR=/var/log/letsencrypt
-HAPROXY_CERTDIR=/etc/pki/haproxy
-HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
-DATE=$( date )
-echo "$DATE" >> $LE_LOG_DIR/haproxy.log
-
-if [ -f /etc/default/letsencrypt ] ; then
- . /etc/default/letsencrypt
-else
- echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
-fi
-
-[ ! -d $HAPROXY_CERTDIR ] && mkdir $HAPROXY_CERTDIR
-
-echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
-cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
-chmod 440 ${HAPROXY_CERTFILE}
-chgrp haproxy ${HAPROXY_CERTFILE}
-
-echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
-service haproxy reload >/dev/null 2>&1
-echo "Done." >> $LE_LOG_DIR/haproxy.log
-
-exit 0
-
diff --git a/library/roles/haproxy/handlers/main.yml b/library/roles/haproxy/handlers/main.yml
deleted file mode 100644
index a3cb82b..0000000
--- a/library/roles/haproxy/handlers/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- name: Restart haproxy
- service: name=haproxy state=restarted
- when: haproxy_enabled
-
-- name: Reload haproxy
- service: name=haproxy state=reloaded
- when: haproxy_enabled
-
-- name: Reload rsyslog
- service: name=rsyslog state=reloaded
- when: haproxy_enabled
-
diff --git a/library/roles/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml b/library/roles/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
deleted file mode 100644
index aa0cb5b..0000000
--- a/library/roles/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- block:
- - name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
-
- - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
- template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
-
- - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
- shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
- args:
- creates: '{{ pki_dir }}/haproxy/haproxy.pem'
- tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
-
- when: letsencrypt_acme_sh_install
- tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]
diff --git a/library/roles/haproxy/tasks/haproxy-letsencrypt-acmetool.yml b/library/roles/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
deleted file mode 100644
index b8c92de..0000000
--- a/library/roles/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- block:
- - name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
-
- - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
- template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
-
- - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
- shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
- args:
- creates: '{{ pki_dir }}/haproxy/haproxy.pem'
- tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
-
- when: letsencrypt_acme_install
- tags: [ 'haproxy', 'letsencrypt' ]
diff --git a/library/roles/haproxy/tasks/haproxy-nagios.yml b/library/roles/haproxy/tasks/haproxy-nagios.yml
deleted file mode 100644
index 272e0e0..0000000
--- a/library/roles/haproxy/tasks/haproxy-nagios.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: Install the haproxy NRPE nagios check
- copy: src=check_haproxy_stats dest={{ nagios_local_plugdir }}/check_haproxy_stats owner=root group=root mode=0555
- when: haproxy_nagios_check
-
-- name: Install the haproxy NRPE command configuration
- template: src=lb.cfg.j2 dest={{ nrpe_include_dir }}/lb.cfg owner=root group=root mode=0444
- notify: Reload NRPE server
- when: haproxy_nagios_check
-
diff --git a/library/roles/haproxy/tasks/haproxy-service.yml b/library/roles/haproxy/tasks/haproxy-service.yml
deleted file mode 100644
index d310add..0000000
--- a/library/roles/haproxy/tasks/haproxy-service.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-- name: Get the haproxy repo key
- apt_key: url={{ haproxy_repo_key }} state=present
- when: haproxy_latest_release
- tags: haproxy
-
-- name: Define the haproxy repository
- apt_repository: repo='{{ haproxy_ubuntu_latest_repo }}' state=present update_cache=yes
- when:
- - haproxy_latest_release
- - is_ubuntu
- tags: haproxy
-
-- name: Define the haproxy repository
- apt_repository: repo='{{ haproxy_debian_latest_repo }}' state=present update_cache=yes
- when:
- - haproxy_latest_release
- - is_debian
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports update_cache=yes cache_valid_time=3600
- when: not haproxy_latest_release
- register: install_haproxy
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }} update_cache=yes cache_valid_time=3600
- when:
- - haproxy_latest_release
- - is_debian
- register: install_haproxy
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=latest update_cache=yes cache_valid_time=3600
- when:
- - haproxy_latest_release
- - is_ubuntu
- register: install_haproxy
- tags: haproxy
-
-- name: Enable kernel binding non local IP addresses
- sysctl: name={{ item }} value=1 reload=yes state=present
- with_items:
- - net.ipv4.ip_nonlocal_bind
- when: haproxy_k_bind_non_local_ip
- tags: [ 'haproxy', 'haproxy_sysctl' ]
-
-- name: Disable kernel binding non local IP addresses
- sysctl: name={{ item }} value=0 reload=yes state=present
- with_items:
- - net.ipv4.ip_nonlocal_bind
- when: not haproxy_k_bind_non_local_ip
- tags: [ 'haproxy', 'haproxy_sysctl' ]
-
-- name: Increase the connection tracking table capacity
- sysctl: name={{ item }} value={{ haproxy_sysctl_conntrack_max }} reload=yes state=present
- with_items:
- - net.nf_conntrack_max
- when: is_not_debian9
- tags: [ 'haproxy', 'haproxy_sysctl' ]
-
diff --git a/library/roles/haproxy/tasks/haproxy-ssl.yml b/library/roles/haproxy/tasks/haproxy-ssl.yml
deleted file mode 100644
index f873d46..0000000
--- a/library/roles/haproxy/tasks/haproxy-ssl.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- block:
- - name: Install the socat binary needed to talk to the haproxy socket
- apt: name=socat state=latest update_cache=yes cache_valid_time=3600
-
- - name: Install a script that refreshes the OCSP configuration and reloads haproxy if needed
- template: src=hapos-upd.j2 dest=/usr/local/bin/hapos-upd owner=root group=root mode=0755
-
- - name: Install a cron job that refreshes the OCSP configuration
- cron:
- name: "Refresh the haproxy OCSP information"
- user: root
- special_time: daily
- job: "/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} >/var/log/hapos-upd.log 2>&1"
-
- tags: [ 'haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp' ]
-
diff --git a/library/roles/haproxy/tasks/main.yml b/library/roles/haproxy/tasks/main.yml
deleted file mode 100644
index 7b1c7f4..0000000
--- a/library/roles/haproxy/tasks/main.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-- import_tasks: haproxy-service.yml
-- import_tasks: haproxy-letsencrypt-acme-sh.yml
- when:
- - haproxy_letsencrypt_managed
- - letsencrypt_acme_sh_install
-- import_tasks: haproxy-letsencrypt-acmetool.yml
- when:
- - haproxy_letsencrypt_managed
- - letsencrypt_acme_install
-- import_tasks: haproxy-ssl.yml
- when:
- - haproxy_letsencrypt_managed
-
-- import_tasks: haproxy-nagios.yml
- when:
- - nagios_enabled is defined
- - nagios_enabled
-
-- name: Ensure that haproxy is enabled and started
- service: name=haproxy state=restarted enabled=yes
- when: haproxy_enabled
- ignore_errors: True
- tags: haproxy
-
-- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
- service: name=rsyslog state=restarted
- when:
- - haproxy_enabled
- - install_haproxy is changed
- tags: haproxy
-
-- name: Ensure that haproxy is stopped and disabled if needed
- service: name=haproxy state=stopped enabled=no
- when: not haproxy_enabled
- tags: haproxy
diff --git a/library/roles/haproxy/templates/hapos-upd.j2 b/library/roles/haproxy/templates/hapos-upd.j2
deleted file mode 100644
index 4b399bd..0000000
--- a/library/roles/haproxy/templates/hapos-upd.j2
+++ /dev/null
@@ -1,571 +0,0 @@
-#!/bin/bash
-
-# HAProxy OCSP Stapling Updater
-# Copyright (c) 2015 Pier Carlo Chiodi - http://www.pierky.com
-#
-# https://github.com/pierky/haproxy-ocsp-stapling-updater
-
-set -o nounset
-
-VERSION="0.4.1-pre1"
-
-PROGNAME="hapos-upd"
-
-if [ -z ${OPENSSL_BIN+x} ]; then
- OPENSSL_BIN="openssl"
-fi
-
-SOCAT_BIN="socat"
-
-CERT=""
-VAFILE=""
-HAPROXY_ADMIN_SOCKET_DEFAULT="/run/haproxy/admin.sock"
-HAPROXY_ADMIN_SOCKET="$HAPROXY_ADMIN_SOCKET_DEFAULT"
-GOOD_ONLY=0
-SYSLOG_PRIO=""
-DEBUG=0
-KEEP_TEMP=0
-OCSP_URL=""
-OCSP_HOST=""
-VERIFY=1
-TMP=""
-SKIP_UPDATE=0
-PARTIAL_CHAIN=""
-
-function Quit() {
- if [ $KEEP_TEMP -eq 0 ]; then
- if [ -n "$TMP" ]; then
- rm -r $TMP &>/dev/null
- fi
- fi
- exit $1
-}
-
-function LogError() {
- MSG="$1"
-
- if [ -z "$SYSLOG_PRIO" ]; then
- echo "$MSG" >&2
- else
- logger -p "$SYSLOG_PRIO" -s -- "$PROGNAME - $MSG"
- fi
-
- echo "$MSG" >>$TMP/log
-}
-
-function Error() {
- if [ $1 -eq 9 ]; then
- MSG="Error: $2"
- else
- MSG="Error processing '$CERT': $2"
- fi
-
- LogError "$MSG"
-
- if [ $1 -eq 9 ]; then
- echo "Run $PROGNAME -h for help" >&2
- fi
-
- Quit $1
-}
-
-function Debug() {
- if [ $DEBUG -eq 1 ]; then
- echo "$1"
- fi
- echo "$1" >>$TMP/log
-}
-
-function Trap() {
- Debug "Aborting"
- Quit 9
-}
-
-function Usage() {
- echo "
-HAProxy OCSP Stapling Updater - $VERSION
-Copyright (c) 2015 Pier Carlo Chiodi - http://www.pierky.com
-
-https://github.com/pierky/haproxy-ocsp-stapling-updater
-
-Usage:
- $PROGNAME [options] --cert crt_full_path
-
-This script extracts and queries the OCSP server present in a
-certificate to obtain its revocation status, then updates HAProxy by
-writing the '.issuer' and the '.ocsp' files and by sending it the
-'set ssl ocsp-response' command through the local UNIX admin socket.
-
-The crt_full_path argument is the full path to the certificate bundle
-used in haproxy 'crt' setting. End-entity (EE) certificate plus any
-intermediate CA certificates must be concatenated there.
-An OCSP query is sent to the OCSP server given on the command line
-(--ocsp-url and --ocsp-host argument); if these arguments are missing,
-URL and Host header values are automatically extracted from the
-certificate.
-If the '.issuer' file already exists it's used to build the OCSP
-request, otherwise the chain is extracted from crt_full_path and used
-to identify the issuer.
-Finally, it writes the related '.issuer' and .'ocsp' files and updates
-haproxy, using 'socat' and the local UNIX socket (--socket argument,
-default $HAPROXY_ADMIN_SOCKET_DEFAULT).
-
-Exit codes:
- 0 OK
- 1 openssl certificates handling error
- 2 OCSP server URL not found
- 3 string parsing / PEM manipulation error
- 4 OCSP error
- 5 haproxy management error
- 9 program error (wrong arguments, missing dependencies)
-
-Options:
-
- -d, --debug : don't do anything, print debug messages only.
-
- --keep-temp : keep temporary directory after exiting (for
- debug purposes).
-
- -g, --good-only : do not update haproxy if OCSP response
- certificate status value is not 'good'.
-
- -l, --syslog priority : log errors to syslog system log module.
- The priority may be specified numerically
- or as a facility.level pair (e.g.
- local7.error).
-
- --ocsp-url url : OCSP server URL; use this instead of the
- one in the EE certificate.
-
- --ocsp-host host : OCSP server hostname to be used in the
- 'Host:' header; use this instead of the one
- extracted from the OCSP server URL.
-
- --partial-chain : Allow partial certificate chain if at least one certificate
- is in trusted store. Useful when validating an intermediate
- certificate without the root CA.
-
- -s, --socket file : haproxy admin socket. If omitted,
- $HAPROXY_ADMIN_SOCKET_DEFAULT is used by default.
- This script is distributed with only one
- method to update haproxy: using 'socat'
- with a local admin-level UNIX socket.
- Feel free to implement other mechanisms as
- needed! The right section in the code is
- \"UPDATE HAPROXY\", at the end of the script.
-
- -v, --VAfile file : same as the openssl ocsp -VAfile option
- with 'file' as argument. For more details:
- 'man ocsp'.
- If file = \"-\" then the chain extracted
- from the certificate's bundle (or .issuer
- file) is used (useful for OCSP responses
- that don't include the signer certificate).
-
- --noverify : Do not verify OCSP response.
-
- -S, --skip-update : Do not notify haproxy of the new OCSP response.
-
- -h, --help : this help."
-}
-
-trap Trap INT TERM
-
-TMP="`mktemp -d -q -t $PROGNAME.XXXXXXXXXX`"
-
-# COMMAND LINE PROCESSING
-# ----------------------------------
-
-while [[ $# > 0 ]]
-do
-
- case "$1" in
- -h|--help)
- Usage
- Quit 0
- ;;
-
- -d|--debug)
- DEBUG=1
- ;;
-
- --keep-temp)
- KEEP_TEMP=1
- ;;
-
- -g|--good-only)
- GOOD_ONLY=1
- ;;
-
- --noverify)
- VERIFY=0
- ;;
-
- --partial-chain)
- PARTIAL_CHAIN="-partial_chain"
- ;;
-
- -l|--syslog)
- if [ $# -le 1 ]; then
- Error 9 "mandatory value is missing for $1 argument"
- fi
- SYSLOG_PRIO="$2"
- shift
- ;;
-
- --ocsp-url)
- if [ $# -le 1 ]; then
- Error 9 "mandatory value is missing for $1 argument"
- fi
- OCSP_URL="$2"
- shift
- ;;
-
- --ocsp-host)
- if [ $# -le 1 ]; then
- Error 9 "mandatory value is missing for $1 argument"
- fi
- OCSP_HOST="$2"
- shift
- ;;
-
- -c|--cert)
- if [ $# -le 1 ]; then
- Error 9 "mandatory value is missing for $1 argument"
- fi
- CERT="$2"
- shift
- ;;
-
- -v|--VAfile)
- if [ $# -le 1 ]; then
- Error 9 "mandatory value is missing for $1 argument"
- fi
- VAFILE="$2"
- if [ "$VAFILE" == "-" ]; then
- VAFILE="$TMP/chain.pem"
- else
- if [ ! -e "$VAFILE" ]; then
- Error 9 "VAfile does not exists: $VAFILE"
- fi
- fi
- shift
- ;;
-
- -s|--socket)
- if [ $# -le 1 ]; then
- Error 9 "mandatory value is missing for $1 argument"
- fi
- HAPROXY_ADMIN_SOCKET="$2"
- shift
- ;;
-
- -S|--skip-update)
- SKIP_UPDATE=1
- ;;
-
- *)
- Error 9 "unknown option: $1"
- esac
-
- shift
-done
-
-Debug "Temporary directory: $TMP"
-
-$OPENSSL_BIN version | grep OpenSSL &>>$TMP/log
-
-if [ $? -ne 0 ]; then
- Error 9 "openssl binary not found; adjust OPENSSL_BIN variable in the script"
-fi
-
-$SOCAT_BIN -V | grep socat &>>$TMP/log
-
-if [ $? -ne 0 ]; then
- Error 9 "socat binary not found; adjust SOCAT_BIN variable in the script"
-fi
-
-if [ -z "$CERT" ]; then
- Error 9 "certificate not provided (--cert argument)"
-fi
-
-# CURRENT RESPONSE EXPIRED?
-# ----------------------------------
-
-ISNEW=1
-if [ -e $CERT.ocsp ]; then
- ISNEW=0
- Debug "An OCSP response already exists: checking its expiration."
-
- $OPENSSL_BIN ocsp -respin $CERT.ocsp -text -noverify | \
- grep "Next Update:" &>>$TMP/log
-
- if [ $? -eq 0 ]; then
- CURR_EXP=`$OPENSSL_BIN ocsp -respin $CERT.ocsp -text -noverify | grep "Next Update:" | cut -d ':' -f 2-`
- CURR_EXP_EPOCH=`date --date="$CURR_EXP" +%s`
-
- if [ $? -ne 0 ]; then
- Error 3 "can't parse Next Update from current OCSP response"
- fi
-
- if [ $CURR_EXP_EPOCH -lt `date +%s` ]; then
- Debug "Current OCSP response expiration: $CURR_EXP - expired"
- LogError "current OCSP response is expired: please consider running this script more frequently"
- else
- Debug "Current OCSP response expiration: $CURR_EXP - NOT expired"
- fi
- fi
-fi
-
-# EXTRACT EE CERTIFICATE INFO
-# ----------------------------------
-
-# extract EE certificate
-$OPENSSL_BIN x509 -in $CERT -outform PEM -out $TMP/ee.pem &>>$TMP/log
-
-if [ $? -ne 0 ]; then
- Error 1 "can't extract EE certificate from $CERT"
-fi
-
-# get OCSP server URL
-if [ -z "$OCSP_URL" ]; then
- OCSP_URL="`$OPENSSL_BIN x509 -in $TMP/ee.pem -ocsp_uri -noout`"
-
- if [ $? -ne 0 ]; then
- Error 1 "can't obtain OCSP server URL from $CERT"
- fi
-
- if [ -z "$OCSP_URL" ]; then
- Error 2 "OCSP server URL not found in the EE certificate"
- fi
-
- Debug "OCSP server URL found: $OCSP_URL"
-else
- Debug "Using OCSP server URL from command line: $OCSP_URL"
-fi
-
-# check OCSP server URL format (http:// or https://)
-echo "$OCSP_URL" | egrep -i "(http://|https://)" &>/dev/null
-
-if [ $? -ne 0 ]; then
- Error 3 "OCSP server URL not in http[s]:// format"
-fi
-
-# get OCSP server URL host name
-if [ -z "$OCSP_HOST" ]; then
- OCSP_HOST="`echo "$OCSP_URL" | egrep -i "(http://|https://)" | cut -d'/' -f 3`"
-
- if [ $? -ne 0 -o -z "$OCSP_HOST" ]; then
- Error 3 "can't extract hostname from OCSP server URL $OCSP_URL"
- fi
-
- Debug "OCSP server hostname: $OCSP_HOST"
-else
- Debug "Using OCSP server hostname from command line: $OCSP_HOST"
-fi
-
-# EXTRACT CHAIN INFO
-# ----------------------------------
-
-if [ -e $CERT.issuer ]; then
- Debug "Using existing chain ($CERT.issuer)"
-
- # copy .issuer file to temporary chain.pem
- cp $CERT.issuer $TMP/chain.pem &>>$TMP/log
-
- if [ $? -ne 0 ]; then
- Error 3 "can't copy current chain from $CERT.issuer"
- fi
-else
- Debug "Extracting chain from certificates bundle"
-
- # get EE certificate's fingerprint
- FP_EE="`$OPENSSL_BIN x509 -fingerprint -noout -in $TMP/ee.pem`"
-
- if [ $? -ne 0 -o -z "$FP_EE" ]; then
- Error 1 "can't obtain EE certificate's fingerprint"
- fi
-
- Debug "EE certificate's fingerprint: $FP_EE"
-
- # get BEGIN CERTIFICATE and END CERTIFICATE separators
- PEM_BEGIN_CERT="`head $TMP/ee.pem -n 1`"
- PEM_END_CERT="`tail $TMP/ee.pem -n 1`"
-
- # get number of certificates in the bundle file
- NUM_OF_CERTS=`cat $CERT | grep -e "$PEM_BEGIN_CERT" | wc -l`
-
- if [ $NUM_OF_CERTS -le 1 ]; then
- Error 3 "can't obtain the number of certificates in the chain"
- fi
-
- Debug "$NUM_OF_CERTS certificates found in the bundle"
-
- # save each certificate in the bundle into $TMP/chain-X.pem
- cat $CERT | \
- sed -n -e "/$PEM_BEGIN_CERT/,/$PEM_END_CERT/p" | \
- awk "/$PEM_BEGIN_CERT/{x=\"$TMP/chain-\" ++i \".pem\";}{print > x;}" &>>$TMP/log
-
- if [ $? -ne 0 ]; then
- Error 3 "can't extract certificates from bundle"
- fi
-
- # for each certificate that is extracted from the bundle check if
- # it's the EE certificate, otherwise uses it to build the chain file
- for c in `seq 1 $NUM_OF_CERTS`;
- do
- # check fingerprint of current and EE certificates
- FP="`$OPENSSL_BIN x509 -fingerprint -noout -in $TMP/chain-$c.pem`"
- if [ $? -ne 0 -o -z "$FP" ]; then
- Error 1 "can't obtain the fingerprint of the certificate n. $c in the bundle"
- else
- if [ ! "$FP" == "$FP_EE" ]; then
- Debug "Bundle certificate n. $c fingerprint: $FP - it's part of the chain"
-
- # current certificate is not the same as the EE; append to the chain
- cat $TMP/chain-$c.pem >> $TMP/chain.pem
- else
- Debug "Bundle certificate n. $c fingerprint: $FP - EE certificate"
- fi
- fi
- done
-fi
-
-# check if the EE certificate validates against the chain
-$OPENSSL_BIN verify $PARTIAL_CHAIN -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log
-
-if [ $? -ne 0 ]; then
- if [ -e $CERT.issuer ]; then
- Error 1 "can't validate the EE certificate against the existing chain; if it has been changed recently consider removing the current $CERT.issuer file and let this script to figure out a new one"
- else
- Error 1 "can't validate the EE certificate against the extracted chain"
- fi
-fi
-
-# OCSP
-# ----------------------------------
-
-# query the OCSP server and save its response
-
-$OPENSSL_BIN version | grep "OpenSSL 1.0" &>/dev/null
-if [ $? -eq 0 ]; then
- # OpenSSL 1.0.x
-
- $OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
- -respout $TMP/ocsp.der -noverify \
- -no_nonce -url $OCSP_URL -header "Host" "$OCSP_HOST" &>>$TMP/log
-else
- $OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
- -respout $TMP/ocsp.der -noverify \
- -no_nonce -url $OCSP_URL -header "Host=$OCSP_HOST" &>>$TMP/log
-fi
-
-if [ $? -ne 0 ]; then
- Error 1 "can't receive the OCSP server response"
-fi
-
-# process the OCSP response
-VERIFYOPT=""
-if [ $VERIFY -eq 0 ]; then
- VERIFYOPT="-noverify"
-fi
-if [ -z "$VAFILE" ]; then
- $OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
- -respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
- -out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
-else
- $OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
- -respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
- -VAfile $VAFILE \
- -out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
-fi
-
-if [ $? -ne 0 ]; then
- Error 1 "can't receive OCSP response"
-fi
-
-if [ $VERIFY -eq 1 ]; then
- Debug "OCSP response verification results: `cat $TMP/ocsp-verify.txt`"
-
- cat $TMP/ocsp-verify.txt | grep "Response verify OK" &>>$TMP/log
-
- if [ $? -ne 0 ]; then
- grep "signer certificate not found" $TMP/ocsp-verify.txt &>/dev/null
-
- if [ $? -eq 0 ]; then
- Error 4 "OCSP response verification failure: signer certificate not found; try with '--VAfile -' or '--VAfile OCSP-response-signing-certificate-file' arguments"
- else
- Error 4 "OCSP response verification failure."
- fi
- fi
-fi
-
-Debug "OCSP response: `cat $TMP/ocsp.txt`"
-
-if [ $GOOD_ONLY -eq 1 ]; then
- cat $TMP/ocsp.txt | head -n 1 | grep ": good" &>>$TMP/log
-
- if [ $? -ne 0 ]; then
- Error 4 "OCSP response, certificate status not good"
- fi
-fi
-
-# UPDATE HAPROXY
-# ----------------------------------
-
-# Status:
-# - $TMP/ocsp.der contains the OCSP response, DER format
-# - $TMP/ocsp.txt contains the textual OCSP response as produced
-# by openssl
-# - the OCSP response has been verified against the chain or
-# the --VAfile
-
-if [ $DEBUG -eq 0 ]; then
- # update .ocsp and .issuer files
-
- cp $TMP/ocsp.der $CERT.ocsp &>>$TMP/log
-
- if [ $? -ne 0 ]; then
- Error 5 "can't update $CERT.ocsp file"
- fi
-
- if [ ! -e $CERT.issuer ]; then
- cp $TMP/chain.pem $CERT.issuer &>>$TMP/log
-
- if [ $? -ne 0 ]; then
- Error 5 "can't update $CERT.issuer file"
- fi
- fi
-
- if [ $SKIP_UPDATE -eq 0 ]; then
- if [ $ISNEW -eq 1 ]; then
- # no .ocsp file found, maybe it's an initial run
- Debug "Reloading haproxy."
-
- service haproxy reload
-
- if [ $? -ne 0 ]; then
- Error 5 "can't reload haproxy with 'service haproxy reload'"
- fi
- else
- # update haproxy via local UNIX socket
- Debug "Updating haproxy."
-
- echo "set ssl ocsp-response `base64 -w 0 $TMP/ocsp.der`" | $SOCAT_BIN stdio $HAPROXY_ADMIN_SOCKET &>>$TMP/log
-
- if [ $? -ne 0 ]; then
- Error 5 "can't update haproxy ssl ocsp-response using $HAPROXY_ADMIN_SOCKET socket"
- fi
- fi
- else
- Debug "Not notifying haproxy because skip-update is set."
- fi
-
-else
- Debug "Debug mode: haproxy update skipped."
-fi
-
-# remove temporary files and quit with success
-Quit 0
-
-# vim: set tabstop=4 shiftwidth=4 expandtab:
diff --git a/library/roles/haproxy/templates/haproxy-letsencrypt-acme.sh.j2 b/library/roles/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
deleted file mode 100644
index 1aaa92b..0000000
--- a/library/roles/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/bash
-
-H_NAME="{{ letsencrypt_acme_sh_certs_data_prefix }}"
-LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
-LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
-LE_LOG_DIR=/var/log/letsencrypt
-HAPROXY_CERTDIR=/etc/pki/haproxy
-HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
-DATE=$( date )
-
-[ ! -d $HAPROXY_CERTDIR ] && mkdir -p $HAPROXY_CERTDIR
-[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
-echo "$DATE" >> $LE_LOG_DIR/haproxy.log
-
-{% if letsencrypt_acme_install %}
-LE_ENV_FILE=/etc/default/letsencrypt
-{% endif %}
-{% if letsencrypt_acme_sh_install %}
-LE_ENV_FILE=/etc/default/acme_sh_request_env
-{% endif %}
-if [ -f "$LE_ENV_FILE" ] ; then
- . "$LE_ENV_FILE"
-else
- echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
-fi
-
-echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
-cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}
-chmod 440 ${HAPROXY_CERTFILE}
-chgrp haproxy ${HAPROXY_CERTFILE}
-
-echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
-if [ -x /bin/systemctl ] ; then
- systemctl reload haproxy >> $LE_LOG_DIR/haproxy.log 2>&1
-else
- service haproxy reload >> $LE_LOG_DIR/haproxy.log 2>&1
-fi
-
-# Run the OCSP stapling script
-if [ -x /usr/local/bin/hapos-upd ] ; then
- echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
- /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
-else
- echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
-fi
-
-echo "Done." >> $LE_LOG_DIR/haproxy.log
-
-exit 0
-
diff --git a/library/roles/haproxy/templates/lb.cfg.j2 b/library/roles/haproxy/templates/lb.cfg.j2
deleted file mode 100644
index 509d441..0000000
--- a/library/roles/haproxy/templates/lb.cfg.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# Check the haproxy backends status
-command[lb_check_bk_status]=/usr/bin/sudo {{ nagios_local_plugdir }}/check_haproxy_stats -s {{ haproxy_admin_socket }} -w {{ haproxy_nagios_check_w }} -c {{ haproxy_nagios_check_c }}
-
-
diff --git a/library/roles/mediawiki/defaults/main.yml b/library/roles/mediawiki/defaults/main.yml
deleted file mode 100644
index e9cc4a0..0000000
--- a/library/roles/mediawiki/defaults/main.yml
+++ /dev/null
@@ -1,73 +0,0 @@
----
-#
-# This playbook depends on the php-fpm, mysql role and nginx
-#
-mw_install_from_package: False
-# Distribution packages are always obsolete
-mw_install_from_tar: True
-mw_version: 1.33
-mw_minor_minor: 0
-mw_download_url: http://releases.wikimedia.org/mediawiki/{{ mw_version }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}.tar.gz
-mw_download_dir: /srv/mediawiki
-mw_install_dir: /var/www/html
-mw_conf_dir: /etc/mediawiki
-mw_servername: '{{ ansible_fqdn }}'
-mw_db_host: localhost
-mw_db_table_prefix: 'mw_'
-
-mw_local_nginx_virtualhost: '{{ mw_local_nginx }}'
-mw_context: wiki
-mw_doc_root: '{{ mw_install_dir }}/{{ mw_context }}'
-mw_wiki_servername: '{{ ansible_fqdn }}'
-mw_wiki_name: 'Mediawiki Installation'
-
-mw_upload_subdirs:
- - archive
- - thumb
- - temp
-
-mw_local_mysql: True
-mw_local_nginx: True
-mw_local_memcached: True
-mw_memcached_hosts: '"127.0.0.1:11211"'
-
-mw_db_name: mediawiki
-mw_db_user: mediawiki_u
-# mw_db_pwd: 'use a vault file'
-mw_system_user: mwiki
-# mw_admin_pwd: 'use a vault file'
-# mw_secret_key: 'use a vault file'
-
-mw_mysql_db_data:
- - { name: '{{ mw_db_name }}', user: '{{ mw_db_user }}', pwd: '{{ mw_db_pwd }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user_grant: 'ALL', allowed_hosts: [ '{{ ansible_fqdn }}/32', '127.0.0.1/8', 'localhost' ] }
-
-mw_id: 'wiki'
-mw_uri: '/wiki'
-mw_http_port: 80
-mw_https_port: 443
-
-mw_php_version: 7.2
-
-mw_php_additional_packages:
- - 'php{{ php_version }}-mbstring'
- - 'php{{ php_version }}-xmlrpc'
- - 'php{{ php_version }}-soap'
- - 'php{{ php_version }}-gd'
- - 'php{{ php_version }}-xml'
- - 'php{{ php_version }}-intl'
- - 'php{{ php_version }}-mysql'
- - 'php{{ php_version }}-cli'
- - 'php{{ php_version }}-zip'
- - 'php{{ php_version }}-curl'
- - php-apcu
- - php-wikidiff2
- - imagemagick
- - php-imagick
-
-mw_phpfpm_pools:
- - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', admin_write: True, doc_root: '{{ mw_doc_root }}', virthost: '{{ mw_context }}' }
-
-# This choice is not recommended. The package has a poor list of dependencies. We do not want to deal with those
-mw_package:
- - mediawiki
-
diff --git a/library/roles/mediawiki/meta/main.yml b/library/roles/mediawiki/meta/main.yml
deleted file mode 100644
index 0fc58a0..0000000
--- a/library/roles/mediawiki/meta/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-dependencies:
- - { role: '../../library/roles/mysql', when: mw_local_mysql | bool }
- - role: '../../library/roles/php-fpm'
- - { role: '../../library/roles/memcached', when: mw_local_memcached | bool }
- - { role: '../../library/roles/nginx', when: mw_local_nginx | bool }
diff --git a/library/roles/mediawiki/tasks/main.yml b/library/roles/mediawiki/tasks/main.yml
deleted file mode 100644
index 93bae4e..0000000
--- a/library/roles/mediawiki/tasks/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-- name: Ensure that the download and install dirs exist
- file: path={{ item }} state=directory
- with_items:
- - '{{ mw_download_dir }}'
- - '{{ mw_install_dir }}'
- tags: mediawiki
-
-- name: Download the mediawiki tar file
- get_url: url={{ mw_download_url }} dest={{ mw_download_dir }}
- when:
- - not mw_install_from_package
- - mw_install_from_tar
- tags: mediawiki
-
-- name: Unpack the mediawiki tar file
- unarchive: copy=no src={{ mw_download_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}.tar.gz dest={{ mw_download_dir }}
- args:
- creates: '{{ mw_download_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}/INSTALL'
- when: mw_install_from_tar
- tags: mediawiki
-
-- name: Move the mediawiki files to the right place
- command: cp -a {{ mw_download_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }} {{ mw_doc_root }}
- args:
- creates: '{{ mw_doc_root }}/index.php'
- when: mw_install_from_tar
- tags: mediawiki
-
-- name: Create the images subdirs
- file: dest={{ mw_doc_root }}/images/{{ item }} state=directory
- with_items: '{{ mw_upload_subdirs }}'
- tags: mediawiki
-
-- name: Set the correct ownership of the mediawiki files
- file: dest={{ mw_doc_root }} owner={{ item.user }} group={{ item.group }} recurse=yes state=directory
- with_items: '{{ phpfpm_pools }}'
- tags: mediawiki
-
-- name: Create the mediawiki conf dir
- file: path={{ mw_conf_dir }} state=directory
- tags: mediawiki
-
-- block:
-
- - name: Check if the mediawiki instance has been initialized already
- stat: path={{ mw_doc_root }}/.mwinitialized
- register: mw_init
-
- tags: [ 'mediawiki', 'mediawiki_init' ]
-
-- block:
- - name: Create a file with the DB password
- template: src=mw_db_passwd.j2 dest=/tmp/mw_db_passwd owner=root group=root mode=0400
-
- - name: Create a file with the admin password
- template: src=mw_admin_passwd.j2 dest=/tmp/mw_admin_passwd owner=root group=root mode=0400
-
- - name: Initialize the mediawiki instance
- shell: cd {{ mw_doc_root }} ; php maintenance/install.php --confpath {{ mw_conf_dir }} --dbname {{ mw_db_name }} --dbprefix {{ mw_db_table_prefix }} --dbuser {{ mw_db_user }} --dbpassfile /tmp/mw_db_passwd --with-extensions --scriptpath {{ mw_uri }} --passfile /tmp/mw_admin_passwd --wiki {{ mw_id }} --dbserver {{ mw_db_host }} --dbtype mysql --server https://{{ mw_wiki_servername }} "{{ mw_wiki_name }}" {{ mw_system_user }} && touch {{ mw_doc_root }}/.mwinitialized ; rm -f /tmp/mw_db_passwd /tmp/mw_admin_passwd
- args:
- creates: '{{ mw_doc_root }}/.mwinitialized'
-
- when: mw_init.stat.exists is defined and not mw_init.stat.exists
- tags: [ 'mediawiki', 'mediawiki_init' ]
diff --git a/library/roles/mediawiki/templates/mw_admin_passwd.j2 b/library/roles/mediawiki/templates/mw_admin_passwd.j2
deleted file mode 100644
index 6feb1bd..0000000
--- a/library/roles/mediawiki/templates/mw_admin_passwd.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ mw_admin_pwd }}
diff --git a/library/roles/mediawiki/templates/mw_db_passwd.j2 b/library/roles/mediawiki/templates/mw_db_passwd.j2
deleted file mode 100644
index 3ba0cf3..0000000
--- a/library/roles/mediawiki/templates/mw_db_passwd.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ mw_db_pwd }}
diff --git a/library/roles/mediawiki/vars/main.yml b/library/roles/mediawiki/vars/main.yml
deleted file mode 100644
index 0c9fd81..0000000
--- a/library/roles/mediawiki/vars/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-http_port: '{{ mw_http_port }}'
-https_port: '{{ mw_https_port }}'
-
-php_version: '{{ mw_php_version }}'
-
-php_additional_packages: '{{ mw_php_additional_packages }}'
-
-mysql_db_data: '{{ mw_mysql_db_data }}'
-
-phpfpm_default_pool_name: '{{ mw_system_user }}'
-phpfpm_default_user: '{{ mw_system_user }}'
-
-phpfpm_pools: '{{ mw_phpfpm_pools }}'
diff --git a/library/roles/prometheus-haproxy-exporter/defaults/main.yml b/library/roles/prometheus-haproxy-exporter/defaults/main.yml
deleted file mode 100644
index ca053ce..0000000
--- a/library/roles/prometheus-haproxy-exporter/defaults/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-prometheus_h_e_install: True
-prometheus_h_e_version: 0.9.0
-prometheus_h_e_dir: 'haproxy_exporter-{{ prometheus_h_e_version }}.linux-amd64'
-prometheus_h_e_file: '{{ prometheus_h_e_dir }}.tar.gz'
-prometheus_h_e_download_url: 'https://github.com/prometheus/haproxy_exporter/releases/download/v{{ prometheus_h_e_version }}/{{ prometheus_h_e_file }}'
-prometheus_h_e_user: prometheus
-prometheus_h_e_home: /opt/prometheus
-prometheus_h_e_dist_dir: '{{ prometheus_h_e_home }}/dist'
-prometheus_h_e_logdir: '/var/log/prometheus-haproxy-exporter'
-prometheus_h_e_cmd: '{{ prometheus_h_e_dist_dir }}/{{ prometheus_h_e_dir }}/haproxy_exporter'
-prometheus_h_e_port: 9101
-prometheus_h_e_loglevel: info
-prometheus_h_e_haproxy_pid: '/run/haproxy.pid'
-prometheus_h_e_haproxy_stats_port: 8881
-prometheus_h_e_opts: '--web.listen-address=":{{ prometheus_h_e_port }}" --log.level={{ prometheus_h_e_loglevel }} --haproxy.pid-file="{{ prometheus_h_e_haproxy_pid }}" --haproxy.scrape-uri="http://localhost:{{ prometheus_h_e_haproxy_stats_port }}/;csv"'
-# List the additional options here
-prometheus_h_e_additional_opts: ''
diff --git a/library/roles/prometheus-haproxy-exporter/handlers/main.yml b/library/roles/prometheus-haproxy-exporter/handlers/main.yml
deleted file mode 100644
index a07bf56..0000000
--- a/library/roles/prometheus-haproxy-exporter/handlers/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: systemd reload
- command: systemctl daemon-reload
-
-- name: Restart haproxy exporter
- service: name=haproxy_exporter state=restarted
-
diff --git a/library/roles/prometheus-haproxy-exporter/tasks/main.yml b/library/roles/prometheus-haproxy-exporter/tasks/main.yml
deleted file mode 100644
index 6c33256..0000000
--- a/library/roles/prometheus-haproxy-exporter/tasks/main.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-- block:
- - name: Create the user under the haproxy exporter will run
- user: name={{ prometheus_h_e_user }} home={{ prometheus_h_e_home }} createhome=no shell=/usr/sbin/nologin system=yes
-
- - name: Create the prometheus haproxy exporter base directory
- file: dest={{ item }} state=directory owner=root group=root
- with_items:
- - '{{ prometheus_h_e_home }}'
- - '{{ prometheus_h_e_dist_dir }}'
-
- - name: Create the prometheus haproxy exporter log directory
- file: dest={{ prometheus_h_e_logdir }} state=directory owner={{ prometheus_h_e_user }} group={{ prometheus_h_e_user }}
-
- - name: Download the prometheus haproxy exporter
- get_url: url={{ prometheus_h_e_download_url }} dest=/srv/
-
- - name: Unarchive the prometheus distribution
- unarchive: src=/srv/{{ prometheus_h_e_file }} dest={{ prometheus_h_e_dist_dir }} remote_src=yes owner=root group=root
- args:
- creates: '{{ prometheus_h_e_dist_dir }}/{{ prometheus_h_e_dir }}/haproxy_exporter'
- notify: Restart haproxy exporter
-
- - name: Install the prometheus haproxy exporter upstart script
- template: src=haproxy_exporter.upstart.j2 dest=/etc/init/haproxy_exporter.conf mode=0644 owner=root group=root
- when: ansible_service_mgr != 'systemd'
-
- - name: Install the prometheus haproxy exporter systemd unit
- template: src=haproxy_exporter.systemd.j2 dest=/etc/systemd/system/haproxy_exporter.service mode=0644 owner=root group=root
- when: ansible_service_mgr == 'systemd'
- notify: systemd reload
-
- - name: Ensure that prometheus haproxy_exporter is started and enabled
- service: name=haproxy_exporter state=started enabled=yes
-
- tags: [ 'prometheus', 'haproxy_exporter' ]
- when: prometheus_h_e_install
-
-- block:
- - name: Ensure that prometheus haproxy_exporter is stopped and disabled
- service: name=haproxy_exporter state=stopped enabled=no
-
- - name: Remove prometheus haproxy exporter upstart script
- file: dest=/etc/init/haproxy_exporter.conf state=absent
- when: ansible_service_mgr != 'systemd'
-
- - name: Remove the prometheus haproxy exporter systemd unit
- file: dest=/etc/systemd/system/haproxy_exporter.service state=absent
- when: ansible_service_mgr == 'systemd'
- notify: systemd reload
-
- tags: [ 'prometheus', 'haproxy_exporter' ]
- when: not prometheus_h_e_install
diff --git a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.systemd.j2 b/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.systemd.j2
deleted file mode 100644
index b070374..0000000
--- a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.systemd.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=haproxy_exporter - Prometheus exporter for haproxy metrics and stats.
-After=network.target
-
-[Service]
-Type=simple
-Restart=on-failure
-
-User={{ prometheus_h_e_user }}
-Group={{ prometheus_h_e_user }}
-
-ExecStart={{ prometheus_h_e_cmd }} {{ prometheus_h_e_opts }} {{ prometheus_h_e_additional_opts }}
-
-[Install]
-WantedBy=multi-user.target
-Alias=prometheus_haproxy_exporter.service
-
diff --git a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.upstart.j2 b/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.upstart.j2
deleted file mode 100644
index f95929f..0000000
--- a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.upstart.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-description "Prometheus haproxy exporter"
-start on (local-filesystems and net-device-up IFACE!=lo)
-stop on runlevel [016]
-
-respawn
-respawn limit 10 5
-setuid {{ prometheus_h_e_user }}
-setgid {{ prometheus_h_e_user }}
-
-script
- exec {{ prometheus_h_e_cmd }} {{ prometheus_h_e_opts }} {{ prometheus_h_e_additional_opts }} > {{ prometheus_h_e_logdir }}/haproxy_exporter.log 2>&1
-end script