library/roles/letsencrypt-acmetool-client/defaults/main.yml: Fix the hooks path

library/roles/haproxy: Scripts and tasks to add support for the acme letsencrypt tool.

haproxy/README

@@ -23,4 +23,18 @@
 #
 # Hints to protect from DDOS or too many legitimate requests
 # http://www.loadbalancer.org/de/blog/black-friday-black-out-protection-with-haproxy
-#
+#
+
+When letsencrypt is enabled, the haproxy configurazion file needs to
+contain not only the https configuration, but also something like:
+
+frontend http
+         bind 80
+         acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
+         use_backend letsencrypt if letsencrypt-request
+
+backend letsencrypt
+        mode http
+        server letsencrypt 127.0.0.1:9999
+
+Where 9999 is the port where the letsencrypt standalone client will listen to.

haproxy/defaults/main.yml

@@ -13,3 +13,4 @@ haproxy_ssl_port: 443
 haproxy_admin_port: 8880
 
 haproxy_letsencrypt_managed: False
+

haproxy/files/haproxy-letsencrypt-acme.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
+LE_LOG_DIR=/var/log/letsencrypt
+HAPROXY_CERTDIR=/etc/pki/certs
+HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/haproxy.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+    . /etc/default/letsencrypt
+else
+    echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
+fi
+
+echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
+cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}
+chmod 440 ${HAPROXY_CERTFILE}
+chgrp haproxy ${HAPROXY_CERTFILE}
+
+echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
+service haproxy reload >/dev/null 2>&1
+echo "Done." >> $LE_LOG_DIR/haproxy.log
+
+exit 0
+

haproxy/tasks/haproxy-letsencrypt.yml

@@ -1,6 +1,15 @@
 ---
 - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
   copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
-  when: haproxy_letsencrypt_managed
+  when:
+    - haproxy_letsencrypt_managed
+    - letsencrypt_install
+  tags: [ 'haproxy', 'letsencrypt' ]
+
+- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+  copy: src=haproxy-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550
+  when:
+    - haproxy_letsencrypt_managed
+    - letsencrypt_acme_install
   tags: [ 'haproxy', 'letsencrypt' ]
 

letsencrypt-acmetool-client/defaults/main.yml

@@ -10,7 +10,7 @@ letsencrypt_acme_command: acmetool
 letsencrypt_acme_command_opts: '--batch --xlog.syslog --xlog.severity=info'
 letsencrypt_acme_config_dir: '{{ letsencrypt_acme_user_home }}/conf'
 letsencrypt_acme_certsconf_dir: '{{ letsencrypt_acme_user_home }}/desired'
-letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_config_dir }}/live/{{ ansible_fqdn }}'
+letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}'
 # The various services maintainers need to put the reconfigure/restart scripts there
 letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks