From 3085c6b817fc153b157aad6a734caf494ce2052d Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 14 Apr 2016 19:31:02 +0200
Subject: [PATCH] library/roles/letsencrypt-acmetool-client/defaults/main.yml: Fix the hooks path library/roles/haproxy: Scripts and tasks to add support for the acme letsencrypt tool.
---
 haproxy/README | 16 +++++++++-
 haproxy/defaults/main.yml | 1 +
 haproxy/files/haproxy-letsencrypt-acme.sh | 29 +++++++++++++++++++
 haproxy/tasks/haproxy-letsencrypt.yml | 11 ++++++-
 letsencrypt-acmetool-client/defaults/main.yml | 2 +-
 5 files changed, 56 insertions(+), 3 deletions(-)
 create mode 100644 haproxy/files/haproxy-letsencrypt-acme.sh
diff --git a/haproxy/README b/haproxy/README
index 749369e1..bf2c67a9 100644
--- a/haproxy/README
+++ b/haproxy/README
@@ -23,4 +23,18 @@
 #
 # Hints to protect from DDOS or too many legitimate requests
 # http://www.loadbalancer.org/de/blog/black-friday-black-out-protection-with-haproxy
-#
\ No newline at end of file
+#
+
+When letsencrypt is enabled, the haproxy configurazion file needs to
+contain not only the https configuration, but also something like:
+
+frontend http
+ bind 80
+ acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
+ use_backend letsencrypt if letsencrypt-request
+
+backend letsencrypt
+ mode http
+ server letsencrypt 127.0.0.1:9999
+
+Where 9999 is the port where the letsencrypt standalone client will listen to.
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml
index fa3d993c..e1b04b3d 100644
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@@ -13,3 +13,4 @@
 haproxy_ssl_port: 443
 haproxy_admin_port: 8880
 haproxy_letsencrypt_managed: False
+
diff --git a/haproxy/files/haproxy-letsencrypt-acme.sh b/haproxy/files/haproxy-letsencrypt-acme.sh
new file mode 100644
index 00000000..80025b06
--- /dev/null
+++ b/haproxy/files/haproxy-letsencrypt-acme.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
+LE_LOG_DIR=/var/log/letsencrypt
+HAPROXY_CERTDIR=/etc/pki/certs
+HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/haproxy.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+ . /etc/default/letsencrypt
+else
+ echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
+fi
+
+echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
+cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}
+chmod 440 ${HAPROXY_CERTFILE}
+chgrp haproxy ${HAPROXY_CERTFILE}
+
+echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
+service haproxy reload >/dev/null 2>&1
+echo "Done." >> $LE_LOG_DIR/haproxy.log
+
+exit 0
+
diff --git a/haproxy/tasks/haproxy-letsencrypt.yml b/haproxy/tasks/haproxy-letsencrypt.yml
index 82212c34..d98dc8b3 100644
--- a/haproxy/tasks/haproxy-letsencrypt.yml
+++ b/haproxy/tasks/haproxy-letsencrypt.yml
@@ -1,6 +1,15 @@
 ---
 - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
 copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
- when: haproxy_letsencrypt_managed
+ when:
+ - haproxy_letsencrypt_managed
+ - letsencrypt_install
+ tags: [ 'haproxy', 'letsencrypt' ]
+
+- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+ copy: src=haproxy-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550
+ when:
+ - haproxy_letsencrypt_managed
+ - letsencrypt_acme_install
 tags: [ 'haproxy', 'letsencrypt' ]
diff --git a/letsencrypt-acmetool-client/defaults/main.yml b/letsencrypt-acmetool-client/defaults/main.yml
index f112a77a..80988198 100644
--- a/letsencrypt-acmetool-client/defaults/main.yml
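Review bot: `cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}` writes the combined PEM, private key included, with the process's default umask and only afterwards runs `chmod 440` and `chgrp haproxy`, so a newly created haproxy.pem is briefly readable by other local users; and because nothing checks that the two inputs exist or that cat succeeded, a missing or unreadable file still truncates haproxy.pem, after which the script reloads haproxy against a broken certificate and exits 0. Build the file in a mktemp-created temporary (mode 0600), verify both inputs are readable and the cat succeeded, set group and mode on the temporary, then mv it over the live file so haproxy never observes a partial PEM, and exit non-zero on any failure so the caller can see the hook did not complete. Separately, `LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME` is hard-coded with the short hostname, while the role default changed in the letsencrypt-acmetool-client/defaults/main.yml hunk, `letsencrypt_acme_certs_dir`, resolves to `{{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}`; unless that home is /var/lib/acme and $HOSTNAME equals the FQDN the hook will look in the wrong directory, so templating the script from the role variables would keep the two in step. `LE_SERVICES_SCRIPT_DIR` is assigned but never used.
```shell
# … unchanged: variable definitions, log setup, /etc/default/letsencrypt sourcing …
echo "Building the new certificate file" >> "$LE_LOG_DIR/haproxy.log"
for f in fullchain privkey ; do
    if [ ! -r "${LE_CERTS_DIR}/${f}" ] ; then
        echo "Missing ${LE_CERTS_DIR}/${f}, leaving ${HAPROXY_CERTFILE} untouched" >> "$LE_LOG_DIR/haproxy.log"
        exit 1
    fi
done
# mktemp creates the file with mode 0600, so the private key is never world-readable
TMP_CERTFILE=$( mktemp "${HAPROXY_CERTDIR}/haproxy.pem.XXXXXX" ) || exit 1
if cat "${LE_CERTS_DIR}/fullchain" "${LE_CERTS_DIR}/privkey" > "${TMP_CERTFILE}" ; then
    chgrp haproxy "${TMP_CERTFILE}"
    chmod 440 "${TMP_CERTFILE}"
    mv -f "${TMP_CERTFILE}" "${HAPROXY_CERTFILE}"
else
    rm -f "${TMP_CERTFILE}"
    echo "Could not build ${HAPROXY_CERTFILE}" >> "$LE_LOG_DIR/haproxy.log"
    exit 1
fi
# … unchanged: haproxy reload and final log line …
```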
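Review bot: `mode=4550` on the new copy task sets the setuid bit on the acme hook, which the Linux kernel does not honour for interpreted scripts (the file added in this commit starts with `#!/bin/bash`), and it is inconsistent with the `mode=0550` the first task uses for the same kind of hook; it should read `mode=0550`. The two tasks also carry an identical `name:`, so play output cannot tell which hook was installed; rename the second, e.g. `- name: Install the acmetool hook that rebuilds the haproxy certificate and reloads the service`.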
+++ b/letsencrypt-acmetool-client/defaults/main.yml
@@ -10,7 +10,7 @@
 letsencrypt_acme_command: acmetool
 letsencrypt_acme_command_opts: '--batch --xlog.syslog --xlog.severity=info'
 letsencrypt_acme_config_dir: '{{ letsencrypt_acme_user_home }}/conf'
 letsencrypt_acme_certsconf_dir: '{{ letsencrypt_acme_user_home }}/desired'
-letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_config_dir }}/live/{{ ansible_fqdn }}'
+letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}'
 # The various services maintainers need to put the reconfigure/restart scripts there
 letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks