library/roles/letsencrypt-client: Various fixes to the scripts.
library/roles/haproxy: callback that manages the certificate renewal from letsencrypt. Fixes https://support.d4science.org/issues/3258
This commit is contained in:
parent
fd5a10b0e8
commit
5fc3c9964d
|
@ -11,3 +11,5 @@ haproxy_default_port: 80
|
|||
haproxy_terminate_tls: False
|
||||
haproxy_ssl_port: 443
|
||||
haproxy_admin_port: 8880
|
||||
|
||||
haproxy_letsencrypt_managed: False
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
#!/bin/bash
|
||||
|
||||
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
|
||||
LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
HAPROXY_CERTDIR=/etc/pki/certs
|
||||
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
|
||||
DATE=$( date )
|
||||
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
|
||||
|
||||
if [ -f /etc/default/letsencrypt ] ; then
|
||||
. /etc/default/letsencrypt
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
|
||||
fi
|
||||
|
||||
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
|
||||
cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
|
||||
chmod 440 ${HAPROXY_CERTFILE}
|
||||
chgrp haproxy ${HAPROXY_CERTFILE}
|
||||
|
||||
echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
|
||||
service haproxy reload >/dev/null 2>&1
|
||||
echo "Done." >> $LE_LOG_DIR/haproxy.log
|
||||
|
||||
exit 0
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||
copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
|
||||
when: haproxy_letsencrypt_managed
|
||||
tags: [ 'haproxy', 'letsencrypt' ]
|
||||
|
|
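Review bot: `dest={{ letsencrypt_services_scripts_dir }}/haproxy` depends on a variable that this diff does not define in the haproxy role's defaults (only `haproxy_letsencrypt_managed` is added there), and its name suggests it belongs to the letsencrypt-client role; if the haproxy role is applied with `haproxy_letsencrypt_managed: True` but without that role, the task fails on an undefined variable. Either give it a default in the haproxy role's defaults or declare the dependency in the role's meta. As a point of style, the module arguments are in key=value shorthand; the native YAML form (`copy:` with `src:`, `dest:`, `owner:`, `group:` and `mode: '0550'` as child keys) reads more easily and keeps the octal mode an explicit string.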
@ -0,0 +1,47 @@
|
|||
---
|
||||
- name: Get the haproxy repo key
|
||||
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
tags: haproxy
|
||||
|
||||
- name: Define the haproxy repository
|
||||
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
|
||||
when: not haproxy_latest_release
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
|
||||
when:
|
||||
- haproxy_latest_release
|
||||
- is_debian
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=latest
|
||||
when:
|
||||
- haproxy_latest_release
|
||||
- is_ubuntu
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is enabled and started
|
||||
service: name=haproxy state=restarted enabled=yes
|
||||
when: haproxy_enabled
|
||||
ignore_errors: True
|
||||
tags: haproxy
|
||||
|
||||
- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
|
||||
service: name=rsyslog state=restarted
|
||||
when: haproxy_enabled
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is stopped and disabled if needed
|
||||
service: name=haproxy state=stopped enabled=no
|
||||
when: not haproxy_enabled
|
||||
tags: haproxy
|
|
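Review bot: `apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present` fetches the repository signing key over plain HTTP without pinning its fingerprint, so whatever an on-path party serves for that URL becomes a trusted apt key on the host; pass the expected fingerprint via the module's `id` parameter, e.g. `apt_key: id=<EXPECTED-KEY-FINGERPRINT> url=http://haproxy.debian.net/bernat.debian.org.gpg state=present`, and use an https URL if the mirror offers one. The content of this file appears to be moved from main.yml, so the issue predates the commit, but it is the new file under review. Minor: both the key task and the repository task `register: haproxy_repo`, so the first result is silently overwritten and neither is used in this file; drop the registers or give them distinct names.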
@ -1,47 +1,4 @@
|
|||
---
|
||||
- name: Get the haproxy repo key
|
||||
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
tags: haproxy
|
||||
|
||||
- name: Define the haproxy repository
|
||||
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
|
||||
when: not haproxy_latest_release
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
|
||||
when:
|
||||
- haproxy_latest_release
|
||||
- is_debian
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=latest
|
||||
when:
|
||||
- haproxy_latest_release
|
||||
- is_ubuntu
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is enabled and started
|
||||
service: name=haproxy state=restarted enabled=yes
|
||||
when: haproxy_enabled
|
||||
ignore_errors: True
|
||||
tags: haproxy
|
||||
|
||||
- name: Haproxy puts a new rsyslog directive. Reload rsyslog to activate it
|
||||
service: name=rsyslog state=reloaded
|
||||
when: haproxy_enabled
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is stopped and disabled if needed
|
||||
service: name=haproxy state=stopped enabled=no
|
||||
when: not haproxy_enabled
|
||||
tags: haproxy
|
||||
- include: haproxy-service.yml
|
||||
- include: haproxy-letsencrypt.yml
|
||||
when: haproxy_letsencrypt_managed
|
||||
|
|
|
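Review bot: the `when: haproxy_letsencrypt_managed` on `- include: haproxy-letsencrypt.yml` repeats the task-level `when` inside that file, so one of the two guards is redundant; keeping the one on the include is the clearer choice because it documents the condition at the role's entry point. If the include-level guard is kept, a short comment such as `# optional: installs the post-renewal callback used by the letsencrypt-client role` above the include would explain why the second include is conditional.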
@ -30,3 +30,4 @@ letsencrypt_text_interface: True
|
|||
letsencrypt_domains: '{{ ansible_fqdn }} example.com example.org'
|
||||
letsencrypt_renew_by_default: True
|
||||
letsencrypt_standalone_port: 9999
|
||||
|
||||
|
|
|
@ -33,6 +33,11 @@
|
|||
when: letsencrypt_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install a default file that shell scripts can include
|
||||
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
|
||||
when: letsencrypt_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Install the command that asks for the certificates and their renewal
|
||||
template: src=letsencrypt-cert-request.sh.j2 dest=/usr/local/sbin/letsencrypt-cert-request owner=root group=root mode=0550
|
||||
when: letsencrypt_install
|
||||
|
|
|
@ -37,7 +37,7 @@ RETVAL=$?
|
|||
for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR ) ; do
|
||||
if [ -x $LE_SERVICES_SCRIPT_DIR/$f ] ; then
|
||||
echo "Running $LE_SERVICES_SCRIPT_DIR/$f" >> $LOG_DIR/letsencrypt_request.log
|
||||
$f >> $LOG_DIR/letsencrypt_request.log 2>&1
|
||||
$LE_SERVICES_SCRIPT_DIR/$f >> $LOG_DIR/letsencrypt_request.log 2>&1
|
||||
fi
|
||||
done
|
||||
|
||||
|
|
|
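Review bot: `for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR )` still parses and word-splits `ls` output, and when `LE_SERVICES_SCRIPT_DIR` is unset (for example because /etc/default/letsencrypt is absent) the loop lists the current directory and tries to execute `/$f`; the corrected `$LE_SERVICES_SCRIPT_DIR/$f` fixes the path but not that. Iterate over a quoted glob, fail loudly when the variable is empty, and test `-f` as well as `-x` so subdirectories are skipped. Since everything executable in that directory runs as root on every renewal, the directory must be root-owned and not group or world writable; presumably the role creates it elsewhere — confirm. Given `RETVAL=$?` in the hunk header context, running the callbacks only when the request itself succeeded would avoid reloading services on a failed renewal, but what RETVAL captures is above this hunk and outside the view.
```shell
for f in "${LE_SERVICES_SCRIPT_DIR:?LE_SERVICES_SCRIPT_DIR is not set}"/* ; do
    if [ -f "$f" ] && [ -x "$f" ] ; then
        echo "Running $f" >> $LOG_DIR/letsencrypt_request.log
        "$f" >> $LOG_DIR/letsencrypt_request.log 2>&1
    fi
done
```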
@ -0,0 +1,8 @@
|
|||
RSA_KEY_SIZE={{ letsencrypt_rsa_key_size }}
|
||||
LE_EMAIL={{ letsencrypt_email }}
|
||||
LE_AUTHENTICATOR={{ letsencrypt_authenticator }}
|
||||
LE_STANDALONE_SUPPORTED_CHALLENGES={{ letsencrypt_standalone_supp_challenges }}
|
||||
LE_SERVICES_SCRIPT_DIR={{ letsencrypt_services_scripts_dir }}
|
||||
LE_COMMAND={{ letsencrypt_auto }}
|
||||
LE_CERTS_DIR={{ letsencrypt_certs_dir }}
|
||||
LE_LOG_DIR={{ letsencrypt_logdir }}
|
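Review bot: every right-hand side in this file is unquoted (`LE_EMAIL={{ letsencrypt_email }}` and the seven lines after it) although the file is sourced by root-run shell scripts, so an inventory value containing whitespace, `;` or other shell metacharacters changes the meaning of the assignment instead of being stored as a value — a space-separated `letsencrypt_standalone_supp_challenges`, for instance, would turn its second word into a command. Double-quote each assignment, e.g. `LE_EMAIL="{{ letsencrypt_email }}"`, and do the same for the other seven lines. A one-line header comment such as `# Generated by Ansible; sourced by the letsencrypt helper scripts, do not edit by hand` would also tell an operator why the file exists.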