From 5fc3c9964d11902fade916ab4d68b523952ec11c Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 13 Apr 2016 19:52:10 +0200
Subject: [PATCH] library/roles/letsencrypt-client: Various fixes to the scripts. library/roles/haproxy: callback that manages the certificates renewal from letsencrypt. Fixes https://support.d4science.org/issues/3258
---
 haproxy/defaults/main.yml | 2 +
 haproxy/files/haproxy-letsencrypt.sh | 27 ++++++++++
 haproxy/tasks/haproxy-letsencrypt.yml | 6 +++
 haproxy/tasks/haproxy-service.yml | 47 ++++++++++++++++++
 haproxy/tasks/main.yml | 49 ++-----------------
 letsencrypt-client/defaults/main.yml | 1 +
 letsencrypt-client/tasks/main.yml | 5 ++
 .../templates/letsencrypt-cert-request.sh.j2 | 2 +-
 .../templates/letsencrypt-default.j2 | 8 +++
 9 files changed, 100 insertions(+), 47 deletions(-)
 create mode 100644 haproxy/files/haproxy-letsencrypt.sh
 create mode 100644 haproxy/tasks/haproxy-letsencrypt.yml
 create mode 100644 haproxy/tasks/haproxy-service.yml
 create mode 100644 letsencrypt-client/templates/letsencrypt-default.j2
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml
index 0cb8858b..fa3d993c 100644
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@@ -11,3 +11,5 @@ haproxy_default_port: 80
 haproxy_terminate_tls: False
 haproxy_ssl_port: 443
 haproxy_admin_port: 8880
+
+haproxy_letsencrypt_managed: False
diff --git a/haproxy/files/haproxy-letsencrypt.sh b/haproxy/files/haproxy-letsencrypt.sh
new file mode 100644
index 00000000..de6ee66a
--- /dev/null
+++ b/haproxy/files/haproxy-letsencrypt.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
+LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
+LE_LOG_DIR=/var/log/letsencrypt
+HAPROXY_CERTDIR=/etc/pki/certs
+HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
+DATE=$( date )
+echo "$DATE" >> $LE_LOG_DIR/haproxy.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+ . /etc/default/letsencrypt
+else
+ echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
+fi
+
+echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
+cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
+chmod 440 ${HAPROXY_CERTFILE}
+chgrp haproxy ${HAPROXY_CERTFILE}
+
+echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
+service haproxy reload >/dev/null 2>&1
+echo "Done." >> $LE_LOG_DIR/haproxy.log
+
+exit 0
+
diff --git a/haproxy/tasks/haproxy-letsencrypt.yml b/haproxy/tasks/haproxy-letsencrypt.yml
new file mode 100644
index 00000000..82212c34
--- /dev/null
+++ b/haproxy/tasks/haproxy-letsencrypt.yml
@@ -0,0 +1,6 @@
+---
+- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
+ copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
+ when: haproxy_letsencrypt_managed
+ tags: [ 'haproxy', 'letsencrypt' ]
+
diff --git a/haproxy/tasks/haproxy-service.yml b/haproxy/tasks/haproxy-service.yml
new file mode 100644
index 00000000..51087dab
--- /dev/null
+++ b/haproxy/tasks/haproxy-service.yml
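Review bot: The combined certificate and private key are written with the process umask before `chmod 440 ${HAPROXY_CERTFILE}` runs, and a missing or unreadable `fullchain.pem`/`privkey.pem` still leaves a truncated `haproxy.pem` that is installed and reloaded, because `cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}` is unchecked and the script ends in an unconditional `exit 0`. Building the bundle under `umask 077` into a `mktemp` file inside `$HAPROXY_CERTDIR`, fixing group and mode there, and moving it into place only on success closes both gaps, and the status of `service haproxy reload` should reach the caller instead of being discarded. Note also that `/etc/default/letsencrypt` is sourced after `LE_CERTS_DIR` and `LE_LOG_DIR` are hard-coded, so when the default file exists its `LE_CERTS_DIR={{ letsencrypt_certs_dir }}` replaces the `/etc/letsencrypt/live/$HOSTNAME` value and the first log line can land in a different file than the rest — presumably unintended, so either drop the hard-coded values or source the default file first.
```shell
# … unchanged: variable defaults, date logging, sourcing of /etc/default/letsencrypt …
echo "Building the new certificate file" >> "$LE_LOG_DIR/haproxy.log"
umask 077
TMP_CERTFILE=$(mktemp "${HAPROXY_CERTDIR}/haproxy.pem.XXXXXX") || exit 1
if ! cat "${LE_CERTS_DIR}/fullchain.pem" "${LE_CERTS_DIR}/privkey.pem" > "$TMP_CERTFILE" ; then
    echo "Cannot read the certificate files in ${LE_CERTS_DIR}" >> "$LE_LOG_DIR/haproxy.log"
    rm -f -- "$TMP_CERTFILE"
    exit 1
fi
chgrp haproxy "$TMP_CERTFILE" && chmod 440 "$TMP_CERTFILE" && mv -f -- "$TMP_CERTFILE" "$HAPROXY_CERTFILE" || { rm -f -- "$TMP_CERTFILE" ; exit 1 ; }

echo "Reload the haproxy service" >> "$LE_LOG_DIR/haproxy.log"
service haproxy reload >/dev/null 2>&1 || { echo "haproxy reload failed" >> "$LE_LOG_DIR/haproxy.log" ; exit 1 ; }
# … unchanged: final "Done." log line and exit 0 …
```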
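Review bot: The copy task's `dest={{ letsencrypt_services_scripts_dir }}/haproxy` depends on a variable that only the letsencrypt-client role defines, so on a host where that role has not run the haproxy role fails here with an undefined variable, and the `/etc/default/letsencrypt` file the installed script sources will not exist either; nothing in the hunk declares that ordering. Either add letsencrypt-client as a dependency in the haproxy role's meta, or at least state it above the task: `# Requires the letsencrypt-client role to have run first: it defines letsencrypt_services_scripts_dir and installs /etc/default/letsencrypt`. The `when: haproxy_letsencrypt_managed` on the task duplicates the same condition on the include in haproxy/tasks/main.yml; harmless, but one of the two can go.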
@@ -0,0 +1,47 @@
+---
+- name: Get the haproxy repo key
+ apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
+ when: haproxy_latest_release
+ register: haproxy_repo
+ tags: haproxy
+
+- name: Define the haproxy repository
+ apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
+ when: haproxy_latest_release
+ register: haproxy_repo
+ tags: haproxy
+
+- name: Install the haproxy package
+ apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
+ when: not haproxy_latest_release
+ tags: haproxy
+
+- name: Install the haproxy package
+ apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
+ when:
+ - haproxy_latest_release
+ - is_debian
+ tags: haproxy
+
+- name: Install the haproxy package
+ apt: name=haproxy state=latest
+ when:
+ - haproxy_latest_release
+ - is_ubuntu
+ tags: haproxy
+
+- name: Ensure that haproxy is enabled and started
+ service: name=haproxy state=restarted enabled=yes
+ when: haproxy_enabled
+ ignore_errors: True
+ tags: haproxy
+
+- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
+ service: name=rsyslog state=restarted
+ when: haproxy_enabled
+ tags: haproxy
+
+- name: Ensure that haproxy is stopped and disabled if needed
+ service: name=haproxy state=stopped enabled=no
+ when: not haproxy_enabled
+ tags: haproxy
diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml
index ba53d9b9..cdf9d555 100644
--- a/haproxy/tasks/main.yml
+++ b/haproxy/tasks/main.yml
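Review bot: The repository signing key in the first task is fetched from `http://haproxy.debian.net/bernat.debian.org.gpg` over plain HTTP and without a fingerprint, so anything that can alter that download controls which key the host trusts for every package from that repository; pin it with apt_key's `id=` parameter (`apt_key: url=... id=<KEY_FINGERPRINT_PLACEHOLDER> state=present`) and use an https URL if the mirror offers one. These tasks are mostly moved from haproxy/tasks/main.yml, but `register: haproxy_repo` in the first two tasks is never read within the file and can be dropped. `service: name=haproxy state=restarted enabled=yes` under `ignore_errors: True` restarts the proxy on every play run while hiding a failed start; `state=started` here, with the restart moved to a handler notified by the package tasks and no `ignore_errors`, keeps the behaviour visible.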
@@ -1,47 +1,4 @@
 ---
-- name: Get the haproxy repo key
- apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
- when: haproxy_latest_release
- register: haproxy_repo
- tags: haproxy
-
-- name: Define the haproxy repository
- apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
- when: haproxy_latest_release
- register: haproxy_repo
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
- when: not haproxy_latest_release
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
- when:
- - haproxy_latest_release
- - is_debian
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=latest
- when:
- - haproxy_latest_release
- - is_ubuntu
- tags: haproxy
-
-- name: Ensure that haproxy is enabled and started
- service: name=haproxy state=restarted enabled=yes
- when: haproxy_enabled
- ignore_errors: True
- tags: haproxy
-
-- name: Haproxy puts a new rsyslog directive. Reload rsyslog to activate it
- service: name=rsyslog state=reloaded
- when: haproxy_enabled
- tags: haproxy
-
-- name: Ensure that haproxy is stopped and disabled if needed
- service: name=haproxy state=stopped enabled=no
- when: not haproxy_enabled
- tags: haproxy
+- include: haproxy-service.yml
+- include: haproxy-letsencrypt.yml
+ when: haproxy_letsencrypt_managed
diff --git a/letsencrypt-client/defaults/main.yml b/letsencrypt-client/defaults/main.yml
index 89de955b..b740b07b 100644
--- a/letsencrypt-client/defaults/main.yml
+++ b/letsencrypt-client/defaults/main.yml
@@ -30,3 +30,4 @@ letsencrypt_text_interface: True
 letsencrypt_domains: '{{ ansible_fqdn }} example.com example.org'
 letsencrypt_renew_by_default: True
 letsencrypt_standalone_port: 9999
+
diff --git a/letsencrypt-client/tasks/main.yml b/letsencrypt-client/tasks/main.yml
index f838a1c4..6f5b2810 100644
--- a/letsencrypt-client/tasks/main.yml
+++ b/letsencrypt-client/tasks/main.yml
@@ -33,6 +33,11 @@
 when: letsencrypt_install
 tags: letsencrypt
+- name: Install a default file that shell scripts can include
+ template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
+ when: letsencrypt_install
+ tags: letsencrypt
+
 - name: Install the command that asks for the certificates and their renewal
 template: src=letsencrypt-cert-request.sh.j2 dest=/usr/local/sbin/letsencrypt-cert-request owner=root group=root mode=0550
 when: letsencrypt_install
diff --git a/letsencrypt-client/templates/letsencrypt-cert-request.sh.j2 b/letsencrypt-client/templates/letsencrypt-cert-request.sh.j2
index a911306d..bd57ebd8 100644
--- a/letsencrypt-client/templates/letsencrypt-cert-request.sh.j2
+++ b/letsencrypt-client/templates/letsencrypt-cert-request.sh.j2
@@ -37,7 +37,7 @@ RETVAL=$?
 for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR ) ; do
 if [ -x $LE_SERVICES_SCRIPT_DIR/$f ] ; then
 echo "Running $LE_SERVICES_SCRIPT_DIR/$f" >> $LOG_DIR/letsencrypt_request.log
- $f >> $LOG_DIR/letsencrypt_request.log 2>&1
+ $LE_SERVICES_SCRIPT_DIR/$f >> $LOG_DIR/letsencrypt_request.log 2>&1
 fi
 done
diff --git a/letsencrypt-client/templates/letsencrypt-default.j2 b/letsencrypt-client/templates/letsencrypt-default.j2
new file mode 100644
index 00000000..1ee49c46
--- /dev/null
+++ b/letsencrypt-client/templates/letsencrypt-default.j2
@@ -0,0 +1,8 @@
+RSA_KEY_SIZE={{ letsencrypt_rsa_key_size }}
+LE_EMAIL={{ letsencrypt_email }}
+LE_AUTHENTICATOR={{ letsencrypt_authenticator }}
+LE_STANDALONE_SUPPORTED_CHALLENGES={{ letsencrypt_standalone_supp_challenges }}
+LE_SERVICES_SCRIPT_DIR={{ letsencrypt_services_scripts_dir }}
+LE_COMMAND={{ letsencrypt_auto }}
+LE_CERTS_DIR={{ letsencrypt_certs_dir }}
+LE_LOG_DIR={{ letsencrypt_logdir }}
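Review bot: The corrected `$LE_SERVICES_SCRIPT_DIR/$f` invocation is right, but the loop around it still iterates over `$( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR )` with unquoted expansions, which word-splits and globs on unusual file names (ShellCheck SC2012/SC2086); `for f in "$LE_SERVICES_SCRIPT_DIR"/* ; do`, `if [ -x "$f" ] ; then` and `"$f" >> "$LOG_DIR/letsencrypt_request.log" 2>&1` walk the directory directly and drop the dependency on ls. Since every executable found in that directory is run by this script — presumably as root, given its 0550 root-owned install — the directory's own ownership and mode deserve to be enforced by the role, not only the files it copies there; worth a comment above the loop saying so. The rest of the script, including where `RETVAL` is checked, lies outside this hunk.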
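Review bot: This file is sourced with `.` by haproxy-letsencrypt.sh, so each line is evaluated as shell, yet every value is written unquoted (`LE_STANDALONE_SUPPORTED_CHALLENGES={{ letsencrypt_standalone_supp_challenges }}`, `LE_COMMAND={{ letsencrypt_auto }}`); a value containing whitespace or a shell metacharacter breaks the assignment or is executed as a command in the sourcing script. Quote each value in the template, e.g. `LE_COMMAND='{{ letsencrypt_auto }}'` or `LE_COMMAND={{ letsencrypt_auto | quote }}`, and add a one-line header comment stating that the file is sourced by shell scripts and must stay valid shell. The haproxy hook hard-codes its own `LE_CERTS_DIR` before sourcing this file, so whichever of the two values is meant to win should be decided here as well.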