forked from ISTI-ansible-roles/ansible-roles
library/roles/letsencrypt-client: Various fixes to the scripts.
library/roles/haproxy: callback that manages the certificate renewal from letsencrypt. Fixes https://support.d4science.org/issues/3258
This commit is contained in:
parent
fd5a10b0e8
commit
5fc3c9964d
@ -11,3 +11,5 @@ haproxy_default_port: 80
|
||||||
haproxy_terminate_tls: False
|
haproxy_terminate_tls: False
|
||||||
haproxy_ssl_port: 443
|
haproxy_ssl_port: 443
|
||||||
haproxy_admin_port: 8880
|
haproxy_admin_port: 8880
|
||||||
|
|
||||||
|
haproxy_letsencrypt_managed: False
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
|
||||||
|
LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
|
||||||
|
LE_LOG_DIR=/var/log/letsencrypt
|
||||||
|
HAPROXY_CERTDIR=/etc/pki/certs
|
||||||
|
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
|
||||||
|
DATE=$( date )
|
||||||
|
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
|
||||||
|
|
||||||
|
if [ -f /etc/default/letsencrypt ] ; then
|
||||||
|
. /etc/default/letsencrypt
|
||||||
|
else
|
||||||
|
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
|
||||||
|
cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
|
||||||
|
chmod 440 ${HAPROXY_CERTFILE}
|
||||||
|
chgrp haproxy ${HAPROXY_CERTFILE}
|
||||||
|
|
||||||
|
echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
|
||||||
|
service haproxy reload >/dev/null 2>&1
|
||||||
|
echo "Done." >> $LE_LOG_DIR/haproxy.log
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
|
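Review bot: The `cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}` line creates haproxy.pem under the caller's umask and only tightens it with `chmod 440` on the next line, and a failed cat (missing or unreadable fullchain.pem/privkey.pem) leaves an empty or partial file that the unconditional `service haproxy reload` then loads, with the script still ending in `exit 0`. Build the bundle into a mktemp file in the same directory, set group and mode before an atomic mv, and exit non-zero when the source files are unreadable or the concatenation fails, so the caller's log records the failure instead of a "Done.". The reload's status is also discarded (`>/dev/null 2>&1` followed by `exit 0`); logging it with `service haproxy reload >/dev/null 2>&1 || echo "haproxy reload failed" >> $LE_LOG_DIR/haproxy.log` would make a rejected certificate visible in haproxy.log.
```shell
# … unchanged: variable setup, logging of $DATE and sourcing of /etc/default/letsencrypt …
umask 077
if [ ! -r "${LE_CERTS_DIR}/fullchain.pem" ] || [ ! -r "${LE_CERTS_DIR}/privkey.pem" ] ; then
    echo "Certificate files missing in ${LE_CERTS_DIR}, leaving ${HAPROXY_CERTFILE} untouched" >> $LE_LOG_DIR/haproxy.log
    exit 1
fi
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
TMP_CERTFILE=$( mktemp "${HAPROXY_CERTDIR}/haproxy.pem.XXXXXX" )
if cat "${LE_CERTS_DIR}/fullchain.pem" "${LE_CERTS_DIR}/privkey.pem" > "${TMP_CERTFILE}" ; then
    chgrp haproxy "${TMP_CERTFILE}"
    chmod 440 "${TMP_CERTFILE}"
    mv "${TMP_CERTFILE}" "${HAPROXY_CERTFILE}"
else
    rm -f "${TMP_CERTFILE}"
    echo "Failed to build ${HAPROXY_CERTFILE}" >> $LE_LOG_DIR/haproxy.log
    exit 1
fi
# … unchanged: haproxy reload and the closing log lines …
```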
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||||
|
copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
|
||||||
|
when: haproxy_letsencrypt_managed
|
||||||
|
tags: [ 'haproxy', 'letsencrypt' ]
|
||||||
|
|
|
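Review bot: The `copy:` task templates `{{ letsencrypt_services_scripts_dir }}`, a variable that belongs to the letsencrypt-client role rather than to this role's defaults, so with `haproxy_letsencrypt_managed: True` on a host where that role is not applied the task fails on an undefined variable; presumably the letsencrypt-client role always runs first on such hosts, but a `dependencies` entry in meta/main.yml or a default for the variable in this role would make that explicit. As a point of style, the module arguments are a key=value string like the rest of the role, but block YAML with the octal mode quoted (`mode: "0550"`) avoids the octal-literal trap and diffs more cleanly. The task name would also read better as "Install a script that fixes the letsencrypt certificate for haproxy and then reloads the service".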
@ -0,0 +1,47 @@
|
||||||
|
---
|
||||||
|
- name: Get the haproxy repo key
|
||||||
|
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
|
||||||
|
when: haproxy_latest_release
|
||||||
|
register: haproxy_repo
|
||||||
|
tags: haproxy
|
||||||
|
|
||||||
|
- name: Define the haproxy repository
|
||||||
|
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
|
||||||
|
when: haproxy_latest_release
|
||||||
|
register: haproxy_repo
|
||||||
|
tags: haproxy
|
||||||
|
|
||||||
|
- name: Install the haproxy package
|
||||||
|
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
|
||||||
|
when: not haproxy_latest_release
|
||||||
|
tags: haproxy
|
||||||
|
|
||||||
|
- name: Install the haproxy package
|
||||||
|
apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
|
||||||
|
when:
|
||||||
|
- haproxy_latest_release
|
||||||
|
- is_debian
|
||||||
|
tags: haproxy
|
||||||
|
|
||||||
|
- name: Install the haproxy package
|
||||||
|
apt: name=haproxy state=latest
|
||||||
|
when:
|
||||||
|
- haproxy_latest_release
|
||||||
|
- is_ubuntu
|
||||||
|
tags: haproxy
|
||||||
|
|
||||||
|
- name: Ensure that haproxy is enabled and started
|
||||||
|
service: name=haproxy state=restarted enabled=yes
|
||||||
|
when: haproxy_enabled
|
||||||
|
ignore_errors: True
|
||||||
|
tags: haproxy
|
||||||
|
|
||||||
|
- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
|
||||||
|
service: name=rsyslog state=restarted
|
||||||
|
when: haproxy_enabled
|
||||||
|
tags: haproxy
|
||||||
|
|
||||||
|
- name: Ensure that haproxy is stopped and disabled if needed
|
||||||
|
service: name=haproxy state=stopped enabled=no
|
||||||
|
when: not haproxy_enabled
|
||||||
|
tags: haproxy
|
|
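Review bot: `apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present` in the first task fetches the repository signing key over plain HTTP with no `id=` fingerprint, so whatever key a network intermediary returns becomes trusted for the packages the later `apt` tasks install with `state=latest`. Pin the expected key with `id=<KEY_FINGERPRINT>` (placeholder; take the fingerprint from the vendor's published key) and use an https URL if the host offers one, e.g. `apt_key: url=https://haproxy.debian.net/bernat.debian.org.gpg id=<KEY_FINGERPRINT> state=present`. The first two tasks both `register: haproxy_repo`, so the second silently overwrites the first, and nothing in this file reads either; drop both or register distinct names. `service: name=haproxy state=restarted enabled=yes` with `ignore_errors: True` also restarts haproxy on every run and hides a failed restart; `state=started` plus a handler notified by the install tasks would be both idempotent and observable.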
@ -1,47 +1,4 @@
|
||||||
---
|
---
|
||||||
- name: Get the haproxy repo key
|
- include: haproxy-service.yml
|
||||||
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
|
- include: haproxy-letsencrypt.yml
|
||||||
when: haproxy_latest_release
|
when: haproxy_letsencrypt_managed
|
||||||
register: haproxy_repo
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Define the haproxy repository
|
|
||||||
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
|
|
||||||
when: haproxy_latest_release
|
|
||||||
register: haproxy_repo
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Install the haproxy package
|
|
||||||
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
|
|
||||||
when: not haproxy_latest_release
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Install the haproxy package
|
|
||||||
apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }}
|
|
||||||
when:
|
|
||||||
- haproxy_latest_release
|
|
||||||
- is_debian
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Install the haproxy package
|
|
||||||
apt: name=haproxy state=latest
|
|
||||||
when:
|
|
||||||
- haproxy_latest_release
|
|
||||||
- is_ubuntu
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Ensure that haproxy is enabled and started
|
|
||||||
service: name=haproxy state=restarted enabled=yes
|
|
||||||
when: haproxy_enabled
|
|
||||||
ignore_errors: True
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Haproxy puts a new rsyslog directive. Reload rsyslog to activate it
|
|
||||||
service: name=rsyslog state=reloaded
|
|
||||||
when: haproxy_enabled
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Ensure that haproxy is stopped and disabled if needed
|
|
||||||
service: name=haproxy state=stopped enabled=no
|
|
||||||
when: not haproxy_enabled
|
|
||||||
tags: haproxy
|
|
||||||
|
|
|
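Review bot: The `when: haproxy_letsencrypt_managed` on the `- include: haproxy-letsencrypt.yml` line duplicates the guard already placed on the single task inside that file, so the same condition is evaluated twice; keep it in one place, preferably on the include so that file can grow without each task repeating it. On Ansible releases that deprecate bare `include`, `import_tasks` is the static equivalent for these two lines, e.g. `- import_tasks: haproxy-service.yml`.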
@ -30,3 +30,4 @@ letsencrypt_text_interface: True
|
||||||
letsencrypt_domains: '{{ ansible_fqdn }} example.com example.org'
|
letsencrypt_domains: '{{ ansible_fqdn }} example.com example.org'
|
||||||
letsencrypt_renew_by_default: True
|
letsencrypt_renew_by_default: True
|
||||||
letsencrypt_standalone_port: 9999
|
letsencrypt_standalone_port: 9999
|
||||||
|
|
||||||
|
|
|
@ -33,6 +33,11 @@
|
||||||
when: letsencrypt_install
|
when: letsencrypt_install
|
||||||
tags: letsencrypt
|
tags: letsencrypt
|
||||||
|
|
||||||
|
- name: Install a default file that shell scripts can include
|
||||||
|
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
|
||||||
|
when: letsencrypt_install
|
||||||
|
tags: letsencrypt
|
||||||
|
|
||||||
- name: Install the command that asks for the certificates and their renewal
|
- name: Install the command that asks for the certificates and their renewal
|
||||||
template: src=letsencrypt-cert-request.sh.j2 dest=/usr/local/sbin/letsencrypt-cert-request owner=root group=root mode=0550
|
template: src=letsencrypt-cert-request.sh.j2 dest=/usr/local/sbin/letsencrypt-cert-request owner=root group=root mode=0550
|
||||||
when: letsencrypt_install
|
when: letsencrypt_install
|
||||||
|
|
|
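Review bot: The new `template:` task installs /etc/default/letsencrypt with `mode=0644`, which is adequate because the file is sourced (`.`) by hook scripts that run with root privileges (the haproxy hook on this page reloads the service after sourcing it): what matters is that it stays owned by root and is not group- or world-writable, and `owner=root group=root mode=0644` guarantees that. The task name only says that shell scripts can include it; a comment on the task such as `# sourced by the scripts in letsencrypt_services_scripts_dir, so its contents run as shell code` would tell the next editor why the template's values must stay well-formed assignments. As with the neighbouring tasks, the key=value argument string would read better as block YAML with `mode: "0644"` quoted.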
@ -37,7 +37,7 @@ RETVAL=$?
|
||||||
for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR ) ; do
|
for f in $( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR ) ; do
|
||||||
if [ -x $LE_SERVICES_SCRIPT_DIR/$f ] ; then
|
if [ -x $LE_SERVICES_SCRIPT_DIR/$f ] ; then
|
||||||
echo "Running $LE_SERVICES_SCRIPT_DIR/$f" >> $LOG_DIR/letsencrypt_request.log
|
echo "Running $LE_SERVICES_SCRIPT_DIR/$f" >> $LOG_DIR/letsencrypt_request.log
|
||||||
$f >> $LOG_DIR/letsencrypt_request.log 2>&1
|
$LE_SERVICES_SCRIPT_DIR/$f >> $LOG_DIR/letsencrypt_request.log 2>&1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
|
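Review bot: The fix on the `$LE_SERVICES_SCRIPT_DIR/$f` line is right, but the loop still iterates over `$( /bin/ls -1 $LE_SERVICES_SCRIPT_DIR )`, which word-splits on whitespace and breaks on names containing spaces or glob characters; a shell glob yields the full path directly and keeps the `[ -x ]` test and the invocation consistent, as in the excerpt below. The loop also runs every executable in the directory regardless of `RETVAL` (set just above the hunk); if that status is not checked before the loop, a failed request or renewal still triggers hooks such as the haproxy one, which rebuilds and reloads from whatever is in the live directory, so guarding the loop with `if [ "$RETVAL" -eq 0 ]` is worth considering. The enclosing script starts before this hunk.
```shell
for f in "$LE_SERVICES_SCRIPT_DIR"/* ; do
    if [ -x "$f" ] ; then
        echo "Running $f" >> $LOG_DIR/letsencrypt_request.log
        "$f" >> $LOG_DIR/letsencrypt_request.log 2>&1
    fi
done
```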
@ -0,0 +1,8 @@
|
||||||
|
RSA_KEY_SIZE={{ letsencrypt_rsa_key_size }}
|
||||||
|
LE_EMAIL={{ letsencrypt_email }}
|
||||||
|
LE_AUTHENTICATOR={{ letsencrypt_authenticator }}
|
||||||
|
LE_STANDALONE_SUPPORTED_CHALLENGES={{ letsencrypt_standalone_supp_challenges }}
|
||||||
|
LE_SERVICES_SCRIPT_DIR={{ letsencrypt_services_scripts_dir }}
|
||||||
|
LE_COMMAND={{ letsencrypt_auto }}
|
||||||
|
LE_CERTS_DIR={{ letsencrypt_certs_dir }}
|
||||||
|
LE_LOG_DIR={{ letsencrypt_logdir }}
|
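Review bot: Every assignment in the new template is an unquoted shell word, e.g. `LE_STANDALONE_SUPPORTED_CHALLENGES={{ letsencrypt_standalone_supp_challenges }}`, and the file is sourced by hook scripts (the haproxy one on this page does `. /etc/default/letsencrypt`), so a value containing whitespace or a shell metacharacter stops being an assignment and is interpreted as a command in the sourcing script's context; the challenges variable, if it ever lists more than one challenge, is the obvious case. Double-quote every value, `LE_STANDALONE_SUPPORTED_CHALLENGES="{{ letsencrypt_standalone_supp_challenges }}"`, and apply the same to the other seven lines; the values come from role variables, so this is robustness against odd configuration rather than a fix for untrusted input. A leading comment such as `# Generated by Ansible; sourced by the letsencrypt hook scripts, so keep every line a plain VAR="value" assignment` would document the constraint.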