forked from ISTI-ansible-roles/ansible-roles
Adapt the haproxy role so that it supports both letsencrypt acmetool and acme.sh
This commit is contained in:
parent
c35ab07597
commit
708f8027ef
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
|
||||
shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
|
||||
args:
|
||||
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
|
||||
|
||||
when:
|
||||
- haproxy_letsencrypt_managed
|
||||
- letsencrypt_acme_sh_install
|
||||
tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]
|
|
@ -1,15 +1,18 @@
|
|||
---
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
- block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
|
||||
shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
|
||||
args:
|
||||
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
|
||||
|
||||
when:
|
||||
- haproxy_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'haproxy', 'letsencrypt' ]
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||
template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
|
||||
when:
|
||||
- haproxy_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'haproxy', 'letsencrypt' ]
|
||||
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
|
||||
copy: src=haproxy-letsencrypt.sh dest={{ letsencrypt_services_scripts_dir }}/haproxy owner=root group=root mode=0550
|
||||
when:
|
||||
- haproxy_letsencrypt_managed
|
||||
- letsencrypt_install
|
||||
tags: [ 'haproxy', 'letsencrypt' ]
|
|
@ -1,13 +1,13 @@
|
|||
---
|
||||
- import_tasks: haproxy-service.yml
|
||||
- import_tasks: haproxy-letsencrypt.yml
|
||||
- import_tasks: haproxy-letsencrypt-acme-sh.yml
|
||||
when:
|
||||
- haproxy_letsencrypt_managed
|
||||
- letsencrypt_install is defined
|
||||
- letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install
|
||||
- import_tasks: haproxy-letsencrypt-acmetool.yml
|
||||
when:
|
||||
- haproxy_letsencrypt_managed
|
||||
- letsencrypt_acme_install is defined
|
||||
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
- import_tasks: haproxy-ssl.yml
|
||||
when:
|
||||
- haproxy_letsencrypt_managed
|
||||
|
@ -18,7 +18,7 @@
|
|||
- nagios_enabled
|
||||
|
||||
- name: Ensure that haproxy is enabled and started
|
||||
service: name=haproxy state=started enabled=yes
|
||||
service: name=haproxy state=restarted enabled=yes
|
||||
when: haproxy_enabled
|
||||
ignore_errors: True
|
||||
tags: haproxy
|
||||
|
|
|
@ -12,8 +12,14 @@ DATE=$( date )
|
|||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
|
||||
|
||||
if [ -f /etc/default/letsencrypt ] ; then
|
||||
. /etc/default/letsencrypt
|
||||
{% if letsencrypt_acme_install %}
|
||||
LE_ENV_FILE=/etc/default/letsencrypt
|
||||
{% endif %}
|
||||
{% if letsencrypt_acme_sh_install %}
|
||||
LE_ENV_FILE=/etc/default/acme_sh_request_env
|
||||
{% endif %}
|
||||
if [ -f "$LE_ENV_FILE" ] ; then
|
||||
. "$LE_ENV_FILE"
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
|
||||
fi
|
||||
|
@ -33,7 +39,7 @@ fi
|
|||
# Run the OCSP stapling script
|
||||
if [ -x /usr/local/bin/hapos-upd ] ; then
|
||||
echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
|
||||
/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
|
||||
/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
|
||||
else
|
||||
echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
|
||||
fi
|
||||
|
|
Loading…
Reference in New Issue