diff --git a/library/roles/haproxy/README b/library/roles/haproxy/README
deleted file mode 100644
index bf2c67a9..00000000
--- a/library/roles/haproxy/README
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# The user of this role will need to write a haproxy.cfg template and install it with a dedicated task. Something like
-
-- name: Configure haproxy
- template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg owner=root group=haproxy mode=0440
- notify: Reload haproxy
- tags: [ 'haproxy', 'haproxy_conf' ]
-
-#
-# Very complex setup that involves varnish. Taken here:
-# https://alohalb.wordpress.com/2012/08/25/haproxy-varnish-and-the-single-hostname-website/
-# For a ssl setup, check here:
-# http://seanmcgary.com/posts/using-sslhttps-with-haproxy
-# https://alohalb.wordpress.com/haproxy/haproxy-and-ssl/
-# https://alohalb.wordpress.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
-# http://blog.haproxy.com/2015/05/06/haproxys-load-balancing-algorithm-for-static-content-delivery-with-varnish/
-# http://blog.haproxy.com/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
-# https://serversforhackers.com/using-ssl-certificates-with-haproxy
-#
-# Session management workarounds:
-# http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
-# http://serverfault.com/questions/439445/haproxy-my-sessions-are-sort-of-sticky
-#
-# Hints to protect from DDOS or too many legitimate requests
-# http://www.loadbalancer.org/de/blog/black-friday-black-out-protection-with-haproxy
-#
-
-When letsencrypt is enabled, the haproxy configurazion file needs to
-contain not only the https configuration, but also something like:
-
-frontend http
- bind 80
- acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
- use_backend letsencrypt if letsencrypt-request
-
-backend letsencrypt
- mode http
- server letsencrypt 127.0.0.1:9999
-
-Where 9999 is the port where the letsencrypt standalone client will listen to.
diff --git a/library/roles/haproxy/defaults/main.yml b/library/roles/haproxy/defaults/main.yml
deleted file mode 100644
index 9725f4d1..00000000
--- a/library/roles/haproxy/defaults/main.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-haproxy_latest_release: True
-haproxy_version: 1.8
-haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg'
-haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
-haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
-haproxy_pkg_state: latest
-haproxy_enabled: True
-haproxy_k_bind_non_local_ip: True
-
-haproxy_default_port: 80
-haproxy_terminate_tls: False
-haproxy_ssl_port: 443
-haproxy_admin_port: 8880
-haproxy_admin_socket: /run/haproxy/admin.sock
-
-haproxy_letsencrypt_managed: False
-haproxy_cert_dir: '{{ pki_dir }}/haproxy'
-
-haproxy_nagios_check: False
-# It's a percentage
-haproxy_nagios_check_w: 70
-haproxy_nagios_check_c: 90
-
-haproxy_check_interval: 3s
-haproxy_backend_maxconn: 2048
-
-haproxy_sysctl_conntrack_max: 131072
-
diff --git a/library/roles/haproxy/files/check_haproxy_stats b/library/roles/haproxy/files/check_haproxy_stats
deleted file mode 100644
index aed3ce34..00000000
--- a/library/roles/haproxy/files/check_haproxy_stats
+++ /dev/null
@@ -1,225 +0,0 @@ -#!/usr/bin/env perl -# vim: se et ts=4: - -# -# Copyright (C) 2012, Giacomo Montagner -# -# This program is free software; you can redistribute it and/or modify it -# under the same terms as Perl 5.10.1. -# For more details, see http://dev.perl.org/licenses/artistic.html -# -# This program is distributed in the hope that it will be -# useful, but without any warranty; without even the implied -# warranty of merchantability or fitness for a particular purpose. -# - -our $VERSION = "1.0.1"; - -# CHANGELOG: -# 1.0.0 - first release -# 1.0.1 - fixed empty message if all proxies are OK -# - -use strict; -use warnings; -use 5.010.001; -use File::Basename qw/basename/; -use IO::Socket::UNIX; -use Getopt::Long; - -sub usage { - my $me = basename $0; - print <. - $me is distributed under GPL and the Artistic License 2.0 - -SEE ALSO - Check out online haproxy documentation at - -EOU -} - -my %check_statuses = ( - UNK => "unknown", - INI => "initializing", - SOCKERR => "socket error", - L4OK => "layer 4 check OK", - L4CON => "connection error", - L4TMOUT => "layer 1-4 timeout", - L6OK => "layer 6 check OK", - L6TOUT => "layer 6 (SSL) timeout", - L6RSP => "layer 6 protocol error", - L7OK => "layer 7 check OK", - L7OKC => "layer 7 conditionally OK", - L7TOUT => "layer 7 (HTTP/SMTP) timeout", - L7RSP => "layer 7 protocol error", - L7STS => "layer 7 status error", -); - -my @status_names = (qw/OK WARNING CRITICAL UNKNOWN/); - -# Defaults -my $swarn = 80.0; -my $scrit = 90.0; -my $sock = "/run/haproxy/admin.sock"; -my $dump; -my $proxy; -my $help; - -# Read command line -Getopt::Long::Configure ("bundling"); -GetOptions ( - "c|critical=i" => \$scrit, - "d|dump" => \$dump, - "h|help" => \$help, - "p|proxy=s" => \$proxy, - "s|sock|socket=s" => \$sock, - "w|warning=i" => \$swarn, -); - -# Want help? 
-if ($help) { - usage; - exit 3; -} - -# Connect to haproxy socket and get stats -my $haproxy = new IO::Socket::UNIX ( - Peer => $sock, - Type => SOCK_STREAM, -); -die "Unable to connect to haproxy socket: $@" unless $haproxy; -print $haproxy "show stat\n" or die "Print to socket failed: $!"; - -# Dump stats and exit if requested -if ($dump) { - while (<$haproxy>) { - print; - } - exit 0; -} - -# Get labels from first output line and map them to their position in the line -my $labels = <$haproxy>; -chomp($labels); -$labels =~ s/^# // or die "Data format not supported."; -my @labels = split /,/, $labels; -{ - no strict "refs"; - my $idx = 0; - map { $$_ = $idx++ } @labels; -} - -# Variables I will use from here on: -our $pxname; -our $svname; -our $status; - -my @proxies = split ',', $proxy if $proxy; -my $exitcode = 0; -my $msg; -my $checked = 0; -while (<$haproxy>) { - chomp; - next if /^[[:space:]]*$/; - my @data = split /,/, $_; - if (@proxies) { next unless grep {$data[$pxname] eq $_} @proxies; }; - - # Is session limit enforced? - our $slim; - if ($data[$slim]) { - # Check current session # against limit - our $scur; - my $sratio = $data[$scur]/$data[$slim]; - if ($sratio >= $scrit || $sratio >= $swarn) { - $exitcode = $sratio >= $scrit ? 2 : - $exitcode < 2 ? 
1 : $exitcode; - $msg .= sprintf "%s:%s sessions: %.2f%%; ", $data[$pxname], $data[$svname], $sratio; - } - } - - # Check of BACKENDS - if ($data[$svname] eq 'BACKEND') { - if ($data[$status] ne 'UP') { - $msg .= sprintf "BACKEND: %s is %s; ", $data[$pxname], $data[$status]; - $exitcode = 2; - } - # Check of FRONTENDS - } elsif ($data[$svname] eq 'FRONTEND') { - if ($data[$status] ne 'OPEN') { - $msg .= sprintf "FRONTEND: %s is %s; ", $data[$pxname], $data[$status]; - $exitcode = 2; - } - # Check of servers - } else { - if ($data[$status] ne 'UP') { - next if $data[$status] eq 'no check'; # Ignore server if no check is configured to be run - $exitcode = 2; - our $check_status; - $msg .= sprintf "server: %s:%s is %s", $data[$pxname], $data[$svname], $data[$status]; - $msg .= sprintf " (check status: %s)", $check_statuses{$data[$check_status]} if $check_statuses{$data[$check_status]}; - $msg .= "; "; - } - } - ++$checked; -} - -unless ($msg) { - $msg = @proxies ? sprintf("checked proxies: %s", join ', ', sort @proxies) : "checked $checked proxies."; -} -say "Check haproxy $status_names[$exitcode] - $msg"; -exit $exitcode; - diff --git a/library/roles/haproxy/files/haproxy-letsencrypt.sh b/library/roles/haproxy/files/haproxy-letsencrypt.sh deleted file mode 100644 index a5404587..00000000 --- a/library/roles/haproxy/files/haproxy-letsencrypt.sh +++ /dev/null 
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
-LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
-LE_LOG_DIR=/var/log/letsencrypt
-HAPROXY_CERTDIR=/etc/pki/haproxy
-HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
-DATE=$( date )
-echo "$DATE" >> $LE_LOG_DIR/haproxy.log
-
-if [ -f /etc/default/letsencrypt ] ; then
- . /etc/default/letsencrypt
-else
- echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
-fi
-
-[ ! -d $HAPROXY_CERTDIR ] && mkdir $HAPROXY_CERTDIR
-
-echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
-cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
-chmod 440 ${HAPROXY_CERTFILE}
-chgrp haproxy ${HAPROXY_CERTFILE}
-
-echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
-service haproxy reload >/dev/null 2>&1
-echo "Done." >> $LE_LOG_DIR/haproxy.log
-
-exit 0
-
diff --git a/library/roles/haproxy/handlers/main.yml b/library/roles/haproxy/handlers/main.yml
deleted file mode 100644
index a3cb82bd..00000000
--- a/library/roles/haproxy/handlers/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- name: Restart haproxy
- service: name=haproxy state=restarted
- when: haproxy_enabled
-
-- name: Reload haproxy
- service: name=haproxy state=reloaded
- when: haproxy_enabled
-
-- name: Reload rsyslog
- service: name=rsyslog state=reloaded
- when: haproxy_enabled
-
diff --git a/library/roles/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml b/library/roles/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
deleted file mode 100644
index aa0cb5b7..00000000
--- a/library/roles/haproxy/tasks/haproxy-letsencrypt-acme-sh.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- block:
- - name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
-
- - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
- template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_sh_services_scripts_dir }}/haproxy owner=root group=root mode=4555
-
- - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
- shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
- args:
- creates: '{{ pki_dir }}/haproxy/haproxy.pem'
- tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy', 'letsencrypt_acme_sh' ]
-
- when: letsencrypt_acme_sh_install
- tags: [ 'haproxy', 'letsencrypt', 'letsencrypt_acme_sh' ]
diff --git a/library/roles/haproxy/tasks/haproxy-letsencrypt-acmetool.yml b/library/roles/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
deleted file mode 100644
index b8c92de0..00000000
--- a/library/roles/haproxy/tasks/haproxy-letsencrypt-acmetool.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- block:
- - name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
-
- - name: Install a script that fix the letsencrypt certificate for haproxy and then reload the service
- template: src=haproxy-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4555
-
- - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
- shell: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home | default(omit) }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
- args:
- creates: '{{ pki_dir }}/haproxy/haproxy.pem'
- tags: [ 'pki', 'ssl', 'letsencrypt', 'haproxy' ]
-
- when: letsencrypt_acme_install
- tags: [ 'haproxy', 'letsencrypt' ]
diff --git a/library/roles/haproxy/tasks/haproxy-nagios.yml b/library/roles/haproxy/tasks/haproxy-nagios.yml
deleted file mode 100644
index 272e0e07..00000000
--- a/library/roles/haproxy/tasks/haproxy-nagios.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: Install the haproxy NRPE nagios check
- copy: src=check_haproxy_stats dest={{ nagios_local_plugdir }}/check_haproxy_stats owner=root group=root mode=0555
- when: haproxy_nagios_check
-
-- name: Install the haproxy NRPE command configuration
- template: src=lb.cfg.j2 dest={{ nrpe_include_dir }}/lb.cfg owner=root group=root mode=0444
- notify: Reload NRPE server
- when: haproxy_nagios_check
-
diff --git a/library/roles/haproxy/tasks/haproxy-service.yml b/library/roles/haproxy/tasks/haproxy-service.yml
deleted file mode 100644
index d310add8..00000000
--- a/library/roles/haproxy/tasks/haproxy-service.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-- name: Get the haproxy repo key
- apt_key: url={{ haproxy_repo_key }} state=present
- when: haproxy_latest_release
- tags: haproxy
-
-- name: Define the haproxy repository
- apt_repository: repo='{{ haproxy_ubuntu_latest_repo }}' state=present update_cache=yes
- when:
- - haproxy_latest_release
- - is_ubuntu
- tags: haproxy
-
-- name: Define the haproxy repository
- apt_repository: repo='{{ haproxy_debian_latest_repo }}' state=present update_cache=yes
- when:
- - haproxy_latest_release
- - is_debian
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports update_cache=yes cache_valid_time=3600
- when: not haproxy_latest_release
- register: install_haproxy
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=latest default_release={{ ansible_lsb.codename }}-backports-{{ haproxy_version }} update_cache=yes cache_valid_time=3600
- when:
- - haproxy_latest_release
- - is_debian
- register: install_haproxy
- tags: haproxy
-
-- name: Install the haproxy package
- apt: name=haproxy state=latest update_cache=yes cache_valid_time=3600
- when:
- - haproxy_latest_release
- - is_ubuntu
- register: install_haproxy
- tags: haproxy
-
-- name: Enable kernel binding non local IP addresses
- sysctl: name={{ item }} value=1 reload=yes state=present
- with_items:
- - net.ipv4.ip_nonlocal_bind
- when: haproxy_k_bind_non_local_ip
- tags: [ 'haproxy', 'haproxy_sysctl' ]
-
-- name: Disable kernel binding non local IP addresses
- sysctl: name={{ item }} value=0 reload=yes state=present
- with_items:
- - net.ipv4.ip_nonlocal_bind
- when: not haproxy_k_bind_non_local_ip
- tags: [ 'haproxy', 'haproxy_sysctl' ]
-
-- name: Increase the connection tracking table capacity
- sysctl: name={{ item }} value={{ haproxy_sysctl_conntrack_max }} reload=yes state=present
- with_items:
- - net.nf_conntrack_max
- when: is_not_debian9
- tags: [ 'haproxy', 'haproxy_sysctl' ]
-
diff --git a/library/roles/haproxy/tasks/haproxy-ssl.yml b/library/roles/haproxy/tasks/haproxy-ssl.yml
deleted file mode 100644
index f873d464..00000000
--- a/library/roles/haproxy/tasks/haproxy-ssl.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- block:
- - name: Install the socat binary needed to talk to the haproxy socket
- apt: name=socat state=latest update_cache=yes cache_valid_time=3600
-
- - name: Install a script that refreshes the OCSP configuration and reloads haproxy if needed
- template: src=hapos-upd.j2 dest=/usr/local/bin/hapos-upd owner=root group=root mode=0755
-
- - name: Install a cron job that refreshes the OCSP configuration
- cron:
- name: "Refresh the haproxy OCSP information"
- user: root
- special_time: daily
- job: "/usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v {{ letsencrypt_acme_certs_dir }}/fullchain -s {{ haproxy_admin_socket }} >/var/log/hapos-upd.log 2>&1"
-
- tags: [ 'haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp' ]
-
diff --git a/library/roles/haproxy/tasks/main.yml b/library/roles/haproxy/tasks/main.yml
deleted file mode 100644
index 7b1c7f44..00000000
--- a/library/roles/haproxy/tasks/main.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-- import_tasks: haproxy-service.yml
-- import_tasks: haproxy-letsencrypt-acme-sh.yml
- when:
- - haproxy_letsencrypt_managed
- - letsencrypt_acme_sh_install
-- import_tasks: haproxy-letsencrypt-acmetool.yml
- when:
- - haproxy_letsencrypt_managed
- - letsencrypt_acme_install
-- import_tasks: haproxy-ssl.yml
- when:
- - haproxy_letsencrypt_managed
-
-- import_tasks: haproxy-nagios.yml
- when:
- - nagios_enabled is defined
- - nagios_enabled
-
-- name: Ensure that haproxy is enabled and started
- service: name=haproxy state=restarted enabled=yes
- when: haproxy_enabled
- ignore_errors: True
- tags: haproxy
-
-- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
- service: name=rsyslog state=restarted
- when:
- - haproxy_enabled
- - install_haproxy is changed
- tags: haproxy
-
-- name: Ensure that haproxy is stopped and disabled if needed
- service: name=haproxy state=stopped enabled=no
- when: not haproxy_enabled
- tags: haproxy
diff --git a/library/roles/haproxy/templates/hapos-upd.j2 b/library/roles/haproxy/templates/hapos-upd.j2
deleted file mode 100644
index 4b399bd8..00000000
--- a/library/roles/haproxy/templates/hapos-upd.j2
+++ /dev/null
@@ -1,571 +0,0 @@ -#!/bin/bash - -# HAProxy OCSP Stapling Updater -# Copyright (c) 2015 Pier Carlo Chiodi - http://www.pierky.com -# -# https://github.com/pierky/haproxy-ocsp-stapling-updater - -set -o nounset - -VERSION="0.4.1-pre1" - -PROGNAME="hapos-upd" - -if [ -z ${OPENSSL_BIN+x} ]; then - OPENSSL_BIN="openssl" -fi - -SOCAT_BIN="socat" - -CERT="" -VAFILE="" -HAPROXY_ADMIN_SOCKET_DEFAULT="/run/haproxy/admin.sock" -HAPROXY_ADMIN_SOCKET="$HAPROXY_ADMIN_SOCKET_DEFAULT" -GOOD_ONLY=0 -SYSLOG_PRIO="" -DEBUG=0 -KEEP_TEMP=0 -OCSP_URL="" -OCSP_HOST="" -VERIFY=1 -TMP="" -SKIP_UPDATE=0 -PARTIAL_CHAIN="" - -function Quit() { - if [ $KEEP_TEMP -eq 0 ]; then - if [ -n "$TMP" ]; then - rm -r $TMP &>/dev/null - fi - fi - exit $1 -} - -function LogError() { - MSG="$1" - - if [ -z "$SYSLOG_PRIO" ]; then - echo "$MSG" >&2 - else - logger -p "$SYSLOG_PRIO" -s -- "$PROGNAME - $MSG" - fi - - echo "$MSG" >>$TMP/log -} - -function Error() { - if [ $1 -eq 9 ]; then - MSG="Error: $2" - else - MSG="Error processing '$CERT': $2" - fi - - LogError "$MSG" - - if [ $1 -eq 9 ]; then - echo "Run $PROGNAME -h for help" >&2 - fi - - Quit $1 -} - -function Debug() { - if [ $DEBUG -eq 1 ]; then - echo "$1" - fi - echo "$1" >>$TMP/log -} - -function Trap() { - Debug "Aborting" - Quit 9 -} - -function Usage() { - echo " -HAProxy OCSP Stapling Updater - $VERSION -Copyright (c) 2015 Pier Carlo Chiodi - http://www.pierky.com - -https://github.com/pierky/haproxy-ocsp-stapling-updater - -Usage: - $PROGNAME [options] --cert crt_full_path - -This script extracts and queries the OCSP server present in a -certificate to obtain its revocation status, then updates HAProxy by -writing the '.issuer' and the '.ocsp' files and by sending it the -'set ssl ocsp-response' command through the local UNIX admin socket. - -The crt_full_path argument is the full path to the certificate bundle -used in haproxy 'crt' setting. End-entity (EE) certificate plus any -intermediate CA certificates must be concatenated there. 
-An OCSP query is sent to the OCSP server given on the command line -(--ocsp-url and --ocsp-host argument); if these arguments are missing, -URL and Host header values are automatically extracted from the -certificate. -If the '.issuer' file already exists it's used to build the OCSP -request, otherwise the chain is extracted from crt_full_path and used -to identify the issuer. -Finally, it writes the related '.issuer' and .'ocsp' files and updates -haproxy, using 'socat' and the local UNIX socket (--socket argument, -default $HAPROXY_ADMIN_SOCKET_DEFAULT). - -Exit codes: - 0 OK - 1 openssl certificates handling error - 2 OCSP server URL not found - 3 string parsing / PEM manipulation error - 4 OCSP error - 5 haproxy management error - 9 program error (wrong arguments, missing dependencies) - -Options: - - -d, --debug : don't do anything, print debug messages only. - - --keep-temp : keep temporary directory after exiting (for - debug purposes). - - -g, --good-only : do not update haproxy if OCSP response - certificate status value is not 'good'. - - -l, --syslog priority : log errors to syslog system log module. - The priority may be specified numerically - or as a facility.level pair (e.g. - local7.error). - - --ocsp-url url : OCSP server URL; use this instead of the - one in the EE certificate. - - --ocsp-host host : OCSP server hostname to be used in the - 'Host:' header; use this instead of the one - extracted from the OCSP server URL. - - --partial-chain : Allow partial certificate chain if at least one certificate - is in trusted store. Useful when validating an intermediate - certificate without the root CA. - - -s, --socket file : haproxy admin socket. If omitted, - $HAPROXY_ADMIN_SOCKET_DEFAULT is used by default. - This script is distributed with only one - method to update haproxy: using 'socat' - with a local admin-level UNIX socket. - Feel free to implement other mechanisms as - needed! 
The right section in the code is - \"UPDATE HAPROXY\", at the end of the script. - - -v, --VAfile file : same as the openssl ocsp -VAfile option - with 'file' as argument. For more details: - 'man ocsp'. - If file = \"-\" then the chain extracted - from the certificate's bundle (or .issuer - file) is used (useful for OCSP responses - that don't include the signer certificate). - - --noverify : Do not verify OCSP response. - - -S, --skip-update : Do not notify haproxy of the new OCSP response. - - -h, --help : this help." -} - -trap Trap INT TERM - -TMP="`mktemp -d -q -t $PROGNAME.XXXXXXXXXX`" - -# COMMAND LINE PROCESSING -# ---------------------------------- - -while [[ $# > 0 ]] -do - - case "$1" in - -h|--help) - Usage - Quit 0 - ;; - - -d|--debug) - DEBUG=1 - ;; - - --keep-temp) - KEEP_TEMP=1 - ;; - - -g|--good-only) - GOOD_ONLY=1 - ;; - - --noverify) - VERIFY=0 - ;; - - --partial-chain) - PARTIAL_CHAIN="-partial_chain" - ;; - - -l|--syslog) - if [ $# -le 1 ]; then - Error 9 "mandatory value is missing for $1 argument" - fi - SYSLOG_PRIO="$2" - shift - ;; - - --ocsp-url) - if [ $# -le 1 ]; then - Error 9 "mandatory value is missing for $1 argument" - fi - OCSP_URL="$2" - shift - ;; - - --ocsp-host) - if [ $# -le 1 ]; then - Error 9 "mandatory value is missing for $1 argument" - fi - OCSP_HOST="$2" - shift - ;; - - -c|--cert) - if [ $# -le 1 ]; then - Error 9 "mandatory value is missing for $1 argument" - fi - CERT="$2" - shift - ;; - - -v|--VAfile) - if [ $# -le 1 ]; then - Error 9 "mandatory value is missing for $1 argument" - fi - VAFILE="$2" - if [ "$VAFILE" == "-" ]; then - VAFILE="$TMP/chain.pem" - else - if [ ! 
-e "$VAFILE" ]; then - Error 9 "VAfile does not exists: $VAFILE" - fi - fi - shift - ;; - - -s|--socket) - if [ $# -le 1 ]; then - Error 9 "mandatory value is missing for $1 argument" - fi - HAPROXY_ADMIN_SOCKET="$2" - shift - ;; - - -S|--skip-update) - SKIP_UPDATE=1 - ;; - - *) - Error 9 "unknown option: $1" - esac - - shift -done - -Debug "Temporary directory: $TMP" - -$OPENSSL_BIN version | grep OpenSSL &>>$TMP/log - -if [ $? -ne 0 ]; then - Error 9 "openssl binary not found; adjust OPENSSL_BIN variable in the script" -fi - -$SOCAT_BIN -V | grep socat &>>$TMP/log - -if [ $? -ne 0 ]; then - Error 9 "socat binary not found; adjust SOCAT_BIN variable in the script" -fi - -if [ -z "$CERT" ]; then - Error 9 "certificate not provided (--cert argument)" -fi - -# CURRENT RESPONSE EXPIRED? -# ---------------------------------- - -ISNEW=1 -if [ -e $CERT.ocsp ]; then - ISNEW=0 - Debug "An OCSP response already exists: checking its expiration." - - $OPENSSL_BIN ocsp -respin $CERT.ocsp -text -noverify | \ - grep "Next Update:" &>>$TMP/log - - if [ $? -eq 0 ]; then - CURR_EXP=`$OPENSSL_BIN ocsp -respin $CERT.ocsp -text -noverify | grep "Next Update:" | cut -d ':' -f 2-` - CURR_EXP_EPOCH=`date --date="$CURR_EXP" +%s` - - if [ $? -ne 0 ]; then - Error 3 "can't parse Next Update from current OCSP response" - fi - - if [ $CURR_EXP_EPOCH -lt `date +%s` ]; then - Debug "Current OCSP response expiration: $CURR_EXP - expired" - LogError "current OCSP response is expired: please consider running this script more frequently" - else - Debug "Current OCSP response expiration: $CURR_EXP - NOT expired" - fi - fi -fi - -# EXTRACT EE CERTIFICATE INFO -# ---------------------------------- - -# extract EE certificate -$OPENSSL_BIN x509 -in $CERT -outform PEM -out $TMP/ee.pem &>>$TMP/log - -if [ $? 
-ne 0 ]; then - Error 1 "can't extract EE certificate from $CERT" -fi - -# get OCSP server URL -if [ -z "$OCSP_URL" ]; then - OCSP_URL="`$OPENSSL_BIN x509 -in $TMP/ee.pem -ocsp_uri -noout`" - - if [ $? -ne 0 ]; then - Error 1 "can't obtain OCSP server URL from $CERT" - fi - - if [ -z "$OCSP_URL" ]; then - Error 2 "OCSP server URL not found in the EE certificate" - fi - - Debug "OCSP server URL found: $OCSP_URL" -else - Debug "Using OCSP server URL from command line: $OCSP_URL" -fi - -# check OCSP server URL format (http:// or https://) -echo "$OCSP_URL" | egrep -i "(http://|https://)" &>/dev/null - -if [ $? -ne 0 ]; then - Error 3 "OCSP server URL not in http[s]:// format" -fi - -# get OCSP server URL host name -if [ -z "$OCSP_HOST" ]; then - OCSP_HOST="`echo "$OCSP_URL" | egrep -i "(http://|https://)" | cut -d'/' -f 3`" - - if [ $? -ne 0 -o -z "$OCSP_HOST" ]; then - Error 3 "can't extract hostname from OCSP server URL $OCSP_URL" - fi - - Debug "OCSP server hostname: $OCSP_HOST" -else - Debug "Using OCSP server hostname from command line: $OCSP_HOST" -fi - -# EXTRACT CHAIN INFO -# ---------------------------------- - -if [ -e $CERT.issuer ]; then - Debug "Using existing chain ($CERT.issuer)" - - # copy .issuer file to temporary chain.pem - cp $CERT.issuer $TMP/chain.pem &>>$TMP/log - - if [ $? -ne 0 ]; then - Error 3 "can't copy current chain from $CERT.issuer" - fi -else - Debug "Extracting chain from certificates bundle" - - # get EE certificate's fingerprint - FP_EE="`$OPENSSL_BIN x509 -fingerprint -noout -in $TMP/ee.pem`" - - if [ $? 
-ne 0 -o -z "$FP_EE" ]; then - Error 1 "can't obtain EE certificate's fingerprint" - fi - - Debug "EE certificate's fingerprint: $FP_EE" - - # get BEGIN CERTIFICATE and END CERTIFICATE separators - PEM_BEGIN_CERT="`head $TMP/ee.pem -n 1`" - PEM_END_CERT="`tail $TMP/ee.pem -n 1`" - - # get number of certificates in the bundle file - NUM_OF_CERTS=`cat $CERT | grep -e "$PEM_BEGIN_CERT" | wc -l` - - if [ $NUM_OF_CERTS -le 1 ]; then - Error 3 "can't obtain the number of certificates in the chain" - fi - - Debug "$NUM_OF_CERTS certificates found in the bundle" - - # save each certificate in the bundle into $TMP/chain-X.pem - cat $CERT | \ - sed -n -e "/$PEM_BEGIN_CERT/,/$PEM_END_CERT/p" | \ - awk "/$PEM_BEGIN_CERT/{x=\"$TMP/chain-\" ++i \".pem\";}{print > x;}" &>>$TMP/log - - if [ $? -ne 0 ]; then - Error 3 "can't extract certificates from bundle" - fi - - # for each certificate that is extracted from the bundle check if - # it's the EE certificate, otherwise uses it to build the chain file - for c in `seq 1 $NUM_OF_CERTS`; - do - # check fingerprint of current and EE certificates - FP="`$OPENSSL_BIN x509 -fingerprint -noout -in $TMP/chain-$c.pem`" - if [ $? -ne 0 -o -z "$FP" ]; then - Error 1 "can't obtain the fingerprint of the certificate n. $c in the bundle" - else - if [ ! "$FP" == "$FP_EE" ]; then - Debug "Bundle certificate n. $c fingerprint: $FP - it's part of the chain" - - # current certificate is not the same as the EE; append to the chain - cat $TMP/chain-$c.pem >> $TMP/chain.pem - else - Debug "Bundle certificate n. $c fingerprint: $FP - EE certificate" - fi - fi - done -fi - -# check if the EE certificate validates against the chain -$OPENSSL_BIN verify $PARTIAL_CHAIN -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log - -if [ $? 
-ne 0 ]; then - if [ -e $CERT.issuer ]; then - Error 1 "can't validate the EE certificate against the existing chain; if it has been changed recently consider removing the current $CERT.issuer file and let this script to figure out a new one" - else - Error 1 "can't validate the EE certificate against the extracted chain" - fi -fi - -# OCSP -# ---------------------------------- - -# query the OCSP server and save its response - -$OPENSSL_BIN version | grep "OpenSSL 1.0" &>/dev/null -if [ $? -eq 0 ]; then - # OpenSSL 1.0.x - - $OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \ - -respout $TMP/ocsp.der -noverify \ - -no_nonce -url $OCSP_URL -header "Host" "$OCSP_HOST" &>>$TMP/log -else - $OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \ - -respout $TMP/ocsp.der -noverify \ - -no_nonce -url $OCSP_URL -header "Host=$OCSP_HOST" &>>$TMP/log -fi - -if [ $? -ne 0 ]; then - Error 1 "can't receive the OCSP server response" -fi - -# process the OCSP response -VERIFYOPT="" -if [ $VERIFY -eq 0 ]; then - VERIFYOPT="-noverify" -fi -if [ -z "$VAFILE" ]; then - $OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \ - -respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \ - -out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt -else - $OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \ - -respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \ - -VAfile $VAFILE \ - -out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt -fi - -if [ $? -ne 0 ]; then - Error 1 "can't receive OCSP response" -fi - -if [ $VERIFY -eq 1 ]; then - Debug "OCSP response verification results: `cat $TMP/ocsp-verify.txt`" - - cat $TMP/ocsp-verify.txt | grep "Response verify OK" &>>$TMP/log - - if [ $? -ne 0 ]; then - grep "signer certificate not found" $TMP/ocsp-verify.txt &>/dev/null - - if [ $? 
-eq 0 ]; then - Error 4 "OCSP response verification failure: signer certificate not found; try with '--VAfile -' or '--VAfile OCSP-response-signing-certificate-file' arguments" - else - Error 4 "OCSP response verification failure." - fi - fi -fi - -Debug "OCSP response: `cat $TMP/ocsp.txt`" - -if [ $GOOD_ONLY -eq 1 ]; then - cat $TMP/ocsp.txt | head -n 1 | grep ": good" &>>$TMP/log - - if [ $? -ne 0 ]; then - Error 4 "OCSP response, certificate status not good" - fi -fi - -# UPDATE HAPROXY -# ---------------------------------- - -# Status: -# - $TMP/ocsp.der contains the OCSP response, DER format -# - $TMP/ocsp.txt contains the textual OCSP response as produced -# by openssl -# - the OCSP response has been verified against the chain or -# the --VAfile - -if [ $DEBUG -eq 0 ]; then - # update .ocsp and .issuer files - - cp $TMP/ocsp.der $CERT.ocsp &>>$TMP/log - - if [ $? -ne 0 ]; then - Error 5 "can't update $CERT.ocsp file" - fi - - if [ ! -e $CERT.issuer ]; then - cp $TMP/chain.pem $CERT.issuer &>>$TMP/log - - if [ $? -ne 0 ]; then - Error 5 "can't update $CERT.issuer file" - fi - fi - - if [ $SKIP_UPDATE -eq 0 ]; then - if [ $ISNEW -eq 1 ]; then - # no .ocsp file found, maybe it's an initial run - Debug "Reloading haproxy." - - service haproxy reload - - if [ $? -ne 0 ]; then - Error 5 "can't reload haproxy with 'service haproxy reload'" - fi - else - # update haproxy via local UNIX socket - Debug "Updating haproxy." - - echo "set ssl ocsp-response `base64 -w 0 $TMP/ocsp.der`" | $SOCAT_BIN stdio $HAPROXY_ADMIN_SOCKET &>>$TMP/log - - if [ $? -ne 0 ]; then - Error 5 "can't update haproxy ssl ocsp-response using $HAPROXY_ADMIN_SOCKET socket" - fi - fi - else - Debug "Not notifying haproxy because skip-update is set." - fi - -else - Debug "Debug mode: haproxy update skipped." -fi - -# remove temporary files and quit with success -Quit 0 - -# vim: set tabstop=4 shiftwidth=4 expandtab: 
diff --git a/library/roles/haproxy/templates/haproxy-letsencrypt-acme.sh.j2 b/library/roles/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
deleted file mode 100644
index 1aaa92bc..00000000
--- a/library/roles/haproxy/templates/haproxy-letsencrypt-acme.sh.j2
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/bash
-
-H_NAME="{{ letsencrypt_acme_sh_certs_data_prefix }}"
-LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
-LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
-LE_LOG_DIR=/var/log/letsencrypt
-HAPROXY_CERTDIR=/etc/pki/haproxy
-HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
-DATE=$( date )
-
-[ ! -d $HAPROXY_CERTDIR ] && mkdir -p $HAPROXY_CERTDIR
-[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
-echo "$DATE" >> $LE_LOG_DIR/haproxy.log
-
-{% if letsencrypt_acme_install %}
-LE_ENV_FILE=/etc/default/letsencrypt
-{% endif %}
-{% if letsencrypt_acme_sh_install %}
-LE_ENV_FILE=/etc/default/acme_sh_request_env
-{% endif %}
-if [ -f "$LE_ENV_FILE" ] ; then
- . "$LE_ENV_FILE"
-else
- echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
-fi
-
-echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
-cat ${LE_CERTS_DIR}/{fullchain,privkey} > ${HAPROXY_CERTFILE}
-chmod 440 ${HAPROXY_CERTFILE}
-chgrp haproxy ${HAPROXY_CERTFILE}
-
-echo "Reload the haproxy service" >> $LE_LOG_DIR/haproxy.log
-if [ -x /bin/systemctl ] ; then
- systemctl reload haproxy >> $LE_LOG_DIR/haproxy.log 2>&1
-else
- service haproxy reload >> $LE_LOG_DIR/haproxy.log 2>&1
-fi
-
-# Run the OCSP stapling script
-if [ -x /usr/local/bin/hapos-upd ] ; then
- echo "Run the OCSP stapling updater script" >> $LE_LOG_DIR/haproxy.log
- /usr/local/bin/hapos-upd --cert {{ haproxy_cert_dir }}/haproxy.pem -v ${LE_CERTS_DIR}/fullchain -s {{ haproxy_admin_socket }} -v - >> $LE_LOG_DIR/haproxy.log 2>&1
-else
- echo "No OCPS stapling updater script" >> $LE_LOG_DIR/haproxy.log
-fi
-
-echo "Done." >> $LE_LOG_DIR/haproxy.log
-
-exit 0
-
diff --git a/library/roles/haproxy/templates/lb.cfg.j2 b/library/roles/haproxy/templates/lb.cfg.j2
deleted file mode 100644
index 509d441e..00000000
--- a/library/roles/haproxy/templates/lb.cfg.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# Check the haproxy backends status
-command[lb_check_bk_status]=/usr/bin/sudo {{ nagios_local_plugdir }}/check_haproxy_stats -s {{ haproxy_admin_socket }} -w {{ haproxy_nagios_check_w }} -c {{ haproxy_nagios_check_c }}
-
-
diff --git a/library/roles/mediawiki/defaults/main.yml b/library/roles/mediawiki/defaults/main.yml
deleted file mode 100644
index e9cc4a0c..00000000
--- a/library/roles/mediawiki/defaults/main.yml
+++ /dev/null
@@ -1,73 +0,0 @@
----
-#
-# This playbook depends on the php-fpm, mysql role and nginx
-#
-mw_install_from_package: False
-# Distribution packages are always obsolete
-mw_install_from_tar: True
-mw_version: 1.33
-mw_minor_minor: 0
-mw_download_url: http://releases.wikimedia.org/mediawiki/{{ mw_version }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}.tar.gz
-mw_download_dir: /srv/mediawiki
-mw_install_dir: /var/www/html
-mw_conf_dir: /etc/mediawiki
-mw_servername: '{{ ansible_fqdn }}'
-mw_db_host: localhost
-mw_db_table_prefix: 'mw_'
-
-mw_local_nginx_virtualhost: '{{ mw_local_nginx }}'
-mw_context: wiki
-mw_doc_root: '{{ mw_install_dir }}/{{ mw_context }}'
-mw_wiki_servername: '{{ ansible_fqdn }}'
-mw_wiki_name: 'Mediawiki Installation'
-
-mw_upload_subdirs:
- - archive
- - thumb
- - temp
-
-mw_local_mysql: True
-mw_local_nginx: True
-mw_local_memcached: True
-mw_memcached_hosts: '"127.0.0.1:11211"'
-
-mw_db_name: mediawiki
-mw_db_user: mediawiki_u
-# mw_db_pwd: 'use a vault file'
-mw_system_user: mwiki
-# mw_admin_pwd: 'use a vault file'
-# mw_secret_key: 'use a vault file'
-
-mw_mysql_db_data:
- - { name: '{{ mw_db_name }}', user: '{{ mw_db_user }}', pwd: '{{ mw_db_pwd }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user_grant: 'ALL', allowed_hosts: [ '{{ ansible_fqdn }}/32', '127.0.0.1/8', 'localhost' ] }
-
-mw_id: 'wiki'
-mw_uri: '/wiki'
-mw_http_port: 80
-mw_https_port: 443
-
-mw_php_version: 7.2
-
-mw_php_additional_packages:
- - 'php{{ php_version }}-mbstring'
- - 'php{{ php_version }}-xmlrpc'
- - 'php{{ php_version }}-soap'
- - 'php{{ php_version }}-gd'
- - 'php{{ php_version }}-xml'
- - 'php{{ php_version }}-intl'
- - 'php{{ php_version }}-mysql'
- - 'php{{ php_version }}-cli'
- - 'php{{ php_version }}-zip'
- - 'php{{ php_version }}-curl'
- - php-apcu
- - php-wikidiff2
- - imagemagick
- - php-imagick
-
-mw_phpfpm_pools:
- - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', admin_write: True, doc_root: '{{ mw_doc_root }}', virthost: '{{ mw_context }}' }
-
-# This choice is not recommended. The package has a poor list of dependencies. We do not want to deal with those
-mw_package:
- - mediawiki
-
diff --git a/library/roles/mediawiki/meta/main.yml b/library/roles/mediawiki/meta/main.yml
deleted file mode 100644
index 0fc58a06..00000000
--- a/library/roles/mediawiki/meta/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-dependencies:
- - { role: '../../library/roles/mysql', when: mw_local_mysql | bool }
- - role: '../../library/roles/php-fpm'
- - { role: '../../library/roles/memcached', when: mw_local_memcached | bool }
- - { role: '../../library/roles/nginx', when: mw_local_nginx | bool }
diff --git a/library/roles/mediawiki/tasks/main.yml b/library/roles/mediawiki/tasks/main.yml
deleted file mode 100644
index 93bae4e3..00000000
--- a/library/roles/mediawiki/tasks/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-- name: Ensure that the download and install dirs exist
- file: path={{ item }} state=directory
- with_items:
- - '{{ mw_download_dir }}'
- - '{{ mw_install_dir }}'
- tags: mediawiki
-
-- name: Download the mediawiki tar file
- get_url: url={{ mw_download_url }} dest={{ mw_download_dir }}
- when:
- - not mw_install_from_package
- - mw_install_from_tar
- tags: mediawiki
-
-- name: Unpack the mediawiki tar file
- unarchive: copy=no src={{ mw_download_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}.tar.gz dest={{ mw_download_dir }}
- args:
- creates: '{{ mw_download_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }}/INSTALL'
- when: mw_install_from_tar
- tags: mediawiki
-
-- name: Move the mediawiki files to the right place
- command: cp -a {{ mw_download_dir }}/mediawiki-{{ mw_version }}.{{ mw_minor_minor }} {{ mw_doc_root }}
- args:
- creates: '{{ mw_doc_root }}/index.php'
- when: mw_install_from_tar
- tags: mediawiki
-
-- name: Create the images subdirs
- file: dest={{ mw_doc_root }}/images/{{ item }} state=directory
- with_items: '{{ mw_upload_subdirs }}'
- tags: mediawiki
-
-- name: Set the correct ownership of the mediawiki files
- file: dest={{ mw_doc_root }} owner={{ item.user }} group={{ item.group }} recurse=yes state=directory
- with_items: '{{ phpfpm_pools }}'
- tags: mediawiki
-
-- name: Create the mediawiki conf dir
- file: path={{ mw_conf_dir }} state=directory
- tags: mediawiki
-
-- block:
-
- - name: Check if the mediawiki instance has been initialized already
- stat: path={{ mw_doc_root }}/.mwinitialized
- register: mw_init
-
- tags: [ 'mediawiki', 'mediawiki_init' ]
-
-- block:
- - name: Create a file with the DB password
- template: src=mw_db_passwd.j2 dest=/tmp/mw_db_passwd owner=root group=root mode=0400
-
- - name: Create a file with the admin password
- template: src=mw_admin_passwd.j2 dest=/tmp/mw_admin_passwd owner=root group=root mode=0400
-
- - name: Initialize the mediawiki instance
- shell: cd {{ mw_doc_root }} ; php maintenance/install.php --confpath {{ mw_conf_dir }} --dbname {{ mw_db_name }} --dbprefix {{ mw_db_table_prefix }} --dbuser {{ mw_db_user }} --dbpassfile /tmp/mw_db_passwd --with-extensions --scriptpath {{ mw_uri }} --passfile /tmp/mw_admin_passwd --wiki {{ mw_id }} --dbserver {{ mw_db_host }} --dbtype mysql --server https://{{ mw_wiki_servername }} "{{ mw_wiki_name }}" {{ mw_system_user }} && touch {{ mw_doc_root }}/.mwinitialized ; rm -f /tmp/mw_db_passwd /tmp/mw_admin_passwd
- args:
- creates: '{{ mw_doc_root }}/.mwinitialized'
-
- when: mw_init.stat.exists is defined and not mw_init.stat.exists
- tags: [ 'mediawiki', 'mediawiki_init' ]
diff --git a/library/roles/mediawiki/templates/mw_admin_passwd.j2 b/library/roles/mediawiki/templates/mw_admin_passwd.j2
deleted file mode 100644
index 6feb1bd8..00000000
--- a/library/roles/mediawiki/templates/mw_admin_passwd.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ mw_admin_pwd }}
diff --git a/library/roles/mediawiki/templates/mw_db_passwd.j2 b/library/roles/mediawiki/templates/mw_db_passwd.j2
deleted file mode 100644
index 3ba0cf3f..00000000
--- a/library/roles/mediawiki/templates/mw_db_passwd.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ mw_db_pwd }}
diff --git a/library/roles/mediawiki/vars/main.yml b/library/roles/mediawiki/vars/main.yml
deleted file mode 100644
index 0c9fd813..00000000
--- a/library/roles/mediawiki/vars/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-http_port: '{{ mw_http_port }}'
-https_port: '{{ mw_https_port }}'
-
-php_version: '{{ mw_php_version }}'
-
-php_additional_packages: '{{ mw_php_additional_packages }}'
-
-mysql_db_data: '{{ mw_mysql_db_data }}'
-
-phpfpm_default_pool_name: '{{ mw_system_user }}'
-phpfpm_default_user: '{{ mw_system_user }}'
-
-phpfpm_pools: '{{ mw_phpfpm_pools }}'
diff --git a/library/roles/prometheus-haproxy-exporter/defaults/main.yml b/library/roles/prometheus-haproxy-exporter/defaults/main.yml
deleted file mode 100644
index ca053ce9..00000000
--- a/library/roles/prometheus-haproxy-exporter/defaults/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-prometheus_h_e_install: True
-prometheus_h_e_version: 0.9.0
-prometheus_h_e_dir: 'haproxy_exporter-{{ prometheus_h_e_version }}.linux-amd64'
-prometheus_h_e_file: '{{ prometheus_h_e_dir }}.tar.gz'
-prometheus_h_e_download_url: 'https://github.com/prometheus/haproxy_exporter/releases/download/v{{ prometheus_h_e_version }}/{{ prometheus_h_e_file }}'
-prometheus_h_e_user: prometheus
-prometheus_h_e_home: /opt/prometheus
-prometheus_h_e_dist_dir: '{{ prometheus_h_e_home }}/dist'
-prometheus_h_e_logdir: '/var/log/prometheus-haproxy-exporter'
-prometheus_h_e_cmd: '{{ prometheus_h_e_dist_dir }}/{{ prometheus_h_e_dir }}/haproxy_exporter'
-prometheus_h_e_port: 9101
-prometheus_h_e_loglevel: info
-prometheus_h_e_haproxy_pid: '/run/haproxy.pid'
-prometheus_h_e_haproxy_stats_port: 8881
-prometheus_h_e_opts: '--web.listen-address=":{{ prometheus_h_e_port }}" --log.level={{ prometheus_h_e_loglevel }} --haproxy.pid-file="{{ prometheus_h_e_haproxy_pid }}" --haproxy.scrape-uri="http://localhost:{{ prometheus_h_e_haproxy_stats_port }}/;csv"'
-# List the additional options here
-prometheus_h_e_additional_opts: ''
diff --git a/library/roles/prometheus-haproxy-exporter/handlers/main.yml b/library/roles/prometheus-haproxy-exporter/handlers/main.yml
deleted file mode 100644
index a07bf565..00000000
--- a/library/roles/prometheus-haproxy-exporter/handlers/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: systemd reload
- command: systemctl daemon-reload
-
-- name: Restart haproxy exporter
- service: name=haproxy_exporter state=restarted
-
diff --git a/library/roles/prometheus-haproxy-exporter/tasks/main.yml b/library/roles/prometheus-haproxy-exporter/tasks/main.yml
deleted file mode 100644
index 6c33256a..00000000
--- a/library/roles/prometheus-haproxy-exporter/tasks/main.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-- block:
- - name: Create the user under the haproxy exporter will run
- user: name={{ prometheus_h_e_user }} home={{ prometheus_h_e_home }} createhome=no shell=/usr/sbin/nologin system=yes
-
- - name: Create the prometheus haproxy exporter base directory
- file: dest={{ item }} state=directory owner=root group=root
- with_items:
- - '{{ prometheus_h_e_home }}'
- - '{{ prometheus_h_e_dist_dir }}'
-
- - name: Create the prometheus haproxy exporter log directory
- file: dest={{ prometheus_h_e_logdir }} state=directory owner={{ prometheus_h_e_user }} group={{ prometheus_h_e_user }}
-
- - name: Download the prometheus haproxy exporter
- get_url: url={{ prometheus_h_e_download_url }} dest=/srv/
-
- - name: Unarchive the prometheus distribution
- unarchive: src=/srv/{{ prometheus_h_e_file }} dest={{ prometheus_h_e_dist_dir }} remote_src=yes owner=root group=root
- args:
- creates: '{{ prometheus_h_e_dist_dir }}/{{ prometheus_h_e_dir }}/haproxy_exporter'
- notify: Restart haproxy exporter
-
- - name: Install the prometheus haproxy exporter upstart script
- template: src=haproxy_exporter.upstart.j2 dest=/etc/init/haproxy_exporter.conf mode=0644 owner=root group=root
- when: ansible_service_mgr != 'systemd'
-
- - name: Install the prometheus haproxy exporter systemd unit
- template: src=haproxy_exporter.systemd.j2 dest=/etc/systemd/system/haproxy_exporter.service mode=0644 owner=root group=root
- when: ansible_service_mgr == 'systemd'
- notify: systemd reload
-
- - name: Ensure that prometheus haproxy_exporter is started and enabled
- service: name=haproxy_exporter state=started enabled=yes
-
- tags: [ 'prometheus', 'haproxy_exporter' ]
- when: prometheus_h_e_install
-
-- block:
- - name: Ensure that prometheus haproxy_exporter is stopped and disabled
- service: name=haproxy_exporter state=stopped enabled=no
-
- - name: Remove prometheus haproxy exporter upstart script
- file: dest=/etc/init/haproxy_exporter.conf state=absent
- when: ansible_service_mgr != 'systemd'
-
- - name: Remove the prometheus haproxy exporter systemd unit
- file: dest=/etc/systemd/system/haproxy_exporter.service state=absent
- when: ansible_service_mgr == 'systemd'
- notify: systemd reload
-
- tags: [ 'prometheus', 'haproxy_exporter' ]
- when: not prometheus_h_e_install
diff --git a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.systemd.j2 b/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.systemd.j2
deleted file mode 100644
index b0703745..00000000
--- a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.systemd.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=haproxy_exporter - Prometheus exporter for haproxy metrics and stats.
-After=network.target
-
-[Service]
-Type=simple
-Restart=on-failure
-
-User={{ prometheus_h_e_user }}
-Group={{ prometheus_h_e_user }}
-
-ExecStart={{ prometheus_h_e_cmd }} {{ prometheus_h_e_opts }} {{ prometheus_h_e_additional_opts }}
-
-[Install]
-WantedBy=multi-user.target
-Alias=prometheus_haproxy_exporter.service
-
diff --git a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.upstart.j2 b/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.upstart.j2
deleted file mode 100644
index f95929f2..00000000
--- a/library/roles/prometheus-haproxy-exporter/templates/haproxy_exporter.upstart.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-description "Prometheus haproxy exporter"
-start on (local-filesystems and net-device-up IFACE!=lo)
-stop on runlevel [016]
-
-respawn
-respawn limit 10 5
-setuid {{ prometheus_h_e_user }}
-setgid {{ prometheus_h_e_user }}
-
-script
- exec {{ prometheus_h_e_cmd }} {{ prometheus_h_e_opts }} {{ prometheus_h_e_additional_opts }} > {{ prometheus_h_e_logdir }}/haproxy_exporter.log 2>&1
-end script