---
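# Install the load balancer and the ACME client from FreeBSD packages.
# Package names are given as a proper list; the previous single
# space-separated string only worked because the pkgng backend happened
# to split it before passing it to pkg(8).
# NOTE(review): the task title mentions "snooze", but it is not in the
# package list. If the acme-renew service scripts (not in view) rely on
# it, add it here; otherwise fix the title.
- name: Install HAProxy, acme.sh and snooze
  package:
    name:
      - haproxy
      - acme.sh
    state: present
  notify:
    - Restart HAProxy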
# Primary group for the HAProxy service account. The gid is pinned so it
# is identical on every host this role is applied to.
- name: Create HAProxy group
  group:
    gid: 20001
    name: haproxy
  notify:
    - Restart HAProxy
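# Dedicated unprivileged account for HAProxy. It never logs in, so it
# gets no home directory and, new here, no interactive shell: FreeBSD's
# pw(8) otherwise leaves a service account with /bin/sh.
- name: Create HAProxy user
  user:
    name: haproxy
    uid: 20001
    group: haproxy
    create_home: false
    home: /var/empty
    shell: /usr/sbin/nologin
  notify:
    - Restart HAProxy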
# Keep HAProxy's logs on a 128 MiB memory-backed filesystem (nothing is
# persisted across reboots). "late" is a FreeBSD fstab option: the
# filesystem is mounted by rc's mountlate step rather than with the
# early mounts.
# NOTE(review): the mount is owned by uid/gid 20000 with mode 750, while
# the haproxy account created in this file is 20001 and the log service
# runs as "s6-log" (see MODE/USER/GROUP below). 20000 is presumably the
# s6-log account, which is created elsewhere; confirm the ids match,
# otherwise s6-log cannot write here.
- name: Add /var/log/haproxy to fstab
  mount:
    src: tmpfs
    fstype: tmpfs
    path: /var/log/haproxy
    opts: 'rw,size=128m,mode=750,uid=20000,gid=20000,late'
    state: mounted
# Runtime directory for HAProxy (pid file / sockets as configured in
# global.cfg, which is not in view). Root-owned and world-readable.
# NOTE(review): if the unprivileged worker (uid haproxy) rather than the
# root master has to create a socket in here, this directory needs to be
# owned by haproxy instead.
- name: Create /var/run/haproxy
  file:
    state: directory
    path: /var/run/haproxy
    mode: '0755'
    owner: root
    group: wheel
# s6-rc service tree for haproxy and its logger. env/ holds the
# per-service environment files, data/ the readiness check script.
- name: Create HAProxy service directories
  file:
    state: directory
    path: '/etc/s6-rc/service/{{ item }}'
    mode: '0755'
    owner: root
    group: wheel
  loop:
    - haproxy
    - haproxy/env
    - haproxy/data
    - haproxy-log
    - haproxy-log/env
# Render the run/finish/check scripts for both services. They are
# root-owned and read/execute only; any change restarts the services
# after s6-rc has recompiled its database.
- name: Generate HAProxy service scripts
  template:
    src: '{{ item }}.j2'
    dest: '/etc/s6-rc/service/{{ item }}'
    mode: '0555'
    owner: root
    group: wheel
  loop:
    - haproxy/run
    - haproxy/finish
    - haproxy/data/check
    - haproxy-log/run
    - haproxy-log/finish
  notify:
    - Reload s6-rc
    - Restart HAProxy
    - Restart HAProxy log
# Static s6-rc service definition files plus the environment the run
# scripts read. notification-fd 3 is s6's readiness mechanism (the run
# script writes to fd 3 once the service is up); producer-for /
# consumer-for wire haproxy's stdout into the haproxy-log service,
# which writes it under /var/log/haproxy as user/group s6-log.
# NOTE(review): /root/bin on a service PATH is unusual; nothing in view
# needs it, and the haproxy binary is found in /usr/local/sbin first.
- name: Generate HAProxy service configuration
  copy:
    dest: '/etc/s6-rc/service/{{ item.name }}'
    content: '{{ item.content }}'
    mode: '0444'
    owner: root
    group: wheel
  loop:
    - name: haproxy/type
      content: longrun
    - name: haproxy/notification-fd
      content: '3'
    - name: haproxy/producer-for
      content: haproxy-log
    - name: haproxy/env/NAME
      content: haproxy
    - name: haproxy/env/PATH
      content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
    - name: haproxy/env/BIND_V4
      content: '{{ haproxy_v4 }}'
    - name: haproxy/env/BIND_V6
      content: '{{ haproxy_v6 }}'
    - name: haproxy-log/type
      content: longrun
    - name: haproxy-log/notification-fd
      content: '3'
    - name: haproxy-log/consumer-for
      content: haproxy
    - name: haproxy-log/env/NAME
      content: haproxy
    - name: haproxy-log/env/PATH
      content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
    - name: haproxy-log/env/MODE
      content: '750'
    - name: haproxy-log/env/USER
      content: s6-log
    - name: haproxy-log/env/GROUP
      content: s6-log
    - name: haproxy-log/env/DIR
      content: /var/log/haproxy
  loop_control:
    label: '{{ item.name }} = {{ item.content }}'
  notify:
    - Reload s6-rc
    - Restart HAProxy
    - Restart HAProxy log
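# HAProxy's configuration lives here together with the certificates that
# acme.sh deploys (DEPLOY_HAPROXY_PEM_PATH below), so the acme group needs
# write access to the directory. The sticky bit is what keeps that safe:
# directory write permission alone lets the acme account unlink and
# replace the root-owned *.cfg and *.map files (their 0444 mode does not
# prevent that), and acme can then trigger a reload through its sudo
# rule -- i.e. a compromised acme user could hand HAProxy an arbitrary
# configuration. With 1770 only root or a file's owner may remove or
# rename it, so acme can manage its own .pem files and nothing else.
# A cleaner layout would deploy certificates into a dedicated
# subdirectory and keep this one root-only; that also needs the crt
# paths in the templates (not in view) to change.
- name: Create HAProxy configuration directory
  file:
    path: /usr/local/etc/haproxy
    state: directory
    owner: root
    group: acme
    mode: '1770'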
# Render the static parts of the HAProxy configuration. The per-host
# backend fragments and the lookup maps are produced by the tasks that
# follow; all of them are root-owned and read-only.
- name: Configure HAProxy
  template:
    src: '{{ item }}.j2'
    dest: '/usr/local/etc/haproxy/{{ item }}'
    mode: '0444'
    owner: root
    group: wheel
  loop:
    - defaults.cfg
    - global.cfg
    - http.cfg
    - sni.cfg
  notify:
    - Reload HAProxy
# One backend fragment per entry in haproxy_http (each entry must carry
# a "host" key, which also becomes part of the file name).
- name: Configure HAProxy HTTP backends
  template:
    src: http_host.cfg.j2
    dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg'
    mode: '0444'
    owner: root
    group: wheel
  loop: '{{ haproxy_http | flatten(levels=1) }}'
  notify:
    - Reload HAProxy
# One TLS-passthrough (SNI) backend fragment per entry in haproxy_sni;
# same shape as the HTTP backends above.
- name: Configure HAProxy SNI backends
  template:
    src: sni_host.cfg.j2
    dest: '/usr/local/etc/haproxy/sni_{{ item.host }}.cfg'
    mode: '0444'
    owner: root
    group: wheel
  loop: '{{ haproxy_sni | flatten(levels=1) }}'
  notify:
    - Reload HAProxy
# Create an empty host->backend map on first run only. The creates:
# guard keeps an existing map (populated by the "Enable" tasks below)
# from being touched again on later runs.
- name: Make sure the HTTP map exists
  command:
    cmd: env touch /usr/local/etc/haproxy/http.map
    creates: /usr/local/etc/haproxy/http.map
  notify:
    - Reload HAProxy
# Same as for the HTTP map: create once, never touch again.
- name: Make sure the SNI map exists
  command:
    cmd: env touch /usr/local/etc/haproxy/sni.map
    creates: /usr/local/etc/haproxy/sni.map
  notify:
    - Reload HAProxy
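# One "<host> <backend>" line per HTTP host. The host is interpolated
# into a regular expression, so it has to be escaped: an unescaped "."
# matches any character, and the pattern for "a.example.com" would also
# match -- and silently overwrite -- the line for "a-example.com".
- name: Enable HAProxy HTTP backends
  lineinfile:
    path: /usr/local/etc/haproxy/http.map
    regexp: '^{{ item.host | regex_escape }} '
    line: '{{ item.host }} http_{{ item.host }}'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_http }}'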
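# One "<host> <backend>" line per SNI host. As with the HTTP map, the
# host must be regex-escaped before it is used as the match pattern,
# otherwise "." in a hostname matches any character and one host's
# entry can clobber another's.
- name: Enable HAProxy SNI backends
  lineinfile:
    path: /usr/local/etc/haproxy/sni.map
    regexp: '^{{ item.host | regex_escape }} '
    line: '{{ item.host }} sni_{{ item.host }}'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_sni }}'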
# Run pending handlers now (in particular "Reload s6-rc", notified by
# the service-definition tasks above) so that s6-rc knows the haproxy
# service before the next task asks it to start it.
- name: Flush handlers
  meta: flush_handlers
# Bring the haproxy service up through s6-rc. fdmove (execline) merges
# stderr into stdout so that s6-rc's "-v 2" transition messages are
# captured; the task is only reported as changed when s6-rc printed
# something, i.e. when it actually had to start the service.
- name: Start HAProxy
  command:
    cmd: fdmove -c 2 1 s6-rc -u -v 2 change haproxy
  register: change
  changed_when: (change.stdout | length) > 0
# Add haproxy to the "enabled" bundle so that s6-rc brings it up at boot.
- name: Enable HAProxy
  lineinfile:
    path: /etc/s6-rc/service/enabled/contents
    line: haproxy
    regexp: '^haproxy$'
  notify:
    - Reload s6-rc
# Recompile the s6-rc database right away so the "enabled" bundle change
# above takes effect instead of waiting for the end of the play.
- name: Flush handlers (again)
  meta: flush_handlers
# One-time ACME account registration, run as the unprivileged acme user
# with its own working directory. The CA is pinned explicitly: acme.sh
# 3.x defaults to ZeroSSL otherwise. The creates: path is the account
# file acme.sh writes for the Let's Encrypt v2 directory, so this is
# skipped once the account exists.
- name: "Register Let's Encrypt account"
  command:
    cmd: 'env sudo -u acme acme.sh --email {{ haproxy_acme_email }} --server letsencrypt --register-account --home /var/db/acme'
    creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/directory/account.json
# acme.sh looks for deploy hooks in <home>/deploy; point that at the
# hook scripts shipped with the FreeBSD package (root-owned, so the acme
# user cannot modify what will run as the deploy hook).
- name: Use the example deploy hooks
  file:
    state: link
    src: /usr/local/share/examples/acme.sh/deploy
    dest: /var/db/acme/deploy
    owner: acme
    group: acme
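# Deploy-hook setting for the haproxy hook: where to write the combined
# PEM. account.conf is also the file in which acme.sh persists API and
# deploy-hook credentials, so it is kept private to the acme user
# instead of being left at whatever the umask produced.
- name: Tell acme.sh where to find HAProxy on FreeBSD
  lineinfile:
    path: /var/db/acme/account.conf
    create: true
    owner: acme
    group: acme
    mode: '0600'
    regexp: '^DEPLOY_HAPROXY_PEM_PATH='
    state: present
    line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'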
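# Deploy-hook setting: the command acme.sh runs after writing the PEM.
# s6-svc -h sends SIGHUP to the supervised process; this presumably
# relies on HAProxy running in master-worker mode (run script not in
# view), where the master treats SIGHUP as a reload. sudo is allowed for
# exactly this command by the sudoers fragment installed below.
# account.conf also stores acme.sh credentials, hence the 0600 mode.
- name: Tell acme.sh how to reload HAProxy on FreeBSD
  lineinfile:
    path: /var/db/acme/account.conf
    mode: '0600'
    regexp: '^DEPLOY_HAPROXY_RELOAD='
    state: present
    line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'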
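# sudo rule that lets the acme user trigger the HAProxy reload from the
# deploy hook. The fragment is syntax-checked before it replaces the old
# one: a sudoers.d file with a parse error disables sudo for every user
# on the host. 0440 is the mode sudo expects for sudoers files; other
# local users have no business reading which commands acme may run.
# NOTE(review): acme.j2 is not in view. It should grant exactly
# `s6-svc -h /run/service/haproxy` (the DEPLOY_HAPROXY_RELOAD command)
# with NOPASSWD and nothing broader.
- name: Allow acme user to reload haproxy
  template:
    src: acme.j2
    dest: /usr/local/etc/sudoers.d/acme
    owner: root
    group: wheel
    mode: '0440'
    validate: '/usr/local/sbin/visudo -cf %s'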
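# Obtain a certificate for this host. acme.sh serves the HTTP-01
# challenge itself on port 8080 (--standalone), so HAProxy presumably
# forwards /.well-known/acme-challenge/ there (templates not in view).
# --server letsencrypt is added to match the account registered above:
# acme.sh 3.x (the version range that understands the "letsencrypt"
# short name already used there) defaults to ZeroSSL, so without it the
# issue step would talk to a CA the account was never registered with.
# NOTE(review): the creates: guard expects the certificate under
# /var/db/acme/<domain>/. Recent acme.sh versions default to ECC keys
# and store those under <domain>_ecc/ instead; if that applies here,
# pin --keylength (or adjust the path), otherwise this task re-runs on
# every play and fails once acme.sh refuses to reissue early.
- name: Request X.509 certificates
  command: 'env sudo -u acme acme.sh --home /var/db/acme --server letsencrypt --standalone --httpport 8080 --issue --domain {{ item }}'
  args:
    creates: '/var/db/acme/{{ item }}/fullchain.cer'
  with_items:
    - '{{ ansible_fqdn }}'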
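# Run acme.sh's haproxy deploy hook once per domain: it writes the
# combined PEM to DEPLOY_HAPROXY_PEM_PATH and runs DEPLOY_HAPROXY_RELOAD
# (both set in account.conf above). The previous --debug flag is gone:
# its verbose trace of paths and hook settings only ended up in the play
# output; re-add it while troubleshooting a failing deploy, not in the
# unattended run. Skipped once the PEM exists.
- name: Deploy X.509 certificates to HAProxy
  command: 'env sudo -Hu acme acme.sh --home /var/db/acme --deploy --domain {{ item }} --deploy-hook haproxy'
  args:
    creates: '/usr/local/etc/haproxy/{{ item }}.pem'
  with_items:
    - '{{ ansible_fqdn }}'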
# s6-rc service tree for the periodic acme.sh renewal job; the list of
# directories comes from acme_service_dirs.
- name: Create acme.sh renew service directories
  file:
    state: directory
    path: '/etc/s6-rc/service/{{ item }}'
    mode: '0755'
    owner: root
    group: wheel
  loop: '{{ acme_service_dirs | flatten(levels=1) }}'
  notify:
    - Reload s6-rc
    - Restart acme-renew
# Render the renew service's run/finish scripts (names from
# acme_service_scripts); root-owned, read/execute only.
- name: Generate acme.sh renew service scripts
  template:
    src: '{{ item }}.j2'
    dest: '/etc/s6-rc/service/{{ item }}'
    mode: '0555'
    owner: root
    group: wheel
  loop: '{{ acme_service_scripts | flatten(levels=1) }}'
  notify:
    - Reload s6-rc
    - Restart acme-renew
# Static definition/environment files for the renew service, taken from
# acme_service_config (a list of {name, content} items).
# NOTE(review): the loop label echoes each file's content into the play
# output; that is fine for the HAProxy items above, but if
# acme_service_config ever carries a credential it will be printed here.
- name: Generate acme.sh renew service configuration
  copy:
    dest: '/etc/s6-rc/service/{{ item.name }}'
    content: '{{ item.content }}'
    mode: '0444'
    owner: root
    group: wheel
  loop: '{{ acme_service_config | flatten(levels=1) }}'
  loop_control:
    label: '{{ item.name }} = {{ item.content }}'
  notify:
    - Reload s6-rc
    - Restart acme-renew
# Let s6-rc recompile its database now so the acme-renew service is
# known before the next task tries to start it.
- name: Flush handlers
  meta: flush_handlers
# Start the renewal service via s6-rc; stderr is folded into stdout by
# fdmove so the verbose transition output can be inspected, and the task
# counts as changed only when s6-rc reported doing something.
- name: Start acme renew service
  command:
    cmd: fdmove -c 2 1 s6-rc -u -v 2 change acme-renew
  register: change
  changed_when: (change.stdout | length) > 0
# Add acme-renew to the "enabled" bundle so it starts at boot.
- name: Enable acme-renew
  lineinfile:
    path: /etc/s6-rc/service/enabled/contents
    line: acme-renew
    regexp: '^acme-renew$'
  notify:
    - Reload s6-rc
# Apply the bundle change immediately rather than at the end of the play.
- name: Flush handlers (again)
  meta: flush_handlers