ccchb
/
ansible
mirror of https://dev.ccchb.de/ccchb/ansible.git
3
0
Fork 0
Code Issues Releases Wiki Activity

Add Let's Encrypt support to HAProxy. 

Closes #13
This commit is contained in:
genofire 2020-10-21 16:10:23 +02:00
parent 4696d140aa
commit 4dfd89dff1
3 changed files with 62 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
roles/haproxy/tasks/main.yml
View File

@ -1,7 +1,7 @@
--- ---
- name: Install HAProxy - name: Install HAProxy, acme.sh and snooze
package: package:
name: haproxy name: haproxy acme.sh
state: present state: present
notify: notify:
- Restart HAProxy - Restart HAProxy
@ -114,8 +114,8 @@
path: /usr/local/etc/haproxy path: /usr/local/etc/haproxy
state: directory state: directory
owner: root owner: root
group: wheel group: acme
mode: 0755 mode: 0770
- name: Configure HAProxy - name: Configure HAProxy
template: template:
@ -204,3 +204,55 @@
- name: Flush handlers (again) - name: Flush handlers (again)
meta: flush_handlers meta: flush_handlers
- name: "Register Let's Encrypt account"
command: env sudo -u acme acme.sh --register-account --home /var/db/acme
args:
creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/account.json
- name: Use the example deploy hooks
file:
dest: /var/db/acme/deploy
src: /usr/local/share/examples/acme.sh/deploy
state: link
owner: acme
group: acme
- name: Tell acme.sh where to find HAProxy on FreeBSD
lineinfile:
path: /var/db/acme/account.conf
create: yes
owner: acme
group: acme
regex: '^DEPLOY_HAPROXY_PEM_PATH='
state: present
line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'
- name: Tell acme.sh how to reload HAProxy on FreeBSD
lineinfile:
path: /var/db/acme/account.conf
regex: '^DEPLOY_HAPROXY_RELOAD='
state: present
line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'
- name: Allow acme user to reload haproxy
template:
dest: /usr/local/etc/sudoers.d/acme
src: acme.j2
owner: root
group: wheel
mode: '0444'
- name: Request X.509 certificates
command: 'env sudo -u acme acme.sh --home /var/db/acme --standalone --httpport 8080 --issue --domain {{ item }}'
args:
creates: '/var/db/acme/{{ item }}/fullchain.cer'
with_items:
- '{{ ansible_fqdn }}'
- name: Deploy X.509 certificates to HAProxy
command: 'env sudo -Hu acme acme.sh --debug --home /var/db/acme --deploy --domain {{ item }} --deploy-hook haproxy'
args:
creates: '/usr/local/etc/haproxy/{{ item }}.pem'
with_items:
- '{{ ansible_fqdn }}'

1
roles/haproxy/templates/acme.j2 Normal file
View File

@ -0,0 +1 @@
acme ALL=NOPASSWD:/usr/local/bin/s6-svc -h /run/service/haproxy

5
roles/haproxy/templates/http.cfg.j2
View File

@ -4,5 +4,10 @@ frontend http
bind ${BIND_V6}:80 bind ${BIND_V6}:80
http-request set-src src,ipmask(16,56) http-request set-src src,ipmask(16,56)
acl acme_acl path_beg /.well-known/acme-challenge/ AND req.hdr(host) -m str /{{ ansible_fqdn }}/
use_backend acme if acme_acl
use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/http.map)] use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/http.map)]
backend acme
server localhost 127.0.0.1:8080