mirror of https://dev.ccchb.de/ccchb/ansible.git
parent
4696d140aa
commit
4dfd89dff1
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Install HAProxy
|
- name: Install HAProxy, acme.sh and snooze
|
||||||
package:
|
package:
|
||||||
name: haproxy
|
name: haproxy acme.sh
|
||||||
state: present
|
state: present
|
||||||
notify:
|
notify:
|
||||||
- Restart HAProxy
|
- Restart HAProxy
|
||||||
|
@ -114,8 +114,8 @@
|
||||||
path: /usr/local/etc/haproxy
|
path: /usr/local/etc/haproxy
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
group: wheel
|
group: acme
|
||||||
mode: 0755
|
mode: 0770
|
||||||
|
|
||||||
- name: Configure HAProxy
|
- name: Configure HAProxy
|
||||||
template:
|
template:
|
||||||
|
@ -204,3 +204,55 @@
|
||||||
|
|
||||||
- name: Flush handlers (again)
|
- name: Flush handlers (again)
|
||||||
meta: flush_handlers
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: "Register Let's Encrypt account"
|
||||||
|
command: env sudo -u acme acme.sh --register-account --home /var/db/acme
|
||||||
|
args:
|
||||||
|
creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/account.json
|
||||||
|
|
||||||
|
- name: Use the example deploy hooks
|
||||||
|
file:
|
||||||
|
dest: /var/db/acme/deploy
|
||||||
|
src: /usr/local/share/examples/acme.sh/deploy
|
||||||
|
state: link
|
||||||
|
owner: acme
|
||||||
|
group: acme
|
||||||
|
|
||||||
|
- name: Tell acme.sh where to find HAProxy on FreeBSD
|
||||||
|
lineinfile:
|
||||||
|
path: /var/db/acme/account.conf
|
||||||
|
create: yes
|
||||||
|
owner: acme
|
||||||
|
group: acme
|
||||||
|
regex: '^DEPLOY_HAPROXY_PEM_PATH='
|
||||||
|
state: present
|
||||||
|
line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'
|
||||||
|
|
||||||
|
- name: Tell acme.sh how to reload HAProxy on FreeBSD
|
||||||
|
lineinfile:
|
||||||
|
path: /var/db/acme/account.conf
|
||||||
|
regex: '^DEPLOY_HAPROXY_RELOAD='
|
||||||
|
state: present
|
||||||
|
line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'
|
||||||
|
|
||||||
|
- name: Allow acme user to reload haproxy
|
||||||
|
template:
|
||||||
|
dest: /usr/local/etc/sudoers.d/acme
|
||||||
|
src: acme.j2
|
||||||
|
owner: root
|
||||||
|
group: wheel
|
||||||
|
mode: '0444'
|
||||||
|
|
||||||
|
- name: Request X.509 certificates
|
||||||
|
command: 'env sudo -u acme acme.sh --home /var/db/acme --standalone --httpport 8080 --issue --domain {{ item }}'
|
||||||
|
args:
|
||||||
|
creates: '/var/db/acme/{{ item }}/fullchain.cer'
|
||||||
|
with_items:
|
||||||
|
- '{{ ansible_fqdn }}'
|
||||||
|
|
||||||
|
- name: Deploy X.509 certificates to HAProxy
|
||||||
|
command: 'env sudo -Hu acme acme.sh --debug --home /var/db/acme --deploy --domain {{ item }} --deploy-hook haproxy'
|
||||||
|
args:
|
||||||
|
creates: '/usr/local/etc/haproxy/{{ item }}.pem'
|
||||||
|
with_items:
|
||||||
|
- '{{ ansible_fqdn }}'
|
||||||
|
|
|
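Review bot: In the hunk at `@ -114,8 +114,8`, turning /usr/local/etc/haproxy into `group: acme` / `mode: 0770` makes the whole HAProxy configuration directory — haproxy.cfg and the http.map that the frontend's `use_backend ... map(...)` line consults — writable by the unprivileged acme account, which this commit also allows to reload HAProxy through sudo; a compromise of that account, which answers ACME challenges on the standalone port-8080 listener the frontend proxies to, would then extend to HAProxy's configuration. Only the deployed PEM needs to be writable by acme, so a dedicated subdirectory such as /usr/local/etc/haproxy/certs owned by acme would confine that: point `DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy/certs"` and the deploy task's `creates:` path at it, and keep the parent at `mode: '0755'` with `group: wheel`. The new mode is also written unquoted (`0770`) while the sudoers task below uses the quoted form `'0444'`; the quoted string is the form that survives every YAML parser unchanged and should be used in both places, and `create: yes` in the account.conf task should likewise be `create: true`. The `Allow acme user to reload haproxy` task installs a sudoers drop-in without a syntax check; a malformed file there disables sudo for every user on the host, so that template task should carry `validate: visudo -cf %s` (absolute path to visudo if it is not on the controller-side PATH used by Ansible).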
@ -0,0 +1 @@
|
||||||
|
acme ALL=NOPASSWD:/usr/local/bin/s6-svc -h /run/service/haproxy
|
|
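Review bot: The sudoers rule pins the permitted command to the absolute path `/usr/local/bin/s6-svc -h /run/service/haproxy`, but the reload command written into account.conf in the same commit is the bare `sudo s6-svc -h /run/service/haproxy`; sudo matches the rule against the path it resolves s6-svc to, so the reload only succeeds as long as lookup lands on /usr/local/bin/s6-svc and otherwise fails without any Ansible task noticing. Use the same absolute path on both sides, i.e. `DEPLOY_HAPROXY_RELOAD="sudo /usr/local/bin/s6-svc -h /run/service/haproxy"`. The exact-argument form of the rule is the right shape (no wildcard, no shell), so that part should stay as it is. The file is named with a .j2 suffix yet contains no template expression, which is harmless but worth a comment line such as `# managed by ansible — exact command and arguments, do not widen` so a later edit does not turn it into a broader grant.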
@ -4,5 +4,10 @@ frontend http
|
||||||
bind ${BIND_V6}:80
|
bind ${BIND_V6}:80
|
||||||
http-request set-src src,ipmask(16,56)
|
http-request set-src src,ipmask(16,56)
|
||||||
|
|
||||||
|
acl acme_acl path_beg /.well-known/acme-challenge/ AND req.hdr(host) -m str /{{ ansible_fqdn }}/
|
||||||
|
use_backend acme if acme_acl
|
||||||
|
|
||||||
use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/http.map)]
|
use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/http.map)]
|
||||||
|
|
||||||
|
backend acme
|
||||||
|
server localhost 127.0.0.1:8080
|
||||||
|
|
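Review bot: The `acl acme_acl ...` line in this hunk does not express the intended conjunction: HAProxy's `acl` keyword takes one fetch followed by its flags and patterns, and `AND` is not an operator there, so `AND`, `req.hdr(host)`, `-m`, `str` and `/{{ ansible_fqdn }}/` are most likely consumed as extra patterns (or rejected at config load), and the slash-delimited FQDN would never equal a Host header value in any case. Conjunction belongs on the `use_backend` line with two ACLs: `acl acme_path path_beg /.well-known/acme-challenge/`, `acl acme_host req.hdr(host) -i {{ ansible_fqdn }}`, `use_backend acme if acme_path acme_host`. Since a bad ACL is only discovered when the Restart HAProxy handler fires, the `Configure HAProxy` template task that renders this file should carry `validate: haproxy -c -f %s` so the play fails before HAProxy is taken down. The enclosing `frontend http` block begins outside the hunk, and the file may continue past the `backend acme` stanza.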