Compare revisions

bc3863b0 · bd054308 · 7964f4ca · 6f87f4f5 · 9408d279 · 7fe1c295
--- a/LICENSE
+++ b/LICENSE
+The MIT License (MIT)
+Copyright (c) 2015, 2016 Jürgen Haas, PARAGON Executive Services GmbH
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
 default_proxy: ''
+proxy_debug: no
 proxy_default_backend: ''
 proxy_certificates: []
-proxy_blacklist_ips: []
+proxy_timeout_connect: 5s
+proxy_timeout_client: 20s
+proxy_timeout_server: 45s
+proxy_redirect_aliase: no
+proxy_maxconn: 100
+proxy_varnish_maxconn: 1000
+proxy_redirect_maps:
+  domain: {}
+  domain-and-path: {}
+  domain-append-path: {}
+  path: {}
+proxy_blacklist:
+  ip:
+    - 146.185.176.158
+    - 162.243.9.72
+    - 173.199.114.0/24
+    - 173.199.115.0/24
+    - 173.199.115.112/29
+    - 173.199.116.0/24
+    - 173.199.117.0/24
+    - 173.199.118.0/24
+    - 173.199.119.0/24
+    - 173.199.120.0/24
+    - 182.50.130.0/24
+    - 188.92.74.0/24
+    - 195.239.0/24
+    - 198.186.190.0/23
+    - 198.186.192.0/23
+    - 198.186.194.0/24
+    - 208.167.230.0/24
+    - 209.222.12.0/24
+    - 210.171.3.0/24
+    - 212.100.254.105
+    - 212.113.0.0/24
+    - 212.113.32.0/21
+    - 212.113.37.0/24
+    - 213.186.0.0/24
+    - 213.186.96.0/19
+    - 46.137.98.159
+    - 5.10.83.0/24
+    - 5.10.83.0/25
+    - 5.9.0.0/24
+    - 5.9.104.0/24
+    - 50.112.126.117
+    - 54.232.100.158
+    - 54.235.220.243
+    - 54.249.240.15
+    - 54.251.45.250
+    - 54.252.97.95
+    - 69.42.83.0/24
+  referer:
+    - best-seo-solution.com
+    - best-seo-offer.com
+    - buttons-for-website.com
+    - buttons-for-your-website.com
+    - semalt.com
+    - 7makemoneyonline.com
+  agent:
+    - AhrefsBot
+    - Ahrefs
+    - rogerbot
+    - MJ12bot
+    - majestic12
+    - MJ12
+    - SiteBot
+    - Semrush
+    - CCBot
+    - 80legs
+    - Sogou
+    - DigExt
+    - spbot
+    - ia_archiver
+    - Rankivabot
+    - DBLBot
+    - libw
+    - Voil
+    - Twice
+    - Sogou
+    - psbot
+    - Exabot
+    - boitho
+    - ajSitemap
+    - Rankivabot
+    - DBLBot
+    - Ezooms
+    - Ezooms/1.0
+    - exabot
+    - dotbot
+    - gigabot
+    - thesis-research-bot
+    - my-tiny-bot
+  other:
+    - path_beg /wp-admin
+    - path_beg /wp-login
+    - path /autodiscover/autodiscover.xml
+    - path /autodiscover.xml
+    - path /CHANGELOG.txt
+    - path /COPYRIGHT.txt
+    - path /INSTALL.mysql.txt
+    - path /INSTALL.pgsql.txt
+    - path /INSTALL.sqlite.txt
+    - path /INSTALL.txt
+    - path /LICENSE.txt
+    - path /MAINTAINERS.txt
+    - path /README.txt
+    - path /UPGRADE.txt
--- a/files/500.http
+++ b/files/500.http
+HTTP/1.0 500 Internal Server Error
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+<!doctype html>
+<!-- 500 Internal Server Error -->
+<html>
+  <title>Site Maintenance | Wartung</title>
+  <style>
+    body { text-align: center; padding: 150px; }
+    h1 { font-size: 50px; }
+    body { font: 20px Helvetica, sans-serif; color: #333; }
+    article { display: block; text-align: left; width: 650px; margin: 0 auto; }
+    a { color: #dc8100; text-decoration: none; }
+    a:hover { color: #333; text-decoration: none; }
+  </style>
+  <body>
+    <article>
+      <h1>We&rsquo;ll be back soon!</h1>
+      <div>
+        <p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
+      </div>
+    </article>
+    <article>
+      <h1>Wir sind bald zur&uuml;ck!</h1>
+      <div>
+        <p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
+      </div>
+    </article>
+  </body>
+</html>
--- a/files/502.http
+++ b/files/502.http
+HTTP/1.0 502 Bad Gateway
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+<!doctype html>
+<!-- 502 Bad Gateway -->
+<html>
+  <title>Site Maintenance | Wartung</title>
+  <style>
+    body { text-align: center; padding: 150px; }
+    h1 { font-size: 50px; }
+    body { font: 20px Helvetica, sans-serif; color: #333; }
+    article { display: block; text-align: left; width: 650px; margin: 0 auto; }
+    a { color: #dc8100; text-decoration: none; }
+    a:hover { color: #333; text-decoration: none; }
+  </style>
+  <body>
+    <article>
+      <h1>We&rsquo;ll be back soon!</h1>
+      <div>
+        <p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
+      </div>
+    </article>
+    <article>
+      <h1>Wir sind bald zur&uuml;ck!</h1>
+      <div>
+        <p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
+      </div>
+    </article>
+  </body>
+</html>
--- a/files/503.http
+++ b/files/503.http
+HTTP/1.0 503 Service Unavailable
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+<!doctype html>
+<!-- 503 Service Unavailable -->
+<html>
+  <title>Site Maintenance | Wartung</title>
+  <style>
+    body { text-align: center; padding: 150px; }
+    h1 { font-size: 50px; }
+    body { font: 20px Helvetica, sans-serif; color: #333; }
+    article { display: block; text-align: left; width: 650px; margin: 0 auto; }
+    a { color: #dc8100; text-decoration: none; }
+    a:hover { color: #333; text-decoration: none; }
+  </style>
+  <body>
+    <article>
+      <h1>We&rsquo;ll be back soon!</h1>
+      <div>
+        <p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
+      </div>
+    </article>
+    <article>
+      <h1>Wir sind bald zur&uuml;ck!</h1>
+      <div>
+        <p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
+      </div>
+    </article>
+  </body>
+</html>
--- a/files/504.http
+++ b/files/504.http
+HTTP/1.0 504 Gateway Time-out
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+<!doctype html>
+<!-- 504 Gateway Time-out -->
+<html>
+  <title>Site Maintenance | Wartung</title>
+  <style>
+    body { text-align: center; padding: 150px; }
+    h1 { font-size: 50px; }
+    body { font: 20px Helvetica, sans-serif; color: #333; }
+    article { display: block; text-align: left; width: 650px; margin: 0 auto; }
+    a { color: #dc8100; text-decoration: none; }
+    a:hover { color: #333; text-decoration: none; }
+  </style>
+  <body>
+    <article>
+      <h1>We&rsquo;ll be back soon!</h1>
+      <div>
+        <p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
+      </div>
+    </article>
+    <article>
+      <h1>Wir sind bald zur&uuml;ck!</h1>
+      <div>
+        <p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
+      </div>
+    </article>
+  </body>
+</html>
--- a/files/etc_haproxy_update_update_php
+++ b/files/etc_haproxy_update_update_php
-<?php
-/**
- * Script for the Proxy txr1 to grab domain changes for homepage products.
- *
- * @see SV-26726
- */
-$db_host = $argv[1];
-$db_port = $argv[2];
-$db_user = $argv[3];
-$db_pass = $argv[4];
-$db      = $argv[5];
-$path    = $argv[6];
-$myname  = $argv[7];
-$changed = FALSE;
-try {
-  $dbh = new PDO('mysql:host='.$db_host.';port='.$db_port.';dbname='.$db, $db_user, $db_pass, array(PDO::ATTR_PERSISTENT => false));
-  foreach ($dbh->query('select * from variable where name="sverein_proxy_settings_'.$myname.'"') as $row) {
-    $settings = unserialize($row['value']);
-    foreach ($settings as $host => $domains) {
-      $changed = TRUE;
-      file_put_contents($path . '/' . $host . '.crm.list', implode("\n", $domains));
-    }
-  }
-  if ($changed) {
-    $dbh->query('delete from variable where name="sverein_proxy_settings_'.$myname.'"');
-  }
-}
-catch (Exception $e) {}
-exit($changed ? 99 : 0);
--- a/files/etc_logrotate_d_haproxy
+++ b/files/etc_logrotate_d_haproxy
 /var/log/haproxy {
-       daily
+  daily
-       rotate 7
+  rotate 7
-       delaycompress
+  delaycompress
-       compress
+  compress
-       notifempty
+  notifempty
-       missingok
+  missingok
-       postrotate
+  postrotate
-           service haproxy restart > /dev/null
+    service haproxy restart > /dev/null
-       endscript
+  endscript
 }
--- a/files/maintenance.http
+++ b/files/maintenance.http
+HTTP/1.0 503 Service Unavailable
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+<!doctype html>
+<!-- 503 Service Unavailable -->
+<html>
+  <title>Site Maintenance | Wartung</title>
+  <style>
+    body { text-align: center; padding: 150px; }
+    h1 { font-size: 50px; }
+    body { font: 20px Helvetica, sans-serif; color: #333; }
+    article { display: block; text-align: left; width: 650px; margin: 0 auto; }
+    a { color: #dc8100; text-decoration: none; }
+    a:hover { color: #333; text-decoration: none; }
+  </style>
+  <body>
+    <article>
+      <h1>We&rsquo;ll be back soon!</h1>
+      <div>
+        <p>Sorry for the inconvenience but we're performing some maintenance at the moment. We'll be back online shortly!</p>
+      </div>
+    </article>
+    <article>
+      <h1>Wir sind bald zur&uuml;ck!</h1>
+      <div>
+        <p>Wir f&uuml;hren derzeit einige Wartungsarbeiten durch und entschuldigen uns f&uuml;r die Unannehmlichkeiten. Wir sind bald wieder online!</p>
+      </div>
+    </article>
+  </body>
+</html>
--- a/handlers/main.yml
+++ b/handlers/main.yml
 ---
 # file: roles/haproxy/handler/main.yml
- name: "Proxy | Restart HAProxy"
+- name: Check HAProxy Config
-  service: name={{item.name}} state={{item.state}}
+  command: haproxy -c -f /etc/haproxy/haproxy.cfg
+  register: haproxy_config_check
+  changed_when: '"Configuration file is valid" in haproxy_config_check.stdout_lines'
+  failed_when: '"Configuration file is valid" not in haproxy_config_check.stdout_lines'
+  notify:
+    - Restart HAProxy
+- name: Restart HAProxy
+  service:
+    name: '{{ item.name }}'
+    state: '{{ item.state }}'
  with_items:
-    - name: apache2
-      state: stopped
    - name: haproxy
      state: restarted
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,3 +2,4 @@
 dependencies:
  - { role: common }
+  - { role: letsencrypt }
--- a/tasks/blacklists.yml
+++ b/tasks/blacklists.yml
+---
+# file: roles/haproxy/tasks/blacklists.yml
+- name: Update blacklists
+  template:
+    src: '{{ item }}'
+    dest: /etc/haproxy/{{ item }}
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - blacklist.ip
+    - blacklist.referer
+    - blacklist.agent
+  notify:
+    - Check HAProxy Config
--- a/tasks/buildcerts.yml
+++ b/tasks/buildcerts.yml
+---
+# file: roles/haproxy/tasks/buildcerts.yml
+- name: Create PEM file for HaProxy
+  assemble:
+    src: /etc/letsencrypt/live/{{ item.domain }}
+    dest: /etc/haproxy/certs/{{ item.file }}
+    regexp: '(fullchain)|(privkey)\.pem'
+  with_items: '{{ proxy_certificates|default([]) }}'
+  when: item.letsencrypt|default(false) and item.active|default(true)
+  ignore_errors: yes
+  notify:
+    - Restart HAProxy
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
 ---
 # file: roles/haproxy/tasks/configure.yml
- name: "Proxy | Install SSL certificates"
+- name: Backup current settings
-  copy: src={{inventory_dir}}/files/ssl/{{item}}
+  archive:
-        dest=/etc/haproxy/certs
+    path: /etc/haproxy
+    dest: /var/backups/haproxy-{{ lookup('pipe','date +%Y%m%d-%H%M%S') }}.tgz
+  when: no
+- name: Install SSL certificates
+  copy:
+    src: '{{inventory_dir}}/files/ssl/{{item.file}}'
+    dest: /etc/haproxy/certs
  with_items: '{{ proxy_certificates }}'
-  notify: 'Proxy | Restart HAProxy'
+  when: not item.letsencrypt|default(false)
+  notify:
+    - Check HAProxy Config
+- name: Create maintenance lists
+  template:
+    src: maintenance_list
+    dest: /etc/haproxy/maintenance.list
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Check HAProxy Config
+- name: Create host lists
+  template:
+    src: host_list
+    dest: /etc/haproxy/{{item}}.list
+    owner: root
+    group: root
+    mode: 0644
+  with_items: '{{ groups.webserver|default([]) }}'
+  notify:
+    - Check HAProxy Config
+- name: Create host ssl lists
+  template:
+    src: host_ssl_list
+    dest: /etc/haproxy/{{item}}.ssl.list
+    owner: root
+    group: root
+    mode: 0644
+  with_items: '{{ groups.webserver|default([]) }}'
+  notify:
+    - Check HAProxy Config
- name: "Proxy | Create host lists"
+- name: Create host path lists
-  template: src=host_list
+  file:
-            dest=/etc/haproxy/{{item}}.list
+    dest: /etc/haproxy/{{item}}.path.list
-            owner=root
+    owner: root
-            group=root
+    group: root
-            mode=644
+    mode: 0644
-  #when: scope == 'all'
+    state: touch
-  with_items: '{{ groups.all }}'
+  with_items: '{{ groups.webserver|default([]) }}'
-  notify: 'Proxy | Restart HAProxy'
+  changed_when: no
- name: "Proxy | Create host ssl lists"
+- name: Create use bigpipe host lists
-  template: src=host_ssl_list
+  template:
-            dest=/etc/haproxy/{{item}}.ssl.list
+    src: use_bigpipe_list
-            owner=root
+    dest: /etc/haproxy/use_bigpipe.list
-            group=root
+    owner: root
-            mode=644
+    group: root
-  #when: scope == 'all'
+    mode: 0644
-  with_items: '{{ groups.all }}'
+  notify:
-  notify: 'Proxy | Restart HAProxy'
+    - Check HAProxy Config
- name: "Proxy | Create empty crm lists files"
+- name: Create ignore varnish host lists
-  file: dest=/etc/haproxy/{{item}}.crm.list
+  template:
-        owner=root
+    src: ignore_varnish_list
-        group=root
+    dest: /etc/haproxy/ignore_varnish.list
-        mode=644
+    owner: root
-        state=touch
+    group: root
-  #when: scope == 'all'
+    mode: 0644
-  with_items: '{{ groups.all }}'
+  notify:
-  notify: 'Proxy | Restart HAProxy'
+    - Check HAProxy Config
- name: "Proxy | Create config file"
+- name: Create empty crm lists files
-  template: src=haproxy_cfg
+  file:
-            dest=/etc/haproxy/haproxy.cfg
+    dest: /etc/haproxy/{{item}}.crm.list
-            owner=root
+    owner: root
-            group=root
+    group: root
-            mode=644
+    mode: 0644
-  #when: scope == 'all'
+    state: touch
-  notify: 'Proxy | Restart HAProxy'
+  with_items: '{{ groups.webserver|default([]) }}'
+  changed_when: no
- name: "Proxy | Install update php script"
+- name: Update private ips
-  copy: src=etc_haproxy_update_update_php
+  template:
-        dest=/etc/haproxy/update/update.php
+    src: privatelist.ip.jinja2
-        owner=root
+    dest: /etc/haproxy/privatelist.ip
-        group=root
+    owner: root
-        mode=444
+    group: root
+    mode: 644
+  when: haproxy_private is defined
+  notify:
+    - Check HAProxy Config
- name: "Proxy | Install update script"
+- name: Update private domains
-  template: src=update_sh
+  template:
-            dest=/etc/haproxy/update/update.sh
+    src: privatelist.domain.jinja2
-            owner=root
+    dest: /etc/haproxy/privatelist.domain
-            group=root
+    owner: root
-            mode=700
+    group: root
+    mode: 0644
+  when: haproxy_private is defined and haproxy_private.domain is defined
+  notify:
+    - Check HAProxy Config
- name: "Proxy | Install update cron"
+- name: Update redirect map files
-  cron: name='Update S-Verein Homepage Domains'
+  template:
-        month='*'
+    src: redirect.map.jinja2
-        day='*'
+    dest: /etc/haproxy/redirect.{{ item }}.map
-        hour='*'
+    owner: root
-        minute='*/1'
+    group: root
-        job='/etc/haproxy/update/update.sh >/dev/null 2>&1'
+    mode: 0644
+  with_items:
+    - domain
+    - domain-and-path
+    - domain-append-path
+    - path
+  notify:
+    - Check HAProxy Config
- name: "Proxy | Update blacklist"
+- name: Create config file
-  template: src=blacklist
+  template:
-            dest=/etc/haproxy/blacklist
+    src: haproxy_cfg.jinja2
-            owner=root
+    dest: /etc/haproxy/haproxy.cfg
-            group=root
+    owner: root
-            mode=644
+    group: root
-  #when: scope == 'all'
+    mode: 0644
-  notify: 'Proxy | Restart HAProxy'
+  notify:
+    - Check HAProxy Config
--- a/tasks/install.yml
+++ b/tasks/install.yml
+---
+# file: roles/haproxy/tasks/install.yml
+- name: Add Apt Repositories
+  apt_repository:
+    repo: '{{ item }}'
+    state: present
+    mode: 0644
+  with_items:
+    - ppa:vbernat/haproxy-2.2
+  when: ansible_distribution_major_version != "16"
+- name: Install some packages
+  apt:
+    pkg: '{{ packages }}'
+    state: latest
+  vars:
+    packages:
+      - haproxy
+      #- hatop
+      - socat
+- name: create directories
+  file:
+    dest: '{{ item }}'
+    state: directory
+    mode: 0755
+  with_items:
+    - /etc/haproxy/certs
+    - /etc/haproxy/update
+- name: Install hatop shortcut
+  copy:
+    src: usr_local_bin_hatop
+    dest: /usr/local/bin/hatop
+    owner: root
+    group: root
+    mode: 0755
+- name: Install log rotator
+  copy:
+    src: etc_logrotate_d_haproxy
+    dest: /etc/logrotate.d/haproxy
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - logrotate
+- name: Install script to read socket
+  template:
+    src: hasocket
+    dest: /usr/local/bin/hasocket
+    owner: root
+    group: root
+    mode: 0755
+- name: Install error response files
+  copy:
+    src: '{{ item }}.http'
+    dest: /etc/haproxy/errors/{{ item }}.http
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - '500'
+    - '502'
+    - '503'
+    - '504'
+    - 'maintenance'
+  tags:
+    - errorfiles
+  notify:
+    - Check HAProxy Config
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # file: roles/haproxy/tasks/main.yml
-#
-# Output logs and errs into temp files:
+- name: HaProxy Role
-# echo "show errors" | sudo socat unix-connect:/run/haproxy/admin.sock stdio >> /tmp/myhapshowerrs.out 2> /tmp/myhapshowerrs.err
+  set_fact:
+    role_haproxy_started: yes
- name: "Proxy | Add Apt Repositories"
+  tags:
-  apt_repository: repo='{{item}}'
+    - always
-                  state=present
-  with_items:
+- block:
-    - "ppa:vbernat/haproxy-1.5"
+    - name: Import install
- name: "Proxy | Install some packages"
+      import_tasks: install.yml
-  apt: pkg={{item}} state=installed
-  with_items:
+    - name: Import configure
-    - haproxy
+      import_tasks: configure.yml
-    - hatop
+      tags:
-    - socat
+        - Config
-    - php5
-    - php5-mysql
+    - name: Import blacklist
+      import_tasks: blacklists.yml
- name: "Proxy | create directories"
+      tags:
-  file: dest='{{item}}'
+        - Config
-        state=directory
+        - Blacklists
-        mode=755
-  with_items:
+  when: not excluded_roles or "haproxy" not in excluded_roles
-    - /etc/haproxy/certs
-    - /etc/haproxy/update
+- block:
- name: "Proxy | Install hatop shortcut"
+    - name: Install Certs
-  copy: src=usr_local_bin_hatop
+      include_tasks: ../../letsencrypt/tasks/cert.yml
-        dest=/usr/local/bin/hatop
+      with_items: '{{ proxy_certificates|default([]) }}'
-        owner=root
+      loop_control:
-        group=root
+        loop_var: domain
-        mode=755
+      when: domain.letsencrypt|default(false) and domain.active|default(true)
- name: "Proxy | Install log rotator"
+    - name: Renew Existing Cert
-  copy: src=etc_logrotate_d_haproxy
+      import_tasks: ../../letsencrypt/tasks/renew.yml
-        dest=/etc/logrotate.d/haproxy
-        owner=root
+    - name: Build HaProxy Certs
-        group=root
+      import_tasks: buildcerts.yml
-        mode=644
+  tags:
- include: configure.yml
+    - Certs
+  when: proxy_active|default(true) and (not excluded_roles or "letsencrypt" not in excluded_roles)
+- name: Import proxypool
+  import_tasks: proxypool.yml
+  when: not excluded_roles or "letsencrypt" not in excluded_roles
+  tags:
+    - Certs
--- a/tasks/proxypool.yml
+++ b/tasks/proxypool.yml
+---
+# file: roles/haproxy/tasks/proxypool.yml
+- block:
+  - name: Set directory permissions to current user
+    file:
+      path: /etc/letsencrypt
+      owner: '{{ ansible_env.SUDO_USER|default("root") }}'
+      recurse: yes
+      follow: no
+    when: proxy_active|default(true)
+  - name: Pull Certs from active Proxy
+    import_tasks: pullcerts.yml
+    when: not proxy_active|default(true)
+  - name: Set directory permissions to root
+    file:
+      path: /etc/letsencrypt
+      owner: root
+      recurse: yes
+      follow: no
+    when: proxy_active|default(true)
+  tags:
+    - Certs
--- a/tasks/pullcerts.yml
+++ b/tasks/pullcerts.yml
+---
+# file: roles/haproxy/tasks/pullcerts.yml
+- name: Find out active proxy
+  set_fact:
+    proxy_active_host: '{{ item }}'
+  with_items: '{{ groups.proxyserver|default([]) }}'
+  when: hostvars[item].proxy_active|default(true)
+- name: Set directory permissions to current user
+  file:
+    path: '{{ item }}'
+    owner: '{{ ansible_env.SUDO_USER|default("root") }}'
+    recurse: yes
+    follow: no
+  with_items:
+    - /etc/letsencrypt
+    - /etc/haproxy/certs
+- name: Sync files
+  shell: 'rsync -rulp "{{ proxy_active_host }}:{{ item }}/" "{{ item }}"'
+  delegate_to: '{{ inventory_hostname }}'
+  become: no
+  with_items:
+    - /etc/letsencrypt
+    - /etc/haproxy/certs
+  ignore_errors: yes
+  # We ignore errors as they may happen if we run the script without the other proxy
+- name: Set directory permissions to root
+  file:
+    path: '{{ item }}'
+    owner: root
+    recurse: yes
+    follow: no
+  with_items:
+    - /etc/letsencrypt
+    - /etc/haproxy/certs
--- a/templates/blacklist
+++ b/templates/blacklist
-{% for host in groups['all'] %}
-{% for line in hostvars[host].proxy_blacklist_ips|default([]) %}
-{{line}}
-{% endfor %}
-{% endfor %}
--- a/templates/blacklist.agent
+++ b/templates/blacklist.agent
+{% if ansible_local is defined and ansible_local.blacklist is defined %}
+{% for line in ansible_local.blacklist.agent|default([]) %}
+{{line}}
+{% endfor %}
+{% endif %}
+{% for line in proxy_blacklist.agent|default([]) %}
+{{line}}
+{% endfor %}
No results found