From 69a8af45653b180674f45ddf7bc94572b9950d15 Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Fri, 18 Mar 2016 10:10:40 +0100
Subject: [PATCH] Support LetsEncrypt from within HaProxy

---
 meta/main.yml         |  1 +
 tasks/configure.yml   |  1 +
 tasks/letsencrypt.yml | 16 ++++++++++++++++
 tasks/main.yml        | 16 ++++++++++++++++
 templates/haproxy_cfg |  8 ++++++--
 5 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 tasks/letsencrypt.yml

diff --git a/meta/main.yml b/meta/main.yml
index 4eb972f..128229f 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,3 +2,4 @@
 
 dependencies:
   - { role: common }
+  - { role: letsencrypt }
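Review bot: Declaring `letsencrypt` as an unconditional meta dependency contradicts the `"letsencrypt" not in excluded_roles` guard that tasks/main.yml puts around the certificate tasks: the dependency role will still be pulled in and run on hosts where the operator meant to exclude it. Unless the letsencrypt role checks `excluded_roles` itself (not visible here), either drop the meta dependency and include the role from the guarded block, or document in a comment that excluding it only skips certificate issuance, e.g. `# always installed; issuance is gated by excluded_roles in tasks/main.yml`.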
diff --git a/tasks/configure.yml b/tasks/configure.yml
index bee426b..41c31c4 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -5,6 +5,7 @@
   copy: src={{inventory_dir}}/files/ssl/{{item.file}}
         dest=/etc/haproxy/certs
   with_items: '{{ proxy_certificates }}'
+  when: not item.letsencrypt|default(false)
   notify: 'Proxy | Restart HAProxy'
 
 - name: "Proxy | Create host lists"
diff --git a/tasks/letsencrypt.yml b/tasks/letsencrypt.yml
new file mode 100644
index 0000000..5d9594b
--- /dev/null
+++ b/tasks/letsencrypt.yml
@@ -0,0 +1,16 @@
+---
+# file: roles/haproxy/tasks/letsencrypt.yml
+
+- set_fact: filename='/etc/letsencrypt/live/{{ item.domain }}/cert.pem'
+
+- name: "Check LetsEncrypt Requirement"
+  shell: ls {{ filename }}
+  register: cert_available
+  failed_when: false
+
+#- name: "Stop HAProxy"
+#  service: name=haproxy state=stopped
+
+- name: "Install New Cert"
+  shell: /opt/letsencrypt/letsencrypt-auto certonly -d {{ item.domain }} --standalone --text --email {{ apache_server_admin|default('admin@paragon-es.de') }} --agree-tos --redirect
+  when: cert_available is defined and cert_available.stdout != filename
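Review bot: `{{ item.domain }}` and the e-mail are interpolated unquoted into a root `shell` command, so a malformed inventory value (a space, `;` or backtick) becomes command execution; use the `command` module with the `quote` filter, and check for the existing cert with `stat` instead of `ls` plus `failed_when: false` (which also reports `changed` on every run). `--redirect` is an installer flag that `certonly` does not act on, and `--standalone` needs :80 free while HAProxy binds it, so with the "Stop HAProxy" step commented out this only works before HAProxy is installed; one way to keep issuance working alongside HAProxy is `--http-01-port` (if the client version in use supports it) with HAProxy forwarding `/.well-known/acme-challenge/` to that local port. The hard-coded `admin@paragon-es.de` fallback is a site-specific account e-mail baked into a reusable role; make it a required variable.

```yaml
- name: "Check LetsEncrypt Requirement"
  stat: path=/etc/letsencrypt/live/{{ item.domain }}/cert.pem
  register: le_cert

# … unchanged: (optional) Stop HAProxy …

- name: "Install New Cert"
  command: >
    /opt/letsencrypt/letsencrypt-auto certonly --standalone --text --agree-tos
    --http-01-port 8888 -d {{ item.domain | quote }}
    --email {{ apache_server_admin | mandatory | quote }}
  when: not le_cert.stat.exists
```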
diff --git a/tasks/main.yml b/tasks/main.yml
index 8a9ad40..de7bb6b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,22 @@
 ---
 # file: roles/haproxy/tasks/main.yml
 
+- block:
+  - name: "LetsEncrypt Certificates"
+    include: letsencrypt.yml
+    with_items: '{{ proxy_certificates_letsencrypt }}'
+
+    # Renewing certificates is only possible generelly, not individually.
+  - name: "Renew Existing Cert"
+    shell: /opt/letsencrypt/letsencrypt-auto renew
+    ignore_errors: true
+
+  - name: "Create PEM file for HaProxy"
+    shell: cat /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem /etc/letsencrypt/live/{{ item.domain }}/privkey.pem > /etc/haproxy/certs/{{ item.domain }}.pem
+    with_items: '{{ proxy_certificates_letsencrypt }}'
+
+  when: '"letsencrypt" not in excluded_roles'
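Review bot: The "Create PEM file for HaProxy" task writes the private key into `/etc/haproxy/certs/{{ item.domain }}.pem` through a shell redirection, which creates the file with the default umask (typically world-readable) and never restricts it; prefix the command with `umask 077 && ` or follow it with a `file: path=… mode=0600` task. The same task has no `notify: 'Proxy | Restart HAProxy'`, so a renewed certificate is concatenated but never loaded until something else restarts HAProxy. `letsencrypt-auto renew` with `ignore_errors: true` will silently swallow the failure when the stored standalone authenticator cannot bind :80 under a running HAProxy, and the certificates then expire after 90 days; at minimum log or fail on a non-zero exit. This block also runs before `install.yml`, so if `/etc/haproxy/certs` is created there (not visible here) the redirect fails on a fresh host.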
+
 - block:
   - include: install.yml
   - include: configure.yml
diff --git a/templates/haproxy_cfg b/templates/haproxy_cfg
index 0be6aac..05741d8 100644
--- a/templates/haproxy_cfg
+++ b/templates/haproxy_cfg
@@ -53,8 +53,8 @@ frontend http_in
   acl blockedip src  -i -f /etc/haproxy/blacklist
   http-request deny if blockedip
 {% if kibana_users is defined %}
-  acl kibana_present hdr_dom(host) -i '{{ inventory_hostname }}'
-  use_backend backend_kibana if kibana_present
+  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
+  use_backend backend_redirect_ssl
 {% endif %}
 {% if varnish_host|default(false) %}
   acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
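Review bot: `use_backend backend_redirect_ssl` is written without a condition, so whenever `kibana_users` is defined every plain-HTTP request is sent to the redirect backend and the `kibana_present` ACL defined on the line above is never used; the later `use_backend backend_varnish if static_content` rule also becomes unreachable because the first matching `use_backend` wins. If only the Kibana host should be forced to HTTPS, the line should read `use_backend backend_redirect_ssl if kibana_present`; if the intent is to force all HTTP to HTTPS, drop the dead ACL and say so in a comment, e.g. `# all HTTP goes to HTTPS; keep this above the varnish rule deliberately`.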
@@ -81,6 +81,10 @@ frontend https_in_{{ cert.ip }}
   bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
   acl blockedip src  -i -f /etc/haproxy/blacklist
   http-request deny if blockedip
+{% if kibana_users is defined %}
+  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
+  use_backend backend_kibana if kibana_present
+{% endif %}
 {% if varnish_host|default(false) %}
   acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
   use_backend backend_varnish if static_content
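Review bot: Nothing in either frontend routes `/.well-known/acme-challenge/` to the certificate client, so the "from within HaProxy" issuance and renewal in tasks/letsencrypt.yml and tasks/main.yml still depend on the standalone client owning :80, which HAProxy's `http_in` frontend binds. If the client is run with `--http-01-port <port>`, add to `http_in` an `acl letsencrypt path_beg /.well-known/acme-challenge/` and `use_backend backend_letsencrypt if letsencrypt` ahead of any redirect, with a backend pointing at `127.0.0.1:<port>`. This frontend also loads `crt /etc/haproxy/certs/{{ cert.file }}`, so the `proxy_certificates` entries for LetsEncrypt domains must set `file` to the `{{ item.domain }}.pem` name that tasks/main.yml generates; that coupling is not stated anywhere and deserves a comment in the template.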
-- 
GitLab