Support LetsEncrypt from within HaProxy

69a8af45 · jurgenhaas · 8d082833 · 69a8af45 · 69a8af45 · 69a8af45
Commit 69a8af45 authored 9 years ago by jurgenhaas
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,3 +2,4 @@
 dependencies:
  - { role: common }
+  - { role: letsencrypt }
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -5,6 +5,7 @@
  copy: src={{inventory_dir}}/files/ssl/{{item.file}}
        dest=/etc/haproxy/certs
  with_items: '{{ proxy_certificates }}'
+  when: not item.letsencrypt|default(false)
  notify: 'Proxy | Restart HAProxy'
 - name: "Proxy | Create host lists"

--- a/tasks/letsencrypt.yml
+++ b/tasks/letsencrypt.yml
+---
+# file: roles/haproxy/tasks/letsencrypt.yml
+- set_fact: filename='/etc/letsencrypt/live/{{ item.domain }}/cert.pem'
+- name: "Check LetsEncrypt Requirement"
+  shell: ls {{ filename }}
+  register: cert_available
+  failed_when: false
+#- name: "Stop HAProxy"
+#  service: name=haproxy state=stopped
+- name: "Install New Cert"
+  shell: /opt/letsencrypt/letsencrypt-auto certonly -d {{ item.domain }} --standalone --text --email {{ apache_server_admin|default('admin@paragon-es.de') }} --agree-tos --redirect
+  when: cert_available is defined and cert_available.stdout != filename
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # file: roles/haproxy/tasks/main.yml
+- block:
+  - name: "LetsEncrypt Certificates"
+    include: letsencrypt.yml
+    with_items: '{{ proxy_certificates_letsencrypt }}'
+    # Renewing certificates is only possible generelly, not individually.
+  - name: "Renew Existing Cert"
+    shell: /opt/letsencrypt/letsencrypt-auto renew
+    ignore_errors: true
+  - name: "Create PEM file for HaProxy"
+    shell: cat /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem /etc/letsencrypt/live/{{ item.domain }}/privkey.pem > /etc/haproxy/certs/{{ item.domain }}.pem
+    with_items: '{{ proxy_certificates_letsencrypt }}'
+  when: '"letsencrypt" not in excluded_roles'
 - block:
  - include: install.yml
  - include: configure.yml

--- a/templates/haproxy_cfg
+++ b/templates/haproxy_cfg
@@ -53,8 +53,8 @@ frontend http_in
  acl blockedip src  -i -f /etc/haproxy/blacklist
  http-request deny if blockedip
 {% if kibana_users is defined %}
-  acl kibana_present hdr_dom(host) -i '{{ inventory_hostname }}'
+  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
-  use_backend backend_kibana if kibana_present
+  use_backend backend_redirect_ssl
 {% endif %}
 {% if varnish_host|default(false) %}
  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
@@ -81,6 +81,10 @@ frontend https_in_{{ cert.ip }}
  bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
  acl blockedip src  -i -f /etc/haproxy/blacklist
  http-request deny if blockedip
+{% if kibana_users is defined %}
+  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
+  use_backend backend_kibana if kibana_present
+{% endif %}
 {% if varnish_host|default(false) %}
  acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
  use_backend backend_varnish if static_content