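---
# Ansible tasks: install and supervise HAProxy under s6-rc on FreeBSD, then
# obtain and deploy an X.509 certificate for this host with acme.sh.
#
# Ordering matters: the s6-rc service definitions and HAProxy configuration
# are written first, handlers are flushed so the supervisor knows about the
# service, HAProxy is started, and only then does acme.sh issue/deploy the
# certificate (the deploy hook reloads the running HAProxy via sudo).
#
# All file modes are quoted strings: an unquoted 0755 is parsed by YAML 1.1
# as octal int 493 and only works by accident in the file/template modules.

# NOTE(review): the task name mentions snooze, but the package list below
# does not include it — confirm whether snooze is installed elsewhere.
- name: Install HAProxy, acme.sh and snooze
  package:
    name: haproxy acme.sh
    state: present
  notify:
    - Restart HAProxy

- name: Create HAProxy group
  group:
    name: haproxy
    gid: 20001
  notify:
    - Restart HAProxy

# Service account with no home directory; /var/empty is the conventional
# FreeBSD placeholder home for daemon users.
- name: Create HAProxy user
  user:
    name: haproxy
    uid: 20001
    group: haproxy
    create_home: false
    home: /var/empty
  notify:
    - Restart HAProxy

# Log directory on a size-capped tmpfs so runaway logging cannot fill the
# root filesystem.
# NOTE(review): the tmpfs uid/gid 20000 differ from the haproxy uid/gid 20001
# created above; presumably these are the s6-log user's ids — confirm.
- name: Add /var/log/haproxy to fstab
  mount:
    path: /var/log/haproxy
    src: tmpfs
    fstype: tmpfs
    opts: rw,size=128m,mode=750,uid=20000,gid=20000,late
    state: mounted

- name: Create HAProxy service directories
  file:
    path: '/etc/s6-rc/service/{{ item }}'
    state: directory
    owner: root
    group: wheel
    mode: '0755'
  with_items:
    - haproxy
    - haproxy/env
    - haproxy/data
    - haproxy-log
    - haproxy-log/env

# run/finish/check scripts are rendered from templates of the same name
# (e.g. haproxy/run.j2); they must be executable but not writable.
- name: Generate HAProxy service scripts
  template:
    dest: '/etc/s6-rc/service/{{ item }}'
    src: '{{ item }}.j2'
    mode: '0555'
    owner: root
    group: wheel
  with_items:
    - haproxy/run
    - haproxy/finish
    - haproxy/data/check
    - haproxy-log/run
    - haproxy-log/finish
  notify:
    - Reload s6-rc
    - Restart HAProxy

# One small file per s6-rc setting / envdir variable. The content is written
# verbatim by the copy module; the loop label keeps the play output readable.
- name: Generate HAProxy service configuration
  copy:
    dest: '/etc/s6-rc/service/{{ item.name }}'
    content: '{{ item.content }}'
    mode: '0444'
    owner: root
    group: wheel
  loop_control:
    label: '{{ item.name }} = {{ item.content }}'
  notify:
    - Reload s6-rc
    - Restart HAProxy
  with_items:
    - name: haproxy/type
      content: longrun
    - name: haproxy/notification-fd
      content: '3'
    - name: haproxy/producer-for
      content: haproxy-log
    - name: haproxy/env/NAME
      content: haproxy
    - name: haproxy/env/PATH
      content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
    - name: haproxy/env/BIND_V4
      content: '{{ haproxy_v4 }}'
    - name: haproxy/env/BIND_V6
      content: '{{ haproxy_v6 }}'
    - name: haproxy-log/type
      content: longrun
    - name: haproxy-log/notification-fd
      content: '3'
    - name: haproxy-log/consumer-for
      content: haproxy
    - name: haproxy-log/env/NAME
      content: haproxy
    - name: haproxy-log/env/PATH
      content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
    - name: haproxy-log/env/MODE
      content: '750'
    - name: haproxy-log/env/USER
      content: s6-log
    - name: haproxy-log/env/GROUP
      content: s6-log
    - name: haproxy-log/env/DIR
      content: /var/log/haproxy

# Group-writable for acme so the acme.sh deploy hook can drop the PEM bundle
# here (see "Deploy X.509 certificates to HAProxy" below).
- name: Create HAProxy configuration directory
  file:
    path: /usr/local/etc/haproxy
    state: directory
    owner: root
    group: acme
    mode: '0770'

- name: Configure HAProxy
  template:
    dest: '/usr/local/etc/haproxy/{{ item }}'
    src: '{{ item }}.j2'
    owner: root
    group: wheel
    mode: '0444'
  notify:
    - Reload HAProxy
  with_items:
    - defaults.cfg
    - global.cfg
    - http.cfg
    - sni.cfg

# haproxy_http / haproxy_sni are lists of mappings with at least a `host` key
# (inventory variables; their full schema is not visible here).
- name: Configure HAProxy HTTP backends
  template:
    dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg'
    src: http_host.cfg.j2
    owner: root
    group: wheel
    mode: '0444'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_http }}'

- name: Configure HAProxy SNI backends
  template:
    dest: '/usr/local/etc/haproxy/sni_{{ item.host }}.cfg'
    src: sni_host.cfg.j2
    owner: root
    group: wheel
    mode: '0444'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_sni }}'

# The map files must exist before lineinfile edits them; `creates` keeps the
# task idempotent.
- name: Make sure the HTTP map exists
  command: env touch /usr/local/etc/haproxy/http.map
  args:
    creates: /usr/local/etc/haproxy/http.map
  notify:
    - Reload HAProxy

- name: Make sure the SNI map exists
  command: env touch /usr/local/etc/haproxy/sni.map
  args:
    creates: /usr/local/etc/haproxy/sni.map
  notify:
    - Reload HAProxy

# Map entries are "<host> <backend>"; the regexp anchors on "<host> " so a
# changed backend name replaces the line instead of adding a duplicate.
- name: Enable HAProxy HTTP backends
  lineinfile:
    path: /usr/local/etc/haproxy/http.map
    regexp: '^{{ item.host }} '
    line: '{{ item.host }} http_{{ item.host }}'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_http }}'

- name: Enable HAProxy SNI backends
  lineinfile:
    path: /usr/local/etc/haproxy/sni.map
    regexp: '^{{ item.host }} '
    line: '{{ item.host }} sni_{{ item.host }}'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_sni }}'

# Apply "Reload s6-rc" now so the new service definition is compiled before
# we try to start it.
- name: Flush handlers
  meta: flush_handlers

# s6-rc -v 2 prints the services it actually changes; empty output means the
# service was already up, so report unchanged in that case.
- name: Start HAProxy
  command: fdmove -c 2 1 s6-rc -u -v 2 change haproxy
  register: change
  changed_when: change.stdout | length > 0

- name: Enable HAProxy
  lineinfile:
    path: /etc/s6-rc/service/enabled/contents
    regexp: '^haproxy$'
    line: haproxy
  notify:
    - Reload s6-rc

- name: Flush handlers (again)
  meta: flush_handlers

# acme.sh state lives under /var/db/acme and is always run as the
# unprivileged acme user.
- name: "Register Let's Encrypt account"
  command: env sudo -u acme acme.sh --register-account --home /var/db/acme
  args:
    creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/account.json

- name: Use the example deploy hooks
  file:
    dest: /var/db/acme/deploy
    src: /usr/local/share/examples/acme.sh/deploy
    state: link
    owner: acme
    group: acme

# account.conf is created here if acme.sh has not written it yet; no explicit
# mode is set, so a fresh file gets the remote umask default.
- name: Tell acme.sh where to find HAProxy on FreeBSD
  lineinfile:
    path: /var/db/acme/account.conf
    create: true
    owner: acme
    group: acme
    regexp: '^DEPLOY_HAPROXY_PEM_PATH='
    state: present
    line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'

# The reload command runs as acme and relies on the sudoers rule installed
# by the next task.
- name: Tell acme.sh how to reload HAProxy on FreeBSD
  lineinfile:
    path: /var/db/acme/account.conf
    regexp: '^DEPLOY_HAPROXY_RELOAD='
    state: present
    line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'

# acme.j2 is not visible here; it should grant acme only the s6-svc reload
# above, nothing broader.
- name: Allow acme user to reload haproxy
  template:
    dest: /usr/local/etc/sudoers.d/acme
    src: acme.j2
    owner: root
    group: wheel
    mode: '0444'

# Standalone HTTP-01 responder on 8080; presumably HAProxy's http.cfg forwards
# /.well-known/acme-challenge/ there — confirm against the template.
- name: Request X.509 certificates
  command: 'env sudo -u acme acme.sh --home /var/db/acme --standalone --httpport 8080 --issue --domain {{ item }}'
  args:
    creates: '/var/db/acme/{{ item }}/fullchain.cer'
  with_items:
    - '{{ ansible_fqdn }}'

# `--debug` makes acme.sh echo its full environment and hook output into the
# Ansible task result; consider dropping it once deployment is known to work.
# Renewals are not handled by this task (`creates` skips it once the PEM
# exists); acme.sh's own cron job is expected to redeploy.
- name: Deploy X.509 certificates to HAProxy
  command: 'env sudo -Hu acme acme.sh --debug --home /var/db/acme --deploy --domain {{ item }} --deploy-hook haproxy'
  args:
    creates: '/usr/local/etc/haproxy/{{ item }}.pem'
  with_items:
    - '{{ ansible_fqdn }}'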