forked from ccchb/ansible
parent
4696d140aa
commit
4dfd89dff1
3 changed files with 62 additions and 4 deletions
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: Install HAProxy
|
||||
- name: Install HAProxy, acme.sh and snooze
|
||||
package:
|
||||
name: haproxy
|
||||
name: haproxy acme.sh
|
||||
state: present
|
||||
notify:
|
||||
- Restart HAProxy
|
||||
|
@ -114,8 +114,8 @@
|
|||
path: /usr/local/etc/haproxy
|
||||
state: directory
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: 0755
|
||||
group: acme
|
||||
mode: 0770
|
||||
|
||||
- name: Configure HAProxy
|
||||
template:
|
||||
|
@ -204,3 +204,55 @@
|
|||
|
||||
- name: Flush handlers (again)
|
||||
meta: flush_handlers
|
||||
|
||||
- name: "Register Let's Encrypt account"
|
||||
command: env sudo -u acme acme.sh --register-account --home /var/db/acme
|
||||
args:
|
||||
creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/account.json
|
||||
|
||||
- name: Use the example deploy hooks
|
||||
file:
|
||||
dest: /var/db/acme/deploy
|
||||
src: /usr/local/share/examples/acme.sh/deploy
|
||||
state: link
|
||||
owner: acme
|
||||
group: acme
|
||||
|
||||
- name: Tell acme.sh where to find HAProxy on FreeBSD
|
||||
lineinfile:
|
||||
path: /var/db/acme/account.conf
|
||||
create: yes
|
||||
owner: acme
|
||||
group: acme
|
||||
regex: '^DEPLOY_HAPROXY_PEM_PATH='
|
||||
state: present
|
||||
line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'
|
||||
|
||||
- name: Tell acme.sh how to reload HAProxy on FreeBSD
|
||||
lineinfile:
|
||||
path: /var/db/acme/account.conf
|
||||
regex: '^DEPLOY_HAPROXY_RELOAD='
|
||||
state: present
|
||||
line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'
|
||||
|
||||
- name: Allow acme user to reload haproxy
|
||||
template:
|
||||
dest: /usr/local/etc/sudoers.d/acme
|
||||
src: acme.j2
|
||||
owner: root
|
||||
group: wheel
|
||||
mode: '0444'
|
||||
|
||||
- name: Request X.509 certificates
|
||||
command: 'env sudo -u acme acme.sh --home /var/db/acme --standalone --httpport 8080 --issue --domain {{ item }}'
|
||||
args:
|
||||
creates: '/var/db/acme/{{ item }}/fullchain.cer'
|
||||
with_items:
|
||||
- '{{ ansible_fqdn }}'
|
||||
|
||||
- name: Deploy X.509 certificates to HAProxy
|
||||
command: 'env sudo -Hu acme acme.sh --debug --home /var/db/acme --deploy --domain {{ item }} --deploy-hook haproxy'
|
||||
args:
|
||||
creates: '/usr/local/etc/haproxy/{{ item }}.pem'
|
||||
with_items:
|
||||
- '{{ ansible_fqdn }}'
|
||||
|
|
1
roles/haproxy/templates/acme.j2
Normal file
1
roles/haproxy/templates/acme.j2
Normal file
|
@ -0,0 +1 @@
|
|||
acme ALL=NOPASSWD:/usr/local/bin/s6-svc -h /run/service/haproxy
|
|
@ -4,5 +4,10 @@ frontend http
|
|||
bind ${BIND_V6}:80
|
||||
http-request set-src src,ipmask(16,56)
|
||||
|
||||
acl acme_acl path_beg /.well-known/acme-challenge/ AND req.hdr(host) -m str /{{ ansible_fqdn }}/
|
||||
use_backend acme if acme_acl
|
||||
|
||||
use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/http.map)]
|
||||
|
||||
backend acme
|
||||
server localhost 127.0.0.1:8080
|
||||
|
|
Loading…
Reference in a new issue