initial commit for ansible haproxy role

2019-03-20 19:50:49 +01:00
parent e545c85ed3
commit 1fa96a719b
11 changed files with 363 additions and 0 deletions
--- a/roles/haproxy/files/haproxy.service
+++ b/roles/haproxy/files/haproxy.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=HAProxy Load Balancer
+After=network.target
+
+[Service]
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
+ExecStartPre=/usr/local/bin/haproxy -f $CONFIG -c -q
+ExecStart=/usr/local/bin/haproxy -Ws -f $CONFIG -p $PIDFILE
+ExecReload=/usr/local/bin/haproxy -f $CONFIG -c -q
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=mixed
+Restart=always
+SuccessExitStatus=143
+Type=notify
+
+# The following lines leverage SystemD's sandboxing options to provide
+# defense in depth protection at the expense of restricting some flexibility
+# in your setup (e.g. placement of your configuration files) or possibly
+# reduced performance. See systemd.service(5) and systemd.exec(5) for further
+# information.
+
+# NoNewPrivileges=true
+# ProtectHome=true
+# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
+# any state files and any other files written using 'ReadWritePaths' or
+# 'RuntimeDirectory'.
+# ProtectSystem=true
+# ProtectKernelTunables=true
+# ProtectKernelModules=true
+# ProtectControlGroups=true
+# If your SystemD version supports them, you can add: @reboot, @swap, @sync
+# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
+
+[Install]
+WantedBy=multi-user.target
+
--- a/roles/haproxy/files/update_haproxy_certs.sh
+++ b/roles/haproxy/files/update_haproxy_certs.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+# request certificates
+while read -r domain
+do
+    if [ ! -d "/etc/letsencrypt/live/$domain" ]
+    then
+        certbot certonly --standalone        \
+          -d "$domain"                       \
+          --non-interactive                  \
+          --agree-tos                        \
+          --email micha@0rpheus.net          \
+          --preferred-challenges=http        \
+          --http-01-port=8888
+    fi
+done < /etc/haproxy/domains.txt
+
+# renew all certificates
+certbot renew --http-01-port=8888 --preferred-challenges=http
+
+# copy certificates
+find /etc/letsencrypt/live/ -mindepth 1 -maxdepth 1 -type d | while read -r domain_path
+do
+    domain=$(basename "$domain_path")
+
+    if grep -q "$domain" /etc/haproxy/domains.txt
+    then
+        pem_file=/etc/haproxy/certs/$domain.pem
+        cat "$domain_path/fullchain.pem" "$domain_path/privkey.pem" > "$pem_file"
+        chmod 600 "$pem_file"
+    fi
+done
+
+systemctl reload haproxy