refactor haproxy

2019-06-17 20:44:48 +02:00 · 2019-06-17 20:44:48 +02:00 · 3bfeff4d42
parent 017f5d91ed
commit 3bfeff4d42
5 changed files with 25 additions and 12 deletions
--- a/hosts.yaml
+++ b/hosts.yaml
@ -7,7 +7,7 @@ all:
  vars:
    ansible_become: false
  
-    certbotdomains:
+    certbot_domains:
      - "jabber.0rpheus.net"

    haproxy_domains:
--- a/roles/haproxy/files/update_haproxy_certs.sh
+++ b/roles/haproxy/files/update_haproxy_certs.sh
@ -12,14 +12,17 @@ do
          --non-interactive                  \
          --agree-tos                        \
          --email micha@0rpheus.net          \
-          --preferred-challenges=http        \
          --rsa-key-size 4096                \
-          --http-01-port=8888
+          --webroot                          \
+          --webroot-path /var/www/html
    fi
-done < /etc/haproxy/domains.txt
+done < /etc/haproxy/all-domains.txt

 # renew all certificates
-certbot renew --http-01-port=8888 --preferred-challenges=http --rsa-key-size 4096
+certbot renew                     \
+    --rsa-key-size 4096           \
+    --webroot                     \
+    --webroot-path /var/www/html

 # copy certificates
 find /etc/letsencrypt/live/ -mindepth 1 -maxdepth 1 -type d | while read -r domain_path
@ -35,3 +38,7 @@ do
 done

 systemctl reload haproxy
+
+# prosody cert
+prosodyctl --root cert import /etc/letsencrypt/live
+systemctl restart prosody.service
--- a/roles/haproxy/tasks/main.yaml
+++ b/roles/haproxy/tasks/main.yaml
@ -58,11 +58,14 @@
    - haproxy.cfg
  notify: reload haproxy

- name: create domains.txt
+- name: create domains files for certificate generation
  template:
-    src: domains.txt
+    src: "{{ item }}"
    dest: /etc/haproxy/
    mode: 0644
+  with_items:
+    - domains.txt
+    - all-domains.txt
  notify:
    - update certs

--- a/roles/haproxy/templates/all-domains.txt
+++ b/roles/haproxy/templates/all-domains.txt
@ -0,0 +1,6 @@
+{% for domain in haproxy_domains %}
+{{ domain }}
+{% endfor %}
+{% for domain in certbot_domains %}
+{{ domain }}
+{% endfor %}
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@ -74,7 +74,8 @@ frontend http

    # Let's encrypt
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
-    use_backend bk_letsencrypt                                                 if letsencrypt-acl
+    http-request set-header Host certbot                                       if letsencrypt-acl
+    use_backend bk_apache                                                      if letsencrypt-acl

    # stats backend
    acl stats-acl  path_beg /haproxy
@ -84,10 +85,6 @@ frontend http
    use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)]   if hostname_has_backend


-backend bk_letsencrypt
-    server letsencrypt 127.0.0.1:8888
-
-
 {% for backend in haproxy_backends %}
 backend bk_{{ backend }}
 {% if haproxy_backends[backend]["httpchk"] is defined %}