refactor haproxy

2019-06-17 20:44:48 +02:00
parent 017f5d91ed
commit 3bfeff4d42
5 changed files with 25 additions and 12 deletions
--- a/roles/haproxy/files/update_haproxy_certs.sh
+++ b/roles/haproxy/files/update_haproxy_certs.sh
@@ -12,14 +12,17 @@ do
          --non-interactive                  \
          --agree-tos                        \
          --email micha@0rpheus.net          \
-          --preferred-challenges=http        \
          --rsa-key-size 4096                \
-          --http-01-port=8888
+          --webroot                          \
+          --webroot-path /var/www/html
    fi
-done < /etc/haproxy/domains.txt
+done < /etc/haproxy/all-domains.txt

 # renew all certificates
-certbot renew --http-01-port=8888 --preferred-challenges=http --rsa-key-size 4096
+certbot renew                     \
+    --rsa-key-size 4096           \
+    --webroot                     \
+    --webroot-path /var/www/html

 # copy certificates
 find /etc/letsencrypt/live/ -mindepth 1 -maxdepth 1 -type d | while read -r domain_path
@@ -35,3 +38,7 @@ do
 done

 systemctl reload haproxy
+
+# prosody cert
+prosodyctl --root cert import /etc/letsencrypt/live
+systemctl restart prosody.service
--- a/roles/haproxy/tasks/main.yaml
+++ b/roles/haproxy/tasks/main.yaml
@@ -58,11 +58,14 @@
    - haproxy.cfg
  notify: reload haproxy

- name: create domains.txt
+- name: create domains files for certificate generation
  template:
-    src: domains.txt
+    src: "{{ item }}"
    dest: /etc/haproxy/
    mode: 0644
+  with_items:
+    - domains.txt
+    - all-domains.txt
  notify:
    - update certs

--- a/roles/haproxy/templates/all-domains.txt
+++ b/roles/haproxy/templates/all-domains.txt
@@ -0,0 +1,6 @@
+{% for domain in haproxy_domains %}
+{{ domain }}
+{% endfor %}
+{% for domain in certbot_domains %}
+{{ domain }}
+{% endfor %}
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -74,7 +74,8 @@ frontend http

    # Let's encrypt
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
-    use_backend bk_letsencrypt                                                 if letsencrypt-acl
+    http-request set-header Host certbot                                       if letsencrypt-acl
+    use_backend bk_apache                                                      if letsencrypt-acl

    # stats backend
    acl stats-acl  path_beg /haproxy
@@ -84,10 +85,6 @@ frontend http
    use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)]   if hostname_has_backend


-backend bk_letsencrypt
-    server letsencrypt 127.0.0.1:8888
-
-
 {% for backend in haproxy_backends %}
 backend bk_{{ backend }}
 {% if haproxy_backends[backend]["httpchk"] is defined %}