800254b354
This could be achieved using the haproxy_ssl_letsencrypt_setup_extra_params variable, but this makes it a bit neater. Change-Id: Iee2d5a10e1762b23fcb3f3140950c76a754743b7
115 lines
4.1 KiB
YAML
115 lines
4.1 KiB
YAML
---
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Install certbot with certbot-auto
|
|
when: haproxy_ssl_letsencrypt_install_method == 'certbot-auto'
|
|
block:
|
|
|
|
- name: Ensure haproxy_ssl_letsencrypt_install_path exists
|
|
file:
|
|
path: "{{ haproxy_ssl_letsencrypt_install_path }}"
|
|
state: directory
|
|
|
|
- name: Download certbot-auto
|
|
get_url:
|
|
url: "{{ haproxy_ssl_letsencrypt_download_url }}"
|
|
dest: "{{ haproxy_ssl_letsencrypt_install_path }}"
|
|
mode: 0755
|
|
register: fetch_url
|
|
until: fetch_url is success
|
|
retries: 3
|
|
delay: 10
|
|
|
|
- name: Install certbot with certbot-auto script
|
|
shell: >
|
|
PIP_INDEX_URL="https://pypi.org/simple/"
|
|
{{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
|
|
--install-only
|
|
args:
|
|
creates: "{{ haproxy_ssl_letsencrypt_venv }}"
|
|
|
|
- name: Create letsencrypt_renew file
|
|
template:
|
|
src: letsencrypt_renew_certbot_auto.j2
|
|
dest: /usr/local/bin/letsencrypt_renew
|
|
mode: 0755
|
|
force: yes
|
|
|
|
- name: Renew Letsencrypt Cert Cron
|
|
cron:
|
|
name: "Renew Letsencrypt Cert"
|
|
minute: "{{ haproxy_ssl_letsencrypt_cron_minute }}"
|
|
hour: "{{ haproxy_ssl_letsencrypt_cron_hour }}"
|
|
weekday: "{{ haproxy_ssl_letsencrypt_cron_weekday }}"
|
|
job: "/usr/local/bin/letsencrypt_renew"
|
|
user: "root"
|
|
state: present
|
|
|
|
- name: Install certbot from distro package
|
|
package:
|
|
name: "{{ haproxy_distro_certbot_packages }}"
|
|
state: present
|
|
when: haproxy_ssl_letsencrypt_install_method == 'distro'
|
|
|
|
- name: Create first time ssl cert with certbot
|
|
shell: >
|
|
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
|
|
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
|
|
python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
|
|
--bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true &&
|
|
{% endif %}
|
|
{{ haproxy_ssl_letsencrypt_certbot_binary }} certonly
|
|
--standalone
|
|
--agree-tos
|
|
--non-interactive
|
|
--text
|
|
--rsa-key-size 4096
|
|
--email {{ haproxy_ssl_letsencrypt_email }}
|
|
--domains {{ haproxy_bind_external_lb_vip_address }}
|
|
{% if haproxy_ssl_letsencrypt_certbot_server is defined %}
|
|
--server {{ haproxy_ssl_letsencrypt_certbot_server }}
|
|
{% endif %}
|
|
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
|
|
--http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
|
|
--http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
|
|
{% endif %}
|
|
{{ haproxy_ssl_letsencrypt_setup_extra_params }}
|
|
args:
|
|
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}/fullchain.pem"
|
|
|
|
- name: Create certbot pre hook
|
|
template:
|
|
src: letsencrypt_pre_hook_certbot_distro.j2
|
|
dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
|
|
mode: 0755
|
|
when:
|
|
- haproxy_ssl_letsencrypt_install_method == 'distro'
|
|
- haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
|
|
|
|
- name: Create certbot post renewal hook
|
|
template:
|
|
src: letsencrypt_renew_certbot_distro.j2
|
|
dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
|
|
mode: 0755
|
|
when: haproxy_ssl_letsencrypt_install_method == 'distro'
|
|
|
|
- name: Create new pem file for haproxy
|
|
assemble:
|
|
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_bind_external_lb_vip_address }}"
|
|
dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
|
|
regexp: '(privkey|fullchain).pem$'
|
|
with_items:
|
|
- "{{ [ haproxy_bind_external_lb_vip_address ] + extra_lb_tls_vip_addresses }}"
|
|
notify:
|
|
- Reload haproxy
|