73 lines
2.7 KiB
YAML
73 lines
2.7 KiB
YAML
---
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Install certbot from distro package
|
|
package:
|
|
name: "{{ haproxy_distro_certbot_packages }}"
|
|
state: present
|
|
|
|
- name: Create first time ssl cert with certbot
|
|
throttle: 1
|
|
shell: >
|
|
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
|
|
timeout {{ haproxy_ssl_letsencrypt_pre_hook_timeout }}
|
|
python3 -m http.server {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
|
|
--bind {{ haproxy_ssl_letsencrypt_certbot_bind_address }} || true &&
|
|
{% endif %}
|
|
{{ haproxy_ssl_letsencrypt_certbot_binary }} certonly
|
|
--agree-tos
|
|
--non-interactive
|
|
--text
|
|
--rsa-key-size 4096
|
|
--email {{ haproxy_ssl_letsencrypt_email }}
|
|
--domains {{ haproxy_ssl_letsencrypt_domains | join(',') }}
|
|
{% if haproxy_ssl_letsencrypt_certbot_server is defined %}
|
|
--server {{ haproxy_ssl_letsencrypt_certbot_server }}
|
|
{% endif %}
|
|
{% if haproxy_ssl_letsencrypt_certbot_challenge == 'http-01' %}
|
|
--standalone
|
|
--http-01-port {{ haproxy_ssl_letsencrypt_certbot_backend_port }}
|
|
--http-01-address {{ haproxy_ssl_letsencrypt_certbot_bind_address }}
|
|
{% endif %}
|
|
{{ haproxy_ssl_letsencrypt_setup_extra_params }}
|
|
args:
|
|
creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}/fullchain.pem"
|
|
|
|
# Certbot automatically installs its systemd timer responsible for renewals
|
|
- name: Create certbot pre hook
|
|
template:
|
|
src: letsencrypt_pre_hook_certbot_distro.j2
|
|
dest: /etc/letsencrypt/renewal-hooks/pre/haproxy-pre
|
|
mode: "0755"
|
|
when:
|
|
- haproxy_ssl_letsencrypt_certbot_challenge == 'http-01'
|
|
|
|
- name: Create certbot post renewal hook
|
|
template:
|
|
src: letsencrypt_renew_certbot_distro.j2
|
|
dest: /etc/letsencrypt/renewal-hooks/post/haproxy-renew
|
|
mode: "0755"
|
|
|
|
- name: Create new pem file for haproxy
|
|
assemble:
|
|
src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ haproxy_ssl_letsencrypt_domains | first }}"
|
|
dest: "{{ haproxy_ssl_cert_path ~ '/haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ item ~ '.pem' }}"
|
|
regexp: '(privkey|fullchain).pem$'
|
|
owner: haproxy
|
|
group: haproxy
|
|
mode: "0640"
|
|
with_items:
|
|
- "{{ [haproxy_bind_external_lb_vip_address] + extra_lb_tls_vip_addresses }}"
|
|
notify:
|
|
- Reload haproxy
|