authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2021-08-31 18:03:08 +0100
committerPedro Alvarez <pedro.alvarez@codethink.co.uk>2021-09-20 12:40:51 +0100
commit1e20f06e097f83d78871676711514be7440f7b50 (patch)
treecddcaa43d84d9a73a39ecc66c95787b4cf1e370b
parent122042a7411f58557568bbda4cd04336d5f0396f (diff)
downloadinfrastructure-1e20f06e097f83d78871676711514be7440f7b50.tar.gz
Auto renew SSL certs
-rw-r--r--baserock_frontend/files/deploy-haproxy.sh2
-rw-r--r--baserock_frontend/files/post-haproxy.sh2
-rw-r--r--baserock_frontend/files/pre-haproxy.sh2
-rw-r--r--baserock_frontend/instance-config.yml55
4 files changed, 56 insertions, 5 deletions
diff --git a/baserock_frontend/files/deploy-haproxy.sh b/baserock_frontend/files/deploy-haproxy.sh
new file mode 100644
index 00000000..c7732a2c
--- /dev/null
+++ b/baserock_frontend/files/deploy-haproxy.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/ssl/private/baserock.pem
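Review bot: The redirect on the `cat` line creates `/etc/ssl/private/baserock.pem` with the hook's default umask when the file does not yet exist, and nothing else in this commit restricts its mode any more (the old copy task with `mode: 400` is removed in `instance-config.yml`), so the private key half of the bundle can end up wider than owner-only on a fresh host. The script also has no `set -e`, so a missing `privkey.pem` or an unset `RENEWED_LINEAGE` still leaves a truncated or partial bundle behind for haproxy to load. I would write the hook as `set -eu`, `umask 077`, then `cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > /etc/ssl/private/baserock.pem`, which fails early, keeps the variable quoted and creates the file mode 0600.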
diff --git a/baserock_frontend/files/post-haproxy.sh b/baserock_frontend/files/post-haproxy.sh
new file mode 100644
index 00000000..4582f4a9
--- /dev/null
+++ b/baserock_frontend/files/post-haproxy.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+service haproxy start
diff --git a/baserock_frontend/files/pre-haproxy.sh b/baserock_frontend/files/pre-haproxy.sh
new file mode 100644
index 00000000..b83d5179
--- /dev/null
+++ b/baserock_frontend/files/pre-haproxy.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+service haproxy stop
diff --git a/baserock_frontend/instance-config.yml b/baserock_frontend/instance-config.yml
index 491ee535..3e85fbfb 100644
--- a/baserock_frontend/instance-config.yml
+++ b/baserock_frontend/instance-config.yml
@@ -6,13 +6,58 @@
- hosts: frontend-haproxy
gather_facts: false
become: yes
+ vars:
+ domain: ".baserock.org"
+ subdomain_list:
+ - frontend
+ - irclogs
+ - paste
+ - spec
+ - docs
+ - download
+ - ostree
+ - cache
+ full_subdomain_list: "{{ subdomain_list | product([domain]) | map('join') | list }}"
+ full_subdomain_string: "{{ full_subdomain_list | join(',') }}"
+ main_subdomain: "{{ full_subdomain_list[0] }}"
+ letsencrypt_email: "admin@baserock.org"
tasks:
- - name: install SSL certificate
+ - name: Install LetsEncrypt client
+ apt:
+ name:
+ - certbot
+
+ - name: Install certbot hooks
copy:
- content: "{{ lookup('file', '../private/frontend-with-key.pem') }}"
- dest: /etc/ssl/private/baserock.pem
- owner: haproxy
- mode: 400
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: '0755'
+ with_items:
+ - src: pre-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
+ - src: post-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/post/haproxy.sh
+ - src: deploy-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh
+
+ - name: check for certificate live configuration
+ stat:
+ path: "/etc/letsencrypt/live/{{ main_subdomain }}"
+ get_checksum: no
+ get_mime: no
+ register: letsencrypt_live
+
+ - name: check for certificate renewal configuration
+ stat:
+ path: "/etc/letsencrypt/renewal/{{ main_subdomain }}.conf"
+ get_checksum: no
+ get_mime: no
+ register: letsencrypt_renewal
+
+ - name: Generate certificates if not already there
+ command:
+ cmd: "certbot certonly -d {{ full_subdomain_string }} --standalone --pre-hook /etc/letsencrypt/renewal-hooks/pre/haproxy.sh --post-hook /etc/letsencrypt/renewal-hooks/post/haproxy.sh --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh --agree-tos -m {{ letsencrypt_email }} -n -v"
+ when: not (letsencrypt_live.stat.exists and letsencrypt_renewal.stat.exists)
notify:
- restart haproxy
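Review bot: The play installs certbot and issues the certificate, but nothing in the hunk asserts that the periodic renewal actually runs, which is the point of the commit title; on Debian-family hosts (apt is used here) the package relies on its `certbot.timer` systemd unit, and if that timer is disabled or masked the hooks installed above never fire and the certificate expires silently. A task after the `certonly` step that ensures the timer is enabled and started would make the "auto renew" behaviour explicit and idempotent. As a point of style, the new `get_checksum: no` / `get_mime: no` lines and the surrounding `become: yes` use YAML 1.1 truthy words; `true`/`false` is what ansible-lint expects. The enclosing play continues outside the hunk (the `restart haproxy` handler is defined elsewhere).
```yaml
  tasks:
    # … unchanged: certbot install, hook install, stat checks, certonly …
    - name: Ensure certbot renewal timer is enabled
      systemd:
        name: certbot.timer
        enabled: true
        state: started
```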