Diffstat (limited to 'baserock_frontend/instance-config.yml')
-rw-r--r--baserock_frontend/instance-config.yml55
1 files changed, 50 insertions, 5 deletions
diff --git a/baserock_frontend/instance-config.yml b/baserock_frontend/instance-config.yml
index 491ee535..3e85fbfb 100644
--- a/baserock_frontend/instance-config.yml
+++ b/baserock_frontend/instance-config.yml
@@ -6,13 +6,58 @@
- hosts: frontend-haproxy
gather_facts: false
become: yes
+ vars:
+ domain: ".baserock.org"
+ subdomain_list:
+ - frontend
+ - irclogs
+ - paste
+ - spec
+ - docs
+ - download
+ - ostree
+ - cache
+ full_subdomain_list: "{{ subdomain_list | product([domain]) | map('join') | list }}"
+ full_subdomain_string: "{{ full_subdomain_list | join(',') }}"
+ main_subdomain: "{{ full_subdomain_list[0] }}"
+ letsencrypt_email: "admin@baserock.org"
tasks:
- - name: install SSL certificate
+ - name: Install LetsEncrypt client
+ apt:
+ name:
+ - certbot
+
+ - name: Install certbot hooks
copy:
- content: "{{ lookup('file', '../private/frontend-with-key.pem') }}"
- dest: /etc/ssl/private/baserock.pem
- owner: haproxy
- mode: 400
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: '0755'
+ with_items:
+ - src: pre-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
+ - src: post-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/post/haproxy.sh
+ - src: deploy-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh
+
+ - name: check for certificate live configuration
+ stat:
+ path: "/etc/letsencrypt/live/{{ main_subdomain }}"
+ get_checksum: no
+ get_mime: no
+ register: letsencrypt_live
+
+ - name: check for certificate renewal configuration
+ stat:
+ path: "/etc/letsencrypt/renewal/{{ main_subdomain }}.conf"
+ get_checksum: no
+ get_mime: no
+ register: letsencrypt_renewal
+
+ - name: Generate certificates if not already there
+ command:
+ cmd: "certbot certonly -d {{ full_subdomain_string }} --standalone --pre-hook /etc/letsencrypt/renewal-hooks/pre/haproxy.sh --post-hook /etc/letsencrypt/renewal-hooks/post/haproxy.sh --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh --agree-tos -m {{ letsencrypt_email }} -n -v"
+ when: not (letsencrypt_live.stat.exists and letsencrypt_renewal.stat.exists)
notify:
- restart haproxy
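Review bot: The removed copy task was the only place this play enforced ownership and mode on the TLS private key (owner haproxy, mode 400 at /etc/ssl/private/baserock.pem); the new flow hands that to deploy-haproxy.sh, which the "Install certbot hooks" task places under /etc/letsencrypt/renewal-hooks/deploy/ but whose contents are not in this diff, so the playbook itself no longer guarantees the key's permissions on a host where the bundle already exists. I would add a `file` task after the certbot task that asserts the bundle's owner and mode (below; the path is the one the old task wrote and should be confirmed against the hook script), and have it run unconditionally so a drifted host is corrected. Two style points on the new lines: the stat tasks should use `get_checksum: false` / `get_mime: false` rather than `no`, and the long `cmd:` on the certbot task reads better as a `>-` folded scalar. The hunk's trailing context line falls past the visible end of the page.
```yaml
# … unchanged: Generate certificates task (command/when/notify) …
- name: Enforce permissions on the haproxy certificate bundle
  file:
    # path written by the old copy task; confirm deploy-haproxy.sh writes the same file
    path: /etc/ssl/private/baserock.pem
    owner: haproxy
    mode: '0400'
```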