From 1e20f06e097f83d78871676711514be7440f7b50 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Tue, 31 Aug 2021 18:03:08 +0100
Subject: Auto renew SSL certs

---
 baserock_frontend/files/deploy-haproxy.sh | 2 ++
 baserock_frontend/files/post-haproxy.sh | 2 ++
 baserock_frontend/files/pre-haproxy.sh | 2 ++
 baserock_frontend/instance-config.yml | 55 ++++++++++++++++++++++++++++---
 4 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 baserock_frontend/files/deploy-haproxy.sh
 create mode 100644 baserock_frontend/files/post-haproxy.sh
 create mode 100644 baserock_frontend/files/pre-haproxy.sh

diff --git a/baserock_frontend/files/deploy-haproxy.sh b/baserock_frontend/files/deploy-haproxy.sh
new file mode 100644
index 00000000..c7732a2c
--- /dev/null
+++ b/baserock_frontend/files/deploy-haproxy.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/ssl/private/baserock.pem
diff --git a/baserock_frontend/files/post-haproxy.sh b/baserock_frontend/files/post-haproxy.sh
new file mode 100644
index 00000000..4582f4a9
--- /dev/null
+++ b/baserock_frontend/files/post-haproxy.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+service haproxy start
diff --git a/baserock_frontend/files/pre-haproxy.sh b/baserock_frontend/files/pre-haproxy.sh
new file mode 100644
index 00000000..b83d5179
--- /dev/null
+++ b/baserock_frontend/files/pre-haproxy.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+service haproxy stop
diff --git a/baserock_frontend/instance-config.yml b/baserock_frontend/instance-config.yml
index 491ee535..3e85fbfb 100644
--- a/baserock_frontend/instance-config.yml
+++ b/baserock_frontend/instance-config.yml
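Review bot: The redirect in deploy-haproxy.sh creates /etc/ssl/private/baserock.pem with the hook's umask when the file does not already exist, and nothing else in the patch sets that file's owner or mode now that the copy task carrying `owner: haproxy` and `mode: 400` is gone, so on a fresh host the bundled private key can be left readable by other local users. Set a restrictive umask first and fail instead of writing a partial bundle if a lineage file is missing: `set -eu`, `umask 077`, then `cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > /etc/ssl/private/baserock.pem`. If haproxy reads the bundle after dropping privileges rather than as root, an explicit chown/chmod matching the old ownership would be needed as well; that is not visible from this patch.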
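Review bot: post-haproxy.sh and pre-haproxy.sh run `service haproxy start` / `service haproxy stop` without `set -e`, so a failed stop leaves port 80 bound and the standalone challenge fails with no clear indication that the hook was the cause, and a failed start after renewal is not reported at all. Add `set -e` after the shebang in both scripts so certbot surfaces a hook that did not do its job. Since pre-haproxy.sh stops haproxy for the whole renewal, every renewal run takes all listed subdomains offline for the duration of the challenge; a webroot-based or port-forwarded HTTP-01 setup would avoid that outage, though it is a larger change than this patch makes.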
@@ -6,13 +6,58 @@
 - hosts: frontend-haproxy
 gather_facts: false
 become: yes
+ vars:
+ domain: ".baserock.org"
+ subdomain_list:
+ - frontend
+ - irclogs
+ - paste
+ - spec
+ - docs
+ - download
+ - ostree
+ - cache
+ full_subdomain_list: "{{ subdomain_list | product([domain]) | map('join') | list }}"
+ full_subdomain_string: "{{ full_subdomain_list | join(',') }}"
+ main_subdomain: "{{ full_subdomain_list[0] }}"
+ letsencrypt_email: "admin@baserock.org"
 tasks:
- - name: install SSL certificate
+ - name: Install LetsEncrypt client
+ apt:
+ name:
+ - certbot
+
+ - name: Install certbot hooks
 copy:
- content: "{{ lookup('file', '../private/frontend-with-key.pem') }}"
- dest: /etc/ssl/private/baserock.pem
- owner: haproxy
- mode: 400
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: '0755'
+ with_items:
+ - src: pre-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
+ - src: post-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/post/haproxy.sh
+ - src: deploy-haproxy.sh
+ dest: /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh
+
+ - name: check for certificate live configuration
+ stat:
+ path: "/etc/letsencrypt/live/{{ main_subdomain }}"
+ get_checksum: no
+ get_mime: no
+ register: letsencrypt_live
+
+ - name: check for certificate renewal configuration
+ stat:
+ path: "/etc/letsencrypt/renewal/{{ main_subdomain }}.conf"
+ get_checksum: no
+ get_mime: no
+ register: letsencrypt_renewal
+
+ - name: Generate certificates if not already there
+ command:
+ cmd: "certbot certonly -d {{ full_subdomain_string }} --standalone --pre-hook /etc/letsencrypt/renewal-hooks/pre/haproxy.sh --post-hook /etc/letsencrypt/renewal-hooks/post/haproxy.sh --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh --agree-tos -m {{ letsencrypt_email }} -n -v"
+ when: not (letsencrypt_live.stat.exists and letsencrypt_renewal.stat.exists)
 notify:
 - restart haproxy
-- 
cgit v1.2.1
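Review bot: The `when:` guard on the "Generate certificates if not already there" task only tests whether the lineage for `main_subdomain` exists, so a later edit to `subdomain_list` is silently ignored: the task is skipped, the existing certificate keeps renewing with its old name set, and the new subdomain never gets covered. Dropping the two stat tasks and running certbot on every play with `--keep-until-expiring --expand` added to `cmd`, plus a `changed_when` keyed on whether certbot reports issuing a certificate, would let certbot itself decide when reissuance is needed. Separately, `get_checksum: no` and `get_mime: no` are truthy strings that yamllint flags; write `get_checksum: false` and `get_mime: false`. The `notify:` / `- restart haproxy` context lines now hang off the certbot task, which on the runs where it fires already starts haproxy via the post hook, so the handler appears redundant there; the enclosing play continues outside the hunk.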