path: root/baserock_frontend/instance-config.yml
blob: 3e85fbfb44358f1ce2ba625b2a182ec510c411a2 (plain)
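# Instance configuration for the Baserock HAProxy instance.
#
# This playbook should be run after starting an instance of the Baserock
# frontend image. It installs certbot, puts the HAProxy renewal hooks in
# place, obtains a Let's Encrypt certificate covering every name in
# `subdomain_list` (only when no certificate is present yet) and installs
# the HAProxy configuration.
---
- hosts: frontend-haproxy
  gather_facts: false
  # Every task writes under /etc or manages a system service.
  become: true
  vars:
    # Leading dot so that subdomain + domain yields a full host name.
    domain: ".baserock.org"
    subdomain_list:
      - frontend
      - irclogs
      - paste
      - spec
      - docs
      - download
      - ostree
      - cache
    # Each subdomain paired with `domain` and joined, e.g. frontend.baserock.org.
    full_subdomain_list: "{{ subdomain_list | product([domain]) | map('join') | list }}"
    # Comma-separated form, as accepted by certbot's -d option.
    full_subdomain_string: "{{ full_subdomain_list | join(',') }}"
    # certbot names the certificate lineage after the first -d name, so the
    # first entry of subdomain_list decides the paths checked below.
    main_subdomain: "{{ full_subdomain_list[0] }}"
    letsencrypt_email: "admin@baserock.org"

  tasks:
    - name: Install LetsEncrypt client
      apt:
        name:
          - certbot

    # certbot executes these hooks as root on every renewal, so they are
    # explicitly owned by root and writable only by root.
    - name: Install certbot hooks
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: root
        mode: '0755'
      with_items:
        - src: pre-haproxy.sh
          dest: /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
        - src: post-haproxy.sh
          dest: /etc/letsencrypt/renewal-hooks/post/haproxy.sh
        - src: deploy-haproxy.sh
          dest: /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh

    # Both the live directory and the renewal configuration are needed for
    # scheduled renewal; if either is missing the certificate is (re)issued
    # by the task below.
    - name: check for certificate live configuration
      stat:
        path: "/etc/letsencrypt/live/{{ main_subdomain }}"
        get_checksum: false
        get_mime: false
      register: letsencrypt_live

    - name: check for certificate renewal configuration
      stat:
        path: "/etc/letsencrypt/renewal/{{ main_subdomain }}.conf"
        get_checksum: false
        get_mime: false
      register: letsencrypt_renewal

    # --standalone makes certbot answer the HTTP challenge itself, so the
    # pre/post hooks presumably release and reclaim port 80 around the run
    # (confirm against pre-haproxy.sh / post-haproxy.sh). certbot also
    # records the hooks given here in the renewal configuration.
    - name: Generate certificates if not already there
      command:
        cmd: >-
          certbot certonly -d {{ full_subdomain_string }} --standalone
          --pre-hook /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
          --post-hook /etc/letsencrypt/renewal-hooks/post/haproxy.sh
          --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh
          --agree-tos -m {{ letsencrypt_email }} -n -v
      when: not (letsencrypt_live.stat.exists and letsencrypt_renewal.stat.exists)
      notify:
        - restart haproxy

    - name: HAProxy configuration
      copy:
        src: haproxy.cfg
        dest: /etc/haproxy/haproxy.cfg
      notify:
        - restart haproxy

  handlers:
    - name: restart haproxy
      service:
        name: haproxy
        enabled: true
        state: restarted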