Adding certbot syncing
This commit is contained in:
parent
586f9303d7
commit
b599bade6f
8 changed files with 144 additions and 6 deletions
61
roles/haproxy/tasks/certbot.yml
Normal file
61
roles/haproxy/tasks/certbot.yml
Normal file
|
@ -0,0 +1,61 @@
|
|||
---
|
||||
# file: roles/haproxy/tasks/main.yml
|
||||
|
||||
- name: Install certbot
|
||||
pip:
|
||||
name: certbot
|
||||
executable: pip3
|
||||
state: latest
|
||||
|
||||
- name: Place certbot script
|
||||
template:
|
||||
src: "certbot-renewal-cluster.j2"
|
||||
dest: "/usr/local/sbin/certbot-renewal-cluster"
|
||||
owner: root
|
||||
mode: 755
|
||||
|
||||
- name: Deploy certbot renewal service
|
||||
template:
|
||||
src: certbot-renewal.service.j2
|
||||
dest: /etc/systemd/system/certbot-renewal.service
|
||||
notify: Daemon Reload
|
||||
|
||||
- name: Deploy borgbackups timer
|
||||
template:
|
||||
src: certbot-renewal.timer.j2
|
||||
dest: /etc/systemd/system/certbot-renewal.timer
|
||||
notify: Daemon Reload
|
||||
|
||||
- name: Generate ssh keypair
|
||||
user:
|
||||
name: "{{ haproxy_certbot_user }}"
|
||||
generate_ssh_key: yes
|
||||
ssh_key_type: ed25519
|
||||
ssh_key_bits: 4096
|
||||
ssh_key_file: "{{ haproxy_private_key }}"
|
||||
ssh_key_passphrase: ""
|
||||
force: no
|
||||
|
||||
- name: Get the public key
|
||||
slurp:
|
||||
src: "{{ haproxy_private_key }}.pub"
|
||||
register: slurped_pub_key
|
||||
|
||||
- name: Decode the pub key and store as fact
|
||||
set_fact:
|
||||
haproxy_pub_key: "{{ slurped_pub_key.content | b64decode }}"
|
||||
|
||||
- name: "Setup authorized key for the user with limited access"
|
||||
authorized_key:
|
||||
user: "{{ haproxy_certbot_user }}"
|
||||
state: present
|
||||
key: "{{ hostvars[item]['haproxy_pub_key'] }}"
|
||||
loop: "{{ groups['haproxy']|difference([inventory_hostname]) }}"
|
||||
|
||||
- name: Ensure ssh host key known
|
||||
lineinfile:
|
||||
dest: "/home/{{ haproxy_certbot_user }}/.ssh/known_hosts"
|
||||
create: yes
|
||||
state: present
|
||||
line: "{{ lookup('pipe', 'ssh-keyscan -t ecdsa -p22 ' + hostvars[item]['ansible_host'] + ' ' + '2>/dev/null', errors='warn') }}"
|
||||
loop: "{{ groups['haproxy']|difference([inventory_hostname]) }}"
|
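Review bot: `mode: 755` on the certbot script template is an unquoted integer, which Ansible reads as decimal 755 (octal 01363) rather than rwxr-xr-x, so the script is installed with the wrong permission bits; write it as `mode: "0755"`. The header comment `# file: roles/haproxy/tasks/main.yml` names the wrong file and the timer task is named "Deploy borgbackups timer" — both look copy-pasted and should read `# file: roles/haproxy/tasks/certbot.yml` and `- name: Deploy certbot renewal timer`. The known_hosts task builds a shell command from `hostvars[item]['ansible_host']` and records whatever `ssh-keyscan` returns with stderr discarded and `errors='warn'`, so a scan failure silently writes an empty line and a successful one accepts the peer's host key on first sight with no check against a known value; feeding the `known_hosts` module from a key collected on the peer itself, or at least dropping `2>/dev/null` and using `errors='strict'`, would make failures visible. `ssh_key_bits: 4096` has no effect for an ed25519 key and can be dropped, and `generate_ssh_key: yes`, `force: no` and `create: yes` read more clearly as `true`/`false`. `state: latest` for the certbot pip package installs an unpinned version on every run; pinning the version keeps the deployment reproducible.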
|
@ -8,7 +8,7 @@
|
|||
- NetworkManager
|
||||
state: latest
|
||||
|
||||
- name: Install packages
|
||||
- name: Install haproxy cluster packages
|
||||
package:
|
||||
name:
|
||||
- keepalived
|
||||
|
@ -16,6 +16,11 @@
|
|||
- firewalld
|
||||
state: latest
|
||||
|
||||
- name: "### Certbot configuration ###"
|
||||
include_tasks:
|
||||
file: certbot.yml
|
||||
when: haproxy_certbot_enable == true
|
||||
|
||||
- name: Add VLAN
|
||||
nmcli:
|
||||
conn_name: "{{ haproxy_keepalived_adapter }}.{{ haproxy_keepalived_adapter_vlan }}"
|
||||
|
|