Adding certbot syncing

roles/haproxy/templates/certbot-renewal-cluster.j2

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Prereqs
+# Setup private key between members
+
+SERVERS=(
+{% for host in groups['haproxy'] %}
+{{ hostvars[host].ansible_host }}
+{% endfor %}
+)
+VIRTUAL_IP=( {{ haproxy_shared_ip }} )
+USER={{ haproxy_certbot_user }}
+PRIVATE_KEY={{ haproxy_private_key }}
+
+TARFILE=letsencrypt.tar
+TARFILE_COMPRESS=$TARFILE'.gz'
+
+if [[ $(hostname -I)[*] =~ $VIRTUAL_IP ]]; then
+    echo "Current master - Processing renewals"
+    certbot renew
+
+    # tar the letsencrypt directory for transferring to other members with symlinks
+    tar cfP $TARFILE /etc/letsencrypt/
+
+    # Add each letsencrypt cert to the tarball
+    for cert in /etc/letsencrypt/live/*/ ;
+    do
+            tar ufP $TARFILE /etc/haproxy/ssl/$(basename $cert).pem
+    done
+
+    # Compress the file for transfer
+    gzip -f9 $TARFILE
+
+    # Update the other members of the cluster
+    for SERVER in "${SERVERS[@]}"
+    do
+        if [[ ! $(hostname -I)[*] =~ $SERVER ]]; then
+            # Transfer the files to the backup server
+            sudo -u $USER scp -i $PRIVATE_KEY $TARFILE_COMPRESS $USER@$SERVER:~
+
+            # Deploy the current letsencrypt config/certs
+            sudo -u $USER ssh -i $PRIVATE_KEY $USER@$SERVER "sudo rm -rf /etc/letsencrypt; sudo tar xzfP $TARFILE_COMPRESS && sudo rm $TARFILE_COMPRESS;sudo systemctl reload haproxy"
+        fi
+    done
+fi

roles/haproxy/templates/certbot-renewal.service.j2

@@ -0,0 +1,5 @@
+[Unit]
+Description=Certbot Renewal Service
+[Service]
+Type=oneshot
+ExecStart="/usr/local/sbin/certbot-renewal-cluster"

roles/haproxy/templates/certbot-renewal.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Certbot Renewal Timer
+[Timer]
+WakeSystem=false
+OnCalendar={{ haproxy_certbot_renewal_timer_calendar }}
+{% if haproxy_certbot_renewal_random_delay != '' %}
+RandomizedDelaySec={{ haproxy_certbot_renewal_random_delay }}
+{% endif %}
+[Install]
+WantedBy=timers.target