From ea0f5ddf3a9aa42142cc34491fcf07b054324127 Mon Sep 17 00:00:00 2001
From: Asara
Date: Thu, 5 Jan 2023 23:46:02 -0500
Subject: [PATCH] Clean up haproxy and lego
---
ansible/group_vars/all/main.yml | 3 -
ansible/group_vars/haproxy/main.yml | 4 -
ansible/host_vars/fatman.minhas.io/main.yml | 3 -
ansible/host_vars/sedan.minhas.io/haproxy.yml | 9 --
ansible/host_vars/sedan.minhas.io/lego.yml | 5 -
ansible/inventory.txt | 3 -
ansible/playbooks/haproxy.yml | 6 -
ansible/roles/haproxy/handlers/main.yml | 6 -
ansible/roles/haproxy/tasks/main.yml | 28 ----
.../roles/haproxy/templates/haproxy.cfg.j2 | 58 --------
ansible/roles/lego/defaults/main.yml | 3 -
ansible/roles/lego/tasks/main.yml | 131 ------------------
ansible/roles/lego/templates/account.json.j2 | 12 --
.../lego/templates/amarpreet@minhas.io.key.j2 | 1 -
ansible/roles/lego/templates/defaults | 5 -
.../roles/lego/templates/lego_reload.sh.j2 | 14 --
16 files changed, 291 deletions(-)
delete mode 100644 ansible/group_vars/haproxy/main.yml
delete mode 100644 ansible/host_vars/fatman.minhas.io/main.yml
delete mode 100644 ansible/host_vars/sedan.minhas.io/haproxy.yml
delete mode 100644 ansible/host_vars/sedan.minhas.io/lego.yml
delete mode 100644 ansible/playbooks/haproxy.yml
delete mode 100644 ansible/roles/haproxy/handlers/main.yml
delete mode 100644 ansible/roles/haproxy/tasks/main.yml
delete mode 100644 ansible/roles/haproxy/templates/haproxy.cfg.j2
delete mode 100644 ansible/roles/lego/defaults/main.yml
delete mode 100644 ansible/roles/lego/tasks/main.yml
delete mode 100644 ansible/roles/lego/templates/account.json.j2
delete mode 100644 ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
delete mode 100644 ansible/roles/lego/templates/defaults
delete mode 100644 ansible/roles/lego/templates/lego_reload.sh.j2
diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index 7e3eb0b..35eff3f 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@@ -61,7 +61,4 @@ vault_ca_cert_payload: |
 # lnd
 lnd_version: 0.15.4-beta
-
-# lego
-lego_version: 4.7.0
 ...
diff --git a/ansible/group_vars/haproxy/main.yml b/ansible/group_vars/haproxy/main.yml
deleted file mode 100644
index 43f50f2..0000000
--- a/ansible/group_vars/haproxy/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-lego_email_address: amarpreet@minhas.io
-letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
-...
diff --git a/ansible/host_vars/fatman.minhas.io/main.yml b/ansible/host_vars/fatman.minhas.io/main.yml
deleted file mode 100644
index be8da94..0000000
--- a/ansible/host_vars/fatman.minhas.io/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-consul_config_path: /usr/local/etc/consul.d
-...
diff --git a/ansible/host_vars/sedan.minhas.io/haproxy.yml b/ansible/host_vars/sedan.minhas.io/haproxy.yml
deleted file mode 100644
index 5bcee10..0000000
--- a/ansible/host_vars/sedan.minhas.io/haproxy.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-haproxy_domains:
- - { name: "freshrss", url: "rss.minhas.io" }
- - { name: "gitea", url: "git.minhas.io" }
- - { name: "kanban", url: "kanban.minhas.io" }
- - { name: "nextcloud", url: "nextcloud.minhas.io" }
- - { name: "sudoscientist-go-backend", url: "api.sudoscientist.com" }
- - { name: "wallabag", url: "wallabag.minhas.io" }
-...
diff --git a/ansible/host_vars/sedan.minhas.io/lego.yml b/ansible/host_vars/sedan.minhas.io/lego.yml
deleted file mode 100644
index 779e618..0000000
--- a/ansible/host_vars/sedan.minhas.io/lego.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-lego_certs:
- - { name: "_.minhas.io", domain: "*.minhas.io", dns: "namecheap" }
- - { name: "api.sudoscientist.com", domain: "api.sudoscientist.com", dns: "route53" }
-...
diff --git a/ansible/inventory.txt b/ansible/inventory.txt
index bed7f67..c3be92b 100644
--- a/ansible/inventory.txt
+++ b/ansible/inventory.txt
@@ -11,9 +11,6 @@ sedan.minhas.io
 ranger.minhas.io
 hardtack1.minhas.io
-[haproxy]
-sedan.minhas.io
-
 [hardtack]
 hardtack[1:7].minhas.io
diff --git a/ansible/playbooks/haproxy.yml b/ansible/playbooks/haproxy.yml
deleted file mode 100644
index 4710b0d..0000000
--- a/ansible/playbooks/haproxy.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- hosts: haproxy
- roles:
- - role: lego
- - role: haproxy
-...
diff --git a/ansible/roles/haproxy/handlers/main.yml b/ansible/roles/haproxy/handlers/main.yml
deleted file mode 100644
index fe2943a..0000000
--- a/ansible/roles/haproxy/handlers/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: reload haproxy
- systemd:
- name: haproxy
- state: reloaded
-...
diff --git a/ansible/roles/haproxy/tasks/main.yml b/ansible/roles/haproxy/tasks/main.yml
deleted file mode 100644
index f8ea822..0000000
--- a/ansible/roles/haproxy/tasks/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-- name: ensure haproxy exists
- apt:
- name: haproxy
- state: present
-
-- name: ensure haproxy certs dir exists
- file:
- path: /etc/haproxy/certs
- state: directory
- owner: haproxy
- group: haproxy
- mode: 0750
-
-- name: template haproxy config
- template:
- src: templates/haproxy.cfg.j2
- dest: /etc/haproxy/haproxy.cfg
- owner: haproxy
- group: haproxy
- mode: 0644
- notify: reload haproxy
-
-- name: ensure haproxy is started and enabled
- systemd:
- name: haproxy
- state: started
- enabled: True
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
deleted file mode 100644
index 2e75063..0000000
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ /dev/null
@@ -1,58 +0,0 @@
-global
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- user haproxy
- group haproxy
- daemon
-
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
- ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
- ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
- ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
- ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
-
-defaults
- log global
- mode http
- option httplog
- option dontlognull
- timeout connect 5000
- timeout client 50000
- timeout server 50000
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
-
-frontend fe_default
- mode http
- bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
- bind :80
- redirect scheme https code 301 if !{ ssl_fc }
- http-response set-header Strict-Transport-Security max-age=63072000
-{% for domain in haproxy_domains %}
- acl host_{{ domain.name }} hdr(host) -i {{ domain.url }}
-{% endfor %}
-{% for domain in haproxy_domains %}
- use_backend be_{{ domain.name }} if host_{{ domain.name }}
-{% endfor %}
-
-{% for domain in haproxy_domains %}
-backend be_{{ domain.name }}
- balance leastconn
- server-template {{ domain.name }} 1 _{{ domain.name }}._tcp.service.masked.name resolvers consul resolve-opts allow-dup-ip resolve-prefer ipv4 check
-
-{% endfor %}
-
-resolvers consul
- nameserver consul 127.0.0.1:8600
- accepted_payload_size 8192
- hold valid 5s
diff --git a/ansible/roles/lego/defaults/main.yml b/ansible/roles/lego/defaults/main.yml
deleted file mode 100644
index 8de7cc1..0000000
--- a/ansible/roles/lego/defaults/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-lego_path: /etc/lego/
-...
diff --git a/ansible/roles/lego/tasks/main.yml b/ansible/roles/lego/tasks/main.yml
deleted file mode 100644
index c350874..0000000
--- a/ansible/roles/lego/tasks/main.yml
+++ /dev/null
@@ -1,131 +0,0 @@
----
-- name: ensure lego group
- group:
- name: lego
- state: present
- system: True
-
-- name: ensure lego user
- user:
- name: lego
- state: present
- group: lego
- system: True
- home: /etc/lego
- shell: /bin/bash
-
-- name: check lego version
- shell:
- cmd: "/usr/local/bin/lego --version | cut -d ' ' -f3"
- args:
- executable: /bin/bash
- changed_when: False
- register: installed_lego_version
- check_mode: False
-
-- name: get lego
- unarchive:
- src: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz"
- dest: /usr/local/bin/
- mode: 0755
- owner: root
- group: root
- remote_src: True
- when: installed_lego_version.stdout != lego_version
- register: installed_lego
-
-- name: remove LICENSE/CHANGELOG
- file:
- path: "{{ item }}"
- state: absent
- loop:
- - /usr/local/bin/CHANGELOG.md
- - /usr/local/bin/LICENSE
- changed_when: False
- when: installed_lego.changed
-
-- name: ensure lego account directory exists
- file:
- path: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/
- state: directory
- owner: lego
- group: lego
- mode: 0700
-
-- name: ensure account.json exists
- template:
- src: templates/account.json.j2
- dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/account.json
- owner: lego
- group: lego
- mode: 0600
-
-- name: ensure account private key exists
- template:
- src: templates/{{ lego_email_address }}.key.j2
- dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/{{ lego_email_address }}.key
- owner: lego
- group: lego
- mode: 0600
-
-- name: ensure namecheap api info exists
- template:
- src: templates/defaults
- dest: /etc/default/lego
- owner: lego
- group: lego
- mode: 0400
-
-- name: check if certs exist
- stat:
- path: /etc/lego/certificates/{{ item.name }}.pem
- loop: "{{ lego_certs }}"
- register: statted
-
-- name: create new certs
- shell:
- cmd: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.item.dns }} --domains "{{ item.item.domain }}" run'
- args:
- executable: /bin/bash
- when: item.stat.exists == False
- loop: "{{ statted.results }}"
- check_mode: False
-
-- name: create reload hook for domain
- template:
- src: templates/lego_reload.sh.j2
- dest: /usr/local/bin/lego_reload_{{ item.name }}.sh
- owner: lego
- group: lego
- mode: 0700
- loop: "{{ lego_certs }}"
-
-- name: set cron env to bash
- cron:
- name: SHELL
- env: True
- job: /bin/bash
- user: lego
-
-- name: set cron env to bash
- cron:
- name: SHELL
- env: True
- job: /bin/bash
- user: root
-
-- name: create renewal crontabs
- cron:
- name: "{{ item.name }} renewal"
- hour: "4"
- user: lego
- job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 30'
- loop: "{{ lego_certs }}"
-
-- name: create haproxy reload crontab
- cron:
- name: "{{ item.name }} haproxy reload"
- hour: "5"
- user: root
- job: '/usr/local/bin/lego_reload_{{ item.name }}.sh'
- loop: "{{ lego_certs }}"
diff --git a/ansible/roles/lego/templates/account.json.j2 b/ansible/roles/lego/templates/account.json.j2
deleted file mode 100644
index b796658..0000000
--- a/ansible/roles/lego/templates/account.json.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "email": "{{ admin_email_address }}",
- "registration": {
- "body": {
- "status": "valid",
- "contact": [
- "mailto:{{ admin_email_address }}"
- ]
- },
- "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/{{ letsencrypt_account_id }}"
- }
-}
diff --git a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2 b/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
deleted file mode 100644
index 8eef0b0..0000000
--- a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
diff --git a/ansible/roles/lego/templates/defaults b/ansible/roles/lego/templates/defaults
deleted file mode 100644
index a3427c7..0000000
--- a/ansible/roles/lego/templates/defaults
+++ /dev/null
@@ -1,5 +0,0 @@
-export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
diff --git a/ansible/roles/lego/templates/lego_reload.sh.j2 b/ansible/roles/lego/templates/lego_reload.sh.j2
deleted file mode 100644
index e4af87c..0000000
--- a/ansible/roles/lego/templates/lego_reload.sh.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-export SOURCE_PEM=/etc/lego/certificates/{{ item.name }}.pem
-export DEST_PEM=/etc/haproxy/certs/{{ item.name }}.pem
-
-if [ -e ${DEST_PEM} ]; then
- diff ${SOURCE_PEM} ${DEST_PEM}
- diff_rc=$?
- if [ ${diff_rc} == 0 ]; then
- exit
- fi
- cp ${SOURCE_PEM} ${DEST_PEM}
- chown haproxy:haproxy ${DEST_PEM}
- systemctl reload haproxy
-fi