Clean up haproxy and lego

This commit is contained in:
Amarpreet Minhas 2023-01-05 23:46:02 -05:00
parent b08da75c28
commit ea0f5ddf3a
16 changed files with 0 additions and 291 deletions

View file

@ -61,7 +61,4 @@ vault_ca_cert_payload: |
# lnd # lnd
lnd_version: 0.15.4-beta lnd_version: 0.15.4-beta
# lego
lego_version: 4.7.0
... ...

View file

@ -1,4 +0,0 @@
---
lego_email_address: amarpreet@minhas.io
letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
...

View file

@ -1,3 +0,0 @@
---
consul_config_path: /usr/local/etc/consul.d
...

View file

@ -1,9 +0,0 @@
---
haproxy_domains:
- { name: "freshrss", url: "rss.minhas.io" }
- { name: "gitea", url: "git.minhas.io" }
- { name: "kanban", url: "kanban.minhas.io" }
- { name: "nextcloud", url: "nextcloud.minhas.io" }
- { name: "sudoscientist-go-backend", url: "api.sudoscientist.com" }
- { name: "wallabag", url: "wallabag.minhas.io" }
...

View file

@ -1,5 +0,0 @@
---
lego_certs:
- { name: "_.minhas.io", domain: "*.minhas.io", dns: "namecheap" }
- { name: "api.sudoscientist.com", domain: "api.sudoscientist.com", dns: "route53" }
...

View file

@ -11,9 +11,6 @@ sedan.minhas.io
ranger.minhas.io ranger.minhas.io
hardtack1.minhas.io hardtack1.minhas.io
[haproxy]
sedan.minhas.io
[hardtack] [hardtack]
hardtack[1:7].minhas.io hardtack[1:7].minhas.io

View file

@ -1,6 +0,0 @@
---
- hosts: haproxy
roles:
- role: lego
- role: haproxy
...

View file

@ -1,6 +0,0 @@
---
- name: reload haproxy
systemd:
name: haproxy
state: reloaded
...

View file

@ -1,28 +0,0 @@
---
- name: ensure haproxy exists
apt:
name: haproxy
state: present
- name: ensure haproxy certs dir exists
file:
path: /etc/haproxy/certs
state: directory
owner: haproxy
group: haproxy
mode: 0750
- name: template haproxy config
template:
src: templates/haproxy.cfg.j2
dest: /etc/haproxy/haproxy.cfg
owner: haproxy
group: haproxy
mode: 0644
notify: reload haproxy
- name: ensure haproxy is started and enabled
systemd:
name: haproxy
state: started
enabled: True

View file

@ -1,58 +0,0 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend fe_default
mode http
bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
bind :80
redirect scheme https code 301 if !{ ssl_fc }
http-response set-header Strict-Transport-Security max-age=63072000
{% for domain in haproxy_domains %}
acl host_{{ domain.name }} hdr(host) -i {{ domain.url }}
{% endfor %}
{% for domain in haproxy_domains %}
use_backend be_{{ domain.name }} if host_{{ domain.name }}
{% endfor %}
{% for domain in haproxy_domains %}
backend be_{{ domain.name }}
balance leastconn
server-template {{ domain.name }} 1 _{{ domain.name }}._tcp.service.masked.name resolvers consul resolve-opts allow-dup-ip resolve-prefer ipv4 check
{% endfor %}
resolvers consul
nameserver consul 127.0.0.1:8600
accepted_payload_size 8192
hold valid 5s

View file

@ -1,3 +0,0 @@
---
lego_path: /etc/lego/
...

View file

@ -1,131 +0,0 @@
---
- name: ensure lego group
group:
name: lego
state: present
system: True
- name: ensure lego user
user:
name: lego
state: present
group: lego
system: True
home: /etc/lego
shell: /bin/bash
- name: check lego version
shell:
cmd: "/usr/local/bin/lego --version | cut -d ' ' -f3"
args:
executable: /bin/bash
changed_when: False
register: installed_lego_version
check_mode: False
- name: get lego
unarchive:
src: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_lego_version.stdout != lego_version
register: installed_lego
- name: remove LICENSE/CHANGELOG
file:
path: "{{ item }}"
state: absent
loop:
- /usr/local/bin/CHANGELOG.md
- /usr/local/bin/LICENSE
changed_when: False
when: installed_lego.changed
- name: ensure lego account directory exists
file:
path: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/
state: directory
owner: lego
group: lego
mode: 0700
- name: ensure account.json exists
template:
src: templates/account.json.j2
dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/account.json
owner: lego
group: lego
mode: 0600
- name: ensure account private key exists
template:
src: templates/{{ lego_email_address }}.key.j2
dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/{{ lego_email_address }}.key
owner: lego
group: lego
mode: 0600
- name: ensure namecheap api info exists
template:
src: templates/defaults
dest: /etc/default/lego
owner: lego
group: lego
mode: 0400
- name: check if certs exist
stat:
path: /etc/lego/certificates/{{ item.name }}.pem
loop: "{{ lego_certs }}"
register: statted
- name: create new certs
shell:
cmd: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.item.dns }} --domains "{{ item.item.domain }}" run'
args:
executable: /bin/bash
when: item.stat.exists == False
loop: "{{ statted.results }}"
check_mode: False
- name: create reload hook for domain
template:
src: templates/lego_reload.sh.j2
dest: /usr/local/bin/lego_reload_{{ item.name }}.sh
owner: lego
group: lego
mode: 0700
loop: "{{ lego_certs }}"
- name: set cron env to bash
cron:
name: SHELL
env: True
job: /bin/bash
user: lego
- name: set cron env to bash
cron:
name: SHELL
env: True
job: /bin/bash
user: root
- name: create renewal crontabs
cron:
name: "{{ item.name }} renewal"
hour: "4"
user: lego
job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 30'
loop: "{{ lego_certs }}"
- name: create haproxy reload crontab
cron:
name: "{{ item.name }} haproxy reload"
hour: "5"
user: root
job: '/usr/local/bin/lego_reload_{{ item.name }}.sh'
loop: "{{ lego_certs }}"

View file

@ -1,12 +0,0 @@
{
"email": "{{ admin_email_address }}",
"registration": {
"body": {
"status": "valid",
"contact": [
"mailto:{{ admin_email_address }}"
]
},
"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/{{ letsencrypt_account_id }}"
}
}

View file

@ -1 +0,0 @@
{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}

View file

@ -1,5 +0,0 @@
export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}

View file

@ -1,14 +0,0 @@
#!/bin/bash
export SOURCE_PEM=/etc/lego/certificates/{{ item.name }}.pem
export DEST_PEM=/etc/haproxy/certs/{{ item.name }}.pem
if [ -e ${DEST_PEM} ]; then
diff ${SOURCE_PEM} ${DEST_PEM}
diff_rc=$?
if [ ${diff_rc} == 0 ]; then
exit
fi
cp ${SOURCE_PEM} ${DEST_PEM}
chown haproxy:haproxy ${DEST_PEM}
systemctl reload haproxy
fi