Clean up haproxy and lego

ansible/group_vars/all/main.yml

@@ -61,7 +61,4 @@ vault_ca_cert_payload: |
 
 # lnd
 lnd_version: 0.15.4-beta
-
-# lego
-lego_version: 4.7.0
 ...

ansible/group_vars/haproxy/main.yml

@@ -1,4 +0,0 @@
----
-lego_email_address: amarpreet@minhas.io
-letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
-...

ansible/host_vars/fatman.minhas.io/main.yml

@@ -1,3 +0,0 @@
----
-consul_config_path: /usr/local/etc/consul.d
-...

ansible/host_vars/sedan.minhas.io/haproxy.yml

@@ -1,9 +0,0 @@
----
-haproxy_domains:
-    - { name: "freshrss", url: "rss.minhas.io" }
-    - { name: "gitea", url: "git.minhas.io" }
-    - { name: "kanban", url: "kanban.minhas.io" }
-    - { name: "nextcloud", url: "nextcloud.minhas.io" }
-    - { name: "sudoscientist-go-backend", url: "api.sudoscientist.com" }
-    - { name: "wallabag", url: "wallabag.minhas.io" }
-...

ansible/host_vars/sedan.minhas.io/lego.yml

@@ -1,5 +0,0 @@
----
-lego_certs:
-  - { name: "_.minhas.io", domain: "*.minhas.io", dns: "namecheap" }
-  - { name: "api.sudoscientist.com", domain: "api.sudoscientist.com", dns: "route53" }
-...

ansible/inventory.txt

@@ -11,9 +11,6 @@ sedan.minhas.io
 ranger.minhas.io
 hardtack1.minhas.io
 
-[haproxy]
-sedan.minhas.io
-
 [hardtack]
 hardtack[1:7].minhas.io
 

ansible/playbooks/haproxy.yml

@@ -1,6 +0,0 @@
----
-- hosts: haproxy
-  roles:
-    - role: lego
-    - role: haproxy
-...

ansible/roles/haproxy/handlers/main.yml

@@ -1,6 +0,0 @@
----
-- name: reload haproxy
-  systemd:
-    name: haproxy
-    state: reloaded
-...

ansible/roles/haproxy/tasks/main.yml

@@ -1,28 +0,0 @@
----
-- name: ensure haproxy exists
-  apt:
-    name: haproxy
-    state: present
-
-- name: ensure haproxy certs dir exists
-  file:
-    path: /etc/haproxy/certs
-    state: directory
-    owner: haproxy
-    group: haproxy
-    mode: 0750
-
-- name: template haproxy config
-  template:
-    src: templates/haproxy.cfg.j2
-    dest: /etc/haproxy/haproxy.cfg
-    owner: haproxy
-    group: haproxy
-    mode: 0644
-  notify: reload haproxy
-
-- name: ensure haproxy is started and enabled
-  systemd:
-    name: haproxy
-    state: started
-    enabled: True

ansible/roles/haproxy/templates/haproxy.cfg.j2

@@ -1,58 +0,0 @@
-global
-    log /dev/log	local0
-    log /dev/log	local1 notice
-    chroot /var/lib/haproxy
-    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
-    stats timeout 30s
-    user haproxy
-    group haproxy
-    daemon
-
-    # Default SSL material locations
-    ca-base /etc/ssl/certs
-    crt-base /etc/ssl/private
-    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
-    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
-
-defaults
-    log	global
-    mode	http
-    option	httplog
-    option	dontlognull
-    timeout connect 5000
-    timeout client  50000
-    timeout server  50000
-    errorfile 400 /etc/haproxy/errors/400.http
-    errorfile 403 /etc/haproxy/errors/403.http
-    errorfile 408 /etc/haproxy/errors/408.http
-    errorfile 500 /etc/haproxy/errors/500.http
-    errorfile 502 /etc/haproxy/errors/502.http
-    errorfile 503 /etc/haproxy/errors/503.http
-    errorfile 504 /etc/haproxy/errors/504.http
-
-frontend fe_default
-    mode    http
-    bind    :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
-    bind    :80
-    redirect scheme https code 301 if !{ ssl_fc }
-    http-response set-header Strict-Transport-Security max-age=63072000
-{% for domain in haproxy_domains %}
-    acl host_{{ domain.name }} hdr(host) -i {{ domain.url }}
-{% endfor %}
-{% for domain in haproxy_domains %}
-    use_backend be_{{ domain.name }} if host_{{ domain.name }}
-{% endfor %}
-
-{% for domain in haproxy_domains %}
-backend be_{{ domain.name }}
-    balance leastconn
-    server-template {{ domain.name }} 1 _{{ domain.name }}._tcp.service.masked.name resolvers consul resolve-opts allow-dup-ip resolve-prefer ipv4 check
-
-{% endfor %}
-
-resolvers consul
-    nameserver consul 127.0.0.1:8600
-    accepted_payload_size 8192
-    hold valid 5s

ansible/roles/lego/defaults/main.yml

@@ -1,3 +0,0 @@
----
-lego_path: /etc/lego/
-...

ansible/roles/lego/tasks/main.yml

@@ -1,131 +0,0 @@
----
-- name: ensure lego group
-  group:
-    name: lego
-    state: present
-    system: True
-
-- name: ensure lego user
-  user:
-    name: lego
-    state: present
-    group: lego
-    system: True
-    home: /etc/lego
-    shell: /bin/bash
-
-- name: check lego version
-  shell:
-    cmd: "/usr/local/bin/lego --version | cut -d ' ' -f3"
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: installed_lego_version
-  check_mode: False
-
-- name: get lego
-  unarchive:
-    src: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz"
-    dest: /usr/local/bin/
-    mode: 0755
-    owner: root
-    group: root
-    remote_src: True
-  when: installed_lego_version.stdout != lego_version
-  register: installed_lego
-
-- name: remove LICENSE/CHANGELOG
-  file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /usr/local/bin/CHANGELOG.md
-    - /usr/local/bin/LICENSE
-  changed_when: False
-  when: installed_lego.changed
-
-- name: ensure lego account directory exists
-  file:
-    path: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/
-    state: directory
-    owner: lego
-    group: lego
-    mode: 0700
-
-- name: ensure account.json exists
-  template:
-    src: templates/account.json.j2
-    dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/account.json
-    owner: lego
-    group: lego
-    mode: 0600
-
-- name: ensure account private key exists
-  template:
-    src: templates/{{ lego_email_address }}.key.j2
-    dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/{{ lego_email_address }}.key
-    owner: lego
-    group: lego
-    mode: 0600
-
-- name: ensure namecheap api info exists
-  template:
-    src: templates/defaults
-    dest: /etc/default/lego
-    owner: lego
-    group: lego
-    mode: 0400
-
-- name: check if certs exist
-  stat:
-    path: /etc/lego/certificates/{{ item.name }}.pem
-  loop: "{{ lego_certs }}"
-  register: statted
-
-- name: create new certs
-  shell:
-    cmd: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.item.dns }} --domains "{{ item.item.domain }}" run'
-  args:
-    executable: /bin/bash
-  when: item.stat.exists == False
-  loop: "{{ statted.results }}"
-  check_mode: False
-
-- name: create reload hook for domain
-  template:
-    src: templates/lego_reload.sh.j2
-    dest: /usr/local/bin/lego_reload_{{ item.name }}.sh
-    owner: lego
-    group: lego
-    mode: 0700
-  loop: "{{ lego_certs }}"
-
-- name: set cron env to bash
-  cron:
-    name: SHELL
-    env: True
-    job: /bin/bash
-    user: lego
-
-- name: set cron env to bash
-  cron:
-    name: SHELL
-    env: True
-    job: /bin/bash
-    user: root
-
-- name: create renewal crontabs
-  cron:
-    name: "{{ item.name }} renewal"
-    hour: "4"
-    user: lego
-    job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 30'
-  loop: "{{ lego_certs }}"
-
-- name: create haproxy reload crontab
-  cron:
-    name: "{{ item.name }} haproxy reload"
-    hour: "5"
-    user: root
-    job: '/usr/local/bin/lego_reload_{{ item.name }}.sh'
-  loop: "{{ lego_certs }}"

ansible/roles/lego/templates/account.json.j2

@@ -1,12 +0,0 @@
-{
-	"email": "{{ admin_email_address }}",
-	"registration": {
-		"body": {
-			"status": "valid",
-			"contact": [
-				"mailto:{{ admin_email_address }}"
-			]
-		},
-		"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/{{ letsencrypt_account_id }}"
-	}
-}

ansible/roles/lego/templates/amarpreet@minhas.io.key.j2

@@ -1 +0,0 @@
-{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}

ansible/roles/lego/templates/defaults

@@ -1,5 +0,0 @@
-export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
-export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}

ansible/roles/lego/templates/lego_reload.sh.j2

@@ -1,14 +0,0 @@
-#!/bin/bash
-export SOURCE_PEM=/etc/lego/certificates/{{ item.name }}.pem
-export DEST_PEM=/etc/haproxy/certs/{{ item.name }}.pem
-
-if [ -e ${DEST_PEM} ]; then
-  diff ${SOURCE_PEM} ${DEST_PEM}
-  diff_rc=$?
-  if [ ${diff_rc} == 0 ]; then
-      exit
-  fi
-  cp ${SOURCE_PEM} ${DEST_PEM}
-  chown haproxy:haproxy ${DEST_PEM}
-  systemctl reload haproxy
-fi