

commit 1a9df28b717cb0528dcbbb7b79a36afeb949e140
parent 7297d17b993091908412ce1e7b9f49a551208255
Author: Dionysis Grigoropoulos <dgrig@erethon.com>
Date:   Thu, 23 Aug 2018 01:07:34 +0300

haproxy: Use crt-list to load site certificates

Diffstat:
ansible/inventory/host_vars/spinny/haproxy.yml | 4++++
ansible/roles/haproxy/tasks/main.yml | 7+++++--
ansible/roles/haproxy/templates/crt-list.cfg.j2 | 3+++
ansible/roles/haproxy/templates/haproxy.cfg.j2 | 2+-
4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ansible/inventory/host_vars/spinny/haproxy.yml b/ansible/inventory/host_vars/spinny/haproxy.yml
@@ -3,3 +3,7 @@
prosody__public_ip: '163.172.24.171'
prosody__private_ip: '192.168.122.2'
static__private_ip: '192.168.122.2'
+
+certs__names: ['f.erethon.com', 'chat.erethon.com', 'grafana.erethon.com',
+ 'capitalism.erethon.com', 'blog.erethon.com', 'erethon.com',
+ 'www.plothopes.com']
diff --git a/ansible/roles/haproxy/tasks/main.yml b/ansible/roles/haproxy/tasks/main.yml
@@ -1,6 +1,9 @@
---
- template:
- src: haproxy.cfg.j2
- dest: /etc/haproxy/haproxy.cfg
+ src: "{{ item }}"
+ dest: /etc/haproxy/
notify: Reload haproxy
+ with_items:
+ - haproxy.cfg.j2
+ - crt-list.cfg.j2
diff --git a/ansible/roles/haproxy/templates/crt-list.cfg.j2 b/ansible/roles/haproxy/templates/crt-list.cfg.j2
@@ -0,0 +1,3 @@
+{% for cert in certs__names %}
+"/etc/ssl/private/{{ cert }}.pem"
+{% endfor %}
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -43,7 +43,7 @@ frontend eighty
redirect scheme https if !{ ssl_fc }
frontend ssl
- bind *:443 ssl crt /etc/ssl/private/plothopes.com/plothopes.pem ssl crt /etc/ssl/private/erethon.com/capitalism.pem ssl crt /etc/ssl/private/erethon.com/erethon.pem ssl crt /etc/ssl/private/erethon.com/f.pem ssl crt /etc/ssl/private/erethon.com/grafana.pem ssl crt /etc/ssl/private/erethon.com/blog.pem
+ bind *:443 ssl crt-list /etc/haproxy/crt-list.cfg
mode http
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload
http-request set-header X-Forwarded-Proto https if { ssl_fc }
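Review bot: `dest: /etc/haproxy/` is a directory, and as far as I can tell the template module then names the rendered file after the source basename, so the two files land as `/etc/haproxy/haproxy.cfg.j2` and `/etc/haproxy/crt-list.cfg.j2`; haproxy keeps reading the previous `/etc/haproxy/haproxy.cfg`, and the `crt-list /etc/haproxy/crt-list.cfg` path written into the new config is never created, which would make the next reload fail (or silently serve the old certificate set). Strip the suffix when building the destination, e.g. `dest: "/etc/haproxy/{{ item | regex_replace('\\.j2$', '') }}"`, or loop over explicit `src`/`dest` pairs. Since the `with_items` list is position-dependent (the main config references the list file), a short comment above it such as `# crt-list.cfg must exist before haproxy.cfg is validated or reloaded` would help the next maintainer.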
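Review bot: The paths this template emits, `/etc/ssl/private/<name>.pem`, do not match the files the removed bind line was loading (`/etc/ssl/private/erethon.com/f.pem`, `/etc/ssl/private/plothopes.com/plothopes.pem`, and so on), and nothing in this commit moves or renames them. HAProxy refuses to start or reload when any crt-list entry cannot be read, so unless the certificate role already writes the new layout this change takes the whole TLS frontend down on the next reload rather than degrading gracefully; it is worth confirming that, and worth having the reload handler run `haproxy -c -f /etc/haproxy/haproxy.cfg` before touching the running instance. A header comment in the template, `{# managed by Ansible: one combined cert+key PEM per name in certs__names; do not edit on the host #}`, would document where the list comes from.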
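Review bot: With `crt-list`, the first certificate in the list is the one HAProxy presents to clients that send no SNI or a name matching none of the loaded certificates, so this bind line silently changes the default from `plothopes.pem` (first `crt` on the removed line) to whichever name comes first in `certs__names`, currently `f.erethon.com`. If a particular default is intended, keep it first and say so next to the variable; otherwise add `strict-sni` so an unmatched name gets a handshake failure instead of an unrelated site's certificate: `bind *:443 ssl crt-list /etc/haproxy/crt-list.cfg strict-sni`. Note that `strict-sni` also rejects legacy clients that send no SNI at all, which may or may not be acceptable here. The rest of the `frontend ssl` block (backend selection) is outside the hunk.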