Haproxy: Fix the order of certain tasks, for idempotency

OpenConext · Jul 3, 2024 · cee7a26 · cee7a26
1 parent 15e5885
commit cee7a26
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 18 deletions.
diff --git a/roles/haproxy/tasks/get_acme_certs.yml b/roles/haproxy/tasks/get_acme_certs.yml
@@ -10,3 +10,21 @@
     cmd: "DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs   /home/acme/.acme.sh/acme.sh --deploy -d {{ base_domain }} --deploy-hook haproxy"
   become_user: acme
   become: true
+
+- name: Start and enable haproxy
+  ansible.builtin.service:
+    name: haproxy
+    state: started
+    enabled: true
+
+- name: Wait for port 443 to become open
+  ansible.builtin.wait_for:
+    port: 443
+    delay: 5      
+    host: "{{ haproxy_sni_ip_ipv4 }}"
+
+- name: Deploy the certificates to haproxy while running, ensuring that when updating certs it will hot reload haproxy
+  ansible.builtin.shell:
+    cmd: "DEPLOY_HAPROXY_HOT_UPDATE=yes   DEPLOY_HAPROXY_STATS_SOCKET=/var/lib/haproxy/haproxy.stats   DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs   /home/acme/.acme.sh/acme.sh --deploy -d {{ base_domain }} --deploy-hook haproxy"
+  become_user: acme
+  become: true
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
@@ -23,15 +23,15 @@
   register: haproxy_package_installed
   until: haproxy_package_installed is succeeded
 
-- name: Include acme installation
-  ansible.builtin.include_tasks: acme.yml
-  when: haproxy_acme | bool
-
 - name: Create lbops group
   ansible.builtin.group:
     name: lbops
     state: present
 
+- name: Include acme installation
+  ansible.builtin.include_tasks: acme.yml
+  when: haproxy_acme | bool
+
 - name: Copy haproxy sysconfig file
   ansible.builtin.copy:
     src: sysconfig_haproxy
@@ -167,6 +167,21 @@
   notify:
     - "reload haproxy"
 
+- name: Add lbops user to sudoers and let it reload haproxy
+  ansible.builtin.copy:
+    src: lbops
+    dest: /etc/sudoers.d/lbops
+    owner: root
+    mode: "0440"
+
+- name: Mount /dev/log into the haproxy chroot
+  ansible.posix.mount:
+    path: /var/lib/haproxy/dev/log
+    src: /dev/log
+    opts: bind
+    state: mounted
+    fstype: none
+
 - name: include get_acme_certs
   include_tasks: get_acme_certs.yml
   when: haproxy_acme | bool and vhost_acls.changed
@@ -176,16 +191,3 @@
     name: haproxy
     state: started
     enabled: true
-
-- name: Deploy the certificates to haproxy while running, ensuring that when updating certs it will hot reload haproxy
-  ansible.builtin.shell:
-    cmd: "DEPLOY_HAPROXY_HOT_UPDATE=yes   DEPLOY_HAPROXY_STATS_SOCKET=/var/lib/haproxy/haproxy.stats   DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs   /home/acme/.acme.sh/acme.sh --deploy -d {{ base_domain }} --deploy-hook haproxy"
-  become_user: acme
-  become: true
-
-- name: Add lbops user to sudoers and let it reload haproxy
-  ansible.builtin.copy:
-    src: lbops
-    dest: /etc/sudoers.d/lbops
-    owner: root
-    mode: "0440"
diff --git a/roles/haproxy/templates/haproxy_global.cfg.j2 b/roles/haproxy/templates/haproxy_global.cfg.j2
@@ -4,7 +4,7 @@
 #---------------------------------------------------------------------
 
 global
-  log         127.0.0.1 len 32768 format local local2
+  log         /dev/log len 32768 format local local2
   chroot      /var/lib/haproxy
   maxconn     4000
   user        haproxy