From cee7a266d4a7f6b69097e5b1357d5b1b45ffb9e3 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Wed, 3 Jul 2024 17:12:38 +0200
Subject: [PATCH] Haproxy: Fix the order of certain tasks, for idempotency

---
 roles/haproxy/tasks/get_acme_certs.yml | 18 ++++++++++
 roles/haproxy/tasks/main.yml | 36 ++++++++++---------
 roles/haproxy/templates/haproxy_global.cfg.j2 | 2 +-
 3 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/roles/haproxy/tasks/get_acme_certs.yml b/roles/haproxy/tasks/get_acme_certs.yml
index 96b63942d..5f2c28014 100644
--- a/roles/haproxy/tasks/get_acme_certs.yml
+++ b/roles/haproxy/tasks/get_acme_certs.yml
@@ -10,3 +10,21 @@
 cmd: "DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs /home/acme/.acme.sh/acme.sh --deploy -d {{ base_domain }} --deploy-hook haproxy"
 become_user: acme
 become: true
+
+- name: Start and enable haproxy
+ ansible.builtin.service:
+ name: haproxy
+ state: started
+ enabled: true
+
+- name: Wait for port 443 to become open
+ ansible.builtin.wait_for:
+ port: 443
+ delay: 5
+ host: "{{ haproxy_sni_ip_ipv4 }}"
+
+- name: Deploy the certificates to haproxy while running, ensuring that when updating certs it will hot reload haproxy
+ ansible.builtin.shell:
+ cmd: "DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKET=/var/lib/haproxy/haproxy.stats DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs /home/acme/.acme.sh/acme.sh --deploy -d {{ base_domain }} --deploy-hook haproxy"
+ become_user: acme
+ become: true
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 230f3b34e..fcdbce0ea 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
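Review bot: The hot-reload deploy task added at the end of the hunk interpolates `{{ base_domain }}` directly into an `ansible.builtin.shell` command string, so a value containing shell metacharacters would be executed as shell by the `acme` user; the pre-start deploy task in the context lines at the top of the hunk has the same pattern. Nothing in the command needs a shell, so the `DEPLOY_*` assignments can move to the task's `environment:` keyword and the command to `ansible.builtin.command` with `argv`, which passes the domain as one argument with no shell in between. In that form `DEPLOY_HAPROXY_HOT_UPDATE` must be written `"yes"` with quotes, because an unquoted `yes` is a YAML boolean and would reach acme.sh as `True`. Both `shell` and `command` report changed on every run, so given the commit's idempotency goal a `register` plus `changed_when` derived from acme.sh's output may be worth adding, if its output makes that possible. This path also requires the `acme` user to write to the stats socket at /var/lib/haproxy/haproxy.stats; the socket's mode and `level` are not in this diff, and whatever they grant is what the acme user can do to the running haproxy, so they are worth confirming.
```yaml
# … unchanged: "Start and enable haproxy" and "Wait for port 443 to become open" tasks …
- name: Deploy the certificates to haproxy while running, ensuring that when updating certs it will hot reload haproxy
  ansible.builtin.command:
    argv:
      - /home/acme/.acme.sh/acme.sh
      - --deploy
      - -d
      - "{{ base_domain }}"
      - --deploy-hook
      - haproxy
  environment:
    DEPLOY_HAPROXY_HOT_UPDATE: "yes"
    DEPLOY_HAPROXY_STATS_SOCKET: /var/lib/haproxy/haproxy.stats
    DEPLOY_HAPROXY_PEM_PATH: /etc/haproxy/certs
  become_user: acme
  become: true
```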
@@ -23,15 +23,15 @@
 register: haproxy_package_installed
 until: haproxy_package_installed is succeeded

-- name: Include acme installation
- ansible.builtin.include_tasks: acme.yml
- when: haproxy_acme | bool
-
 - name: Create lbops group
 ansible.builtin.group:
 name: lbops
 state: present

+- name: Include acme installation
+ ansible.builtin.include_tasks: acme.yml
+ when: haproxy_acme | bool
+
 - name: Copy haproxy sysconfig file
 ansible.builtin.copy:
 src: sysconfig_haproxy
@@ -167,6 +167,21 @@
 notify:
 - "reload haproxy"

+- name: Add lbops user to sudoers and let it reload haproxy
+ ansible.builtin.copy:
+ src: lbops
+ dest: /etc/sudoers.d/lbops
+ owner: root
+ mode: "0440"
+
+- name: Mount /dev/log into the haproxy chroot
+ ansible.posix.mount:
+ path: /var/lib/haproxy/dev/log
+ src: /dev/log
+ opts: bind
+ state: mounted
+ fstype: none
+
 - name: include get_acme_certs
 include_tasks: get_acme_certs.yml
 when: haproxy_acme | bool and vhost_acls.changed
@@ -176,16 +191,3 @@
 name: haproxy
 state: started
 enabled: true
-
-- name: Deploy the certificates to haproxy while running, ensuring that when updating certs it will hot reload haproxy
- ansible.builtin.shell:
- cmd: "DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKET=/var/lib/haproxy/haproxy.stats DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs /home/acme/.acme.sh/acme.sh --deploy -d {{ base_domain }} --deploy-hook haproxy"
- become_user: acme
- become: true
-
-- name: Add lbops user to sudoers and let it reload haproxy
- ansible.builtin.copy:
- src: lbops
- dest: /etc/sudoers.d/lbops
- owner: root
- mode: "0440"
diff --git a/roles/haproxy/templates/haproxy_global.cfg.j2 b/roles/haproxy/templates/haproxy_global.cfg.j2
index fbbb6bfe8..3b5ede255 100644
--- a/roles/haproxy/templates/haproxy_global.cfg.j2
+++ b/roles/haproxy/templates/haproxy_global.cfg.j2
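Review bot: The sudoers fragment copied to /etc/sudoers.d/lbops in the second hunk (`@@ -167,6 +167,21 @@`) is installed without syntax validation, so a malformed `lbops` source file would be written into sudoers.d and can leave sudo refusing every command on the host; add `validate: /usr/sbin/visudo -cf %s` to the copy task, and `group: root` next to `owner: root` so the group is not left to the copying user's default. The task is only moved by this commit, but the missing check is still in the new code. In the mount task that follows, `ansible.posix.mount` with `state: mounted` creates a missing mount point as a directory as far as I know, while /dev/log is a socket, so the bind mount would presumably fail on a fresh host where /var/lib/haproxy/dev/log does not yet exist as a file — worth confirming, and if so a preceding `ansible.builtin.file` task with `state: touch` (with `access_time: preserve` and `modification_time: preserve` so it stays idempotent) on that path would make the play reproducible. The first and third hunks only reorder and remove tasks and raise nothing.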
@@ -4,7 +4,7 @@
 #---------------------------------------------------------------------
 global
- log 127.0.0.1 len 32768 format local local2
+ log /dev/log len 32768 format local local2
 chroot /var/lib/haproxy
 maxconn 4000
 user haproxy
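Review bot: The new `log /dev/log` line only works because main.yml bind-mounts /dev/log into the `chroot /var/lib/haproxy` shown two lines below it, and nothing in the template records that dependency; as far as I know haproxy treats an unreachable log socket as best-effort rather than fatal, so a host where the mount is missing would keep serving traffic while silently producing no logs. A comment above the line would make the coupling visible: `# /dev/log is bind-mounted into the chroot by roles/haproxy/tasks/main.yml; without that mount logging from inside the chroot is silently lost`. The previous target 127.0.0.1 implied a local UDP syslog listener; if that listener is configured elsewhere in the role it is presumably now unused, which this hunk does not let me verify. The `global` section continues past the hunk.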