r/ouranos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactor HAProxy configuration and certificate management

Browse Source 
- Updated HAProxy configuration template to reflect changes for the Taurus Production Environment, including SSL settings and rate limiting for specific endpoints.
- Introduced new playbooks for certificate distribution and validation with OCI Vault, ensuring certificates are correctly managed and renewed.
- Added hooks for uploading renewed certificates to OCI Vault and validating their integrity.
- Enhanced the HAProxy configuration playbook to ensure proper service management and verification of the HAProxy service.
- Updated inventory variables for certificate management and ensured compatibility with the new structure.
This commit is contained in:
Robert
2026-03-17 13:13:38 -04:00
parent 856d7e2ef2
commit 0a053c1cd6
13 changed files with 1268 additions and 204 deletions
Download Patch File Download Diff File Expand all files Collapse all files

231
ansible/certbot/deploy.yml
View File

@@ -2,14 +2,23 @@
# -----------------------------------------------------------------------------
# Certbot Deployment Playbook
# -----------------------------------------------------------------------------
# Deploys certbot with Namecheap DNS-01 validation for wildcard certificates
# Host: hippocamp.helu.ca (OCI HAProxy instance)
# Deploys certbot with Namecheap DNS-01 validation and requests certificates.
# Reusable across all certbot hosts (horkos, bootes).
#
# Supports two host_vars patterns:
# Single-cert: certbot_cert_name + certbot_domains (horkos)
# Multi-cert: certbot_certificates list (bootes)
#
# Secrets are fetched automatically from OCI Vault via group_vars/all/secrets.yml
#
# Usage:
# ansible-playbook certbot/deploy.yml --limit horkos.helu.ca
# ansible-playbook certbot/deploy.yml --limit bootes.helu.ca
# -----------------------------------------------------------------------------
- name: Deploy Certbot with Namecheap DNS-01 Validation
hosts: ubuntu
gather_facts: false
vars:
ansible_common_remote_group: "{{ certbot_group | default(omit) }}"
allow_world_readable_tmpfiles: true
@@ -32,6 +41,16 @@
ansible.builtin.meta: end_host
when: not has_certbot_service
# -------------------------------------------------------------------------
# Build Unified Certificate List
# -------------------------------------------------------------------------
- name: Build unified certificate list from host_vars
ansible.builtin.set_fact:
_certbot_certs: >-
{{ certbot_certificates
| default([{'cert_name': certbot_cert_name, 'domains': certbot_domains}]) }}
# -------------------------------------------------------------------------
# System Setup
# -------------------------------------------------------------------------
@@ -53,10 +72,17 @@
home: "{{ certbot_directory }}"
create_home: false
- name: Add keeper_user to certbot group
- name: Add certbot user to ponos group
become: true
ansible.builtin.user:
name: "{{ keeper_user }}"
name: "{{ certbot_user }}"
groups: ponos
append: true
- name: Add ponos user to certbot group
become: true
ansible.builtin.user:
name: ponos
groups: "{{ certbot_group }}"
append: true
@@ -80,32 +106,6 @@
- "{{ certbot_directory }}/credentials"
- "{{ certbot_directory }}/hooks"
- name: Create haproxy group for certificate directory
become: true
ansible.builtin.group:
name: "{{ haproxy_group | default('haproxy') }}"
system: true
- name: Create haproxy user for certificate directory
become: true
ansible.builtin.user:
name: "{{ haproxy_user | default('haproxy') }}"
comment: "HAProxy Load Balancer"
group: "{{ haproxy_group | default('haproxy') }}"
system: true
shell: /usr/sbin/nologin
home: /nonexistent
create_home: false
- name: Create certificate output directory
become: true
ansible.builtin.file:
path: /etc/haproxy/certs
owner: "{{ certbot_user }}"
group: "{{ haproxy_group | default('haproxy') }}"
state: directory
mode: '0750'
# -------------------------------------------------------------------------
# Python Virtual Environment
# -------------------------------------------------------------------------
@@ -116,6 +116,7 @@
name:
- python3-venv
- python3-pip
- acl
state: present
update_cache: true
@@ -125,50 +126,46 @@
ansible.builtin.command: python3 -m venv {{ certbot_directory }}/.venv
args:
creates: "{{ certbot_directory }}/.venv/bin/activate"
vars:
ansible_common_remote_group: "{{ certbot_group }}"
allow_world_readable_tmpfiles: true
- name: Upgrade pip in virtualenv
become: true
become_user: "{{ certbot_user }}"
ansible.builtin.pip:
name: pip
state: latest
virtualenv: "{{ certbot_directory }}/.venv"
vars:
ansible_common_remote_group: "{{ certbot_group }}"
allow_world_readable_tmpfiles: true
- name: Install certbot and Namecheap DNS plugin
become: true
become_user: "{{ certbot_user }}"
ansible.builtin.pip:
name:
- pip
- certbot
- certbot-dns-namecheap
state: present
virtualenv: "{{ certbot_directory }}/.venv"
vars:
ansible_common_remote_group: "{{ certbot_group }}"
allow_world_readable_tmpfiles: true
- name: Install OCI CLI in certbot venv (vault upload hosts)
become: true
become_user: "{{ certbot_user }}"
ansible.builtin.pip:
name:
- oci-cli
state: present
virtualenv: "{{ certbot_directory }}/.venv"
when: certbot_vault_upload | default(false)
# -------------------------------------------------------------------------
# Namecheap Credentials
# -------------------------------------------------------------------------
- name: Get public IP for Namecheap API
- name: Get public IP for Namecheap API whitelisting
ansible.builtin.uri:
url: https://ifconfig.me/ip
return_content: true
register: public_ip_result
delegate_to: localhost
become: false
- name: Set client IP fact
ansible.builtin.set_fact:
namecheap_client_ip: "{{ public_ip_result.content | trim }}"
- name: Display public IP for Namecheap API whitelisting
ansible.builtin.debug:
msg: "Public IP: {{ namecheap_client_ip }} — ensure whitelisted at https://ap.www.namecheap.com/settings/tools/apiaccess/"
- name: Template Namecheap credentials
become: true
ansible.builtin.template:
@@ -182,7 +179,7 @@
# Renewal Hooks
# -------------------------------------------------------------------------
- name: Template renewal hook script
- name: Template renewal hook script (HAProxy reload)
become: true
ansible.builtin.template:
src: renewal-hook.sh.j2
@@ -190,6 +187,26 @@
owner: "{{ certbot_user }}"
group: "{{ certbot_group }}"
mode: '0750'
when: not (certbot_vault_upload | default(false))
- name: Template vault upload hook script
become: true
ansible.builtin.template:
src: vault-upload-hook.sh.j2
dest: "{{ certbot_directory }}/hooks/renewal-hook.sh"
owner: "{{ certbot_user }}"
group: "{{ certbot_group }}"
mode: '0750'
when: certbot_vault_upload | default(false)
- name: Create Prometheus textfile directory
become: true
ansible.builtin.file:
path: "{{ prometheus_node_exporter_text_directory }}"
state: directory
owner: root
group: root
mode: '0755'
- name: Template certificate metrics script
become: true
@@ -201,20 +218,49 @@
mode: '0750'
# -------------------------------------------------------------------------
# Initial Certificate Request
# Certificate Requests
# -------------------------------------------------------------------------
- name: Check if certificate already exists
- name: Check if certificates already exist
become: true
ansible.builtin.stat:
path: "{{ certbot_directory }}/config/live/{{ certbot_cert_name }}/fullchain.pem"
register: cert_exists
path: "{{ certbot_directory }}/config/live/{{ item.cert_name }}/fullchain.pem"
register: cert_check
loop: "{{ _certbot_certs }}"
loop_control:
label: "{{ item.cert_name }}"
- name: Build domain arguments for certbot
- name: Get current certificate domains
become: true
ansible.builtin.shell: |
set -euo pipefail
openssl x509 -in {{ certbot_directory }}/config/live/{{ item.item.cert_name }}/fullchain.pem \
-noout -ext subjectAltName | \
grep -oP 'DNS:\K[^,\s]+' | sort
args:
executable: /bin/bash
register: cert_domains
loop: "{{ cert_check.results }}"
when: item.stat.exists
changed_when: false
loop_control:
label: "{{ item.item.cert_name }}"
- name: Determine which certificates need requesting
ansible.builtin.set_fact:
certbot_domain_args: "{{ certbot_domains | map('regex_replace', '^', '-d ') | join(' ') }}"
_certs_to_request: >-
{{ _certs_to_request | default([]) + [
item.0.item | combine({
'needs_request': not item.0.stat.exists,
'domains_changed': item.0.stat.exists and
(item.1.stdout_lines | default([]) | sort) != (item.0.item.domains | sort)
})
] }}
loop: "{{ cert_check.results | zip_longest(cert_domains.results | default([]), fillvalue={}) | list }}"
loop_control:
label: "{{ item.0.item.cert_name }}"
- name: Request initial certificate
- name: Request certificates
become: true
become_user: "{{ certbot_user }}"
ansible.builtin.shell: |
@@ -229,17 +275,37 @@
--config-dir {{ certbot_directory }}/config \
--work-dir {{ certbot_directory }}/work \
--logs-dir {{ certbot_directory }}/logs \
--cert-name {{ certbot_cert_name }} \
{{ certbot_domain_args }}
--cert-name {{ item.cert_name }} \
{{ '--force-renewal' if item.domains_changed | default(false) else '' }} \
{{ item.domains | map('regex_replace', '^', '-d ') | join(' ') }}
args:
executable: /bin/bash
when: not cert_exists.stat.exists
register: certbot_request
loop: "{{ _certs_to_request | selectattr('needs_request') | list +
_certs_to_request | selectattr('domains_changed') | list }}"
loop_control:
label: "{{ item.cert_name }}"
register: certbot_requests
- name: Run renewal hook after initial certificate
- name: Run renewal hook after certificate requests
become: true
ansible.builtin.command: "{{ certbot_directory }}/hooks/renewal-hook.sh"
when: certbot_request.changed
environment: >-
{{ {'RENEWED_LINEAGE': certbot_directory + '/config/live/' + item.item.cert_name}
if certbot_vault_upload | default(false) else {} }}
loop: "{{ certbot_requests.results | default([]) }}"
when: item.changed | default(false)
loop_control:
label: "{{ item.item.cert_name }}"
- name: Ensure vault is populated with current certificates
become: true
ansible.builtin.command: "{{ certbot_directory }}/hooks/renewal-hook.sh"
environment:
RENEWED_LINEAGE: "{{ certbot_directory }}/config/live/{{ item.cert_name }}"
loop: "{{ _certbot_certs }}"
when: certbot_vault_upload | default(false)
loop_control:
label: "{{ item.cert_name }}"
# -------------------------------------------------------------------------
# Systemd Timer for Auto-Renewal
@@ -269,7 +335,7 @@
ansible.builtin.copy:
content: |
[Unit]
Description=Run certbot renewal twice daily
Description=Check certbot certificates and renew if expiring
[Timer]
OnCalendar=*-*-* 00,12:00:00
@@ -294,15 +360,6 @@
# Initial Metrics Update
# -------------------------------------------------------------------------
- name: Ensure prometheus textfile directory exists
become: true
ansible.builtin.file:
path: "{{ prometheus_node_exporter_text_directory }}"
state: directory
owner: prometheus
group: prometheus
mode: '0755'
- name: Run certificate metrics script
become: true
ansible.builtin.command: "{{ certbot_directory }}/hooks/cert-metrics.sh"
@@ -312,12 +369,30 @@
# Verification
# -------------------------------------------------------------------------
- name: Verify certificate exists
- name: Verify certificates exist
become: true
ansible.builtin.stat:
path: "{{ haproxy_cert_path }}"
register: final_cert
path: "{{ certbot_directory }}/config/live/{{ item.cert_name }}/fullchain.pem"
register: final_certs
loop: "{{ _certbot_certs }}"
loop_control:
label: "{{ item.cert_name }}"
- name: Certificate deployment status
ansible.builtin.debug:
msg: "Certificate deployed: {{ final_cert.stat.exists }}"
msg: "{{ item.item.cert_name }}: {{ 'deployed' if item.stat.exists else 'MISSING' }}"
loop: "{{ final_certs.results }}"
loop_control:
label: "{{ item.item.cert_name }}"
- name: Verify HAProxy combined PEM exists
become: true
ansible.builtin.stat:
path: "{{ haproxy_cert_path }}"
register: _haproxy_pem
when: haproxy_cert_path is defined
- name: HAProxy PEM status
ansible.builtin.debug:
msg: "HAProxy PEM {{ haproxy_cert_path }}: {{ 'present' if _haproxy_pem.stat.exists else 'MISSING — renewal hook may have failed' }}"
when: haproxy_cert_path is defined and _haproxy_pem is defined