ouranos/ansible/certbot/cert-distribute.yml
Robert Helewka 0a053c1cd6 Refactor HAProxy configuration and certificate management
- Updated HAProxy configuration template to reflect changes for the Taurus Production Environment, including SSL settings and rate limiting for specific endpoints.
- Introduced new playbooks for certificate distribution and validation with OCI Vault, ensuring certificates are correctly managed and renewed.
- Added hooks for uploading renewed certificates to OCI Vault and validating their integrity.
- Enhanced the HAProxy configuration playbook to ensure proper service management and verification of the HAProxy service.
- Updated inventory variables for certificate management and ensured compatibility with the new structure.
2026-03-17 13:13:38 -04:00


---
# -----------------------------------------------------------------------------
# Certificate Distribution Playbook
# -----------------------------------------------------------------------------
# Pulls certificates from OCI Vault (uploaded by bootes certbot) and
# deploys them directly to target hosts for HAProxy/service TLS termination.
#
# Each target host defines its certificates in host_vars (one entry per PEM
# HAProxy/the service should load; cert_name is the name the secrets were
# uploaded under, cert_path the combined fullchain+privkey file to write):
#   certbot_distributed_certs:
#     - cert_name: corvus.helu.ca
#       cert_path: /etc/haproxy/certs/corvus.helu.ca.pem
#
# Run from fornax:
# ansible-playbook certbot/cert-distribute.yml
#
# Deployed as a weekly cron job on fornax.
# Can also be run manually after ad-hoc certificate renewals.
# -----------------------------------------------------------------------------
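- name: Distribute certificates from OCI Vault to target hosts
  hosts: ubuntu:debian
  # No facts are needed: everything below keys off host_vars, and the OCI
  # lookups run on the controller (fornax), which must hold the OCI credentials.
  gather_facts: false

  handlers:
    # Reload only hosts whose inventory `services` list names haproxy; a host
    # without that variable falls back to [] and is never reloaded, so a new
    # PEM lands on disk but is not picked up until haproxy restarts.  A reload
    # (not a restart) is enough for haproxy to re-read its certificate files.
    # NOTE(review): the 0640 root:root file written below presumably relies on
    # the haproxy master process still running as root at reload time --
    # confirm on any host that runs haproxy with a non-root master.
    - name: reload haproxy
      become: true
      ansible.builtin.systemd:
        name: haproxy
        state: reloaded
      when: "'haproxy' in services | default([])"

  tasks:
    # Undefined and empty both mean "nothing to deploy here"; ending the host
    # here also keeps the map/loop expressions below from failing on [].
    - name: Skip hosts without distributed certificates
      ansible.builtin.meta: end_host
      when: certbot_distributed_certs | default([]) | length == 0

    # Create the parent directory of *every* cert_path, not only the first
    # entry's -- a host may keep certificates for different services in
    # different directories.
    - name: Ensure cert directories exist
      become: true
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: '0755'
      loop: "{{ certbot_distributed_certs | map(attribute='cert_path') | map('dirname') | unique | list }}"

    # Build the single PEM HAProxy expects: full chain first, private key last.
    # The secret names are derived from cert_name with dots replaced by dashes,
    # suffixed "-fullchain" / "-privkey".
    #
    # `validate` runs openssl on the staged temp file *before* it is moved over
    # the old file, so an empty, truncated, non-certificate or already expired
    # secret never replaces a working cert: the task fails for that host, the
    # handler is not notified, and the previous PEM stays in place.
    # no_log keeps the private key out of task output, --diff and the
    # registered result (it also hides the validate error text; drop it
    # temporarily when debugging a failed validation).
    - name: Deploy certificate from OCI Vault
      become: true
      ansible.builtin.copy:
        content: |
          {{ lookup('oci_secret', item.cert_name | replace('.', '-') + '-fullchain', vault_id=oci_vault_id) }}
          {{ lookup('oci_secret', item.cert_name | replace('.', '-') + '-privkey', vault_id=oci_vault_id) }}
        dest: "{{ item.cert_path }}"
        owner: root
        group: root
        # Private key material: no world bits, root-owned.
        mode: '0640'
        validate: openssl x509 -noout -checkend 0 -in %s
      loop: "{{ certbot_distributed_certs }}"
      loop_control:
        label: "{{ item.cert_name }}"
      no_log: true
      notify: reload haproxy

    # A parseable certificate is not enough: if the -privkey secret came from a
    # different renewal than -fullchain, haproxy rejects the PEM at reload and
    # TLS stays on the old cert.  Compare the public key embedded in the
    # certificate with the one derived from the private key.  Only public keys
    # reach stdout, so the result is safe to log.  shell (not command) is
    # needed for the command substitutions; the path is shell-quoted because
    # it comes from host_vars.
    - name: Verify private key matches the deployed certificate
      become: true
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |
          set -euo pipefail
          cert_pub="$(openssl x509 -noout -pubkey -in {{ item.cert_path | quote }})"
          key_pub="$(openssl pkey -pubout -in {{ item.cert_path | quote }})"
          [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
      loop: "{{ certbot_distributed_certs }}"
      loop_control:
        label: "{{ item.cert_name }}"
      changed_when: false

    # Runs every time, even when copy/validate did nothing because the file
    # was unchanged -- this is what catches "the vault still holds an expired
    # cert", i.e. renewal on bootes has stopped.  certbot_cert_min_validity_seconds
    # (default 0 = "not expired right now", the previous behaviour) lets a host
    # demand headroom; with the weekly cron, 604800 fails the run before a
    # cert can lapse unnoticed between two runs.  argv avoids re-splitting a
    # templated path on whitespace.
    - name: Verify deployed certificates are not expired
      become: true
      ansible.builtin.command:
        argv:
          - openssl
          - x509
          - '-noout'
          - '-checkend'
          - "{{ certbot_cert_min_validity_seconds | default(0) }}"
          - '-in'
          - "{{ item.cert_path }}"
      register: _cert_check
      loop: "{{ certbot_distributed_certs }}"
      loop_control:
        label: "{{ item.cert_name }}"
      changed_when: false

    - name: Show certificate expiry dates
      become: true
      ansible.builtin.command:
        argv:
          - openssl
          - x509
          - '-noout'
          - '-subject'
          - '-enddate'
          - '-in'
          - "{{ item.cert_path }}"
      register: _cert_info
      loop: "{{ certbot_distributed_certs }}"
      loop_control:
        label: "{{ item.cert_name }}"
      changed_when: false

    # Subject and notAfter only -- nothing sensitive is printed.
    - name: Log certificate status
      ansible.builtin.debug:
        msg: "{{ item.item.cert_name }}: {{ item.stdout }}"
      loop: "{{ _cert_info.results }}"
      loop_control:
        label: "{{ item.item.cert_name }}"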