|
22 | 22 | check_mode: false # this is safe run run, even in check mode |
23 | 23 | run_once: true |
24 | 24 |
|
25 | | -- name: Issue the certificates using acme |
26 | | - ansible.builtin.command: |
27 | | - cmd: | |
28 | | - /home/acme/.acme.sh/acme.sh |
29 | | - --issue |
30 | | - --ecc |
31 | | - --keylength ec-384 |
32 | | - --days "{{ haproxy_acme_renewal_days }}" |
33 | | - --dns dns_acmedns |
34 | | - --stateless |
35 | | - --dnssleep 3 |
36 | | - --server "{{ haproxy_acme_server }}" |
37 | | - --domain "{{ item }}" |
38 | | - environment: |
39 | | - ACMEDNS_BASE_URL: "{{ haproxy_acmedns.baseurl }}" |
40 | | - ACMEDNS_USERNAME: "{{ haproxy_acmedns.username }}" |
41 | | - ACMEDNS_PASSWORD: "{{ haproxy_acmedns.password }}" |
42 | | - ACMEDNS_SUBDOMAIN: "{{ haproxy_acmedns.subdomain }}" |
43 | | - loop: "{{ haproxy_ssl_hosts }}" |
44 | | - register: "acme_issue" |
45 | | - changed_when: "acme_issue.rc == 0" |
46 | | - failed_when: 'acme_issue.rc != 0 and acme_issue.rc != 2' |
47 | | - become_user: "acme" |
48 | | - become: true |
| 25 | +- name: Update certificates on one host at a time |
| 26 | + throttle: 1 |
| 27 | + block: |
| 28 | + - name: Issue the certificates using acme |
| 29 | + ansible.builtin.command: |
| 30 | + cmd: | |
| 31 | + /home/acme/.acme.sh/acme.sh |
| 32 | + --issue |
| 33 | + --ecc |
| 34 | + --keylength ec-384 |
| 35 | + --days "{{ haproxy_acme_renewal_days }}" |
| 36 | + --dns dns_acmedns |
| 37 | + --stateless |
| 38 | + --dnssleep 3 |
| 39 | + --server "{{ haproxy_acme_server }}" |
| 40 | + --domain "{{ item }}" |
| 41 | + environment: |
| 42 | + ACMEDNS_BASE_URL: "{{ haproxy_acmedns.baseurl }}" |
| 43 | + ACMEDNS_USERNAME: "{{ haproxy_acmedns.username }}" |
| 44 | + ACMEDNS_PASSWORD: "{{ haproxy_acmedns.password }}" |
| 45 | + ACMEDNS_SUBDOMAIN: "{{ haproxy_acmedns.subdomain }}" |
| 46 | + loop: "{{ haproxy_ssl_hosts }}" |
| 47 | + throttle: 1 |
| 48 | + register: "acme_issue" |
| 49 | + changed_when: "acme_issue.rc == 0" |
| 50 | + failed_when: 'acme_issue.rc != 0 and acme_issue.rc != 2' |
| 51 | + become_user: "acme" |
| 52 | + become: true |
49 | 53 |
|
50 | | -# Now deploy the certificates to haproxy |
51 | | -# We do this in two steps: |
52 | | -# 1. Cold-deploy the certificates to haproxy's certs directory |
53 | | -# 2. Make sure haproxy is started, and hot-deploy the certificates to haproxy though the socket API |
| 54 | + # Now deploy the certificates to haproxy |
| 55 | + # We do this in two steps: |
| 56 | + # 1. Cold-deploy the certificates to haproxy's certs directory |
| 57 | + # 2. Make sure haproxy is started, and hot-deploy the certificates to haproxy though the socket API |
54 | 58 |
|
55 | | -- name: Cold-deploy the certificates to haproxy # noqa: no-handler |
56 | | - ansible.builtin.command: |
57 | | - cmd: | |
58 | | - /home/acme/.acme.sh/acme.sh |
59 | | - --deploy |
60 | | - --deploy-hook haproxy |
61 | | - --domain "{{ item }}" |
62 | | - environment: |
63 | | - DEPLOY_HAPROXY_PEM_PATH: "/etc/haproxy/certs" |
64 | | - loop: "{{ haproxy_ssl_hosts }}" |
65 | | - register: "result" |
66 | | - changed_when: "result.rc == 0" |
67 | | - when: "acme_issue.changed" |
68 | | - become_user: "acme" |
69 | | - become: true |
| 59 | + - name: Cold-deploy the certificates to haproxy # noqa: no-handler |
| 60 | + ansible.builtin.command: |
| 61 | + cmd: | |
| 62 | + /home/acme/.acme.sh/acme.sh |
| 63 | + --deploy |
| 64 | + --deploy-hook haproxy |
| 65 | + --domain "{{ item }}" |
| 66 | + environment: |
| 67 | + DEPLOY_HAPROXY_PEM_PATH: "/etc/haproxy/certs" |
| 68 | + loop: "{{ haproxy_ssl_hosts }}" |
| 69 | + register: "result" |
| 70 | + changed_when: "result.rc == 0" |
| 71 | + when: "acme_issue.changed" |
| 72 | + become_user: "acme" |
| 73 | + become: true |
70 | 74 |
|
71 | | -- name: Start and enable haproxy |
72 | | - ansible.builtin.service: |
73 | | - name: "haproxy" |
74 | | - state: "started" |
75 | | - enabled: true |
| 75 | + - name: Start and enable haproxy |
| 76 | + ansible.builtin.service: |
| 77 | + name: "haproxy" |
| 78 | + state: "started" |
| 79 | + enabled: true |
76 | 80 |
|
77 | | -- name: Wait for port 443 to become open # noqa: no-handler |
78 | | - ansible.builtin.wait_for: |
79 | | - port: 443 |
80 | | - delay: 5 |
81 | | - host: "{{ haproxy_sni_ip.ipv4 }}" |
82 | | - when: "acme_issue.changed" |
| 81 | + - name: Wait for port 443 to become open # noqa: no-handler |
| 82 | + ansible.builtin.wait_for: |
| 83 | + port: 443 |
| 84 | + delay: 5 |
| 85 | + host: "{{ haproxy_sni_ip.ipv4 }}" |
| 86 | + when: "acme_issue.changed" |
83 | 87 |
|
84 | | -- name: Hot-deploy the certificates to haproxy # noqa: no-handler |
85 | | - ansible.builtin.command: |
86 | | - cmd: | |
87 | | - /home/acme/.acme.sh/acme.sh |
88 | | - --deploy |
89 | | - --deploy-hook haproxy |
90 | | - --domain "{{ item }}" |
91 | | - environment: |
92 | | - DEPLOY_HAPROXY_HOT_UPDATE: "yes" |
93 | | - DEPLOY_HAPROXY_STATS_SOCKET: "/var/lib/haproxy/haproxy.stats" |
94 | | - DEPLOY_HAPROXY_PEM_PATH: "/etc/haproxy/certs" |
95 | | - loop: "{{ haproxy_ssl_hosts }}" |
96 | | - when: "acme_issue.changed" |
97 | | - register: "result" |
98 | | - changed_when: "result.changed" |
99 | | - become_user: "acme" |
100 | | - become: true |
| 88 | + - name: Hot-deploy the certificates to haproxy # noqa: no-handler |
| 89 | + ansible.builtin.command: |
| 90 | + cmd: | |
| 91 | + /home/acme/.acme.sh/acme.sh |
| 92 | + --deploy |
| 93 | + --deploy-hook haproxy |
| 94 | + --domain "{{ item }}" |
| 95 | + environment: |
| 96 | + DEPLOY_HAPROXY_HOT_UPDATE: "yes" |
| 97 | + DEPLOY_HAPROXY_STATS_SOCKET: "/var/lib/haproxy/haproxy.stats" |
| 98 | + DEPLOY_HAPROXY_PEM_PATH: "/etc/haproxy/certs" |
| 99 | + loop: "{{ haproxy_ssl_hosts }}" |
| 100 | + when: "acme_issue.changed" |
| 101 | + register: "result" |
| 102 | + changed_when: "result.changed" |
| 103 | + become_user: "acme" |
| 104 | + become: true |