Remove obsolete certificate task and stop patching during a deploy (#660)

crosmuller · web-flow · commit e709961b0207 · 2026-05-04T17:30:01.000+02:00
- Remove obsolete certificate task
- Remove obsolete template
- Stop Haproxy updates during deploys
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
@@ -16,7 +16,7 @@
 - name: Install haproxy and socat
   ansible.builtin.apt:
     name:
-      - "haproxy=3.0.*"
+      - "haproxy"
       - "socat"
       - "git"
     state: "present"
@@ -88,17 +88,6 @@
     group: haproxy
     mode: "0770"
 
-- name: Create combined key and certificate file for HAproxy
-  ansible.builtin.copy:
-    content: >
-      {{ item.key_content }}{{ lookup('file', '{{ inventory_dir }}/files/certs/{{ item.crt_name }}') }}
-    dest: "/etc/haproxy/certs/{{ item.name }}_haproxy.pem"
-    mode: "0600"
-  with_items: "{{ haproxy_sni_ip.certs }}"
-  when: haproxy_sni_ip.certs is defined
-  notify:
-    - "reload haproxy"
-
 - name: Create backend CA directory
   ansible.builtin.file:
     path: "{{ tls_backend_ca | dirname }}"
diff --git a/roles/haproxy/templates/certlist.lst.j2 b/roles/haproxy/templates/certlist.lst.j2
@@ -3,11 +3,6 @@
 /etc/haproxy/certs/{{ host }}.pem [ocsp-update on]
 {% endfor %}
 {% endif %}
-{% if haproxy_sni_ip.certs is defined %}
-{% for cert in haproxy_sni_ip.certs %}
-/etc/haproxy/certs/{{ cert.name }}_haproxy.pem [ocsp-update on]
-{% endfor %}
-{% endif %}
 {% if haproxy_extra_certs is defined %}
 {% for cert in haproxy_extra_certs %}
 {{ cert }} [ocsp-update on]
diff --git a/roles/haproxy/templates/update_ocsp.j2 b/roles/haproxy/templates/update_ocsp.j2
