From bb35abf58580f570829ba4d3e56eeaf61e2e8a9e Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Tue, 6 Nov 2018 11:02:17 +0200
Subject: Fix: recreate haproxy.pem in cron job haproxy wants a haproxy.pem that is the catenation of letsencrypt's fullchain.pem and privkey.pem. It's created by the Ansible playbook, but if you don't run Ansible for three months, the cert will expire. Add a daily cron job that recreates haproxy.pem every day. This might be doable using a certbot haproxy plugin, but I can't be arsed to find out. Don't understand why letsencrypt doesn't just create such a file by default, or why haproxy wants such a file.
---
 roles/haproxy/tasks/main.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'roles')
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index a7854fb..8129482 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -38,6 +38,17 @@
 (cd /etc/letsencrypt/live/haproxy; cat fullchain.pem privkey.pem) \
 > /etc/ssl/haproxy.pem
 
+- name: "install daily cron job to create haproxy.pem"
+ copy:
+ content: |
+ #!/bin/sh
+ cd /etc/letsencrypt/live/haproxy
+ cat fullchain.pem privkey.pem > /etc/ssl/haproxy.pem
+ dest: /etc/cron.daily/haproxy.pem
+ owner: root
+ group: root
+ mode: 0755
+
 - name: install haproxy
 apt:
 name: haproxy
-- 
cgit v1.2.1
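Review bot: The `dest: /etc/cron.daily/haproxy.pem` name contains a dot, and Debian's run-parts skips file names with characters outside letters, digits, `_` and `-`, so on the apt-based hosts this role appears to target the job would never run; a name such as `/etc/cron.daily/haproxy-pem` avoids that. The script also writes the private key with a plain `>` redirect: a newly created /etc/ssl/haproxy.pem gets its mode from cron's umask, and because there is no `set -e`, a failed `cd` or a missing input file leaves the bundle truncated. Writing to a 0600 temporary file in the same directory and renaming it over the target fixes both, as sketched below; check that haproxy can still read a root-only 0600 file on these hosts. Nothing visible in the hunk reloads haproxy afterwards, so the running process presumably keeps serving the old certificate until its next restart. The shell task in the context lines above the hunk uses the same redirect and starts outside the hunk.

```yaml
    content: |
      #!/bin/sh
      set -eu
      umask 077
      # … unchanged: cd /etc/letsencrypt/live/haproxy …
      tmp=$(mktemp /etc/ssl/haproxy.pem.XXXXXX)
      trap 'rm -f "$tmp"' EXIT
      cat fullchain.pem privkey.pem > "$tmp"
      mv "$tmp" /etc/ssl/haproxy.pem
    dest: /etc/cron.daily/haproxy-pem
    # … unchanged: owner, group, mode …
```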