-rw-r--r--roles/haproxy/files/haproxy.cfg43
-rw-r--r--roles/haproxy/tasks/main.yml52
-rw-r--r--roles/vcsworker/files/vcsworker.service13
3 files changed, 108 insertions, 0 deletions
diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/files/haproxy.cfg
new file mode 100644
index 0000000..4bb9ebf
--- /dev/null
+++ b/roles/haproxy/files/haproxy.cfg
@@ -0,0 +1,43 @@
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
+
+ acl api path_beg /
+ use_backend api if api
+
+backend api
+ server api_1 127.0.0.1:2222
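Review bot: The `bind *:80` listener in `frontend http-in` serves the `api` backend in cleartext, because nothing sends plain-HTTP clients to the TLS listener; add `redirect scheme https code 301 if !{ ssl_fc }` ahead of the `use_backend api if api` line. The HSTS header set by the `rspadd` line is then only relevant on the TLS side, which is where browsers honour it anyway. The 443 bind disables SSLv3 and TLS 1.0 but still accepts TLS 1.1; `no-tlsv11` would match the AES-GCM-first cipher list above it. `rspadd` has been removed in newer HAProxy releases in favour of `http-response set-header`, so if this config outlives the stretch-era package the line will need updating — the target HAProxy version is not visible in this hunk.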
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
new file mode 100644
index 0000000..f7464c8
--- /dev/null
+++ b/roles/haproxy/tasks/main.yml
@@ -0,0 +1,52 @@
+- name: "add certbot apt repo"
+ apt_repository:
+ repo: "deb http://deb.debian.org/debian stretch-backports main"
+
+- name: "install certbot"
+ apt:
+ name: certbot
+ default_release: stretch-backports
+
+- name: "install daily cron job to create haproxy.pem"
+ copy:
+ content: |
+ #!/bin/sh
+ set -eu
+ cd /etc/letsencrypt/live/haproxy
+ cat fullchain.pem privkey.pem > /etc/ssl/haproxy.pem
+ systemctl restart haproxy
+ dest: /etc/cron.daily/haproxy.pem
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "run certbot"
+ shell: |
+ set -eu
+ certbot certonly \
+ --standalone \
+ --noninteractive \
+ --email "{{ letsencrypt_email }}" \
+ --agree-tos \
+ --expand \
+ --cert-name haproxy \
+ --keep \
+ --pre-hook "systemctl stop apache2 haproxy" \
+ --post-hook "systemctl start apache2 haproxy" \
+ -d "{{ haproxy_domain }}"
+ /etc/cron.daily/haproxy.pem
+
+- name: install haproxy
+ apt:
+ name: haproxy
+
+- name: "install haproxy config"
+ copy:
+ src: haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+
+- name: enable and start haproxy
+ service:
+ state: restarted
+ enabled: yes
+ name: haproxy
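Review bot: The cron script in the `install daily cron job to create haproxy.pem` task writes `fullchain.pem privkey.pem` into `/etc/ssl/haproxy.pem` with whatever umask cron inherits, so the private key most likely ends up world-readable under `/etc/ssl`; add `umask 077` directly after `set -eu` in that script (HAProxy reads the certificate as root before dropping to the `haproxy` user, so 0600 is sufficient). The `run certbot` task is a `shell` step with no `creates`/`changed_when`, so it reports changed on every play, and on the first run its `--pre-hook "systemctl stop apache2 haproxy"` fires before the later `install haproxy` task has installed the unit — whether certbot aborts on a failing pre-hook depends on its version, so that ordering is worth confirming. Two style points: Ansible recommends quoting file modes, `mode: "0755"`, and `enabled: yes` should be `enabled: true`.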
diff --git a/roles/vcsworker/files/vcsworker.service b/roles/vcsworker/files/vcsworker.service
new file mode 100644
index 0000000..d06521b
--- /dev/null
+++ b/roles/vcsworker/files/vcsworker.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=VCS worker
+After=network.target
+
+[Service]
+Type=simple
+User=_wmf
+Group=_wmf
+ExecStart=/srv/wmf-ci-arch/api.py vcsworker /etc/wmf_ci_token.pub /etc/wmf_gitlab_token
+KillSignal=QUIT
+
+[Install]
+WantedBy=multi-user.target
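Review bot: The `[Service]` section runs `api.py` as `_wmf` but applies none of the systemd sandboxing a long-lived worker holding a GitLab token would normally get; add `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true` below `Group=_wmf`. There is also no `Restart=` directive, so a crashed worker stays down until someone notices; `Restart=on-failure` is the usual choice for a `Type=simple` unit. Nothing in this diff creates the `_wmf` account or sets ownership on `/etc/wmf_gitlab_token`, so I am assuming another role does that; the token file needs to be readable by `_wmf` and by nobody else.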