From a0abd4a7aa5e7b3bee5196c5f1085037b9a7aab5 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Thu, 4 Jul 2019 17:53:37 +0300
Subject: Add: haproxy, system files

---
 roles/haproxy/files/haproxy.cfg | 43 +++++++++++++++++++++++++++
 roles/haproxy/tasks/main.yml | 52 +++++++++++++++++++++++++++++++++
 roles/vcsworker/files/vcsworker.service | 13 +++++++++
 3 files changed, 108 insertions(+)
 create mode 100644 roles/haproxy/files/haproxy.cfg
 create mode 100644 roles/haproxy/tasks/main.yml
 create mode 100644 roles/vcsworker/files/vcsworker.service

diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/files/haproxy.cfg
new file mode 100644
index 0000000..4bb9ebf
--- /dev/null
+++ b/roles/haproxy/files/haproxy.cfg
@@ -0,0 +1,43 @@
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
+
+ acl api path_beg /
+ use_backend api if api
+
+backend api
+ server api_1 127.0.0.1:2222
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
new file mode 100644
index 0000000..f7464c8
--- /dev/null
+++ b/roles/haproxy/tasks/main.yml
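Review bot: The `bind *:80` listener in frontend http-in hands cleartext requests to the same backend as :443, and the only TLS floor is `no-sslv3 no-tlsv10` on the :443 bind, so TLS 1.1 is still negotiable. Redirecting cleartext traffic ahead of the ACLs, `redirect scheme https code 301 if !{ ssl_fc }`, gives the Strict-Transport-Security header added by rspadd something to protect, and `no-tlsv11` on the :443 bind (or `ssl-min-ver TLSv1.2` in ssl-default-bind-options on HAProxy 1.8+) closes the remaining downgrade. `acl api path_beg /` matches every request, so `default_backend api` expresses the routing more directly than an ACL that can never be false. Note also that `stats socket ... level admin` allows runtime control of the proxy to anything that can open the socket; the 660 mode and the socket's group ownership are the only guard, so that group should stay restricted to the haproxy account.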
@@ -0,0 +1,52 @@
+- name: "add certbot apt repo"
+ apt_repository:
+ repo: "deb http://deb.debian.org/debian stretch-backports main"
+
+- name: "install certbot"
+ apt:
+ name: certbot
+ default_release: stretch-backports
+
+- name: "install daily cron job to create haproxy.pem"
+ copy:
+ content: |
+ #!/bin/sh
+ set -eu
+ cd /etc/letsencrypt/live/haproxy
+ cat fullchain.pem privkey.pem > /etc/ssl/haproxy.pem
+ systemctl restart haproxy
+ dest: /etc/cron.daily/haproxy.pem
+ owner: root
+ group: root
+ mode: 0755
+
+- name: "run certbot"
+ shell: |
+ set -eu
+ certbot certonly \
+ --standalone \
+ --noninteractive \
+ --email "{{ letsencrypt_email }}" \
+ --agree-tos \
+ --expand \
+ --cert-name haproxy \
+ --keep \
+ --pre-hook "systemctl stop apache2 haproxy" \
+ --post-hook "systemctl start apache2 haproxy" \
+ -d "{{ haproxy_domain }}"
+ /etc/cron.daily/haproxy.pem
+
+- name: install haproxy
+ apt:
+ name: haproxy
+
+- name: "install haproxy config"
+ copy:
+ src: haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+
+- name: enable and start haproxy
+ service:
+ state: restarted
+ enabled: yes
+ name: haproxy
diff --git a/roles/vcsworker/files/vcsworker.service b/roles/vcsworker/files/vcsworker.service
new file mode 100644
index 0000000..d06521b
--- /dev/null
+++ b/roles/vcsworker/files/vcsworker.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=VCS worker
+After=network.target
+
+[Service]
+Type=simple
+User=_wmf
+Group=_wmf
+ExecStart=/srv/wmf-ci-arch/api.py vcsworker /etc/wmf_ci_token.pub /etc/wmf_gitlab_token
+KillSignal=QUIT
+
+[Install]
+WantedBy=multi-user.target
--
cgit v1.2.1
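Review bot: The renewal glue script is installed as `/etc/cron.daily/haproxy.pem`, but Debian's run-parts only executes entries whose names consist of letters, digits, underscores and hyphens, so a name containing a dot is silently skipped and the daily re-assembly of haproxy.pem never runs after the initial playbook call; renaming the dest (and the explicit call at the end of the "run certbot" task) to something like `/etc/cron.daily/haproxy-pem` fixes that. Inside the script, `cat fullchain.pem privkey.pem > /etc/ssl/haproxy.pem` creates the combined file under cron's default umask, so on first creation the private key is most likely world-readable; adding `umask 077` before the cat keeps it root-only, which is sufficient because HAProxy loads certificates before dropping to the haproxy user. Task ordering also looks fragile: "run certbot" ends by executing the script, whose `systemctl restart haproxy` runs under `set -eu` before the "install haproxy" task, so a fresh host probably fails at that step unless haproxy is already present from elsewhere. Stylistically, `mode: "0755"` and `enabled: true` avoid YAML 1.1 implicit-typing surprises.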
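Review bot: The unit runs api.py as _wmf with the GitLab token path on its command line but has no restart policy and no sandboxing, so a crash leaves the worker down and a compromised process keeps the full filesystem view of the _wmf account. A few Service= directives cover both without changing how the worker is started; `ProtectSystem=full` assumes api.py does not write under /etc or /usr, which is not visible here, so check its write paths before enabling it. The permissions of `/etc/wmf_gitlab_token` are not set by this commit; wherever it is deployed it should be readable by _wmf but not world-readable (for example root:_wmf with mode 0640).
```ini
[Service]
# … unchanged: Type, User, Group, ExecStart, KillSignal …
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
```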