---
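- name: haproxy-ssl | Manage OCSP
  # Sets up a daily OCSP stapling refresh for haproxy. Runs only when
  # haproxy_ssl_ocsp_enabled is true; the "Disable the OCSP handling" task
  # in this file covers the opposite case.
  tags: ['haproxy', 'letsencrypt', 'ssl', 'ssl_ocsp']
  when: haproxy_ssl_ocsp_enabled
  block:
    - name: haproxy-ssl | Install the socat binary needed to talk to the haproxy socket
      ansible.builtin.apt:
        name: socat
        state: present
        cache_valid_time: 3600  # only refresh the apt cache if it is older than an hour

    # SECURITY: this fetches a shell script over the network and cron later runs
    # it as root every day. The built-in default points at the moving "master"
    # branch with no integrity check, so whoever can change that file (or sit on
    # the download path) gets root on this host. Set haproxy_ocsp_updater_url to
    # a commit-pinned URL and haproxy_ocsp_updater_checksum to the matching
    # "sha256:<hex>" value. With both variables unset the behaviour is the same
    # as before (unpinned, unverified) so existing inventories keep working.
    - name: haproxy-ssl | Install a script that refreshes the OCSP configuration and reloads haproxy if needed
      ansible.builtin.get_url:
        url: "{{ haproxy_ocsp_updater_url | default('https://raw.githubusercontent.com/pierky/haproxy-ocsp-stapling-updater/master/hapos-upd') }}"
        # get_url checks the downloaded file against this value when it is set;
        # omit() leaves the parameter out entirely when it is not.
        checksum: "{{ haproxy_ocsp_updater_checksum | default(omit) }}"
        dest: /usr/local/bin/hapos-upd
        owner: root
        group: root
        mode: "0755"

    - name: haproxy-ssl | Install a cron job that refreshes the OCSP configuration
      ansible.builtin.cron:
        name: "Refresh the haproxy OCSP information"
        user: root
        cron_file: haproxy_ocsp
        special_time: daily
        state: present
        # Folded scalar: YAML joins these lines with single spaces, so the
        # installed crontab line is the same one-liner as before. Jinja selects
        # the -S flag and the socket path from haproxy_docker_container.
        # ">" truncates /var/log/hapos-upd.log on every run, so only the last
        # run's output is kept. In the docker case $(docker container ls ...)
        # may expand to nothing, in which case "docker kill" is invoked with no
        # container after the refresh has already completed.
        # NOTE(review): "--filter name=" is not an exact-name match as far as I
        # recall, so other containers whose name contains haproxy_haproxy would
        # be signalled too — confirm against the docker version in use.
        job: >-
          /usr/local/bin/hapos-upd
          {% if haproxy_docker_container %}-S{% endif %}
          --cert {{ haproxy_cert_dir }}/haproxy.pem
          -v {{ letsencrypt_acme_certs_dir }}/fullchain
          -s {% if not haproxy_docker_container %}{{ haproxy_admin_socket }}{% else %}{{ haproxy_docker_socket_dir }}/{{ haproxy_admin_socket_file }}{% endif %}
          -v - >/var/log/hapos-upd.log 2>&1{% if haproxy_docker_container %}
          ; docker kill --signal USR2 $(docker container ls --filter name=haproxy_haproxy --quiet){% endif %}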
- name: haproxy-ssl | Disable the OCSP handling
  # Counterpart of the "Manage OCSP" task: when OCSP stapling is switched off,
  # only the daily refresh cron entry is removed. Nothing in this block touches
  # /usr/local/bin/hapos-upd or the socat package.
  when: not haproxy_ssl_ocsp_enabled
  tags:
    - haproxy
    - letsencrypt
    - ssl
    - ssl_ocsp
  block:
    - name: haproxy-ssl | Remove the cron job that refreshes the OCSP configuration
      ansible.builtin.cron:
        # Same name / cron_file / user as the install task, so the entry that
        # task created is the one removed here.
        state: absent
        cron_file: haproxy_ocsp
        name: 'Refresh the haproxy OCSP information'
        user: root
        special_time: daily