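#
# Cookbook:: esh_haproxy
# Recipe:: config
#
# Copyright:: 2022, https://easyself.host
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Installs HAProxy, builds per-country IP ACL files with the bundled
# haproxy_country script (refreshed weekly by a systemd timer that pings a
# health-check URL), fetches the ffdhe4096 DH group, seeds a self-signed
# certificate bundle and renders haproxy.cfg.
#
# Node attributes read, all under node['esh']['haproxy']['config']:
#   maxmind_key    - MaxMind license key. Secret.
#   hc_url         - health-check ping URL. Treat as a secret: anyone who
#                    knows it can spoof success/failure pings.
#   acls, listen, backends, stats_password - handed to the haproxy.cfg
#                    template; stats_password is a secret.

apt_package %w(haproxy whois)

directory '/etc/haproxy/country' do
  owner 'root'
  group 'root'
  mode '0755'
  action :create
end

cookbook_file '/usr/local/bin/haproxy_country' do
  owner 'root'
  group 'root'
  mode '0755'
  action :create
end

# Secrets used by the country-refresh units are kept in a root-only
# environment file instead of inline `Environment=` / ExecStart arguments:
# unit files under /etc/systemd/system are world-readable and `systemctl show`
# prints Environment= and ExecStart= to any local user.
haproxy_country_env = '/etc/haproxy/haproxy_country.env'

file haproxy_country_env do
  content <<~EOE
    LICENSE_KEY=#{node['esh']['haproxy']['config']['maxmind_key']}
    HC_URL=#{node['esh']['haproxy']['config']['hc_url']}
  EOE
  owner 'root'
  group 'root'
  mode '0600'
  # keep the key out of chef-client's resource diff output
  sensitive true
  action :create
end

# First population of /etc/haproxy/country; JP.txt is used as the marker that
# the script has already run successfully once.
execute 'haproxy generate country acl' do
  command '/usr/local/bin/haproxy_country'
  environment('LICENSE_KEY' => node['esh']['haproxy']['config']['maxmind_key'])
  sensitive true
  not_if { ::File.exist?('/etc/haproxy/country/JP.txt') }
  action :run
end

# RFC 7919 ffdhe4096 group (public parameters, so 0444 is fine).
# NOTE(review): this is fetched from a moving `master` ref with no `checksum`;
# pin a commit and set `checksum` to the file's sha256 (or ship the PEM as a
# cookbook_file) so an upstream or in-transit change cannot silently replace
# the DH parameters HAProxy serves.
remote_file '/etc/haproxy/dhparam' do
  source 'https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem'
  owner 'root'
  group 'root'
  mode '0444'
  action :create
end

apt_package 'ssl-cert'

# The bundle below contains a private key, so nothing under crt/ may be
# world-readable. Created before haproxy.cfg so the reload triggered by the
# template already finds the certificate on a fresh node.
directory '/etc/haproxy/crt' do
  owner 'root'
  group 'haproxy'
  mode '0750'
  action :create
end

execute 'add to haproxy default self-signed certificate' do
  # umask 077: the shell redirect would otherwise create the key-bearing
  # bundle with the default 0644 before the `file` resource below tightens it.
  command <<~EOT
    umask 077 && cat /etc/ssl/certs/ssl-cert-snakeoil.pem \
      /etc/ssl/private/ssl-cert-snakeoil.key \
      > /etc/haproxy/crt/ssl-cert-snakeoil.pem
  EOT
  not_if { ::File.exist?('/etc/haproxy/crt/ssl-cert-snakeoil.pem') }
  action :run
end

# Enforce ownership/mode on the bundle (also repairs nodes converged before
# the umask was added). HAProxy loads certificates while still root, so the
# haproxy group only needs read access.
file '/etc/haproxy/crt/ssl-cert-snakeoil.pem' do
  owner 'root'
  group 'haproxy'
  mode '0640'
  action :create
end

# haproxy.cfg embeds stats_password: not world-readable, and its diff is
# suppressed from chef-client output.
template '/etc/haproxy/haproxy.cfg' do
  owner 'root'
  group 'haproxy'
  mode '0640'
  sensitive true
  variables acls: node['esh']['haproxy']['config']['acls'],
            listen: node['esh']['haproxy']['config']['listen'],
            backends: node['esh']['haproxy']['config']['backends'],
            stats_password: node['esh']['haproxy']['config']['stats_password']
  action :create
end

# Ping URL comes from the environment file; `${HC_URL}` is expanded by systemd
# at ExecStart time, not by Ruby (the heredoc only interpolates #{...}).
systemd_unit 'haproxy_country_failure.service' do
  content <<~EOU
    [Unit]
    Description=Notifies HC if haproxy country fail
    [Service]
    Type=simple
    EnvironmentFile=#{haproxy_country_env}
    ExecStart=/usr/bin/curl -fsS -m 10 --retry 5 ${HC_URL}/fail
  EOU
  verify false
  action [:create, :enable]
end

systemd_unit 'haproxy_country_success.service' do
  content <<~EOU
    [Unit]
    Description=Notifies HC if haproxy country succeed
    [Service]
    Type=simple
    EnvironmentFile=#{haproxy_country_env}
    ExecStart=/usr/bin/curl -fsS -m 10 --retry 5 ${HC_URL}
  EOU
  verify false
  action [:create, :enable]
end

# Weekly refresh; OnFailure/OnSuccess fan out to the two ping units above.
systemd_unit 'haproxy_country.service' do
  content <<~EOU
    [Unit]
    Description=Update haproxy country IP range
    OnFailure=haproxy_country_failure.service
    OnSuccess=haproxy_country_success.service
    [Service]
    Type=simple
    EnvironmentFile=#{haproxy_country_env}
    ExecStartPre=/usr/bin/curl -fsS -m 10 --retry 5 ${HC_URL}/start
    ExecStart=/usr/local/bin/haproxy_country
  EOU
  verify false
  action [:create, :enable]
end

systemd_unit 'haproxy_country.timer' do
  content <<~EOU
    [Unit]
    Description=Run haproxy_country on Fridays, 12h random
    [Timer]
    OnCalendar=Fri 00:00
    RandomizedDelaySec=12h
    [Install]
    WantedBy=timers.target
  EOU
  verify false
  action [:create, :enable]
end

# Reloaded as soon as haproxy.cfg changes; dhparam and the crt/ bundle are
# created earlier in this recipe so the reload can reference them.
service 'haproxy' do
  action :nothing
  subscribes :reload, 'template[/etc/haproxy/haproxy.cfg]', :immediately
end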