diff --git a/.gitignore b/.gitignore
index 997ca2f846554a247d3cc3f653e17dd1d5a15ffe..3dc78757678c04a36fad43e701485bfc26c050a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-.vagrant
\ No newline at end of file
+.vagrant
+docker-haproxy-confd
diff --git a/Vagrantfile b/Vagrantfile
index ef870f22d8ab242935d8d4f86dfdc2ea23a522e5..98d4c1892f85cb70631ba3ea092172fffdd09b0a 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -40,6 +40,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 end
 core.vm.hostname = HOSTNAME
+ core.hostsupdater.aliases = ["example.dev"]
 core.vm.network :private_network, ip: "#{BASE_IP_ADDR}.#{i+1}"
 core.vm.synced_folder ".", "/data/infrastructure"
 core.vm.synced_folder "/data/per-user", "/data/per-user"
@@ -47,6 +48,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 core.vm.synced_folder "/data/per-user", "/data/per-user", id: "coreos-per-user", :nfs => true, :mount_options => ['nolock,vers=3,udp']
 core.vm.provision :file, source: "./config/user-data", destination: "/tmp/vagrantfile-user-data"
 core.vm.provision :shell, path: "./scripts/setup.sh"
+ core.vm.provision :shell, inline: "etcdctl set /services/default '{\"app\":\"nginx\", \"hostname\":\"#{HOSTNAME}\"}'"
 core.vm.provision :shell, path: "./scripts/approve-user.sh", args: [HOSTNAME, "nginx"]
 end
 end
diff --git a/config/user-data b/config/user-data
index 2a32c3a16242fa3904e09223ce7101a310139d48..884a03563e4006a92dc1b57927c4d7b74f6f4c67 100644
--- a/config/user-data
+++ b/config/user-data
@@ -3,3 +3,9 @@ coreos:
 update:
 reboot-strategy: best-effort
+ etcd:
+ addr: $public_ipv4:4001
+ peer-addr: $public_ipv4:7001
+ units:
+ - name: etcd.service
+ command: start
diff --git a/scripts/approve-user.sh b/scripts/approve-user.sh
index 1aa01b1f3956ce88c4b837d79a2c1ab221927fd5..86c114a835ad3baba7a42bc0c03591992f668036 100755
--- a/scripts/approve-user.sh
+++ b/scripts/approve-user.sh
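Review bot: `core.hostsupdater.aliases = ["example.dev"]` is only defined when the vagrant-hostsupdater plugin is installed, so on a machine without it `vagrant up` dies with an undefined-method error before any provisioning runs; the assignment is not guarded. Guard it as `core.hostsupdater.aliases = ["example.dev"] if Vagrant.has_plugin?("vagrant-hostsupdater")`. Because the plugin rewrites the host's /etc/hosts (usually prompting for sudo), a one-line comment above it would save the next person a surprise: `# vagrant-hostsupdater edits the host's /etc/hosts so example.dev resolves to this box`. The block that yields `core` starts and ends outside this hunk.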
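Review bot: the inline `etcdctl set /services/default ...` provisioner has no readiness check, and nothing in this diff waits for etcd.service (started from cloud-config) to be listening before the shell provisioners run; etcd is probably up by the time setup.sh has finished its image pulls, but that is a race, and if the `set` fails `vagrant up` aborts. I'd move this into scripts/setup.sh behind a bounded wait such as `for i in $(seq 1 30); do etcdctl ls / >/dev/null 2>&1 && break; sleep 1; done` before the `set`. The literal `nginx` app name is now repeated between this string and the `approve-user.sh` args on the next line; a constant next to HOSTNAME keeps the two from drifting. The block that yields `core` starts and ends outside this hunk.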
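Review bot: etcd is bound on `$public_ipv4` for both the client port (`addr: $public_ipv4:4001`) and the peer port with no authentication, and the `addr`/`peer-addr` cloud-config keys belong to the pre-2.0 etcd generation that has no client auth at all, so anything reachable on the Vagrant private network (the `BASE_IP_ADDR` subnet from the Vagrantfile) can write the `/services` tree. Since the discovery units and the Vagrantfile populate that tree and the haproxy-confd container presumably renders it into the proxy configuration, a write there is enough to steer a site's traffic to an attacker-chosen backend. I can't see from this diff how the confd image reaches etcd, so I won't propose a bind address blindly, but if the container only needs it via the docker bridge, bind the client port there rather than on the external interface. At minimum record the exposure next to the key: `# etcd has no auth: anything that can reach this address can rewrite the haproxy backends`.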
@@ -3,29 +3,3 @@
 # Start service for new site (and create the user)
 systemctl enable $2@$1.service
 systemctl start $2@$1.service
-
-sleep 10
-
-# Configure new site in HAproxy
-IP=`docker inspect --format '{{.NetworkSettings.IPAddress}}' $2-$1`
-
-echo IP address of new container \'$2-$1\' is \'$IP\'
-
-if [ -f /data/per-user/$1/combined.pem ]; then
- echo Importing cert from /data/per-user/$1/combined.pem
- echo TODO: enforce validity check at this point!
- echo Please run scripts/check-cert.sh $1 to make sure it\'s OK
- mkdir -p /data/server-wide/haproxy/approved-certs
- cp /data/per-user/$1/combined.pem /data/server-wide/haproxy/approved-certs/$1.pem
- echo /haproxy-override/approved-certs/$1.pem $1 >> /data/server-wide/haproxy/certs/list.txt
- sed s/%HOSTNAME%/$1/g /data/infrastructure/templates/haproxy-cert.part >> /data/server-wide/haproxy/certs.part
-else
- echo WARNING: TLS cert /data/per-user/$1/combined.pem not found! Not enabling SNI for this domain.
-fi
-
-sed s/%HOSTNAME%/$1/g /data/infrastructure/templates/haproxy-frontend.part >> /data/server-wide/haproxy/frontends.part
-
-sed s/%HOSTNAME%/$1/g /data/infrastructure/templates/haproxy-backend.part | sed s/%IP%/$IP/g >> /data/server-wide/haproxy/backends.part
-
-cat /data/server-wide/haproxy/haproxy-1.part /data/server-wide/haproxy/hostname.part /data/server-wide/haproxy/haproxy-2.part /data/server-wide/haproxy/certs.part /data/server-wide/haproxy/haproxy-3.part /data/server-wide/haproxy/hostname.part /data/server-wide/haproxy/haproxy-4.part /data/server-wide/haproxy/frontends.part /data/server-wide/haproxy/backends.part > /data/server-wide/haproxy/haproxy.cfg
-systemctl reload haproxy.service
diff --git a/scripts/setup.sh b/scripts/setup.sh
index d490795f58737d837484b42b0539e6bb9acd8d0a..03b500a251800881c56aa3d9e4cdc807f40e3e7e 100755
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
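Review bot: `systemctl enable $2@$1.service` and `systemctl start $2@$1.service` splice two unquoted positional parameters into a unit name; the Vagrantfile passes constants today, but the script's name suggests it will be run with user-supplied hostnames, and a value containing whitespace or shell metacharacters becomes extra arguments to systemctl. Validate and quote, e.g. `case "$1" in ""|*[!A-Za-z0-9.-]*) echo "invalid hostname: $1" >&2; exit 1;; esac` followed by `systemctl enable "$2@$1.service"` and `systemctl start "$2@$1.service"`. Separately, the removed block was the only place a per-user `combined.pem` was copied into approved-certs (and it carried the TODO for a validity check); nothing added in this diff replaces that import, so unless confd handles certificates elsewhere, newly approved sites now get no TLS — worth stating explicitly in a comment at the top of the script. The shebang and first lines of the script are outside this hunk.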
@@ -8,21 +8,13 @@ cp /data/infrastructure/unit-files/* /etc/systemd/system
 systemctl daemon-reload
 # Pull relevant docker images
+docker pull pierreozoux/haproxy-confd
 docker pull tutum/mysql
 docker pull tutum/wordpress-stackable
 docker pull tutum/nginx
 # Configure and start HAproxy
-docker pull dockerfile/haproxy
-mkdir -p /data/server-wide/haproxy/certs
-touch /data/server-wide/haproxy/certs/list.txt
-cp /data/infrastructure/templates/haproxy-*.part /data/server-wide/haproxy/
-rm /data/server-wide/haproxy/*.part
-#rm /etc/systemd/system/multi-user.target.wants/*
-touch /data/server-wide/haproxy/certs.part
-touch /data/server-wide/haproxy/frontends.part
-touch /data/server-wide/haproxy/backends.part
-hostname > /data/server-wide/haproxy/hostname.part
-cp /data/infrastructure/templates/haproxy-*.part /data/server-wide/haproxy/
+mkdir -p /data/server-wide/haproxy/approved-certs
+cp /data/infrastructure/scripts/unsecure-certs/*.pem /data/server-wide/haproxy/approved-certs
 systemctl enable haproxy.service
 systemctl start haproxy.service
diff --git a/scripts/unsecure-certs/example.dev.pem b/scripts/unsecure-certs/example.dev.pem
new file mode 100644
index 0000000000000000000000000000000000000000..bb9b92754295c23fc8c215b2cd981cd10b500a2b
--- /dev/null
+++ b/scripts/unsecure-certs/example.dev.pem
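Review bot: `cp /data/infrastructure/scripts/unsecure-certs/*.pem /data/server-wide/haproxy/approved-certs` unconditionally installs key pairs that are committed to this repository — private keys anyone with the source can read — into the directory haproxy serves from, so every host provisioned with this script, not just the Vagrant box, will terminate TLS for example.dev and indiehosters.dev with a public key, and the copy preserves whatever permissive mode the synced folder gives the files. Generate a throwaway self-signed pair at provision time and lock the directory down instead (CoreOS ships an `openssl` binary, but confirm on the box you target). The new `docker pull pierreozoux/haproxy-confd` also carries no tag or digest, so it resolves to whatever `latest` is at provision time; pin a tag or `@sha256:` digest so the proxy you tested is the one you deploy. The script's first lines (before line 8) are outside this hunk.
```shell
# Configure and start HAproxy
CERT_DIR=/data/server-wide/haproxy/approved-certs
mkdir -p "$CERT_DIR"
chmod 700 "$CERT_DIR"
# Dev-only self-signed pairs are generated here rather than committed to git.
for host in example.dev indiehosters.dev; do
  if [ ! -f "$CERT_DIR/$host.pem" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$host" \
      -keyout "$CERT_DIR/$host.key" -out "$CERT_DIR/$host.crt" 2>/dev/null
    cat "$CERT_DIR/$host.crt" "$CERT_DIR/$host.key" > "$CERT_DIR/$host.pem"
    rm -f "$CERT_DIR/$host.crt" "$CERT_DIR/$host.key"
    chmod 600 "$CERT_DIR/$host.pem"
  fi
done
# … unchanged: systemctl enable/start haproxy.service …
```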
@@ -0,0 +1,83 @@ +-----BEGIN CERTIFICATE----- +MIIFjDCCA3QCCQDmo57ouPDhnTANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC +UFQxETAPBgNVBAgTCFBvcnR1Z2FsMQ8wDQYDVQQHEwZMaXNib24xFTATBgNVBAoT +DEluZGllSG9zdGVyczEUMBIGA1UEAxMLZXhhbXBsZS5kZXYxJzAlBgkqhkiG9w0B +CQEWGGNvbnRhY3RAaW5kaWVob3N0ZXJzLm5ldDAeFw0xNDEwMTAxNTA3MDVaFw0x +NTEwMTAxNTA3MDVaMIGHMQswCQYDVQQGEwJQVDERMA8GA1UECBMIUG9ydHVnYWwx +DzANBgNVBAcTBkxpc2JvbjEVMBMGA1UEChMMSW5kaWVIb3N0ZXJzMRQwEgYDVQQD +EwtleGFtcGxlLmRldjEnMCUGCSqGSIb3DQEJARYYY29udGFjdEBpbmRpZWhvc3Rl +cnMubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAm/gbDGFtfMzT +nVZaPBQNl7SqMUMhTlDoR2C24W53QPslLuqBGkatbBs+9jWKGm2XPWeuK0uC2ot6 +fIie72wghFepmzIdAb7SU0lpFVw49dk1nGVHIqwbFA3G6pYL7hY5ocD4HziNKnuj +ZA42a+rjpYl3zx/4GgcWnNyuawlsIMI8rdvuv5Mg77fGaVSXriJKQ1nTJ/Z65CDU +U6c9vzXSGkye3i0gv/8tZ0VA8xgV9FoXsLWhP7NLWDAh5+X/4aJpIFjvwzYSJLBr +3O9siP17NZuJI+7zB6KVlBeoSt2Dmt3k7fG2YrpwTzFlFBMr4Hq6T+wp+Q2J1JQP +Jm1s3lr2vJwmLVKlUspgT+zpuTAsUHOv2xxmbb+8k8ZE5II9IzAcE85C75bvL3An +fG0xQlF2+dOcXgvYFtRyeJ8fCIEjQBkOoUJq4H2inTwM2IYo060FF32jEVgFB5ZP +xuEsxEOGusUmOFsm8dIwaXv/WCPXopt1EGKFcNZWLSMC0jX0d4jZP74D1K0u4VPV +/kkQS6lUCK4qrq6tNm1R4TQlquefbfcwEhE8hVyUGcyDX6FOCL5z4lXal3gyUgbC +B50WrOST4hShb8+cWngcvDTO78kLg/OhqYZZVbpAshcF60sugEYke0xGNArWMQMU +5uxaWqPA3/gA3u4rJfWhLOwFIU+4ewsCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEA +JiUIK43wZ6PHYrinKZu1wgDSbL7g3mNxSf2NiTMbu11J0JvypJc19DZHoSq5S0XH +yalW9Xeml9U8u/zHaciTwAaxWyj/gzqWyLBbd1xHTmdx+WvoG+OjcnYJYelrFzDH +bd4XumR+oHBXUsCiCIyF0d4gJZRUH8OxpDN/dD828FlcmMaeaPBl/xLm1G5ZXnPE +KNA8VR6ylo4w4HayQCjXI6qef29Y9I2Jvt9lREEpR5YoEnc1aj1ZJofeEzISfmhm +3D2BiI2Hx6mMlBwE95D+c9HZZAQyvdPyUdcTto7dOiJUGGt3EqhBRPebhe0HNlj8 +L5h2/w1zChlQKWoFCZ4Uz6AJeibvPMZTEgihWtNWPyRAbjWL39GH1Emb/0m8ydaR +NmQEFL9VApMAsUm0mNHjWZQOTL5PYwgfKloXWMJ+rCd9N54sUUj5tt+Zc7G4irUN +Lnu8fYAaFC2BljANwQdy0H7pkVCYBcwwqvtKsrhX+FBGukkUjMo43FWep+fA82BU +uU6mlnPKm9vRYHC9gkKJejzFNgDZaC7p+xiwOO53oY/mFPgEVoCWwO0zAc1AXaZV +mJkkeYhRWpqmuxvqP+tpXFSfHu2Ee/RKBrrowWDOad3IlWuV7gt7Bo5ZBj+iqbPf 
+Km1Y5oFRF+Kp1NoIL527LHGj7dDV8eXinRIb7CPtbL4= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEAm/gbDGFtfMzTnVZaPBQNl7SqMUMhTlDoR2C24W53QPslLuqB +GkatbBs+9jWKGm2XPWeuK0uC2ot6fIie72wghFepmzIdAb7SU0lpFVw49dk1nGVH +IqwbFA3G6pYL7hY5ocD4HziNKnujZA42a+rjpYl3zx/4GgcWnNyuawlsIMI8rdvu +v5Mg77fGaVSXriJKQ1nTJ/Z65CDUU6c9vzXSGkye3i0gv/8tZ0VA8xgV9FoXsLWh +P7NLWDAh5+X/4aJpIFjvwzYSJLBr3O9siP17NZuJI+7zB6KVlBeoSt2Dmt3k7fG2 +YrpwTzFlFBMr4Hq6T+wp+Q2J1JQPJm1s3lr2vJwmLVKlUspgT+zpuTAsUHOv2xxm +bb+8k8ZE5II9IzAcE85C75bvL3AnfG0xQlF2+dOcXgvYFtRyeJ8fCIEjQBkOoUJq +4H2inTwM2IYo060FF32jEVgFB5ZPxuEsxEOGusUmOFsm8dIwaXv/WCPXopt1EGKF +cNZWLSMC0jX0d4jZP74D1K0u4VPV/kkQS6lUCK4qrq6tNm1R4TQlquefbfcwEhE8 +hVyUGcyDX6FOCL5z4lXal3gyUgbCB50WrOST4hShb8+cWngcvDTO78kLg/OhqYZZ +VbpAshcF60sugEYke0xGNArWMQMU5uxaWqPA3/gA3u4rJfWhLOwFIU+4ewsCAwEA +AQKCAgBGDvYnY4QIsQDFBcrWfbN1V4OzSRIm2ZTcqwa60CHlIGqdXlzLbr/rdXmc +ooP8RwnOXUoQzIRkoo5MbhnmNc2NZMscmTAKXqqfGrSHEbvMQtsf+yYu3tvy8BVP +vkJxma4diE5rx70xPgQwp2muo/3Jl6wnb5bEKjbwEviNv9fABz+2YLond3Et/IC1 +Q3g2kdSF2E1PABpHaq+1O8QypXxQr+YUqnSxiW/dmXAJQeJqtiU6DPv3XxQS8tvo +DJoZwhgynYBlUV5o+I4a2bkI98NmWw0JBQZJgbBqqw2/Qy0gXVe9wftI8bINAIUE +tW/aD4as68oWwwwMXs1HV5O1dWqqrncx9SGNUSO+oqZPzjPBUtGpBj8sBOA6AgaU +ohnUhx4NLd3KEl+3yLgyv16VsW3XkOCCdtEwKfhLMfPM95LtOx0z1YsGP2DHQIb1 +Q7lv81n5YCThIBxiRbDi46GgOAFukORb7rKfzu18qxiWyLLJ79QyONCdDZWU2jgA +8t3Fwzv28nXIetfxoRj8v0+B3NPxWS2StZ8Gltj/zVdbqiUyAU4TeV655la9bI2R +5NEQWW0q66BdJsSEnJ+6etM3yvaJ6rGw0Fz28JJuIwmc2uod14MgXFv3/ylg3bBK +Ddhuaw78iOz+hYq2rOk6xGB1q+HTTc61bFe1iKouTrVKT2jBoQKCAQEAyzfVyfzv +NS43ZcEe/MC+S8+zbjoxsS6b57hB6+lyokz2/YmliTpsmMgHnPSAWDUtXanGQjFY +IsDpt3r1x9wyOuNblKN4Xj/LqK+8ZS+qIwmFc84r9b7I8Evm3YOsYkUSRoroDhz1 +eU09Df0YdLJaSTcJTvMm2LX+h3Yy6UTkHAg8nxI3PDF4SonV4QSf1LDWw1HGPiLv +quBPHGOrgcXvEpNOuOCzjmW90LKrRyk1V1rX9F+8e+Dr1rWpJKLFYVz6DgB5NFEI +rlz3PaZwQSdaeTMURt2Z9MErC3GHtGc+saf1vLdhQjoD2KAwG9FsqdtiaGX86Qh0 +3Llblry0FkOHQwKCAQEAxHqkuAWS9DOcZPTs4VlQHItnHI+qRcp8hQZtz/8R204O 
+x8IbmMc7BQLLNKZj8yOP13d1uL+2RB3wJON6Z+GzfwLPG5ZuaklZv1j0c1r6/WZf +E9AMxO3IgC0o5tYxfB9JIPUfDbm7fpm2EZvlIK//29m5iC5Ii6E9PIbWenTjXpvy +NjDzRJDXoEa7lDzY0nKdwiiDrK+Hfte2CkS+4ESQALw8l84B8EPJ9mXFiFR4l6CG +ZlI8uLdb/FraChC1qgOknonEGS7WLwfxKhXoEo2X0cTDjR7awUtrXVB0yfpEGzsu +gxvmDMKudwBGM6BotkLuE337t44gUajiG/GB7syMmQKCAQEAuHespzfkY9/aBZHy +cPj9RI/7jplgtjda6lLF9EHq/wziP2+NRi40mdMppf4D6w4KajVMdJWaLaH0Bcum +A5AMQIxVe22QO+2pDyzG1QsZY8imzWJfYSmX+RjNLlLyThno5wP8daMv6LaGL4aJ +hpTHhCJjXrk1kA5UR96xhDI25oNLlBHS9d7qFK9d6G5sL4N+z7oRPCI2cGRBK8IF +0z07MR9qnEPMefw8+47UDzqG4w7hbUDiNYkMS9CHA2yFw0XE7qTbYPQV70EQZXQJ +/fqdE9ucEl/h+tzGGBMsXkRCEr4mQPItZRKIn0F5qibGfsFYaO/7TgWRHzNawk/1 +ISiXRQKCAQBGXBkSoURf2P+fk6okhORQZId3TedO+NUgmg3HF3OgklJurI9PZcE3 +6Sk14IQYdNq08V2h3F18BTCTNTcHbmbmC+541aUSwNO31zYq/SC2j+tqX+3Cs9hC +NmnYSEoORfHdMIp/UszW6Fqv8aDa1MwOQejT4KcwAXy5aRvzXFpz7eqOB3eGTUw6 +ZDoWOrf2nP7robCNrYobHUpeYQHts//Rk5crUaWWEeCIMSfMy1soCV830ylViKwT +McG1KwizKnzQHUuxLPmce/6b8J5bzoLYptrUdYEnCUgYcZBxKAMtsULVxq7aUPlD +OkDpif8VjeBN8Kass+PU+mKGWTULfAq5AoIBAQCRd1bJmD/nAB90B19yzat7i1eZ +r6BUpMQ6vTMDA/u9uxn7A92kcZ6PFIPN3ez4ThIgSonAQHBKQYIblrDgPEQ/ixqe +YoKmvVQg5/fEXcpBZbKy3oNr437ZDWShbkPVsV7SvIsye3ckFQf/ASSOtKLY6E2Z +YQC1S9lXaIv7LOpZpIbGnrQuw/uXkuuW682vIjOsS+zGaq+UdLHVv0ZcTqbbmurh +HaWktTlH8htMK65JgvRv2Ze4a+xe83vCtinmK45yFdFJvkyVkTGGtE7wVeKaCyH/ +2PRNVB8SMzV2lmvsr0jXi7FS8slvxzsLeMbLe+sYStIhatOYoBggnhSi/p9j +-----END RSA PRIVATE KEY----- diff --git a/scripts/unsecure-certs/indiehosters.dev.pem b/scripts/unsecure-certs/indiehosters.dev.pem new file mode 100644 index 0000000000000000000000000000000000000000..a40918d145cbf5ba8a6f302c5c1cea0b0dab445f --- /dev/null +++ b/scripts/unsecure-certs/indiehosters.dev.pem 
@@ -0,0 +1,83 @@ +-----BEGIN CERTIFICATE----- +MIIFljCCA34CCQDXgLjASWHpmDANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMC +UFQxETAPBgNVBAgTCFBvcnR1Z2FsMQ8wDQYDVQQHEwZMaXNib24xFTATBgNVBAoT +DEluZGllSG9zdGVyczEZMBcGA1UEAxMQaW5kaWVob3N0ZXJzLmRldjEnMCUGCSqG +SIb3DQEJARYYY29udGFjdEBpbmRpZWhvc3RlcnMubmV0MB4XDTE0MTAxMDE0MzY1 +NVoXDTE1MTAxMDE0MzY1NVowgYwxCzAJBgNVBAYTAlBUMREwDwYDVQQIEwhQb3J0 +dWdhbDEPMA0GA1UEBxMGTGlzYm9uMRUwEwYDVQQKEwxJbmRpZUhvc3RlcnMxGTAX +BgNVBAMTEGluZGllaG9zdGVycy5kZXYxJzAlBgkqhkiG9w0BCQEWGGNvbnRhY3RA +aW5kaWVob3N0ZXJzLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AKBOylYEoL1P3q7skTJsRA8yQj6fVHWHS3kPg6tcVavZawc6tRxIiDc41/EWjL7i +Owb6io2UbKaD/g8695CFER9FvcW1iukrC/tUV5/AVd0SDcvS3RnGUndKh82HCNrM +rUDU/XH8smEpfjuXrq0YPuiGbY1zSLQKirjYTiasJODfGkxSbobNfjdL7aEo+3HX +BQq5mGIj9A4PYmeyFGkHCN8tRvf4lY1KfPJoWtDL4kmO4SFNZ4FAehH9AJ6vTN8y +MFcHtFzpp2636TYTBQsLu48nrKs6MqOOyU0R/Ufw9QjiWDLo3Co6pcCTmVf16skO +odg9BNdEhMXefpiEE1NOL6ZOkSUG5WSY0Q5Il649QcJOYzw2A0Nk3IOxoIexXat4 +siCgSlNfgyRmBn5HNcZo5aEDf9+3gEqFzEFSyH3ClIApC7RePbpPvsCAgpagBOXC +PgO2w2VW9HfNHkwpF3Yqn7cqw0FQKwKREufVdnSvs9fgFlMZnqA3sMym8o99Fcvq +WBaTuh54ePfNGmawPt1N8vUZUYXXOasWKmnjfan3S1rsNAf5M2ntLqEJRDwihdSm +ZSO+B51hDO5jzHoqxHwA71CwUAp4hRO83xR6ziB1KR2834I/7LBzbpZ0EWm9adez +8V+dwgBhTt0LYEUGLJN22XRi9d4RPhnRJpSLPV/h0Fa/AgMBAAEwDQYJKoZIhvcN +AQEFBQADggIBAFzYeGiomhKZW//aUM4V4RLMVIf0B4uixSMxZGQIUWVtYckmyG2N +t8qNBHAQ3gl811NqnqestIQ4DpGkNQRCv/iDa5OwdLJHTOQUxajUE/1xmidHtpzR +ReBZvW48k0dLEM2gmIrt7qQwqqecjlWjvSQlvJxYWrn6TBAkFL6Quu8gfoPK9/cE +HG/aRQ0PCywGV20LSZ+J03LN7MlACClgVTB7dJuWIN0dNi7TsqpIupk11ZQ3ybBY +WPQmLnIiCAijL69kBmBynLvJT5XDy2C4ChyzZ5Y73CXhgJwCqOZJwbO7Doig9PZQ +yVLtui18W3uVQ7ZlIxCAQUeFzSkZf3/XNlr2FkP+efw4LLGH8kiKMsyKuoLuthO1 +1YrXvI0sjuDOxQwrlNQ2CLVANLBpUMH2U1aiYbA6iICSHr8ORAc84StgG9mFLeyN +w32/04MGPvZfset8gRCOuvA2sLTjylqh0IpaPWlnT77neqOFtETtzJ+3UuOcdfnN +t2bxqimHT8WhBB823WajWlLdXcc902e9LLhe9M1/bwOqFIIlKDqtCndjyXpe/qhA +s0YB8TqJLxJQqvdnmYiBFfGrDTgNBpjt6AKJHRGd4xgsYsmQ3zLJ0Z8mNNQhlLf/ 
+osGXa2s/ZX7ernfvSDQIOB70gohCLFtBok0unyBJhtHxXmZ7UmpuIanx +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAoE7KVgSgvU/eruyRMmxEDzJCPp9UdYdLeQ+Dq1xVq9lrBzq1 +HEiINzjX8RaMvuI7BvqKjZRspoP+Dzr3kIURH0W9xbWK6SsL+1RXn8BV3RINy9Ld +GcZSd0qHzYcI2sytQNT9cfyyYSl+O5eurRg+6IZtjXNItAqKuNhOJqwk4N8aTFJu +hs1+N0vtoSj7cdcFCrmYYiP0Dg9iZ7IUaQcI3y1G9/iVjUp88mha0MviSY7hIU1n +gUB6Ef0Anq9M3zIwVwe0XOmnbrfpNhMFCwu7jyesqzoyo47JTRH9R/D1COJYMujc +KjqlwJOZV/XqyQ6h2D0E10SExd5+mIQTU04vpk6RJQblZJjRDkiXrj1Bwk5jPDYD +Q2Tcg7Ggh7Fdq3iyIKBKU1+DJGYGfkc1xmjloQN/37eASoXMQVLIfcKUgCkLtF49 +uk++wICClqAE5cI+A7bDZVb0d80eTCkXdiqftyrDQVArApES59V2dK+z1+AWUxme +oDewzKbyj30Vy+pYFpO6Hnh4980aZrA+3U3y9RlRhdc5qxYqaeN9qfdLWuw0B/kz +ae0uoQlEPCKF1KZlI74HnWEM7mPMeirEfADvULBQCniFE7zfFHrOIHUpHbzfgj/s +sHNulnQRab1p17PxX53CAGFO3QtgRQYsk3bZdGL13hE+GdEmlIs9X+HQVr8CAwEA +AQKCAgEAgDpF8sRE5ukqUHV+Nv0O+7DR+FFuN4x/PFjCk6GKDaodyGyXTgZenv1j +Db9h2ZYQbSafCVy+A/v0jq42NG2cIo2gnLL4aEY8kU8HwAsTI4A7dNw4a1ONx0ng +ku/+jzXFJ+S2ziS5cqrEBFryKBcKyugsXUbn0svT5sNuz9RGs3ECEialrkJVQVoE +vDKR3p+Fsux+DZKAt3Zq2lNBrDkqSYpoCBXZWmlIxIXgjr9nRDt7rS3DK0ot2pGr +m0LRlH8K17Kb/O4RNaj6bHyOPiWmY33yygwFUXr3XiSTmqYM+oxCzIYjBcxfpUjr +EcbthOGlZ9h3NNHj+npcfRa4dpxF09c8gW2AVG+nXVhciZpcnLDZ5z/Nd/510axU +0m0PlCPfh+3L5tiia9k7zlRxjyzER/GofNiJ6v8oo8YZFvhVdbBBQoGs8aadSLH9 +5Kf3fPwm8ZhmmOTVWbFJZul/3o0Ho3yFxMVMq86Qu8Pm+h6Q1Pn7yZsXMg/ECXP/ +/ErBaWA+zuBZkgCSbdZk58cxkN45PGWGkoHHACVUvCbG8IuYQ989JeCy5w01FgFV +IXm4squNtWgyhLZgvkhl2Hnc4pR+iYJRgh+ouyv7nELQde7hpM6YJLLUpMfjo7r5 +lJyWasZtb9E4iEl4/JrdQYMJCDEyBfDN6sTKr1Ai2txjzQA4uOECggEBAM9LDpJ+ +RR+b1rdYgtS6VL5OR1bWUHSi1W9L8Xz20wSQGbRxfEJfWmSslOU0COXvA01eOxQ9 +OvHcWxISiHdiM3QxpYNtbsgATCQbsSgegMHpbaEgJPadEkUWxdWejbtpA1ypKmGg +iFB5H5IIcz65wWNFC3g29wrXyBsRevi+K/PTbwOzOlad7AAcbuuHiv73wxi5xo1P +i6IZfjgQMKzD9AJbACAAqyvg70XT+3vlIo5ABKOw1kLuejbNBaXd1af7OfVXReL7 +BGGJmG6IzI0qP9q7fX3Iq4Gx34Sf0TSomSyW4kxtsDMPXVURMU4ssxeshh0zYFsZ +GQgsr36mOW5cvbkCggEBAMX5gJTrAW47GgObnQWtYIHRvYO0g7Ge1fN12VzHLiap 
+3a3RfhEDTVKkiugO1GxRC1NY0tcDUwrUzS/00ovDZ/8dVqMHITFj6zfA8aX6vnzA +TnoUWINawPxFBB6FrEuXyGIVbykinuvFyk+z/DzgKzL8X5MaLymYSV+eT+9jjLHO +pJ37S86evkljq24Ow6KB1rKb8mMsk8GDZB4JalDdGWzlG1qJkHMg7ULkEHx2lDTW +mcuHwRtMimFPCBGqH0i+p3O1IUkodJPNYbldrEfAkzRdD4lH9B+DNYBgxP4FWhY2 +d9DTHAGCa9ZV0HjnGgPOILRmV69+9yQhNhu5010qNDcCggEABq1VP9S/Z0A+z1MT +i8SgvCyLUbm/h7JDC723fp34uBnoKg7JwN2PbNS+Sw+9BaMISTKy1nkOcAH4EQH1 +0Vqha6m5uh0JR3ny+erGbxNkdFqPhHQjnKn8j6snHjVoPVQpno94ZQKlwWnVYX/S +LoAPQaJUtz+V/4xpzq1md6Kwib8SwVzBkU6u7mX8EKwiBwp2B1LcmWqphcQqc6XZ +24bIUlcaDu3Wlag+LNKiNCByV4CqZZdpn2hNGXzLJMebfTizajqwbppFTtr+xPi1 +Fgr5WZNWfHm9RIU1PPFk7LxNisklau7RkSN6jyXpn6oC7s1I2KHyBZ0uWDwQPxUd +nndwSQKCAQA/gmrdWwZ6djtCLQmSaKws+TvypFYbBPldwNCaEsubW6Lhv/LRQl3r +xR1KlHdQyC757eS1VTuundW1LLTeYTFbhe3lHsRnM8ahfCQJOwcgvhBu2VgLy3Fd +fEZ2BCvhlC+UR4wBhjm1KR5dsz+Xx9IT6SI/7oZysYfYRNEf2q+n2sK0a4lGH2ar +5G16QQJBf6WAZsa7SfGcgqn7eMnCZytg456CzN6qEEYMz1z6kI+6450yzboFJ+i8 +jr3n7Mtcas0NMW4cKf477AcNkB9UZVLT2YbCY3LNKSpgpKqNUuozdgW51/+D/HLb +r2vRXVHbJqUXOj2m7vQZgw34lwRXPtLBAoIBAChJgVltpcWKUWqltYXCQsdPPbb4 +DQMb4bb2vV2iON2kl+UlcCdhr0f5yWoAyKjs49lcHBN2Ny4zVR0vIu/IDeX47Fx7 +n0OfcFgcnqiqiFhXkWGcfU2JHq/q5tmk5M04aCgkFM8IyEsG6ZLoi849Km9r8quu +VfclpJ6SsMGnWo/A2eIVP9GsfqRys9ZWKJ9inZRP5Lmx6pCZa12Mn6ey0h/kxOqh +ruJQDdV0O4PsvZhTQFhahSVyNmSKnLguq3zsyBwKRsNI9TVXMv/hs0nnwfFgtBK1 +K61c7AL4+9dtAWEnuwqy/1srZEeBr/jgTqyFyr+GQFYUMuE/uXNKCDWlIRI= +-----END RSA PRIVATE KEY----- diff --git a/templates/haproxy-1.part b/templates/haproxy-1.part deleted file mode 100644 index 98656d8e7feb58d8a2aaf90bc4a210ba6aa65375..0000000000000000000000000000000000000000 --- a/templates/haproxy-1.part +++ /dev/null 
@@ -1,20 +0,0 @@
-global
- log 127.0.0.1 local0
- log 127.0.0.1 local1 notice
- maxconn 4096
- user haproxy
- group haproxy
-
-defaults
- log global
- mode http
- option httplog
- option dontlognull
- retries 3
- timeout connect 5000
- timeout client 50000
- timeout server 50000
-
-frontend https-in
-mode http
- bind *:443 ssl crt-list /haproxy-override/certs/list.txt crt /haproxy-override/approved-certs/
diff --git a/templates/haproxy-2.part b/templates/haproxy-2.part
deleted file mode 100644
index 84d9fb6cc9885c8c43d93f0b7d6dec87087e4bf9..0000000000000000000000000000000000000000
--- a/templates/haproxy-2.part
+++ /dev/null
@@ -1,4 +0,0 @@
-/combined.pem
- reqadd X-Forwarded-Proto:\ https
-
-
diff --git a/templates/haproxy-3.part b/templates/haproxy-3.part
deleted file mode 100644
index b6fd987701479e7c5eba2426cddf0517f6b3abc1..0000000000000000000000000000000000000000
--- a/templates/haproxy-3.part
+++ /dev/null
@@ -1 +0,0 @@
-default_backend
diff --git a/templates/haproxy-4.part b/templates/haproxy-4.part
deleted file mode 100644
index f4c239838875f2b558fefe1e25c52bc3f0cef8b6..0000000000000000000000000000000000000000
--- a/templates/haproxy-4.part
+++ /dev/null
@@ -1,4 +0,0 @@
-
-frontend http-in
- bind *:80
-
diff --git a/templates/haproxy-backend.part b/templates/haproxy-backend.part
deleted file mode 100644
index f0755d05edfe756c8e221004afb457007af28e6e..0000000000000000000000000000000000000000
--- a/templates/haproxy-backend.part
+++ /dev/null
@@ -1,7 +0,0 @@
-
-# %HOSTNAME%:
-backend %HOSTNAME%
- cookie SERVERID insert nocache indirect
- option httpclose
- option forwardfor
- server Server %IP%:80 cookie Server
diff --git a/templates/haproxy-cert.part b/templates/haproxy-cert.part
deleted file mode 100644
index 5e706c118cbd884fcdd08937c267ac9f7edb6b5c..0000000000000000000000000000000000000000
--- a/templates/haproxy-cert.part
+++ /dev/null
@@ -1,4 +0,0 @@
-
-# %HOSTNAME%:
- acl https_%HOSTNAME% hdr_end(host) -i %HOSTNAME%
- use_backend %HOSTNAME% if https_%HOSTNAME%
diff --git a/templates/haproxy-frontend.part b/templates/haproxy-frontend.part
deleted file mode 100644
index 2992b1b0ef92682757cbd7696a9395b13f973986..0000000000000000000000000000000000000000
--- a/templates/haproxy-frontend.part
+++ /dev/null
@@ -1,4 +0,0 @@
-
-# %HOSTNAME%:
- acl is_%HOSTNAME% hdr_end(host) -i %HOSTNAME%
- use_backend %HOSTNAME% if is_%HOSTNAME%
diff --git a/unit-files/haproxy.service b/unit-files/haproxy.service
index 856c2b93eebcacc1e4ae427e81d3362847a57ca6..d32f36944a543e4c1937b9a0a8638831197ed9a2 100644
--- a/unit-files/haproxy.service
+++ b/unit-files/haproxy.service
@@ -12,8 +12,8 @@ ExecStart=/usr/bin/docker run\
 --name %p\
 -p 80:80\
 -p 443:443\
--v /data/server-wide/%p:/haproxy-override\
-dockerfile/haproxy
+-v /data/server-wide/haproxy/approved-certs/:/etc/haproxy/approved-certs\
+pierreozoux/haproxy-confd
 ExecReload=/usr/bin/docker restart %p
 ExecStop=/usr/bin/docker stop %p
diff --git a/unit-files/nginx-discovery@.service b/unit-files/nginx-discovery@.service
new file mode 100644
index 0000000000000000000000000000000000000000..0f9383c35b92552a31c99f6117f91a5d759b98ac
--- /dev/null
+++ b/unit-files/nginx-discovery@.service
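Review bot: the new bind mount hands the private keys under approved-certs to the container read-write, so a compromised proxy process could replace or exfiltrate-then-alter them; add `:ro`, i.e. `-v /data/server-wide/haproxy/approved-certs/:/etc/haproxy/approved-certs:ro\`. The image reference `pierreozoux/haproxy-confd` has no tag or digest, so every pull or restart may run different code — pin it. Nothing in this unit passes confd an etcd endpoint and, unlike the new discovery units, it gained no `After=`/`Requires=etcd.service`, so I assume the image relies on a built-in default address; if that is the case it deserves a comment in the unit, and the ordering dependency should be declared. The `[Unit]` section and the start of `ExecStart=` are outside this hunk.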
@@ -0,0 +1,36 @@
+[Unit]
+Description=%p for %i etcd registration
+
+# Requirements
+Requires=etcd.service
+Requires=nginx@%i.service
+
+# Dependency ordering and binding
+After=etcd.service
+After=nginx@%i.service
+BindsTo=nginx@%i.service
+
+[Service]
+
+EnvironmentFile=/etc/environment
+TimeoutStartSec=0
+# Start
+## Test whether service is accessible and then register useful information
+ExecStart=/bin/bash -c '\
+ sleep 3; \
+ while true; do \
+ app=`echo %p | cut -d"-" -f1`; \
+ ip=`docker inspect --format \'{{.NetworkSettings.IPAddress}}\' $app-%i`; \
+ curl -f $ip; \
+ if [ $? -eq 0 ]; then \
+ etcdctl set /services/$app/%i \'{"ip":"\'$ip\'", "port":"80"}\' --ttl 30; \
+ else \
+ etcdctl rm /services/$app/%i; \
+ fi; \
+ sleep 20; \
+ done'
+
+# Stop
+ExecStop=/bin/bash -ceux '\
+ app=`echo %p | cut -d"-" -f1`;\
+ /usr/bin/etcdctl rm /services/$app/%i
diff --git a/unit-files/nginx@.service b/unit-files/nginx@.service
index 5795ce8621a69abae2a64d7b8a806fd5737b17c5..c91765d016d40c02d9511678a69b4a457546c20c 100644
--- a/unit-files/nginx@.service
+++ b/unit-files/nginx@.service
@@ -2,8 +2,11 @@
 Description=%p-%i
 After=docker.service
 Requires=docker.service
+Requires=etcd.service
 Requires=%p-importer@%i.service
 After=%p-importer@%i.service
+Requires=%p-discovery@%i.service
+Before=%p-discovery@%i.service
 [Service]
 Restart=always
diff --git a/unit-files/wordpress-discovery@.service b/unit-files/wordpress-discovery@.service
new file mode 100644
index 0000000000000000000000000000000000000000..94b2cd219d254d96ee0f610de36e099b78951d23
--- /dev/null
+++ b/unit-files/wordpress-discovery@.service
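Review bot: the `ExecStop=` command appears to have no closing `'` — the file ends at `/usr/bin/etcdctl rm /services/$app/%i` and the quote opened on `ExecStop=/bin/bash -ceux '\` is never balanced — and systemd rejects an `Exec*=` value with unbalanced quoting, so the deregistration on stop is silently dropped and a stopped site lingers in etcd (and in the proxy) until the 30 s TTL expires. Close it: `  /usr/bin/etcdctl rm /services/$app/%i'`. In the loop, `curl -f $ip` has no timeout while the key's TTL is 30 s and the loop sleeps 20 s, so a single slow probe lets the key expire and the backend flap out; use `curl -sf --max-time 5 "http://$ip/"` and keep the TTL comfortably above the loop period. The `-x` in `-ceux` also traces every command into the journal, which is noise once this works.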
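Review bot: `Requires=%p-discovery@%i.service` makes the nginx container's lifetime depend on its registration side-car while the side-car already declares `Requires=`/`BindsTo=nginx@%i.service` in the other direction; with `Requires=` in both directions, stopping or failing the discovery unit (for example while etcd is unreachable) also takes the site down. `Wants=%p-discovery@%i.service` on this side keeps the `Before=` ordering and still pulls the side-car in, without coupling the site to registration failures. The added `Requires=etcd.service` is likewise stronger than a container that never talks to etcd needs, and with no matching `After=` it orders nothing. The `[Unit]` header and the rest of `[Service]` are outside this hunk.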
@@ -0,0 +1,36 @@
+[Unit]
+Description=%p for %i etcd registration
+
+# Requirements
+Requires=etcd.service
+Requires=wordpress@%i.service
+
+# Dependency ordering and binding
+After=etcd.service
+After=wordpress@%i.service
+BindsTo=wordpress@%i.service
+
+[Service]
+
+EnvironmentFile=/etc/environment
+TimeoutStartSec=0
+# Start
+## Test whether service is accessible and then register useful information
+ExecStart=/bin/bash -c '\
+ sleep 3; \
+ while true; do \
+ app=`echo %p | cut -d"-" -f1`; \
+ ip=`docker inspect --format \'{{.NetworkSettings.IPAddress}}\' $app-%i`; \
+ curl -f $ip; \
+ if [ $? -eq 0 ]; then \
+ etcdctl set /services/$app/%i \'{"ip":"\'$ip\'", "port":"80"}\' --ttl 30; \
+ else \
+ etcdctl rm /services/$app/%i; \
+ fi; \
+ sleep 20; \
+ done'
+
+# Stop
+ExecStop=/bin/bash -ceux '\
+ app=`echo %p | cut -d"-" -f1`;\
+ /usr/bin/etcdctl rm /services/$app/%i
diff --git a/unit-files/wordpress@.service b/unit-files/wordpress@.service
index ddbae3639e57023b9bc485c266709258d6524049..19d108327f8c9feb17427b8416cf4d73af750417 100644
--- a/unit-files/wordpress@.service
+++ b/unit-files/wordpress@.service
@@ -1,11 +1,16 @@
 [Unit]
 Description=%p-%i
 After=docker.service
+
+Requires=etcd.service
 Requires=docker.service
 Requires=mysql@%i.service
 After=mysql@%i.service
 Requires=%p-importer@%i.service
+Requires=%p-discovery@%i.service
+
 After=%p-importer@%i.service
+Before=%p-discovery@%i.service
 [Service]
 Restart=always
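Review bot: this file is a copy of nginx-discovery@.service with only the three `nginx@%i` dependency lines changed, so it carries the same apparently unbalanced quote in `ExecStop=` — the last line `  /usr/bin/etcdctl rm /services/$app/%i` never closes the `'` opened on the `ExecStop=` line, which makes systemd drop the command and leaves stale keys until the TTL expires — and the same untimed `curl -f $ip` racing a 30 s TTL with a 20 s sleep. Fix both copies together: `  /usr/bin/etcdctl rm /services/$app/%i'` and `curl -sf --max-time 5 "http://$ip/"`. Since `app` is derived from `%p` at runtime, a header comment such as `# Keep in sync with nginx-discovery@.service; only the wordpress@%i dependency lines differ` would help until the two are generated from one source.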
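Review bot: as in nginx@.service, `Requires=%p-discovery@%i.service` together with the side-car's own `Requires=`/`BindsTo=wordpress@%i.service` forms a mutual hard dependency, so a failure of the registration loop (e.g. etcd down) stops the WordPress container as well; `Wants=%p-discovery@%i.service` is the usual choice for a helper the application should outlive. The added `Requires=etcd.service` has no `After=etcd.service`, so it expresses no ordering — either add the `After=` or drop it, since only the discovery unit talks to etcd. The two blank lines inserted between the dependency keys also split the `Requires=`/`After=` pairs for the importer; keep each pair adjacent. The `[Service]` section continues outside this hunk.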