Use the new ACME-generated certs (#615)

Author: JacobCoffee

Vagrantfile

@@ -11,7 +11,7 @@ SERVERS = [
   {:name => "docs", :codename => "noble"},
   {:name => "downloads", :codename => "noble"},
   {:name => "hg", :codename => "noble"},
-  {:name => "loadbalancer", :codename => "noble", :ports => [20000, 20001, 20002, 20003, 20004, 20005, 20010, 20011]},
+  {:name => "loadbalancer", :codename => "noble", :ports => [20000, 20001, 20002, 20004, 20010, 20011]},
   "mail",
   "moin",
   "planet",

pillar/base/firewall/loadbalancer.sls

@@ -11,18 +11,9 @@ firewall:
   http_2:
     port: 20002
 
-  http_3:
-    port: 20003
-
   http_4:
     port: 20004
 
-  http_5:
-    port: 20005
-
-  http_6:
-    port: 20006
-
   http_map:
     port: 20010
 

salt/haproxy/config/haproxy.cfg.jinja

@@ -92,15 +92,14 @@ frontend main
 
     # HTTPS Binds
     # Advertise http/1.1 over NPN to enable TLS False Start
-    bind :20003 ssl alpn h2,http/1.1 crt star.python.org.pem
-    bind :20005 ssl alpn h2,http/1.1 crt star.pypa.io.pem
-    bind :20006 ssl alpn h2,http/1.1 crt speed.pypy.org.pem
-    bind :20007 ssl alpn h2,http/1.1 crt star.pycon.org.pem
-    bind :20008 ssl alpn h2,http/1.1 crt jython.org.pem
-    bind 0.0.0.0:443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
-    bind :::443 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem  crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
-    bind :20010 ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
-    bind :20011 accept-proxy ssl alpn h2,http/1.1 crt star.python.org.pem crt star.pycon.org.pem crt star.pypa.io.pem crt star.pyfound.org.pem crt speed.pypy.org.pem crt jython.org.pem crt salt-public.psf.io.pem crt planetpython.org.pem crt bugs.python.org.pem
+    {% set acme_certs = [] -%}
+    {% for domain in salt["pillar.get"]("tls:acme_cert_configs", {}).keys() -%}
+    {%- set _ = acme_certs.append("acme-" ~ domain ~ ".pem") -%}
+    {% endfor -%}
+    bind 0.0.0.0:443 ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}
+    bind :::443 ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}
+    bind :20010 ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}
+    bind :20011 accept-proxy ssl alpn h2,http/1.1 {% for cert in acme_certs %}crt {{ cert }} {% endfor %}
 
     # Define a stick table for all services
     stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)