HAProxy requires certificate files to contain both the fullchain (cert + intermediate CA) and the private key concatenated together. Changes: - haproxyctl: Fix cert_add to create combined .pem files - haproxy-sync-certs: New script to sync ACME certs to HAProxy format - haproxy.sh: ACME deploy hook for HAProxy - init.d: Sync certs before starting HAProxy - Makefile: Install new scripts, add cron job for cert sync This fixes the "No Private Key found" error when HAProxy tries to load certificates that only contain the fullchain without the key. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Makefile
# SPDX-License-Identifier: MIT
# SecuBox HAProxy - Load Balancer & Reverse Proxy in LXC
# Copyright (C) 2025 CyberMind.fr
include $(TOPDIR)/rules.mk
# Package identity. These assignments sit between the two include lines of this file.
PKG_NAME    := secubox-app-haproxy
PKG_VERSION := 1.0.0
# Packaging revision, separate from PKG_VERSION.
PKG_RELEASE := 14

PKG_MAINTAINER := CyberMind <contact@cybermind.fr>
PKG_LICENSE    := MIT
include $(INCLUDE_DIR)/package.mk
# Package metadata: menu placement, title, architecture and runtime dependencies.
# Every DEPENDS entry carries the "+" prefix, so selecting this package also
# selects the LXC runtime, the ACME client packages and the TLS/HTTP tooling
# listed below.
define Package/secubox-app-haproxy
  SECTION:=secubox
  CATEGORY:=SecuBox
  SUBMENU:=Services
  TITLE:=HAProxy Load Balancer & Reverse Proxy
  PKGARCH:=all
  DEPENDS:=+lxc +lxc-common \
	+openssl-util +wget-ssl +tar +jsonfilter \
	+acme +acme-acmesh +socat
endef
# Free-text package description. The body is emitted as text, so it is kept
# exactly as written and carries no comments of its own.
define Package/secubox-app-haproxy/description
HAProxy load balancer and reverse proxy running in an LXC container.
Features:
- Virtual hosts with SNI routing
- Multi-certificate SSL/TLS termination
- Let's Encrypt auto-renewal via ACME
- Backend health checks
- URL-based routing and redirections
- Stats dashboard
- Rate limiting and ACLs
endef
# Files treated as user configuration, so local edits survive a package upgrade.
# Only the UCI config is listed; the certificate directory created by the
# install step is not, so its contents depend on the cert sync being re-run.
define Package/secubox-app-haproxy/conffiles
/etc/config/haproxy
endef
# Intentionally empty: the install step only copies scripts, templates and
# configuration from ./files, so there is nothing to compile.
define Build/Compile
endef
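# Stage the package payload under the package root passed in as argument 1:
# UCI config, init script, control and cert-sync scripts, the ACME deploy
# hook, HAProxy templates, an empty certificate directory and a cron drop-in.
#
# Review notes on the security-relevant parts:
# - /usr/share/haproxy/certs is created with the same INSTALL_DIR macro as
#   every other directory here, so it gets no tighter mode than they do.
#   NOTE(review): if haproxy-sync-certs writes the combined fullchain plus
#   private key .pem files into this directory, the directory and its files
#   need owner-only access; confirm where the script enforces that.
# - The cron entry uses the /etc/cron.d layout (it carries a "root" user field).
#   NOTE(review): stock OpenWrt runs busybox crond against /etc/crontabs;
#   confirm something on the target reads /etc/cron.d, otherwise this job
#   never runs and renewals reach HAProxy only through the deploy hook and
#   the init script.
# - The cron command sends stdout and stderr to /dev/null, so a failed sync
#   leaves no trace; the script itself has to log if failures should be visible.
# - The drop-in is written by shell redirection, so its mode would follow the
#   build umask; it is pinned to 0644 below.
define Package/secubox-app-haproxy/install
	$(INSTALL_DIR) $(1)/etc/config
	$(INSTALL_CONF) ./files/etc/config/haproxy $(1)/etc/config/haproxy

	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) ./files/etc/init.d/haproxy $(1)/etc/init.d/haproxy

	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) ./files/usr/sbin/haproxyctl $(1)/usr/sbin/haproxyctl
	$(INSTALL_BIN) ./files/usr/sbin/haproxy-sync-certs $(1)/usr/sbin/haproxy-sync-certs

	$(INSTALL_DIR) $(1)/usr/lib/acme/deploy
	$(INSTALL_BIN) ./files/usr/lib/acme/deploy/haproxy.sh $(1)/usr/lib/acme/deploy/haproxy.sh

	$(INSTALL_DIR) $(1)/usr/share/haproxy/templates
	$(INSTALL_DATA) ./files/usr/share/haproxy/templates/* $(1)/usr/share/haproxy/templates/

	$(INSTALL_DIR) $(1)/usr/share/haproxy/certs

	# Add cron job for certificate sync after ACME renewals
	$(INSTALL_DIR) $(1)/etc/cron.d
	echo "# Sync ACME certs to HAProxy after renewals" > $(1)/etc/cron.d/haproxy-certs
	echo "15 3 * * * root /usr/sbin/haproxy-sync-certs >/dev/null 2>&1" >> $(1)/etc/cron.d/haproxy-certs
	# Pin the mode: cron daemons that read cron.d typically skip group- or world-writable files
	chmod 0644 $(1)/etc/cron.d/haproxy-certs
endef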
# Post-install script. It does nothing when IPKG_INSTROOT is set; otherwise it
# runs one certificate sync. The sync's stderr is discarded and its exit
# status is ignored, so a failing sync neither fails the install nor leaves
# any message behind.
define Package/secubox-app-haproxy/postinst
#!/bin/sh
# IPKG_INSTROOT set: skip the sync and report success
if [ -n "$${IPKG_INSTROOT}" ]; then
	exit 0
fi
# Sync existing ACME certificates on install; errors are ignored
/usr/sbin/haproxy-sync-certs 2>/dev/null || true
exit 0
endef
# Hand the package defined above to the build system. PKG_NAME is set to
# secubox-app-haproxy earlier in this file, so this names the same package.
$(eval $(call BuildPackage,$(PKG_NAME)))