haproxy: simplify tls config

provision/base.sh

@@ -137,7 +137,7 @@ done
 EO_PKG_SECURITY
 }
 
-configure_ssl_dirs()
+configure_tls_dirs()
 {
  if [ ! -d "$BASE_MNT/etc/ssl/certs" ]; then
  mkdir -m 0644 "$BASE_MNT/etc/ssl/certs"
@@ -213,7 +213,7 @@ configure_base()
  update_motd=NO
 
  configure_pkg_latest "$BASE_MNT"
- configure_ssl_dirs
+ configure_tls_dirs
  configure_tls_dhparams
  disable_cron_jobs
  enable_security_periodic

provision/haproxy.sh

@@ -82,7 +82,7 @@ defaults
 frontend http-in
  #mode tcp
  bind :::80 v4v6 alpn http/1.1
- bind :::443 v4v6 alpn http/1.1 ssl crt /etc/ssl/private crt /data/etc/tls.d
+ bind :::443 v4v6 alpn http/1.1 ssl crt /data/etc/tls.d
  # ciphers AES128+EECDH:AES128+EDH
 
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
@@ -329,20 +329,16 @@ EO_OCSP
 
 configure_haproxy_tls()
 {
- if [ ! -f "$STAGE_MNT/etc/ssl/private/server.pem" ]; then
- tell_status "concatenating TLS key and crt to PEM"
- cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \
- > "$STAGE_MNT/etc/ssl/private/server.pem"
- fi
-
- if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl" ]; then
- tell_status "creating /data/ssl"
- mkdir -p "$ZFS_DATA_MNT/haproxy/ssl"
+ local _tls_dir="$ZFS_DATA_MNT/haproxy/etc/tls.d"
+ if [ ! -d "$_tls_dir" ]; then
+ tell_status "creating $_tls_dir"
+ mkdir -p "$_tls_dir"
  fi
 
- if [ ! -d "$ZFS_DATA_MNT/haproxy/etc/tls.d" ]; then
- tell_status "creating /data/etc/tls.d"
- mkdir -p "$ZFS_DATA_MNT/haproxy/etc/tls.d"
+ if [ ! -f "$_tls_dir/$TOASTER_HOSTNAME.pem" ]; then
+ tell_status "concatenating TLS key and crt to PEM"
+ cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \
+ > "$_tls_dir/$TOASTER_HOSTNAME.pem"
  fi
 
  install_ocsp_stapler "$STAGE_MNT/usr/local/etc/periodic/daily/501.ocsp-staple.sh"

provision/webmail.sh

@@ -185,7 +185,6 @@ install_webmail()
 
  if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then
  stage_setup_tls
- pkg install -y socat acme.sh
  fi
 
  configure_nginx_server