---
# Installs Debian's ssl-cert package. A later task in this file reads the
# ssl-cert-snakeoil certificate and key under /etc/ssl to build the
# self-signed bundle for HAProxy.
- name: ssl-cert package is installed
  ansible.builtin.apt:
    state: present
    name: ssl-cert
  tags:
    - haproxy
    - packages
# Directory that receives the certificate+key bundle written by the
# self-signed certificate task. It is root-owned with mode 0700, so only
# root can list or traverse it; the bundle stored here embeds a private key.
- name: HAProxy SSL directory is present
  ansible.builtin.file:
    state: directory
    path: /etc/haproxy/ssl
    mode: "0700"
    owner: root
    group: root
  tags:
    - haproxy
    - ssl
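# Builds the combined PEM (certificate followed by private key) from the
# ssl-cert "snakeoil" pair and stores it in /etc/haproxy/ssl.
#
# The output file embeds the private key, so the command sets umask 077
# before the redirection creates it. The bundle is then created 0600 instead
# of inheriting the default umask of the shell, and it no longer relies only
# on the 0700 parent directory for protection.
#
# `creates` makes the task a no-op once the bundle exists. As a result:
#   - a bundle created by an earlier run keeps whatever mode it already has;
#   - a partial file left behind by a failed `cat` is never rebuilt until it
#     is removed by hand.
# NOTE(review): the snakeoil certificate is self-signed and generated per
# host; presumably it is only a placeholder until a real certificate is
# deployed. Confirm that in the role documentation.
- name: Self-signed certificate is present in HAProxy ssl directory
  ansible.builtin.shell:
    cmd: "umask 077 && cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
  args:
    creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
  notify: reload haproxy
  tags:
    - haproxy
    - ssl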
# Writes one entry per line from haproxy_stats_access_ips into a managed
# block of /etc/haproxy/stats_access_ips, creating the file if needed.
# When the variable is undefined the loop runs over [] and the block is empty.
# NOTE(review): presumably this file is read by an ACL in the HAProxy
# configuration that gates the stats page; an empty list would then mean
# whatever that ACL does with no match. Verify against the template.
# Entries are written verbatim, so validate them where the variable is set.
- name: HAProxy stats_access_ips are present
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/haproxy/stats_access_ips
    block: |
      {% for ip in haproxy_stats_access_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  tags:
    - haproxy
    - config
    - update-config
  notify: reload haproxy
# Writes one entry per line from haproxy_stats_admin_ips into a managed
# block of /etc/haproxy/stats_admin_ips, creating the file if needed.
# When the variable is undefined the loop runs over [] and the block is empty.
# NOTE(review): presumably these addresses get administrative rights on the
# stats interface, so keep the list as narrow as possible. Verify how the
# HAProxy configuration template consumes this file.
# Entries are written verbatim, so validate them where the variable is set.
- name: HAProxy stats_admin_ips are present
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/haproxy/stats_admin_ips
    block: |
      {% for ip in haproxy_stats_admin_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  tags:
    - haproxy
    - config
    - update-config
  notify: reload haproxy
# Writes one entry per line from haproxy_maintenance_ips into a managed
# block of /etc/haproxy/maintenance_ips, creating the file if needed.
# When the variable is undefined the loop runs over [] and the block is empty.
# NOTE(review): presumably these addresses may still reach backends while a
# site is in maintenance mode. Verify against the HAProxy template.
# Entries are written verbatim, so validate them where the variable is set.
- name: HAProxy maintenance_ips are present
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/haproxy/maintenance_ips
    block: |
      {% for ip in haproxy_maintenance_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  tags:
    - haproxy
    - config
    - update-config
  notify: reload haproxy
# Writes one entry per line from haproxy_deny_ips into a managed block of
# /etc/haproxy/deny_ips, creating the file if needed.
# When the variable is undefined the loop runs over [] and the block is
# empty, so nothing is listed for denial.
# NOTE(review): presumably the HAProxy configuration rejects requests from
# these addresses. Verify that the template actually references this file;
# otherwise the list has no effect.
- name: HAProxy deny_ips are present
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/haproxy/deny_ips
    block: |
      {% for ip in haproxy_deny_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  tags:
    - haproxy
    - config
    - update-config
  notify: reload haproxy
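# Pulls in the backports package tasks only when haproxy_backports is truthy.
# ansible.builtin.include is deprecated upstream and has been dropped from
# recent ansible-core releases; include_tasks is its dynamic replacement.
# NOTE(review): this task carries no tags. Confirm that tag-filtered runs
# (e.g. --tags haproxy) still reach the included tasks as intended.
- name: Include backports package tasks
  ansible.builtin.include_tasks: packages_backports.yml
  when: haproxy_backports | bool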
# Installs the haproxy package from whatever apt sources are configured.
# `state: present` does not upgrade an already-installed package, so
# security updates have to be applied by another mechanism.
- name: Install HAProxy package
  ansible.builtin.apt:
    state: present
    name: haproxy
  tags:
    - haproxy
    - packages
# Renders /etc/haproxy/haproxy.cfg from the first template that exists, in
# this order: host-specific, group-specific (host_group, else "all"), then
# the two default locations.
# `validate` runs `haproxy -c -f` on the rendered file before it replaces the
# live configuration, so a syntactically broken template is rejected.
# `force` follows haproxy_force_config: when false, an existing haproxy.cfg
# is left untouched.
# The whole task is skipped unless haproxy_update_config is truthy.
# NOTE(review): no owner, group or mode is set here. If the rendered
# configuration can contain credentials (stats auth, for instance), consider
# pinning restrictive ownership and mode.
- name: Copy HAProxy configuration
  when: haproxy_update_config | bool
  ansible.builtin.template:
    dest: /etc/haproxy/haproxy.cfg
    src: "{{ item }}"
    validate: "haproxy -c -f %s"
    force: "{{ haproxy_force_config }}"
  vars:
    templates:
      - "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
      - "templates/haproxy/haproxy.{{ host_group | default('all') }}.cfg.j2"
      - "templates/haproxy/haproxy.default.cfg.j2"
      - "templates/haproxy.default.cfg.j2"
  loop: "{{ query('first_found', templates) }}"
  tags:
    - haproxy
    - config
    - update-config
  notify: reload haproxy
# Ensures the HAProxy logrotate stanza uses `dateext`.
# The regexp matches an existing dateext/nodateext line, commented or not,
# and that line is replaced. If none matches, the line is inserted before
# the last line matching `}`.
- name: Rotate logs with dateext
  ansible.builtin.lineinfile:
    dest: /etc/logrotate.d/haproxy
    regexp: '^\s*#*\s*(no)?dateext'
    insertbefore: '}'
    line: ' dateext'
  tags:
    - haproxy
    - logrotate
# Ensures the HAProxy logrotate stanza uses `nodelaycompress`.
# The regexp matches an existing delaycompress/nodelaycompress line,
# commented or not, and that line is replaced. If none matches, the line is
# inserted before the last line matching `}`.
- name: Rotate logs with nodelaycompress
  ansible.builtin.lineinfile:
    dest: /etc/logrotate.d/haproxy
    regexp: '^\s*#*\s*(no)?delaycompress'
    insertbefore: '}'
    line: ' nodelaycompress'
  tags:
    - haproxy
    - logrotate
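# Sets the net.ipv4.ip_nonlocal_bind kernel parameter, persists it in the
# evolinux sysctl file (or the default path below) and reloads sysctl.
# The setting is host-wide: when it is 1, any process may bind to an IPv4
# address that is not configured on the host, not only HAProxy. Enable it
# only where it is needed, typically for a floating or failover address.
#
# The task runs only when haproxy_allow_ip_nonlocal_bind is defined and not
# null; otherwise the current kernel value is left alone.
#
# The variable goes through `| bool` before `ternary`, as the other
# conditionals in this file do. Without the cast, a string such as "false"
# or "0" (from an extra-var, for instance) is a non-empty string, hence
# truthy, and would silently enable the setting.
- name: Set net.ipv4.ip_nonlocal_bind
  ansible.posix.sysctl:
    name: net.ipv4.ip_nonlocal_bind
    value: "{{ haproxy_allow_ip_nonlocal_bind | bool | ternary('1','0') }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
    state: present
    reload: true
  tags:
    - haproxy
  when:
    - haproxy_allow_ip_nonlocal_bind is defined
    - haproxy_allow_ip_nonlocal_bind is not none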
- ansible.builtin.include: munin.yml