HAProxy: add templates lookup and documentation

haproxy/README.md

@@ -1,38 +1,14 @@
-Role Name
-=========
+# haproxy
 
-A brief description of the role goes here.
+Install HAProxy.
 
-Requirements
-------------
+## Tasks
 
-Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+Everything is in the `tasks/main.yml` file.
 
-Role Variables
---------------
+## Available variables
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+* `general_package_release`: which Debian release to use generally (default: `stable`).
+* `haproxy_package_release`: which Debian release to use for HAProxy (default: `general_package_release`).
 
-Dependencies
-------------
-
-A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
-
-Example Playbook
-----------------
-
-Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
-
-    - hosts: servers
-      roles:
-         - { role: username.rolename, x: 42 }
-
-License
--------
-
-BSD
-
-Author Information
-------------------
-
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+The full list of variables (with default values) can be found in `defaults/main.yml`.

haproxy/defaults/main.yml

@@ -1,2 +1,2 @@
 ---
-# defaults file for haproxy
+general_package_release: stable

haproxy/tasks/main.yml

@@ -1,6 +1,28 @@
 ---
-# tasks file for haproxy
-- name: Install packages
+
+- name: ssl-cert package is installed
+  apt:
+    name: ssl-cert
+    state: installed
+
+- name: Install HAProxy package
   apt:
     name: haproxy
+    default_release: "{{ haproxy_package_release or general_package_release | mandatory }}"
+    update_cache: True
     state: present
+
+- name: Copy HAProxy configuration
+  template:
+    src: "{{ item }}"
+    dest: /etc/haproxy/haproxy.cfg
+    force: yes
+  with_first_found:
+  - files:
+    - "{{ inventory_hostname }}"
+    - "{{ host_group }}"
+    - "default"
+    paths:
+    - templates/haproxy-config
+  - default
+  notify: reload haproxy

haproxy/templates/default

@@ -0,0 +1,35 @@
+global
+    log /dev/log    local0
+    log /dev/log    local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Default ciphers to use on SSL-enabled listening sockets.
+    # For more information, see ciphers(1SSL). This list is from:
+    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+    ssl-default-bind-options no-sslv3
+
+defaults
+    log global
+    mode    http
+    option  httplog
+    option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http

haproxy/vars/main.yml

@@ -1,2 +0,0 @@
----
-# vars file for haproxy