boost-proxy: new role, extracted from internal use, to make a Boost server

This commit is contained in:
Jérémy Lecour 2022-11-26 19:07:43 +01:00 committed by Jérémy Lecour
parent 54dca82838
commit f8715078f6
9 changed files with 364 additions and 0 deletions


@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
* boost-proxy: new role, extracted from internal use, to make a Boost server
* evolinux-base: replace regular kernel by cloud kernel on virtual servers
* nagios-nrpe: check_haproxy_stats supports DRAIN status
* lxc-php: set php-fpm umask to 007


@ -0,0 +1,17 @@
---
boost_sysctl_config: []
boost_sysctl_file_path: /etc/sysctl.d/boost.conf
boost_allow_root_ssh_between_servers: False
boost_sites_enabled: []
boost_sites_enabled_for_all: []
boost_sites_enabled_for_group: []
boost_sites_enabled_for_host: []
other_servers_from_group_ips: []
boost_validate_haproxy: True
boost_validate_varnish: True
boost_haproxy_check_url: "/haproxycheck"
boost_varnish_check_url: "/varnishcheck"
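Review bot: The booleans at `boost_allow_root_ssh_between_servers: False`, `boost_validate_haproxy: True` and `boost_validate_varnish: True` use the capitalised YAML 1.1 spellings; write them as `false`/`true`, which is what yamllint's truthy rule expects and what the `| bool` filters in sshd.yml already accept. `boost_sysctl_config: []` is consumed in sysctl.yml as `item.key`/`item.value`, so a comment stating the expected shape would help, e.g. `# list of {key: <sysctl name>, value: <value>} mappings`. Likewise `other_servers_from_group_ips` feeds an sshd `Match Address` line, so a comment noting that it must hold addresses or CIDRs rather than hostnames would prevent a silently ineffective rule.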


@ -0,0 +1,6 @@
---
- name: reload sshd
service:
name: ssh
state: reloaded


@ -0,0 +1,57 @@
---
- name: URL for HAProxy admin page is on default page
lineinfile:
path: "/var/www/index.html"
line: ' <li><a href="{{ haproxy_stats_external_url }}">HAProxy</a></li>'
regexp: '>HAProxy<'
insertafter: ">Stats système<"
tags:
- haproxy
- config
- name: HAproxy run directory in chroot
file:
dest: "/var/lib/haproxy/run"
owner: root
group: root
mode: "0755"
state: directory
tags:
- haproxy
- config
- name: HAproxy errors directory is present
file:
dest: "/etc/haproxy/errors"
owner: root
group: root
mode: "0755"
state: directory
tags:
- haproxy
- config
- update-config
- name: Maintenance file is present
copy:
src: "templates/haproxy/maintenance.http"
dest: /etc/haproxy/errors/maintenance.http
mode: "0644"
notify: reload haproxy
tags:
- haproxy
- config
- update-config
- name: 2048 bits DHparam file is present
get_url:
url: https://ssl-config.mozilla.org/ffdhe2048.txt
dest: /etc/ssl/dhparam-haproxy
mode: '0600'
owner: root
group: root
force: no
tags:
- haproxy
- config
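Review bot: The DH parameter download at `url: https://ssl-config.mozilla.org/ffdhe2048.txt` is not pinned, so the file written to `/etc/ssl/dhparam-haproxy` is whatever the remote host serves at playbook time. `get_url` accepts a `checksum:` option; adding `checksum: "sha256:<EXPECTED_SHA256>"` (fill in the digest of the published file) makes the run reproducible and fails loudly if the served content ever differs. `force: no` should be `force: false` for consistency with the other new files, and the mix of `'0600'` and `"0755"` quoting within the same file could be unified.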


@ -0,0 +1,48 @@
---
#######################
# System configuration
#######################
# Merge variables from group_vars and host_vars
- set_fact:
boost_sites_enabled: "{{ boost_sites_enabled_for_all | union(boost_sites_enabled_for_group) | union(boost_sites_enabled_for_host) | unique }}"
tags: always
- debug:
var: boost_sites_enabled
tags: always
- include: haproxy.yml
- include: sshd.yml
- include: sysctl.yml
######################
# Sites configuration
######################
- include_tasks: sites.yml
#################
# external roles
#################
- import_role:
name: haproxy
- import_role:
name: varnish
- import_role:
name: nginx
- import_role:
name: certbot
##############
# validations
##############
- include_tasks: validate.yml
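Review bot: The task list mixes `- include: haproxy.yml` (and sshd.yml, sysctl.yml) with `- include_tasks: sites.yml` and `- include_tasks: validate.yml`; bare `include` has been deprecated since Ansible 2.4 and newer ansible-core releases no longer accept it, so those three lines need a replacement. `import_tasks` is probably the right one here: the included files carry their own `haproxy`/`ssh`/`sysctl` tags, and with the dynamic `include_tasks` a `--tags haproxy` run would skip the untagged include itself and never reach them. The unnamed `set_fact` and `debug` tasks would read better with a `name:`, e.g. `- name: Merge enabled sites from all/group/host vars`.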

boost-proxy/tasks/sites.yml Normal file

@ -0,0 +1,172 @@
---
# HAProxy
- name: Create sites parent directory
file:
dest: "/etc/haproxy/sites"
owner: root
group: root
mode: "0755"
state: directory
tags:
- haproxy
- config
- update-config
- name: Create sites directories
file:
dest: "/etc/haproxy/sites/{{ item }}"
owner: root
group: root
mode: "0755"
state: directory
loop: "{{ boost_sites_enabled }}"
tags:
- haproxy
- config
- update-config
- name: Copy maintenance page
template:
src: "{{ lookup('first_found', file) }}"
dest: "/etc/haproxy/sites/{{ site }}/maintenance.http"
owner: root
group: root
mode: "0644"
vars:
file:
- "templates/boost-sites/{{ site }}/haproxy/maintenance.http"
- "templates/haproxy/maintenance.http"
loop: "{{ boost_sites_enabled }}"
loop_control:
loop_var: site
tags:
- haproxy
- config
- update-config
- name: Copy 503 page
template:
src: "{{ lookup('first_found', file, errors='ignore') }}"
dest: "/etc/haproxy/sites/{{ site }}/503.http"
owner: root
group: root
mode: "0644"
vars:
file:
- "templates/boost-sites/{{ site }}/haproxy/503.http"
- "templates/haproxy/503.http"
loop: "{{ boost_sites_enabled }}"
loop_control:
loop_var: site
tags:
- haproxy
- config
- update-config
- name: Copy 502 page
template:
src: "{{ lookup('first_found', file, errors='ignore') }}"
dest: "/etc/haproxy/sites/{{ site }}/502.http"
owner: root
group: root
mode: "0644"
vars:
file:
- "templates/boost-sites/{{ site }}/haproxy/502.http"
- "templates/haproxy/503.http"
loop: "{{ boost_sites_enabled }}"
loop_control:
loop_var: site
tags:
- haproxy
- config
- update-config
- name: Copy 500 page
template:
src: "{{ lookup('first_found', file) }}"
dest: "/etc/haproxy/sites/{{ site }}/500.http"
owner: root
group: root
mode: "0644"
vars:
file:
- "templates/boost-sites/{{ site }}/haproxy/500.http"
- "templates/haproxy/500.http"
loop: "{{ boost_sites_enabled }}"
loop_control:
loop_var: site
tags:
- haproxy
- config
- update-config
- name: Copy 403 page
template:
src: "{{ lookup('first_found', file) }}"
dest: "/etc/haproxy/sites/{{ site }}/403.http"
owner: root
group: root
mode: "0644"
vars:
file:
- "templates/boost-sites/{{ site }}/haproxy/403.http"
- "templates/haproxy/403.http"
loop: "{{ boost_sites_enabled }}"
loop_control:
loop_var: site
tags:
- haproxy
- config
- update-config
- name: Copy 404 page
template:
src: "{{ lookup('first_found', file) }}"
dest: "/etc/haproxy/sites/{{ site }}/404.http"
owner: root
group: root
mode: "0644"
vars:
file:
- "templates/boost-sites/{{ site }}/haproxy/404.http"
- "templates/haproxy/404.http"
loop: "{{ boost_sites_enabled }}"
loop_control:
loop_var: site
tags:
- haproxy
- config
- update-config
# Varnish
- name: Create sites parent directory
file:
dest: "/etc/varnish/sites"
owner: root
group: root
mode: "0755"
state: directory
tags:
- varnish
- config
- update-config
- name: Copy sites custom VCL
template:
src: "templates/boost-sites/{{ site }}/varnish/default.vcl.j2"
dest: "/etc/varnish/sites/{{ site }}.vcl"
owner: root
group: root
mode: "0644"
loop: "{{ boost_sites_enabled }}"
loop_control:
loop_var: site
notify: reload varnish
tags:
- varnish
- config
- update-config
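Review bot: The `Copy 502 page` task falls back to `templates/haproxy/503.http` (second entry of its `file:` list) while every other page falls back to its own status code, which looks like a copy-paste slip; if no default 502 template exists, say so in a comment, otherwise change it to `- "templates/haproxy/502.http"`. The 503 and 502 lookups pass `errors='ignore'`, but when neither candidate exists the lookup likely yields an empty `src` and `template` fails anyway, so the ignore does not make those tasks optional — a guaranteed default template or a `when:` on the lookup result would. The two tasks both named `Create sites parent directory` (HAProxy and Varnish) make play output ambiguous; a suffix such as `(HAProxy)` / `(Varnish)` would fix that.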


@ -0,0 +1,27 @@
---
- name: "root can connect over SSH from other servers"
blockinfile:
dest: /etc/ssh/sshd_config
marker: "# {mark} ROOT AUTHORIZATION"
block: |
Match User root Address {{ other_servers_from_group_ips | join(',') }}
AllowGroups root
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin without-password
state: present
notify: reload sshd
when: (boost_allow_root_ssh_between_servers | bool) and (other_servers_from_group_ips | length > 0)
tags:
- ssh
- name: "root can connect over SSH from other servers"
blockinfile:
dest: /etc/ssh/sshd_config
marker: "# {mark} ROOT AUTHORIZATION"
state: absent
notify: reload sshd
when: not (boost_allow_root_ssh_between_servers | bool) or (other_servers_from_group_ips | length <= 0)
tags:
- ssh
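Review bot: The block written into `/etc/ssh/sshd_config` by `blockinfile:` is not validated before the `reload sshd` handler runs; adding `validate: "/usr/sbin/sshd -t -f %s"` to both blockinfile tasks makes a malformed `Match` line (for example from a bad `other_servers_from_group_ips` entry) fail the task instead of leaving sshd with a config it cannot reload. `PermitRootLogin without-password` is the legacy spelling of `prohibit-password`, the documented name since OpenSSH 7.0, and reads more clearly given what the block grants. The second task carries the same name as the first but removes the block, so rename it, e.g. `- name: "root cannot connect over SSH from other servers"`. Since a `Match` block extends to the next `Match` or end of file, a one-line comment noting that the marker block must stay at the end of sshd_config would help future editors.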


@ -0,0 +1,12 @@
---
- name: Boost optimization for sysctl
sysctl:
sysctl_file: "{{ boost_sysctl_file_path }}"
name: "{{ item.key }}"
value: "{{ item.value }}"
reload: yes
sysctl_set: yes
loop: "{{ boost_sysctl_config }}"
tags:
- sysctl
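Review bot: `reload: yes` and `sysctl_set: yes` use YAML 1.1 truthy spellings; write `reload: true` and `sysctl_set: true` as the other new files spell their booleans. The loop reads `item.key` and `item.value`, so `boost_sysctl_config` must be a list of mappings rather than a dict; a header comment such as `# boost_sysctl_config: list of {key: ..., value: ...}` (or `loop: "{{ boost_sysctl_config | dict2items }}"` if a dict is intended) would pin that contract.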


@ -0,0 +1,24 @@
---
- name: check if HAProxy configuration is valid
shell:
cmd: "haproxy -c -f /etc/haproxy/haproxy.cfg"
changed_when: false
check_mode: no
register: haproxy_validate
when: boost_validate_haproxy
tags:
- always
- name: check if Varnish configuration is valid
shell:
cmd: "sudo -u vcache TMPDIR={{ varnish_tmp_dir }} varnishd -C -f /etc/varnish/default.vcl > /dev/null"
args:
warn: False
changed_when: false
check_mode: no
register: varnish_validate
when: boost_validate_varnish
tags:
- always
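Review bot: The Varnish check shells out with `sudo -u vcache` and silences the resulting warning via `args: warn: False`; the `warn` argument was removed from `shell`/`command` in ansible-core 2.14, so this task breaks on current releases. Use Ansible's privilege escalation instead: `become: true`, `become_user: vcache`, and `cmd: "TMPDIR={{ varnish_tmp_dir }} varnishd -C -f /etc/varnish/default.vcl > /dev/null"`, dropping the `args` block. The HAProxy check needs no shell features and could use `command:` rather than `shell:`, and both `register` results are never read — a non-zero exit already fails the task. The hunk header announces 24 lines and the section ends at the last line of this page, so it may continue past what is shown.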