diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2b758ef..5410101d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Added
+* boost-proxy: new role, extracted from internal use, to make a Boost server
* evolinux-base: replace regular kernel by cloud kernel on virtual servers
* nagios-nrpe: check_haproxy_stats supports DRAIN status
* lxc-php: set php-fpm umask to 007
diff --git a/boost-proxy/defaults/main.yml b/boost-proxy/defaults/main.yml
new file mode 100644
index 00000000..290a8a8f
--- /dev/null
+++ b/boost-proxy/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+boost_sysctl_config: []
+boost_sysctl_file_path: /etc/sysctl.d/boost.conf
+boost_allow_root_ssh_between_servers: False
+
+boost_sites_enabled: []
+boost_sites_enabled_for_all: []
+boost_sites_enabled_for_group: []
+boost_sites_enabled_for_host: []
+
+other_servers_from_group_ips: []
+
+boost_validate_haproxy: True
+boost_validate_varnish: True
+
+boost_haproxy_check_url: "/haproxycheck"
+boost_varnish_check_url: "/varnishcheck"
\ No newline at end of file
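Review bot: `boost_allow_root_ssh_between_servers: False`, `boost_validate_haproxy: True` and `boost_validate_varnish: True` use the YAML 1.1 capitalised spellings; Ansible accepts them, but the canonical lowercase `false` / `true` is what yamllint's truthy rule expects and what the rest of this role reads naturally. The file also ends without a trailing newline (the `\ No newline at end of file` marker), which produces a noisy diff on the next edit. `boost_haproxy_check_url` and `boost_varnish_check_url` are not referenced by any task in this diff, so they are presumably consumed by templates outside it; a one-line comment above them saying where they are used would help the next reader.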
diff --git a/boost-proxy/handlers/main.yml b/boost-proxy/handlers/main.yml
new file mode 100644
index 00000000..65f621cb
--- /dev/null
+++ b/boost-proxy/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload sshd
+ service:
+ name: ssh
+ state: reloaded
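Review bot: Only `reload sshd` is defined here, while `haproxy.yml` notifies `reload haproxy` and `sites.yml` notifies `reload varnish`; those handlers are not part of this role, so they presumably come from the `haproxy` and `varnish` roles pulled in with `import_role` in `main.yml`. That dependency is implicit and surfaces as an unknown-handler error if the role is run without those imports, so either a comment here (`# reload haproxy / reload varnish are provided by the imported haproxy and varnish roles`) or a `dependencies:` entry in `meta/main.yml` would make it explicit. The unit name `ssh` is the Debian name; on other distributions it is `sshd`, which matters only if the role is meant to be portable.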
diff --git a/boost-proxy/tasks/haproxy.yml b/boost-proxy/tasks/haproxy.yml
new file mode 100644
index 00000000..f1d709ed
--- /dev/null
+++ b/boost-proxy/tasks/haproxy.yml
@@ -0,0 +1,57 @@
+---
+
+- name: URL for HAProxy admin page is on default page
+ lineinfile:
+ path: "/var/www/index.html"
+ line: '
HAProxy'
+ regexp: '>HAProxy<'
+ insertafter: ">Stats système<"
+ tags:
+ - haproxy
+ - config
+
+- name: HAproxy run directory in chroot
+ file:
+ dest: "/var/lib/haproxy/run"
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
+ tags:
+ - haproxy
+ - config
+
+- name: HAproxy errors directory is present
+ file:
+ dest: "/etc/haproxy/errors"
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Maintenance file is present
+ copy:
+ src: "templates/haproxy/maintenance.http"
+ dest: /etc/haproxy/errors/maintenance.http
+ mode: "0644"
+ notify: reload haproxy
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: 2048 bits DHparam file is present
+ get_url:
+ url: https://ssl-config.mozilla.org/ffdhe2048.txt
+ dest: /etc/ssl/dhparam-haproxy
+ mode: '0600'
+ owner: root
+ group: root
+ force: no
+ tags:
+ - haproxy
+ - config
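Review bot: The `2048 bits DHparam file is present` task writes `/etc/ssl/dhparam-haproxy` from `https://ssl-config.mozilla.org/ffdhe2048.txt` with no integrity check, so the role cannot tell a substituted or changed file from the expected one. `get_url` supports a `checksum` argument; pinning it, e.g. `checksum: "sha256:<SHA256_OF_FFDHE2048_TXT>"` (placeholder, computed from the published RFC 7919 group), makes the download fail closed, and together with `force: no` it also documents what an already-present file is expected to contain. Separately, the `line:` value of the first `lineinfile` task appears split across two lines in this rendering (`line: '` then `HAProxy'`); if that is really how the file reads, the value is a multi-line plain scalar and should be written on one line or as a block scalar.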
diff --git a/boost-proxy/tasks/main.yml b/boost-proxy/tasks/main.yml
new file mode 100644
index 00000000..9587705e
--- /dev/null
+++ b/boost-proxy/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+
+#######################
+# System configuration
+#######################
+
+# Merge variables from group_vars and host_vars
+- set_fact:
+ boost_sites_enabled: "{{ boost_sites_enabled_for_all | union(boost_sites_enabled_for_group) | union(boost_sites_enabled_for_host) | unique }}"
+ tags: always
+
+- debug:
+ var: boost_sites_enabled
+ tags: always
+
+- include: haproxy.yml
+
+- include: sshd.yml
+
+- include: sysctl.yml
+
+######################
+# Sites configuration
+######################
+
+- include_tasks: sites.yml
+
+#################
+# external roles
+#################
+
+- import_role:
+ name: haproxy
+
+- import_role:
+ name: varnish
+
+- import_role:
+ name: nginx
+
+- import_role:
+ name: certbot
+
+##############
+# validations
+##############
+
+- include_tasks: validate.yml
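Review bot: `haproxy.yml`, `sshd.yml` and `sysctl.yml` are pulled in with the untagged, dynamic `include:`, so a run restricted with `--tags haproxy` or `--tags config` skips the include itself and the tagged tasks inside it never run; the same applies to `include_tasks: sites.yml` and `validate.yml`, whose `always` tags are only seen once the include has executed. `include:` is also deprecated in favour of the explicit `import_tasks` / `include_tasks` pair and has since been removed from ansible-core. Switching to `- import_tasks: haproxy.yml` (and likewise for `sshd.yml`, `sysctl.yml`, `sites.yml` and `validate.yml`) makes the inner tags propagate the way the per-task `tags:` lists suggest was intended. The `set_fact` / `debug` pair and the `import_role` calls are fine as written.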
diff --git a/boost-proxy/tasks/sites.yml b/boost-proxy/tasks/sites.yml
new file mode 100644
index 00000000..d0702cf0
--- /dev/null
+++ b/boost-proxy/tasks/sites.yml
@@ -0,0 +1,172 @@
+---
+
+# HAProxy
+
+- name: Create sites parent directory
+ file:
+ dest: "/etc/haproxy/sites"
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Create sites directories
+ file:
+ dest: "/etc/haproxy/sites/{{ item }}"
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
+ loop: "{{ boost_sites_enabled }}"
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Copy maintenance page
+ template:
+ src: "{{ lookup('first_found', file) }}"
+ dest: "/etc/haproxy/sites/{{ site }}/maintenance.http"
+ owner: root
+ group: root
+ mode: "0644"
+ vars:
+ file:
+ - "templates/boost-sites/{{ site }}/haproxy/maintenance.http"
+ - "templates/haproxy/maintenance.http"
+ loop: "{{ boost_sites_enabled }}"
+ loop_control:
+ loop_var: site
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Copy 503 page
+ template:
+ src: "{{ lookup('first_found', file, errors='ignore') }}"
+ dest: "/etc/haproxy/sites/{{ site }}/503.http"
+ owner: root
+ group: root
+ mode: "0644"
+ vars:
+ file:
+ - "templates/boost-sites/{{ site }}/haproxy/503.http"
+ - "templates/haproxy/503.http"
+ loop: "{{ boost_sites_enabled }}"
+ loop_control:
+ loop_var: site
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Copy 502 page
+ template:
+ src: "{{ lookup('first_found', file, errors='ignore') }}"
+ dest: "/etc/haproxy/sites/{{ site }}/502.http"
+ owner: root
+ group: root
+ mode: "0644"
+ vars:
+ file:
+ - "templates/boost-sites/{{ site }}/haproxy/502.http"
+ - "templates/haproxy/503.http"
+ loop: "{{ boost_sites_enabled }}"
+ loop_control:
+ loop_var: site
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Copy 500 page
+ template:
+ src: "{{ lookup('first_found', file) }}"
+ dest: "/etc/haproxy/sites/{{ site }}/500.http"
+ owner: root
+ group: root
+ mode: "0644"
+ vars:
+ file:
+ - "templates/boost-sites/{{ site }}/haproxy/500.http"
+ - "templates/haproxy/500.http"
+ loop: "{{ boost_sites_enabled }}"
+ loop_control:
+ loop_var: site
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Copy 403 page
+ template:
+ src: "{{ lookup('first_found', file) }}"
+ dest: "/etc/haproxy/sites/{{ site }}/403.http"
+ owner: root
+ group: root
+ mode: "0644"
+ vars:
+ file:
+ - "templates/boost-sites/{{ site }}/haproxy/403.http"
+ - "templates/haproxy/403.http"
+ loop: "{{ boost_sites_enabled }}"
+ loop_control:
+ loop_var: site
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+- name: Copy 404 page
+ template:
+ src: "{{ lookup('first_found', file) }}"
+ dest: "/etc/haproxy/sites/{{ site }}/404.http"
+ owner: root
+ group: root
+ mode: "0644"
+ vars:
+ file:
+ - "templates/boost-sites/{{ site }}/haproxy/404.http"
+ - "templates/haproxy/404.http"
+ loop: "{{ boost_sites_enabled }}"
+ loop_control:
+ loop_var: site
+ tags:
+ - haproxy
+ - config
+ - update-config
+
+# Varnish
+
+- name: Create sites parent directory
+ file:
+ dest: "/etc/varnish/sites"
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
+ tags:
+ - varnish
+ - config
+ - update-config
+
+- name: Copy sites custom VCL
+ template:
+ src: "templates/boost-sites/{{ site }}/varnish/default.vcl.j2"
+ dest: "/etc/varnish/sites/{{ site }}.vcl"
+ owner: root
+ group: root
+ mode: "0644"
+ loop: "{{ boost_sites_enabled }}"
+ loop_control:
+ loop_var: site
+ notify: reload varnish
+ tags:
+ - varnish
+ - config
+ - update-config
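Review bot: The `Copy 502 page` task falls back to `templates/haproxy/503.http` where every other task in the file falls back to the matching status code; unless a shared 503 body is intended for 502 as well, this should read `- "templates/haproxy/502.http"`. The 502 and 503 tasks pass `errors='ignore'` while the others do not, so a site with neither a per-site nor a default page presumably ends up with an empty `src` and fails inside `template` with a less helpful error than the explicit lookup failure; either drop the ignore or guard the task with a `when` on the lookup result. `Copy sites custom VCL` has no fallback at all, so every entry in `boost_sites_enabled` must ship a `varnish/default.vcl.j2`, which deserves a comment above the task. The two `Create sites parent directory` tasks share a name; `Create HAProxy sites parent directory` / `Create Varnish sites parent directory` keeps the play output distinguishable.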
diff --git a/boost-proxy/tasks/sshd.yml b/boost-proxy/tasks/sshd.yml
new file mode 100644
index 00000000..7b79875d
--- /dev/null
+++ b/boost-proxy/tasks/sshd.yml
@@ -0,0 +1,27 @@
+---
+
+- name: "root can connect over SSH from other servers"
+ blockinfile:
+ dest: /etc/ssh/sshd_config
+ marker: "# {mark} ROOT AUTHORIZATION"
+ block: |
+ Match User root Address {{ other_servers_from_group_ips | join(',') }}
+ AllowGroups root
+ PubkeyAuthentication yes
+ PasswordAuthentication no
+ PermitRootLogin without-password
+ state: present
+ notify: reload sshd
+ when: (boost_allow_root_ssh_between_servers | bool) and (other_servers_from_group_ips | length > 0)
+ tags:
+ - ssh
+
+- name: "root can connect over SSH from other servers"
+ blockinfile:
+ dest: /etc/ssh/sshd_config
+ marker: "# {mark} ROOT AUTHORIZATION"
+ state: absent
+ notify: reload sshd
+ when: not (boost_allow_root_ssh_between_servers | bool) or (other_servers_from_group_ips | length <= 0)
+ tags:
+ - ssh
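Review bot: The `blockinfile` edit of `/etc/ssh/sshd_config` is written and then `reload sshd` is notified without any syntax check, so a malformed entry in `other_servers_from_group_ips` (the list is joined straight into the `Match ... Address` line) is committed to the live config before sshd gets to reject it; adding `validate: "/usr/sbin/sshd -t -f %s"` to both tasks makes the module test the candidate file before installing it. `PermitRootLogin without-password` is the pre-7.0 spelling of `prohibit-password`; OpenSSH still accepts the alias, but the current keyword states the intent more clearly. Both tasks carry the same name although the second removes the block; `root cannot connect over SSH from other servers` for the second keeps the output readable. Since a `Match` block extends to the next `Match` or end of file, anything another role appends to sshd_config after this block would fall inside the `Match User root` scope, which is worth a comment next to the `marker` line.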
diff --git a/boost-proxy/tasks/sysctl.yml b/boost-proxy/tasks/sysctl.yml
new file mode 100644
index 00000000..517341b1
--- /dev/null
+++ b/boost-proxy/tasks/sysctl.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Boost optimization for sysctl
+ sysctl:
+ sysctl_file: "{{ boost_sysctl_file_path }}"
+ name: "{{ item.key }}"
+ value: "{{ item.value }}"
+ reload: yes
+ sysctl_set: yes
+ loop: "{{ boost_sysctl_config }}"
+ tags:
+ - sysctl
\ No newline at end of file
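Review bot: `reload: yes` and `sysctl_set: yes` use the YAML 1.1 truthy spellings; `reload: true` / `sysctl_set: true` are the canonical form and avoid yamllint's truthy warning. The task reads `item.key` and `item.value`, so `boost_sysctl_config` must be a list of `{key: ..., value: ...}` mappings, but its default of `[]` in `defaults/main.yml` gives no hint of that shape; a short comment there, or on the `loop:` line here, would save the next user a failed run. The file also ends without a trailing newline.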
diff --git a/boost-proxy/tasks/validate.yml b/boost-proxy/tasks/validate.yml
new file mode 100644
index 00000000..f3cac559
--- /dev/null
+++ b/boost-proxy/tasks/validate.yml
@@ -0,0 +1,24 @@
+---
+
+
+- name: check if HAProxy configuration is valid
+ shell:
+ cmd: "haproxy -c -f /etc/haproxy/haproxy.cfg"
+ changed_when: false
+ check_mode: no
+ register: haproxy_validate
+ when: boost_validate_haproxy
+ tags:
+ - always
+
+- name: check if Varnish configuration is valid
+ shell:
+ cmd: "sudo -u vcache TMPDIR={{ varnish_tmp_dir }} varnishd -C -f /etc/varnish/default.vcl > /dev/null"
+ args:
+ warn: False
+ changed_when: false
+ check_mode: no
+ register: varnish_validate
+ when: boost_validate_varnish
+ tags:
+ - always
\ No newline at end of file
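Review bot: `args: warn: False` on the Varnish check was removed from the `shell` / `command` modules in ansible-core 2.14, so on a current controller the task fails with an unsupported-parameter error before it validates anything; on older versions it only suppressed the `sudo` hint. That hint exists because `sudo -u vcache ...` is what `become: true` / `become_user: vcache` on the task express natively, which also removes the need for `warn`. `{{ varnish_tmp_dir }}` is interpolated into the command line unquoted and is not declared in this role's defaults (it presumably comes from the varnish role); `TMPDIR={{ varnish_tmp_dir | quote }}` guards against a value containing spaces or shell metacharacters. The HAProxy check uses no shell features and can use `command:` instead of `shell:`.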