---
- name: ssl-cert package is installed
  ansible.builtin.apt:
    name: ssl-cert
    state: present
  tags:
    - haproxy
    - packages

- name: HAProxy SSL directory is present
  ansible.builtin.file:
    path: /etc/haproxy/ssl
    owner: root
    group: root
    mode: "0700"
    state: directory
  tags:
    - haproxy
    - ssl

- name: Self-signed certificate is present in HAProxy ssl directory
  ansible.builtin.shell:
    cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
  args:
    creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
  notify: reload haproxy
  tags:
    - haproxy
    - ssl

- name: HAProxy stats_access_ips are present
  ansible.builtin.blockinfile:
    dest: /etc/haproxy/stats_access_ips
    create: yes
    block: |
      {% for ip in haproxy_stats_access_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  notify: reload haproxy
  tags:
    - haproxy
    - config
    - update-config

- name: HAProxy stats_admin_ips are present
  ansible.builtin.blockinfile:
    dest: /etc/haproxy/stats_admin_ips
    create: yes
    block: |
      {% for ip in haproxy_stats_admin_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  notify: reload haproxy
  tags:
    - haproxy
    - config
    - update-config

- name: HAProxy maintenance_ips are present
  ansible.builtin.blockinfile:
    dest: /etc/haproxy/maintenance_ips
    create: yes
    block: |
      {% for ip in haproxy_maintenance_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  notify: reload haproxy
  tags:
    - haproxy
    - config
    - update-config

- name: HAProxy deny_ips are present
  ansible.builtin.blockinfile:
    dest: /etc/haproxy/deny_ips
    create: yes
    block: |
      {% for ip in haproxy_deny_ips | default([]) %}
      {{ ip }}
      {% endfor %}
  notify: reload haproxy
  tags:
    - haproxy
    - config
    - update-config

- ansible.builtin.include: packages_backports.yml
  when: haproxy_backports | bool

- name: Install HAProxy package
  ansible.builtin.apt:
    name: haproxy
    state: present
  tags:
    - haproxy
    - packages

- name: Copy HAProxy configuration
  ansible.builtin.template:
    src: "{{ item }}"
    dest: /etc/haproxy/haproxy.cfg
    force: "{{ haproxy_force_config }}"
    validate: "haproxy -c -f %s"
  loop: "{{ query('first_found', templates) }}"
  vars:
    templates:
      - "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
      - "templates/haproxy/haproxy.{{ host_group | default('all') }}.cfg.j2"
      - "templates/haproxy/haproxy.default.cfg.j2"
      - "templates/haproxy.default.cfg.j2"
  notify: reload haproxy
  when: haproxy_update_config | bool
  tags:
    - haproxy
    - config
    - update-config

- name: Rotate logs with dateext
  ansible.builtin.lineinfile:
    dest: /etc/logrotate.d/haproxy
    line: '    dateext'
    regexp: '^\s*#*\s*(no)?dateext'
    insertbefore: '}'
  tags:
    - haproxy
    - logrotate

- name: Rotate logs with nodelaycompress
  ansible.builtin.lineinfile:
    dest: /etc/logrotate.d/haproxy
    line: '    nodelaycompress'
    regexp: '^\s*#*\s*(no)?delaycompress'
    insertbefore: '}'
  tags:
    - haproxy
    - logrotate

- name: Set net.ipv4.ip_nonlocal_bind
  ansible.posix.sysctl:
    name: net.ipv4.ip_nonlocal_bind
    value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
    state: present
    reload: yes
  tags:
    - haproxy
  when:
    - haproxy_allow_ip_nonlocal_bind is defined
    - haproxy_allow_ip_nonlocal_bind is not none

- ansible.builtin.include: munin.yml