7c632352a0
The behaviour of the `include` module is badly defined (it try to choose between statically importing the tasks and dynamically including them) and can cause problems depending on any number of constraints (mostly if it choose the wrong behaviour). Replace it with the `import_tasks` (always statically import tasks) unless the `include` is in a loop in which case we replace it with `include_tasks` (always dynamically include tasks).
151 lines
3.4 KiB
YAML
151 lines
3.4 KiB
YAML
---
|
|
- name: ssl-cert package is installed
|
|
apt:
|
|
name: ssl-cert
|
|
state: present
|
|
tags:
|
|
- haproxy
|
|
- packages
|
|
|
|
- name: HAProxy SSL directory is present
|
|
file:
|
|
path: /etc/haproxy/ssl
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
state: directory
|
|
tags:
|
|
- haproxy
|
|
- ssl
|
|
|
|
- name: Self-signed certificate is present in HAProxy ssl directory
|
|
shell: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
|
|
args:
|
|
creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- ssl
|
|
|
|
- name: HAProxy stats_access_ips are present
|
|
blockinfile:
|
|
dest: /etc/haproxy/stats_access_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_stats_access_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: HAProxy stats_admin_ips are present
|
|
blockinfile:
|
|
dest: /etc/haproxy/stats_admin_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_stats_admin_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: HAProxy maintenance_ips are present
|
|
blockinfile:
|
|
dest: /etc/haproxy/maintenance_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_maintenance_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: HAProxy deny_ips are present
|
|
blockinfile:
|
|
dest: /etc/haproxy/deny_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_deny_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- import_tasks: packages_backports.yml
|
|
when: haproxy_backports | bool
|
|
|
|
- name: Install HAProxy package
|
|
apt:
|
|
name: haproxy
|
|
state: present
|
|
tags:
|
|
- haproxy
|
|
- packages
|
|
|
|
- name: Copy HAProxy configuration
|
|
template:
|
|
src: "{{ item }}"
|
|
dest: /etc/haproxy/haproxy.cfg
|
|
force: "{{ haproxy_force_config }}"
|
|
validate: "haproxy -c -f %s"
|
|
loop: "{{ query('first_found', templates) }}"
|
|
vars:
|
|
templates:
|
|
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
|
|
- "templates/haproxy/haproxy.{{ host_group | default('all') }}.cfg.j2"
|
|
- "templates/haproxy/haproxy.default.cfg.j2"
|
|
- "templates/haproxy.default.cfg.j2"
|
|
notify: reload haproxy
|
|
when: haproxy_update_config | bool
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: Rotate logs with dateext
|
|
lineinfile:
|
|
dest: /etc/logrotate.d/haproxy
|
|
line: ' dateext'
|
|
regexp: '^\s*#*\s*(no)?dateext'
|
|
insertbefore: '}'
|
|
tags:
|
|
- haproxy
|
|
- logrotate
|
|
|
|
- name: Rotate logs with nodelaycompress
|
|
lineinfile:
|
|
dest: /etc/logrotate.d/haproxy
|
|
line: ' nodelaycompress'
|
|
regexp: '^\s*#*\s*(no)?delaycompress'
|
|
insertbefore: '}'
|
|
tags:
|
|
- haproxy
|
|
- logrotate
|
|
|
|
- name: Set net.ipv4.ip_nonlocal_bind
|
|
sysctl:
|
|
name: net.ipv4.ip_nonlocal_bind
|
|
value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
|
|
sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
|
|
state: present
|
|
reload: yes
|
|
tags:
|
|
- haproxy
|
|
when:
|
|
- haproxy_allow_ip_nonlocal_bind is defined
|
|
- haproxy_allow_ip_nonlocal_bind is not none
|
|
|
|
- import_tasks: munin.yml
|