Initial commit

tasks/main.yml

@@ -0,0 +1,12 @@
+- name: Copy HAProxy files
+  loop:
+        - { src: 'haproxy.conf.j2', dest: '/etc/haproxy/haproxy.cfg' }
+  template:
+        follow: yes
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+  notify: Run service actions
+  tags:
+        - update
+        - haproxy
+        - configs

templates/haproxy.conf.j2

@@ -0,0 +1,66 @@
+global
+  maxconn 2048
+  maxconnrate 40
+  unix-bind prefix /run/haproxy user nobody group nogroup
+
+defaults
+  mode http
+  retries 1
+  option forwardfor
+  option http-keep-alive
+  option tcp-smart-connect
+  option tcpka
+  option http-buffer-request
+  balance roundrobin
+  compression algo gzip
+  timeout http-request 10s
+  timeout connect 10s
+  timeout client 60s
+  timeout server 240s
+  timeout http-keep-alive 240s
+  default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check
+
+resolvers local
+  nameserver unbound 127.0.0.1:53
+  resolve_retries 2
+  timeout retry 300ms
+  hold other           100ms
+  hold refused         100ms
+  hold nx              100ms
+  hold timeout         3s
+  hold valid           5s
+{% for entry in services.haproxy.ports.tcp %}
+
+listen {{ entry.group }}
+  mode tcp
+  bind ipv4@*:{{ entry.expose }},ipv6@*:{{ entry.expose }}
+  option tcp-check
+{% for host in groups[entry.group] %}
+  server {{ entry.group }}-{{ loop.index0 }} {{ hostvars[host]['ansible_ens10']['ipv4']['address'] }}:{{ entry.proxy }} {% if loop.index0 != 0 %}backup{% endif %}
+
+{% endfor %}
+{% endfor %}
+
+frontend http
+  mode http
+  bind /haproxy.sock mode 660
+
+  acl root url /
+
+{% for domains in services.haproxy.public %}
+  use_backend backend-{{ domains.service }} if { hdr_beg(host) -i {{ domains.domain }} }
+{% endfor %}
+
+  http-response add-header X-Forwarded-Proto https
+  http-response set-header X-XSS-Protection 1;\ mode=block
+  http-response set-header X-Content-Type-Options nosniff
+  http-response set-header Referrer-Policy no-referrer-when-downgrade
+  http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
+{% for domains in services.haproxy.public %}
+
+backend backend-{{ domains.service }}
+  server-template {{ domains.service }} 1 _{{ domains.service }}._tcp.redxen.localhost
+{% if domains.httpchk %}
+  option httpchk HEAD / HTTP/1.1\r\nHost:\ {{ domains.domain }}.redxen.eu
+{% endif %}
+{% endfor %}

vars/main.yml

@@ -0,0 +1,4 @@
+apt_packages:
+        - { package: "haproxy", state: present }
+systemd:
+        - { name: "haproxy", enabled: true, action: reloaded, daemon_reload: true}