ansible/frontend.yml

---
- hosts: frontend
  vars:
        firewall:
                - { port: "{{ haproxy.ports.https }}", ipv: "v4", proto: "tcp" }
                - { port: "{{ haproxy.ports.https }}", ipv: "v6", proto: "tcp" }
                - { port: "2442", ipv: "v4", proto: "tcp" }
                - { port: "2442", ipv: "v6", proto: "tcp" }
                - { port: "6400", ipv: "v4", proto: "tcp" }
                - { port: "6400", ipv: "v6", proto: "tcp" }
        apt:
                packages:
                        - { package: "haproxy", state: present }
                        - { package: "hitch", state: present }
                        - { package: "varnish", state: present }
        systemd:
                services:
                        - { name: "haproxy", enabled: true, action: restarted }
                        - { name: "hitch", enabled: true, action: restarted }
                        - { name: "varnish", enabled: true, action: restarted }
                overrides:
                        - "haproxy"
                        - "hitch"
                        - "varnish"
        haproxy:
                socketroot: "/run/haproxy"
                config: "/etc/haproxy/haproxy.cfg"
                user: "varnish"
                group: "varnish"
                ports:
                        https: 443
                        tcp:
                                - {expose: 2442, proxy: 2443, group: "dev"}             # Gitea SSH
                                - {expose: 6400, proxy: 6401, group: "social"}          # Mumble
                                #- {expose: 25565, proxy: 25575, group: "minecraft"}    # Minecraft 
                redirect:
                        prefix:
                                - { pfx: "/web", acl: '{ hdr_beg(host) -i seed } { url / }' }
                public:
                        # These are load balanced, it doesn't matter what IP they point to
                        - {domain: "stats", count: 5, service: "grafana", httpchk: true}
                        - {domain: "social", count: 1, service: "pleroma", httpchk: true}
                        - {domain: "git", count: 1, service: "gitea", httpchk: true}
                        - {domain: "seed", count: 1, service: "transmission", httpchk: false}
                        - {domain: "sd", count: 1, service: "seedown", httpchk: true}
        varnish:
                backend:
                        sock: '{{ haproxy.socketroot }}/haproxy.sock'
                frontend:
                        sock: '/var/run/varnish.sock'
                        user: '_hitch'
                        group: '_hitch'
                        mode: '660'
                jail:
                        user: 'varnish'
        hitch:
                backend:
                        sock: '{{ varnish.frontend.sock }}'
                user: '_hitch'
                group: '_hitch'
                frontend:
                        port: 443
  roles:
        - apt
        - haproxy
        - varnish
        - hitch
        - systemd
        - firewall