ansible/roles/haproxy/tasks/main.yml
---
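- name: Install HAProxy, acme.sh and snooze
  # NOTE(review): the hosting forge flags invisible Unicode characters in this
  # file; locate and strip them before trusting any literal below (zero-width
  # or bidi characters inside a path or option silently change what is deployed).
  # NOTE(review): the task name mentions snooze, but only haproxy and acme.sh are
  # installed — confirm whether the renew service relies on it.
  package:
    # A list is the form `package` documents for several packages; a single
    # space-separated string relies on the backend splitting it.
    name:
      - haproxy
      - acme.sh
    state: present
  notify:
    - Restart HAProxy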
- name: Create HAProxy group
  # Fixed gid so the id is identical on every host (pairs with uid 20001).
  group:
    gid: 20001
    name: haproxy
  notify:
    - Restart HAProxy
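- name: Create HAProxy user
  user:
    name: haproxy
    uid: 20001
    group: haproxy
    # Daemon account: no home directory is created, /var/empty is used instead.
    # Canonical boolean instead of the YAML 1.1 `no` literal.
    create_home: false
    home: /var/empty
  notify:
    - Restart HAProxy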
- name: Add /var/log/haproxy to fstab
  # tmpfs-backed log directory: contents do not survive a reboot.
  # NOTE(review): uid/gid 20000 differ from the haproxy account (20001);
  # presumably they belong to the s6-log user that writes here — confirm.
  mount:
    path: /var/log/haproxy
    src: tmpfs
    fstype: tmpfs
    state: mounted
    opts: 'rw,size=128m,mode=750,uid=20000,gid=20000,late'
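- name: Create /var/run/haproxy
  file:
    path: /var/run/haproxy
    state: directory
    owner: root
    group: wheel
    # Quoted so the mode is passed verbatim rather than via YAML 1.1 octal
    # parsing (consistent with the quoted modes elsewhere in this role).
    mode: '0755'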
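- name: Create HAProxy service directories
  # s6-rc service definitions for haproxy and its log consumer.
  file:
    path: '/etc/s6-rc/service/{{ item }}'
    state: directory
    owner: root
    group: wheel
    # Quoted mode: passed verbatim instead of relying on YAML octal parsing.
    mode: '0755'
  with_items:
    - haproxy
    - haproxy/env
    - haproxy/data
    - haproxy-log
    - haproxy-log/env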
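- name: Generate HAProxy service scripts
  # Each script is rendered from a template of the same name under templates/.
  template:
    dest: '/etc/s6-rc/service/{{ item }}'
    src: '{{ item }}.j2'
    owner: root
    group: wheel
    # Executable, read-only scripts; quoted so the mode is passed verbatim.
    mode: '0555'
  with_items:
    - haproxy/run
    - haproxy/finish
    - haproxy/data/check
    - haproxy-log/run
    - haproxy-log/finish
  notify:
    - Reload s6-rc
    - Restart HAProxy
    - Restart HAProxy log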
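- name: Generate HAProxy service configuration
  # One small file per s6-rc key (type, notification-fd, env/*, ...).
  copy:
    dest: '/etc/s6-rc/service/{{ item.name }}'
    content: '{{ item.content }}'
    owner: root
    group: wheel
    # Quoted so the mode is passed verbatim rather than via octal parsing.
    mode: '0444'
  loop_control:
    label: '{{ item.name }} = {{ item.content }}'
  notify:
    - Reload s6-rc
    - Restart HAProxy
    - Restart HAProxy log
  with_items:
    - name: haproxy/type
      content: longrun
    # Quoted: the file must contain the text "3", not a YAML integer.
    - name: haproxy/notification-fd
      content: '3'
    - name: haproxy/producer-for
      content: haproxy-log
    - name: haproxy/env/NAME
      content: haproxy
    - name: haproxy/env/PATH
      content: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin'
    # Listen addresses come from the role's haproxy_v4 / haproxy_v6 variables.
    - name: haproxy/env/BIND_V4
      content: '{{ haproxy_v4 }}'
    - name: haproxy/env/BIND_V6
      content: '{{ haproxy_v6 }}'
    - name: haproxy-log/type
      content: longrun
    - name: haproxy-log/notification-fd
      content: '3'
    - name: haproxy-log/consumer-for
      content: haproxy
    - name: haproxy-log/env/NAME
      content: haproxy
    - name: haproxy-log/env/PATH
      content: '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin'
    # Log directory settings; MODE matches the tmpfs mount mode (750).
    - name: haproxy-log/env/MODE
      content: '750'
    - name: haproxy-log/env/USER
      content: s6-log
    - name: haproxy-log/env/GROUP
      content: s6-log
    - name: haproxy-log/env/DIR
      content: /var/log/haproxy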
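- name: Create HAProxy configuration directory
  # Group-writable by acme because the acme.sh deploy hook writes the PEM files
  # into this same directory (DEPLOY_HAPROXY_PEM_PATH). That also lets the acme
  # account rewrite the HAProxy configuration itself; a dedicated certificate
  # directory would keep the config read-only for acme — least-privilege note.
  file:
    path: /usr/local/etc/haproxy
    state: directory
    owner: root
    group: acme
    # Quoted so the mode is passed verbatim rather than via octal parsing.
    mode: '0770'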
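- name: Configure HAProxy
  # Static configuration fragments; backends are generated separately.
  template:
    dest: '/usr/local/etc/haproxy/{{ item }}'
    src: '{{ item }}.j2'
    owner: root
    group: wheel
    # Quoted so the mode is passed verbatim rather than via octal parsing.
    mode: '0444'
  notify:
    - Reload HAProxy
  with_items:
    - defaults.cfg
    - global.cfg
    - http.cfg
    - sni.cfg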
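- name: Configure HAProxy HTTP backends
  # One http_<host>.cfg per entry of haproxy_http.
  template:
    dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg'
    src: http_host.cfg.j2
    owner: root
    group: wheel
    # Quoted so the mode is passed verbatim rather than via octal parsing.
    mode: '0444'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_http }}'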
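- name: Configure HAProxy SNI backends
  # One sni_<host>.cfg per entry of haproxy_sni.
  template:
    dest: '/usr/local/etc/haproxy/sni_{{ item.host }}.cfg'
    src: sni_host.cfg.j2
    owner: root
    group: wheel
    # Quoted so the mode is passed verbatim rather than via octal parsing.
    mode: '0444'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_sni }}'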
- name: Make sure the HTTP map exists
  # `creates` keeps the task idempotent: nothing runs once the file exists.
  command:
    cmd: env touch /usr/local/etc/haproxy/http.map
    creates: /usr/local/etc/haproxy/http.map
  notify:
    - Reload HAProxy
- name: Make sure the SNI map exists
  # `creates` keeps the task idempotent: nothing runs once the file exists.
  command:
    cmd: env touch /usr/local/etc/haproxy/sni.map
    creates: /usr/local/etc/haproxy/sni.map
  notify:
    - Reload HAProxy
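- name: Enable HAProxy HTTP backends
  # Adds "<host> http_<host>" to the HTTP map, replacing an existing line for
  # the same host.
  lineinfile:
    path: /usr/local/etc/haproxy/http.map
    # regex_escape: host names contain regex metacharacters ('.'), which would
    # otherwise match more than the intended host.
    regexp: '^{{ item.host | regex_escape }} '
    line: '{{ item.host }} http_{{ item.host }}'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_http }}'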
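- name: Enable HAProxy SNI backends
  # Adds "<host> sni_<host>" to the SNI map, replacing an existing line for
  # the same host.
  lineinfile:
    path: /usr/local/etc/haproxy/sni.map
    # regex_escape: host names contain regex metacharacters ('.'), which would
    # otherwise match more than the intended host.
    regexp: '^{{ item.host | regex_escape }} '
    line: '{{ item.host }} sni_{{ item.host }}'
  notify:
    - Reload HAProxy
  with_items: '{{ haproxy_sni }}'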
# Run pending handlers (s6-rc reload, restarts) before the service is started.
- name: 'Flush handlers'
  meta: 'flush_handlers'
- name: Start HAProxy
  # fdmove -c 2 1 sends stderr to stdout so everything s6-rc prints is captured;
  # s6-rc only prints something when it actually changed state, which is what
  # changed_when keys on.
  command: fdmove -c 2 1 s6-rc -u -v 2 change haproxy
  register: change
  changed_when: (change.stdout | length) > 0
- name: Enable HAProxy
  # Persist the service in the enabled bundle so it comes up at boot.
  lineinfile:
    path: /etc/s6-rc/service/enabled/contents
    line: 'haproxy'
    regexp: '^haproxy$'
  notify:
    - Reload s6-rc
# Apply the s6-rc reload queued by the enable step before moving on to acme.sh.
- name: 'Flush handlers (again)'
  meta: 'flush_handlers'
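- name: "Register Let's Encrypt account"
  # Runs as the acme user; idempotent via `creates` on the account file.
  # `quote` shell-escapes the variable so a value containing whitespace cannot
  # be split into extra acme.sh arguments.
  command: 'env sudo -u acme acme.sh --email {{ haproxy_acme_email | quote }} --server letsencrypt --register-account --home /var/db/acme'
  args:
    creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/directory/account.json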
- name: Use the example deploy hooks
  # Symlink the packaged deploy hooks (including the haproxy hook used below)
  # into the acme.sh home.
  file:
    src: /usr/local/share/examples/acme.sh/deploy
    dest: /var/db/acme/deploy
    owner: acme
    group: acme
    state: link
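- name: Tell acme.sh where to find HAProxy on FreeBSD
  # The haproxy deploy hook writes PEM files to this path, hence the acme
  # group write access on the HAProxy configuration directory.
  lineinfile:
    path: /var/db/acme/account.conf
    # Canonical boolean instead of the YAML 1.1 `yes` literal.
    create: true
    owner: acme
    group: acme
    regexp: '^DEPLOY_HAPROXY_PEM_PATH='
    state: present
    line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'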
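- name: Tell acme.sh how to reload HAProxy on FreeBSD
  # The reload command runs via sudo; the matching sudoers rule is installed
  # from acme.j2 by the next task.
  lineinfile:
    path: /var/db/acme/account.conf
    regexp: '^DEPLOY_HAPROXY_RELOAD='
    state: present
    line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'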
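- name: Allow acme user to reload haproxy
  template:
    dest: /usr/local/etc/sudoers.d/acme
    src: acme.j2
    owner: root
    group: wheel
    mode: '0444'
    # A syntactically broken sudoers drop-in disables sudo for everyone;
    # visudo checks the rendered file before it is moved into place.
    validate: 'visudo -cf %s'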
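- name: Request X.509 certificates
  # Standalone HTTP-01 responder on port 8080. NOTE(review): presumably
  # http.cfg forwards /.well-known/acme-challenge/ there — confirm.
  # `quote` shell-escapes the domain so it cannot be split into extra
  # acme.sh arguments.
  command: 'env sudo -u acme acme.sh --home /var/db/acme --standalone --httpport 8080 --issue --domain {{ item | quote }}'
  args:
    # Idempotent: skipped once the certificate chain exists.
    creates: '/var/db/acme/{{ item }}/fullchain.cer'
  with_items:
    - '{{ ansible_fqdn }}'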
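- name: Deploy X.509 certificates to HAProxy
  # Uses the haproxy deploy hook configured in account.conf above.
  # NOTE(review): --debug makes acme.sh verbose and that output is captured in
  # the play log; consider dropping it once deployment is known to work.
  # `quote` shell-escapes the domain so it cannot be split into extra
  # acme.sh arguments.
  command: 'env sudo -Hu acme acme.sh --debug --home /var/db/acme --deploy --domain {{ item | quote }} --deploy-hook haproxy'
  args:
    # Idempotent: skipped once the PEM file exists.
    creates: '/usr/local/etc/haproxy/{{ item }}.pem'
  with_items:
    - '{{ ansible_fqdn }}'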
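- name: Create acme.sh renew service directories
  # Directory list comes from the role variable acme_service_dirs.
  file:
    path: '/etc/s6-rc/service/{{ item }}'
    state: directory
    owner: root
    group: wheel
    # Quoted so the mode is passed verbatim rather than via octal parsing.
    mode: '0755'
  with_items: '{{ acme_service_dirs }}'
  notify:
    - Reload s6-rc
    - Restart acme-renew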
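- name: Generate acme.sh renew service scripts
  # Script list comes from the role variable acme_service_scripts; each is
  # rendered from a template of the same name.
  template:
    dest: '/etc/s6-rc/service/{{ item }}'
    src: '{{ item }}.j2'
    owner: root
    group: wheel
    # Executable, read-only scripts; quoted so the mode is passed verbatim.
    mode: '0555'
  with_items: '{{ acme_service_scripts }}'
  notify:
    - Reload s6-rc
    - Restart acme-renew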
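- name: Generate acme.sh renew service configuration
  # name/content pairs come from the role variable acme_service_config.
  copy:
    dest: '/etc/s6-rc/service/{{ item.name }}'
    content: '{{ item.content }}'
    owner: root
    group: wheel
    # Quoted so the mode is passed verbatim rather than via octal parsing.
    mode: '0444'
  loop_control:
    label: '{{ item.name }} = {{ item.content }}'
  with_items: '{{ acme_service_config }}'
  notify:
    - Reload s6-rc
    - Restart acme-renew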
# Run pending handlers before the renew service is started.
- name: 'Flush handlers'
  meta: 'flush_handlers'
- name: Start acme renew service
  # Same pattern as "Start HAProxy": stderr is merged into stdout and the task
  # reports changed only when s6-rc printed something.
  command: fdmove -c 2 1 s6-rc -u -v 2 change acme-renew
  register: change
  changed_when: (change.stdout | length) > 0
- name: Enable acme-renew
  # Persist the renew service in the enabled bundle so it comes up at boot.
  lineinfile:
    path: /etc/s6-rc/service/enabled/contents
    line: 'acme-renew'
    regexp: '^acme-renew$'
  notify:
    - Reload s6-rc
# Apply the queued s6-rc reload so the enabled bundle is active before the role ends.
- name: 'Flush handlers (again)'
  meta: 'flush_handlers'