ansible/roles/haproxy/tasks/main.yml

326 lines
7.6 KiB
YAML
Raw Normal View History

2020-10-03 02:30:41 +02:00
---
- name: Install HAProxy, acme.sh and snooze
2020-10-03 02:30:41 +02:00
package:
name: haproxy acme.sh
2020-10-03 02:30:41 +02:00
state: present
notify:
- Restart HAProxy
- name: Create HAProxy group
group:
name: haproxy
gid: 20001
notify:
- Restart HAProxy
- name: Create HAProxy user
user:
name: haproxy
uid: 20001
group: haproxy
create_home: no
home: /var/empty
notify:
- Restart HAProxy
- name: Add /var/log/haproxy to fstab
mount:
path: /var/log/haproxy
src: tmpfs
fstype: tmpfs
opts: rw,size=128m,mode=750,uid=20000,gid=20000,late
state: mounted
- name: Create /var/run/haproxy
file:
path: /var/run/haproxy
state: directory
owner: root
group: wheel
mode: 0755
2020-10-03 02:30:41 +02:00
- name: Create HAProxy service directories
file:
path: '/etc/s6-rc/service/{{ item }}'
state: directory
owner: root
group: wheel
mode: 0755
with_items:
- haproxy
- haproxy/env
- haproxy/data
- haproxy-log
- haproxy-log/env
- name: Generate HAProxy service scripts
template:
dest: '/etc/s6-rc/service/{{ item }}'
src: '{{ item }}.j2'
mode: 0555
owner: root
group: wheel
with_items:
- haproxy/run
- haproxy/finish
- haproxy/data/check
- haproxy-log/run
- haproxy-log/finish
notify:
- Reload s6-rc
- Restart HAProxy
2021-01-04 23:33:42 +01:00
- Restart HAProxy log
2020-10-03 02:30:41 +02:00
- name: Generate HAProxy service configuration
copy:
dest: '/etc/s6-rc/service/{{ item.name }}'
content: '{{ item.content }}'
mode: 0444
owner: root
group: wheel
loop_control:
label: '{{ item.name }} = {{ item.content }}'
notify:
- Reload s6-rc
- Restart HAProxy
2021-01-04 23:33:42 +01:00
- Restart HAProxy log
2020-10-03 02:30:41 +02:00
with_items:
- name: haproxy/type
content: longrun
- name: haproxy/notification-fd
content: 3
- name: haproxy/producer-for
content: haproxy-log
- name: haproxy/env/NAME
content: haproxy
- name: haproxy/env/PATH
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
- name: haproxy/env/BIND_V4
content: '{{ haproxy_v4 }}'
- name: haproxy/env/BIND_V6
content: '{{ haproxy_v6 }}'
- name: haproxy-log/type
content: longrun
- name: haproxy-log/notification-fd
content: 3
- name: haproxy-log/consumer-for
content: haproxy
- name: haproxy-log/env/NAME
content: haproxy
- name: haproxy-log/env/PATH
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
- name: haproxy-log/env/MODE
content: '750'
- name: haproxy-log/env/USER
content: s6-log
- name: haproxy-log/env/GROUP
content: s6-log
- name: haproxy-log/env/DIR
content: /var/log/haproxy
- name: Create HAProxy configuration directory
file:
path: /usr/local/etc/haproxy
state: directory
owner: root
group: acme
mode: 0770
2020-10-03 02:30:41 +02:00
- name: Configure HAProxy
template:
dest: '/usr/local/etc/haproxy/{{ item }}'
src: '{{ item }}.j2'
owner: root
group: wheel
mode: 0444
notify:
- Reload HAProxy
with_items:
- defaults.cfg
- global.cfg
- http.cfg
2020-10-03 03:04:44 +02:00
- sni.cfg
2020-10-03 02:30:41 +02:00
2020-10-03 03:04:44 +02:00
- name: Configure HAProxy HTTP backends
2020-10-03 02:30:41 +02:00
template:
dest: '/usr/local/etc/haproxy/http_{{ item.host }}.cfg'
src: http_host.cfg.j2
owner: root
group: wheel
mode: 0444
notify:
- Reload HAProxy
with_items: '{{ haproxy_http }}'
2020-10-03 03:04:44 +02:00
- name: Configure HAProxy SNI backends
template:
dest: '/usr/local/etc/haproxy/sni_{{ item.host }}.cfg'
src: sni_host.cfg.j2
owner: root
group: wheel
mode: 0444
notify:
- Reload HAProxy
with_items: '{{ haproxy_sni }}'
- name: Make sure the HTTP map exists
command: env touch /usr/local/etc/haproxy/http.map
args:
creates: /usr/local/etc/haproxy/http.map
notify:
- Reload HAProxy
- name: Make sure the SNI map exists
command: env touch /usr/local/etc/haproxy/sni.map
args:
creates: /usr/local/etc/haproxy/sni.map
notify:
- Reload HAProxy
2020-10-03 02:30:41 +02:00
- name: Enable HAProxy HTTP backends
lineinfile:
path: /usr/local/etc/haproxy/http.map
regex: '^{{ item.host }} '
line: '{{ item.host }} http_{{ item.host }}'
notify:
- Reload HAProxy
with_items: '{{ haproxy_http }}'
2020-10-03 03:04:44 +02:00
- name: Enable HAProxy SNI backends
lineinfile:
path: /usr/local/etc/haproxy/sni.map
regex: '^{{ item.host }} '
line: '{{ item.host }} sni_{{ item.host }}'
2020-10-03 02:30:41 +02:00
notify:
- Reload HAProxy
2020-10-03 03:04:44 +02:00
with_items: '{{ haproxy_sni }}'
2020-10-03 02:30:41 +02:00
- name: Flush handlers
meta: flush_handlers
2020-10-03 03:14:01 +02:00
- name: Start HAProxy
command: fdmove -c 2 1 s6-rc -u -v 2 change haproxy
register: change
changed_when: change.stdout | length > 0
- name: Enable HAProxy
lineinfile:
path: /etc/s6-rc/service/enabled/contents
regexp: "^haproxy$"
line: "haproxy"
notify:
- Reload s6-rc
- name: Flush handlers (again)
meta: flush_handlers
- name: "Register Let's Encrypt account"
command: 'env sudo -u acme acme.sh --email {{ haproxy_acme_email }} --server letsencrypt --register-account --home /var/db/acme'
args:
creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/directory/account.json
- name: Use the example deploy hooks
file:
dest: /var/db/acme/deploy
src: /usr/local/share/examples/acme.sh/deploy
state: link
owner: acme
group: acme
- name: Tell acme.sh where to find HAProxy on FreeBSD
lineinfile:
path: /var/db/acme/account.conf
create: yes
owner: acme
group: acme
regex: '^DEPLOY_HAPROXY_PEM_PATH='
state: present
line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'
- name: Tell acme.sh how to reload HAProxy on FreeBSD
lineinfile:
path: /var/db/acme/account.conf
regex: '^DEPLOY_HAPROXY_RELOAD='
state: present
line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'
- name: Allow acme user to reload haproxy
template:
dest: /usr/local/etc/sudoers.d/acme
src: acme.j2
owner: root
group: wheel
mode: '0444'
- name: Request X.509 certificates
command: 'env sudo -u acme acme.sh --home /var/db/acme --standalone --httpport 8080 --issue --domain {{ item }}'
args:
creates: '/var/db/acme/{{ item }}/fullchain.cer'
with_items:
- '{{ ansible_fqdn }}'
- name: Deploy X.509 certificates to HAProxy
command: 'env sudo -Hu acme acme.sh --debug --home /var/db/acme --deploy --domain {{ item }} --deploy-hook haproxy'
args:
creates: '/usr/local/etc/haproxy/{{ item }}.pem'
with_items:
- '{{ ansible_fqdn }}'
2021-01-31 19:16:27 +01:00
- name: Create acme.sh renew service directories
file:
path: '/etc/s6-rc/service/{{ item }}'
state: directory
owner: root
group: wheel
mode: 0755
with_items: '{{ acme_service_dirs }}'
notify:
- Reload s6-rc
- Restart acme-renew
- name: Generate acme.sh renew service scripts
template:
dest: '/etc/s6-rc/service/{{ item }}'
src: '{{ item }}.j2'
mode: 0555
owner: root
group: wheel
with_items: '{{ acme_service_scripts }}'
notify:
- Reload s6-rc
- Restart acme-renew
- name: Generate acme.sh renew service configuration
copy:
dest: '/etc/s6-rc/service/{{ item.name }}'
content: '{{ item.content }}'
mode: 0444
owner: root
group: wheel
loop_control:
label: '{{ item.name }} = {{ item.content }}'
with_items: '{{ acme_service_config }}'
notify:
- Reload s6-rc
- Restart acme-renew
- name: Flush handlers
meta: flush_handlers
- name: Start acme renew service
command: fdmove -c 2 1 s6-rc -u -v 2 change acme-renew
register: change
changed_when: change.stdout | length > 0
- name: Enable acme-renew
lineinfile:
path: /etc/s6-rc/service/enabled/contents
regexp: "^acme-renew$"
line: "acme-renew"
notify:
- Reload s6-rc
- name: Flush handlers (again)
meta: flush_handlers