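---
# Playbook: install HAProxy on a RHEL-family host, obtain a Let's Encrypt
# certificate with certbot (standalone, HTTP-01 on port 8888) and install the
# final HAProxy configuration. Variables are read from haproxyvars.yml unless a
# different vars_file is supplied on the command line.
- name: Install HAProxy and Setup LetsEncrypt
  hosts: "{{ target }}"
  gather_facts: true  # ansible_distribution_major_version is used by the EPEL tasks below
  become: true
  vars_files:
    - "{{ vars_file | default('haproxyvars.yml') }}"
  tasks:
    # Open http & https firewall services to allow HTTP/HTTPS traffic
    - name: Open Firewall Ports
      ansible.posix.firewalld:
        service: "{{ item }}"
        immediate: true
        permanent: true
        state: enabled
      loop:
        - "http"
        - "https"

    # Open port to enable access of HAProxy Stats/Status Page.
    # NOTE(review): this exposes the stats page to every source firewalld
    # accepts; the stats stanza in config.cfg.j2 should require authentication,
    # or the source should be restricted with a firewalld rich rule.
    - name: Open Firewall Port for Stats Page
      ansible.posix.firewalld:
        port: "{{ stats_page_port }}/tcp"
        immediate: true
        permanent: true
        state: enabled
      when: stats_page_enable

    # Import the EPEL signing key so the release RPM below can be verified.
    # Previously the RPM was installed with disable_gpg_check, which accepts
    # any package served at that URL. A missing key file for an unsupported
    # release now fails the play instead of installing unverified software.
    - name: Import EPEL GPG key
      ansible.builtin.rpm_key:
        key: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
        state: present

    # Install EPEL depending on RHEL version (signature checked against the key above)
    - name: Install EPEL
      ansible.builtin.yum:
        name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
        state: present

    # Install required packages.
    # state: latest upgrades these packages on every run; switch to present if
    # reproducible runs matter more than picking up updates.
    - name: Install Packages
      ansible.builtin.yum:
        name: "{{ packages }}"
        state: latest
      vars:
        packages:
          - haproxy
          - certbot
          - python3-libselinux

    # Disable SELinux for installation
    # TODO: Make it work better with SELinux
    - name: Disable SELinux
      ansible.posix.selinux:
        state: disabled
      register: selinuxresult

    # Reboot the server if required after SELinux is disabled
    - name: Reboot
      ansible.builtin.reboot:
      when: selinuxresult.reboot_required

    # Create an RSYSLOG configuration file for HAProxy logging
    - name: Create Rsyslog Config
      ansible.builtin.copy:
        src: syslog.cfg
        dest: /etc/rsyslog.d/99-haproxy.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart rsyslog

    # Create a socket to allow HAproxy logging
    - name: make log socket directory
      ansible.builtin.file:
        path: /var/lib/haproxy/dev
        state: directory
      notify: Restart rsyslog

    # Template a temporary HAProxy config to allow the HAProxy service to start
    # before final configuration (certbot needs a listener for the HTTP-01
    # challenge before the real certificate exists).
    - name: Template temporary haproxy config
      ansible.builtin.template:
        src: bootstrap.cfg.j2
        dest: /etc/haproxy/haproxy.cfg
      when: configure_letsencrypt

    # Restart the HAProxy service so the bootstrap config is live
    - name: Restart HAProxy
      ansible.builtin.systemd:
        service: haproxy
        state: restarted
      when: configure_letsencrypt

    # Create a directory to store SSL certificates.
    # NOTE(review): the PEM bundles written here presumably contain private
    # keys; consider mode '0700' once it is confirmed (against config.cfg.j2 and
    # post-hook.sh) that nothing other than root needs to read them.
    - name: make SSL cert directory
      ansible.builtin.file:
        path: /etc/ssl/haproxy
        state: directory

    # Create a directory to store the post hooks needed for certbot and certificate renewal
    - name: make post-hook directory
      ansible.builtin.file:
        path: /etc/letsencrypt/renewal-hooks/post
        state: directory
      when: configure_letsencrypt

    # Copy the post hook script to the newly-created post hooks directory.
    # certbot runs the hook as root (it owns /etc/letsencrypt), so the script
    # needs no group-write or world access: 0750 instead of the former 0774.
    - name: copy post-hook script
      ansible.builtin.copy:
        src: post-hook.sh
        dest: /etc/letsencrypt/renewal-hooks/post/haproxy.sh
        mode: '0750'
        owner: root
        group: root
      when: configure_letsencrypt

    # Ensure required letsencrypt directories exist
    - name: Ensure directories exist
      ansible.builtin.file:
        path: "/etc/letsencrypt/{{ item }}"
        state: directory
        mode: '0750'
      loop:
        - archive
        - csr
        - keys
        - "live/{{ domain_list[0] }}"

    # Setup Certbot to allow certificate renewal.
    # Not idempotent from Ansible's point of view (always reports changed);
    # --expand and --non-interactive let it be re-run when domain_list grows.
    # --http-01-port=8888 assumes bootstrap.cfg.j2 forwards the ACME challenge
    # path to that port — confirm if the bootstrap template changes.
    - name: run Certbot command
      ansible.builtin.command: "certbot certonly --standalone -d {{ domain_list | join(' -d ') }} --agree-tos --email {{ admin_email }} --http-01-port=8888 --expand --non-interactive --post-hook /etc/letsencrypt/renewal-hooks/post/haproxy.sh"
      when: configure_letsencrypt

    # Generate more secure DH (Diffie-Hellman) parameters for OpenSSL.
    # `creates` makes this idempotent: without it the (slow) generation ran on
    # every play and rewrote the file HAProxy was already using.
    - name: generate more secure DH params
      ansible.builtin.command: "openssl dhparam -out /etc/haproxy/dhparams.pem 2048"
      args:
        creates: /etc/haproxy/dhparams.pem

    # Create a systemd timer file to run certbot certificate renewal automatically
    - name: Copy systemd timer file
      ansible.builtin.copy:
        src: certbot-renewal.timer
        dest: /etc/systemd/system
        owner: root
        group: root
        mode: '0644'
      when: configure_letsencrypt

    # Create a systemd unit file for the certbot certificate renewal process
    - name: Copy systemd unit file
      ansible.builtin.copy:
        src: certbot-renewal.service
        dest: /etc/systemd/system
        owner: root
        group: root
        mode: '0644'
      when: configure_letsencrypt

    # Enable the newly created certbot systemd timer
    - name: enable certbot renew timer
      ansible.builtin.systemd:
        name: certbot-renewal.timer
        state: started
        daemon_reload: true
        enabled: true
      when: configure_letsencrypt

    # Template and install the final HAProxy configuration file
    - name: Template haproxy config
      ansible.builtin.template:
        src: config.cfg.j2
        dest: /etc/haproxy/haproxy.cfg
      notify: Restart haproxy

  handlers:
    - name: Restart rsyslog
      ansible.builtin.systemd:
        service: rsyslog
        state: restarted

    - name: Restart haproxy
      ansible.builtin.systemd:
        service: haproxy
        state: restarted
        enabled: true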