authorLars Wirzenius <>2018-08-07 12:09:43 +0300
committerLars Wirzenius <>2018-08-07 13:50:40 +0300
commit24eaa6c48c7147f2f7330bcb1ad4677208714403 (patch)
tree15de91977882240ed278ce673aa5360edbe80d89 /roles/haproxy
parent2520c525cb4cdbe2596efd63d0cc8e3529ed19a3 (diff)
Add: haproxy role
Diffstat (limited to 'roles/haproxy')
4 files changed, 146 insertions, 0 deletions
diff --git a/roles/haproxy/README b/roles/haproxy/README
new file mode 100644
index 0000000..ed0360a
--- /dev/null
+++ b/roles/haproxy/README
@@ -0,0 +1 @@
+Install haproxy and set up a Let's Encrypt TLS certificate for it.
diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
new file mode 100644
index 0000000..12e2906
--- /dev/null
+++ b/roles/haproxy/defaults/main.yml
@@ -0,0 +1,14 @@
+# Set the domain haproxy serves, used for the TLS certificate.
+haproxy_domain: FIXME
+# List haproxy rules: a list of dicts like this:
+# name: foo
+# path: /foo
+# backends:
+# -
+# -
+haproxy_rules: []
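Review bot: The example in the `haproxy_rules` comment leaves the two `backends` entries empty, so a reader cannot tell what each entry should contain, while tasks/main.yml interpolates each entry verbatim into an haproxy `server` line as the address. I would make the example concrete, e.g. `# backends:` followed by `#   - 10.0.0.1:8080   # address[:port], passed straight to haproxy's server line` (sample value constructed), and state that `name` has to be a valid haproxy identifier because it appears to be reused as the acl and backend name. The rendered hunk shows fewer lines than its `@@ -0,0 +1,14 @@` header declares, so blank lines may simply have been dropped in rendering rather than missing from the file.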
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
new file mode 100644
index 0000000..0a56410
--- /dev/null
+++ b/roles/haproxy/tasks/main.yml
@@ -0,0 +1,94 @@
+- name: "check haproxy_domain is set"
+ shell: |
+ case "{{ haproxy_domain }}" in
+ echo "ERROR: MUST set haproxy_domain" 1>&2
+ exit 1
+ ;;
+ esac
+- name: "install certbot"
+ apt:
+ name: certbot
+ default_release: stretch-backports
+- name: "run certbot"
+ shell: |
+ certbot certonly \
+ --standalone \
+ --noninteractive \
+ --email "{{ letsencrypt_email }}" \
+ --agree-tos \
+ --expand \
+ --cert-name haproxy \
+ --keep \
+ --pre-hook "systemctl stop haproxy" \
+ --post-hook "systemctl start haproxy" \
+ -d "{{ haproxy_domain }}"
+ (cd /etc/letsencrypt/live/haproxy; cat fullchain.pem privkey.pem) \
+ > /etc/ssl/haproxy.pem
+- name: install haproxy
+ apt:
+ name: haproxy
+- name: "create config dirs"
+ file:
+ state: directory
+ path: "{{ item }}"
+ owner: root
+ group: root
+ mode: 0755
+ with_items:
+ - /etc/haproxy
+- name: "drop haproxy frontends and backends lists"
+ file:
+ state: absent
+ path: "{{ item }}"
+ with_items:
+ - /etc/haproxy/frontends
+ - /etc/haproxy/backends
+- name: "create haproxy frontends list"
+ shell: |
+ (
+ echo ""
+ echo " acl {{ }} path_beg {{ item.path }}"
+ echo " use_backend {{ }} if {{ }}"
+ ) >> /etc/haproxy/frontends
+ with_items:
+ - "{{ haproxy_rules }}"
+- name: "create haproxy backends list"
+ shell: |
+ (
+ echo ""
+ echo "backend {{ }}"
+ i=0
+ {% for backend in item.backends %}
+ i="$(expr $i + 1)"
+ echo " server {{ }}_$i {{ backend }}"
+ {% endfor %}
+ ) >> /etc/haproxy/backends
+ with_items:
+ - "{{ haproxy_rules }}"
+- name: "copy haproxy preamble"
+ template:
+ src: haproxy.cfg.preamble
+ dest: /etc/haproxy
+- name: "assemble haproxy preamble"
+ shell: |
+ cd /etc/haproxy
+ cat haproxy.cfg.preamble frontends backends > haproxy.cfg
+ chmod 0755 haproxy.cfg
+- name: enable and start haproxy
+ service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: yes
+ with_items:
+ - haproxy
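Review bot: In the "run certbot" task the concatenated `fullchain.pem` and `privkey.pem` are written to `/etc/ssl/haproxy.pem` with a plain shell redirect, so the private key ends up with whatever mode the caller's umask implies (commonly world-readable 0644) instead of the root-only mode certbot keeps in its own live directory. Set the mode explicitly, e.g. `umask 077` as the first line of that shell block, or follow the redirect with `chmod 0600 /etc/ssl/haproxy.pem`; haproxy loads certificates at startup before dropping to the `haproxy` user configured in the template, so root-only access should suffice. Relatedly, "assemble haproxy preamble" runs `chmod 0755 haproxy.cfg` although a config file needs no execute bit (`chmod 0644 haproxy.cfg` is the conventional mode), and with the default `haproxy_rules: []` the "drop" task removes `frontends` and `backends` but the two loop tasks never recreate them, so the `cat` in the assemble step fails on a fresh host; a `touch frontends backends` before the `cat` avoids that. Finally, `mode: 0755` in "create config dirs" should be quoted as `mode: "0755"` and `enabled: yes` written as `enabled: true`, per Ansible's guidance on octal modes and YAML 1.1 truthy values.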
diff --git a/roles/haproxy/templates/haproxy.cfg.preamble b/roles/haproxy/templates/haproxy.cfg.preamble
new file mode 100644
index 0000000..e01bc4e
--- /dev/null
+++ b/roles/haproxy/templates/haproxy.cfg.preamble
@@ -0,0 +1,37 @@
+ log local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
+ rspadd Strict-Transport-Security:\ max-age=15768000