From 24eaa6c48c7147f2f7330bcb1ad4677208714403 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Tue, 7 Aug 2018 12:09:43 +0300
Subject: Add: haproxy role
---
 roles/haproxy/README | 1 +
 roles/haproxy/defaults/main.yml | 14 +++++
 roles/haproxy/tasks/main.yml | 94 ++++++++++++++++++++++++++++
 roles/haproxy/templates/haproxy.cfg.preamble | 37 +++++++++++
 4 files changed, 146 insertions(+)
 create mode 100644 roles/haproxy/README
 create mode 100644 roles/haproxy/defaults/main.yml
 create mode 100644 roles/haproxy/tasks/main.yml
 create mode 100644 roles/haproxy/templates/haproxy.cfg.preamble
(limited to 'roles')
diff --git a/roles/haproxy/README b/roles/haproxy/README
new file mode 100644
index 0000000..ed0360a
--- /dev/null
+++ b/roles/haproxy/README
@@ -0,0 +1 @@
+Install haproxy and set up a Let's Encrypt TLS certificate for it.
diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
new file mode 100644
index 0000000..12e2906
--- /dev/null
+++ b/roles/haproxy/defaults/main.yml
@@ -0,0 +1,14 @@
+# Set the domain haproxy serves, used for the TLS certificate.
+
+haproxy_domain: FIXME
+
+# List haproxy rules: a list of dicts like this:
+#
+# name: foo
+# path: /foo
+# backends:
+# - 127.0.0.1:8080
+# - 127.0.0.1:8181
+
+haproxy_rules: []
+
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
new file mode 100644
index 0000000..0a56410
--- /dev/null
+++ b/roles/haproxy/tasks/main.yml
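Review bot: `haproxy_domain: FIXME` leans on a shell `case` in tasks/main.yml to catch an unset domain, while `letsencrypt_email`, which the `run certbot` task passes to `--email`, is not declared in this defaults file at all, so a missing value only surfaces once certbot is already running after packages were installed. Either declare it next to `haproxy_domain` with the same sentinel and a comment, `letsencrypt_email: FIXME`, or drop the sentinels and reference both as `{{ haproxy_domain | mandatory }}` / `{{ letsencrypt_email | mandatory }}` so Ansible fails before anything is changed on the host. The comment block for `haproxy_rules` should also state that `name` is used verbatim as a HAProxy acl and backend identifier and `path` as a `path_beg` prefix, since the tasks splice these values into the generated config without validating them.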
@@ -0,0 +1,94 @@
+- name: "check haproxy_domain is set"
+ shell: |
+ case "{{ haproxy_domain }}" in
+ FIXME)
+ echo "ERROR: MUST set haproxy_domain" 1>&2
+ exit 1
+ ;;
+ esac
+
+- name: "install certbot"
+ apt:
+ name: certbot
+ default_release: stretch-backports
+
+- name: "run certbot"
+ shell: |
+ certbot certonly \
+ --standalone \
+ --noninteractive \
+ --email "{{ letsencrypt_email }}" \
+ --agree-tos \
+ --expand \
+ --cert-name haproxy \
+ --keep \
+ --pre-hook "systemctl stop haproxy" \
+ --post-hook "systemctl start haproxy" \
+ -d "{{ haproxy_domain }}"
+ (cd /etc/letsencrypt/live/haproxy; cat fullchain.pem privkey.pem) \
+ > /etc/ssl/haproxy.pem
+
+- name: install haproxy
+ apt:
+ name: haproxy
+
+- name: "create config dirs"
+ file:
+ state: directory
+ path: "{{ item }}"
+ owner: root
+ group: root
+ mode: 0755
+ with_items:
+ - /etc/haproxy
+
+- name: "drop haproxy frontends and backends lists"
+ file:
+ state: absent
+ path: "{{ item }}"
+ with_items:
+ - /etc/haproxy/frontends
+ - /etc/haproxy/backends
+
+- name: "create haproxy frontends list"
+ shell: |
+ (
+ echo ""
+ echo " acl {{ item.name }} path_beg {{ item.path }}"
+ echo " use_backend {{ item.name }} if {{ item.name }}"
+ ) >> /etc/haproxy/frontends
+ with_items:
+ - "{{ haproxy_rules }}"
+
+- name: "create haproxy backends list"
+ shell: |
+ (
+ echo ""
+ echo "backend {{ item.name }}"
+ i=0
+ {% for backend in item.backends %}
+ i="$(expr $i + 1)"
+ echo " server {{ item.name }}_$i {{ backend }}"
+ {% endfor %}
+ ) >> /etc/haproxy/backends
+ with_items:
+ - "{{ haproxy_rules }}"
+
+- name: "copy haproxy preamble"
+ template:
+ src: haproxy.cfg.preamble
+ dest: /etc/haproxy
+
+- name: "assemble haproxy preamble"
+ shell: |
+ cd /etc/haproxy
+ cat haproxy.cfg.preamble frontends backends > haproxy.cfg
+ chmod 0755 haproxy.cfg
+
+- name: enable and start haproxy
+ service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: yes
+ with_items:
+ - haproxy
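Review bot: The `run certbot` task writes `fullchain.pem privkey.pem` to `/etc/ssl/haproxy.pem` through a bare shell redirect, so the private key is created with the task's default umask, which on a stock Debian host means world-readable. Put `umask 077` on its own line before the `(cd /etc/letsencrypt/live/haproxy; cat fullchain.pem privkey.pem) \` line so the file comes out 0600 and root-owned, which is enough because haproxy loads certificates at startup before dropping to `user haproxy`. The concatenated copy is also only rebuilt when this playbook runs: certbot's packaged renewal timer refreshes `/etc/letsencrypt/live/haproxy/` but not `/etc/ssl/haproxy.pem`, so the served certificate goes stale after the 90-day lifetime unless a `--deploy-hook` repeats the concatenation and reloads haproxy. Separately, `chmod 0755 haproxy.cfg` in the `assemble haproxy preamble` task marks a plain config file executable where `0644` is the conventional mode, and the final `state: restarted` task bounces haproxy on every run without a `haproxy -c -f /etc/haproxy/haproxy.cfg` check first, so a malformed entry in `haproxy_rules` takes the proxy down instead of failing the play.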
diff --git a/roles/haproxy/templates/haproxy.cfg.preamble b/roles/haproxy/templates/haproxy.cfg.preamble
new file mode 100644
index 0000000..e01bc4e
--- /dev/null
+++ b/roles/haproxy/templates/haproxy.cfg.preamble
@@ -0,0 +1,37 @@
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
-- cgit v1.2.1
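Review bot: `frontend http-in` binds both `*:80` and `*:443`, and the acl/use_backend lines that tasks/main.yml appends after this preamble route both ports to the same backends, so every application is reachable over plaintext HTTP while the `rspadd Strict-Transport-Security` header is only honoured by browsers on HTTPS responses. Add `redirect scheme https code 301 if !{ ssl_fc }` directly after the two `bind` lines so port 80 does nothing but redirect; certbot's standalone challenge is unaffected because the role's pre-hook stops haproxy for it anyway. The `bind *:443` line disables SSLv3 and TLS 1.0 but still accepts TLS 1.1, so `no-tlsv11` belongs alongside `no-sslv3 no-tlsv10` unless a specific client is known to need it. `rspadd` is the HAProxy 1.x form and later releases drop it; `http-response set-header Strict-Transport-Security max-age=15768000` is the forward-compatible equivalent and avoids the `\ ` escaping on this line.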