Initial commit

2021-09-23 09:54:34 -06:00 · 2021-09-23 09:54:34 -06:00 · 054a3711f1
commit 054a3711f1
parent cc01d8bf27
9 changed files with 393 additions and 7 deletions
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@ -0,0 +1,134 @@
+---
+# file: roles/haproxy/tasks/main.yml
+
+- name: Install Ansible prereq packages
+  package:
+    name:
+      - policycoreutils-python-utils
+      - NetworkManager
+    state: latest
+  become: yes
+
+- name: Install packages
+  package:
+    name:
+      - keepalived
+      - haproxy
+      - firewalld
+    state: latest
+  become: yes
+
+- name: Add VLAN
+  nmcli:
+    conn_name: "{{ haproxy_keepalived_adapter }}.{{ haproxy_keepalived_adapter_vlan }}"
+    vlanid: "{{ haproxy_keepalived_adapter_vlan }}"
+    ip4: "{{ haproxy_keepalived_ip }}"
+    vlandev: "{{ haproxy_keepalived_adapter }}"
+    autoconnect: yes
+    type: vlan
+    state: present
+  become: yes
+  when: (haproxy_keepalived_adapter_vlan is defined) and (haproxy_keepalived_ip is defined)
+
+- name: Enable firewall rule for vrrp
+  firewalld:
+    rich_rule: 'rule protocol value="vrrp" accept'
+    permanent: yes
+    state: enabled
+    immediate: yes
+  notify: reload firewalld
+  become: yes
+
+- name: Allow binding non-local IP
+  sysctl:
+    name: net.ipv4.ip_nonlocal_bind
+    value: "1"
+    reload: true
+    state: present
+  become: yes
+
+- name: Allow binding ip forward
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    reload: true
+    state: present
+  become: yes
+
+- name: Update keepalived configuration
+  template:
+    src: keepalived.conf.j2
+    dest: /etc/keepalived/keepalived.conf
+  notify: reload keepalived
+  become: yes 
+
+- name: Enable keepalived
+  service: 
+    name: keepalived
+    state: started
+    enabled: yes
+  become: yes
+
+- name: Limit SSH to only ansible_host
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?ListenAddress '
+    line: "ListenAddress {{ ansible_host }}"
+  notify:
+    - Restart SSH
+  become: yes
+
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: Set haproxy_connect_any flag and keep it persistent across reboots
+  seboolean:
+    name: haproxy_connect_any
+    state: yes
+    persistent: yes
+  become: yes
+
+- name: Update HAProxy configuration
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    mode: 0644
+    validate: haproxy -f %s -c -q
+  notify: reload haproxy
+  become: yes 
+
+- name: Ensure HAProxy is started and enabled on boot.
+  service: 
+    name: haproxy 
+    state: started
+    enabled: yes
+  become: yes
+
+- name: Enable firewall ports for haproxy
+  firewalld:
+    rich_rule: 'rule family=ipv4 destination address={{ haproxy_shared_ip }}{{ haproxy_shared_ip_subnet }} port port={{ item.port }} protocol={{ item.protocol }} accept'
+    permanent: yes
+    immediate: yes
+    state: enabled
+  with_items:
+    - {port: "22", protocol: "tcp"}
+    - {port: "80", protocol: "tcp"}
+    - {port: "443", protocol: "tcp"}
+  notify: reload firewalld
+  become: yes
+
+- name: Enable firewall ports for haproxy stats
+  firewalld:
+    port: "9999/tcp"
+    permanent: yes
+    immediate: yes
+    state: enabled
+  notify: reload firewalld
+  become: yes
+
+- name: Enable firewalld
+  service: 
+    name: firewalld
+    state: started
+    enabled: yes
+  become: yes