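---
# file: roles/haproxy/tasks/main.yml
#
# Builds one node of a keepalived/HAProxy pair: packages, optional certbot
# tasks, VRRP networking, sysctls, keepalived and haproxy configuration,
# SELinux boolean, and firewalld rules scoped to the shared IP.
# Handlers notified here (reload firewalld, reload keepalived, Restart SSH,
# reload haproxy) are expected to live in the role's handlers/.

- name: Install Ansible prereq packages
  package:
    name:
      - policycoreutils-python-utils
      - NetworkManager
    # `latest` upgrades on every run; `present` (or a pinned version) gives
    # reproducible hosts — kept as-is to preserve the role's behaviour.
    state: latest
  tags: packages

- name: Install haproxy cluster packages
  package:
    name:
      - keepalived
      - haproxy
      - firewalld
    state: latest
  tags: packages

- name: "### Certbot configuration ###"
  include_tasks:
    file: certbot.yml
  when: haproxy_certbot_enable == true

# The two nmcli tasks are mutually exclusive on haproxy_keepalived_adapter_vlan:
# a tagged VLAN sub-interface when a VLAN id is given, else the plain adapter.
- name: Add VLAN
  nmcli:
    conn_name: "{{ haproxy_keepalived_adapter }}.{{ haproxy_keepalived_adapter_vlan }}"
    vlanid: "{{ haproxy_keepalived_adapter_vlan }}"
    ip4: "{{ haproxy_keepalived_ip }}"
    vlandev: "{{ haproxy_keepalived_adapter }}"
    autoconnect: true
    type: vlan
    state: present
  when: (haproxy_keepalived_adapter_vlan != "") and (haproxy_keepalived_ip != "")

- name: Add IP
  nmcli:
    conn_name: "{{ haproxy_keepalived_adapter }}"
    ip4: "{{ haproxy_keepalived_ip }}"
    autoconnect: true
    type: ethernet
    state: present
  when: (haproxy_keepalived_adapter_vlan == "") and (haproxy_keepalived_ip != "")

# Started before any rule task: the rule tasks below use `immediate: true`,
# which needs a running firewalld (previously this task ran last).
- name: Enable firewalld
  service:
    name: firewalld
    state: started
    enabled: true

- name: Enable firewall rule for vrrp
  firewalld:
    # Accepts VRRP from any source. This role has no peer-address variable,
    # so narrowing the rule to the keepalived peer would need a new var.
    rich_rule: 'rule protocol value="vrrp" accept'
    permanent: true
    state: enabled
    immediate: true
  notify: reload firewalld

# Lets haproxy bind the shared IP while this node is VRRP BACKUP
# (the address is not yet configured locally).
- name: Allow binding non-local IP
  sysctl:
    name: net.ipv4.ip_nonlocal_bind
    value: "1"
    reload: true
    state: present

# NOTE(review): ip_forward turns the host into a router; haproxy proxies at
# L4/L7 and does not need it — confirm a consumer (e.g. a keepalived
# virtual_server setup) actually requires this before keeping it.
- name: Allow binding ip forward
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    reload: true
    state: present

- name: Update keepalived configuration
  template:
    src: keepalived.conf.j2
    dest: /etc/keepalived/keepalived.conf
    # keepalived runs as root; the config commonly carries the VRRP
    # auth_pass, so keep it unreadable to other users.
    mode: "0600"
  notify: reload keepalived

- name: Enable keepalived
  service:
    name: keepalived
    state: started
    enabled: true

# lineinfile rewrites only the first `ListenAddress` match (commented or not);
# any further ListenAddress lines already in sshd_config stay in effect.
# The handler is flushed right after so the daemon is rebound before the
# rest of the role runs.
- name: Limit SSH to only ansible_host
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?ListenAddress '
    line: "ListenAddress {{ ansible_host }}"
  notify:
    - Restart SSH

- name: Flush handlers
  meta: flush_handlers

- name: Set haproxy_connect_any flag and keep it persistent across reboots
  seboolean:
    name: haproxy_connect_any
    state: true
    persistent: true

- name: Ensure maps directory exists
  file:
    path: "/etc/haproxy/maps"
    state: directory

- name: Deploy map files
  copy:
    src: "{{ item }}"
    dest: /etc/haproxy/maps
    mode: "0644"
    backup: true
  with_fileglob:
    - "maps/*"
  notify: reload haproxy

- name: Ensure ssl directory exists
  file:
    path: "/etc/haproxy/ssl"
    state: directory

# Symlinks the host's merged cert into the haproxy ssl dir; with state: link
# the task fails if the source file is missing, which is the desired check.
- name: Deploy host cert for haproxy use
  file:
    src: "/etc/ssl/{{ ansible_hostname }}/live/merged.pem"
    dest: "/etc/haproxy/ssl/{{ ansible_hostname }}.pem"
    state: link
  when: haproxy_local_cert == true

- name: Update HAProxy configuration
  template:
    src: "{{ haproxy_config_file }}"
    dest: /etc/haproxy/haproxy.cfg
    mode: "0644"
    # The rendered file is syntax-checked before it replaces the live config.
    validate: haproxy -f %s -c -q
    backup: true
  notify: reload haproxy

- name: Ensure HAProxy is started and enabled on boot.
  service:
    name: haproxy
    state: started
    enabled: true

# One rich rule per entry of haproxy_listen_ports (expects .port and
# .protocol), scoped to the shared IP/subnet rather than the whole host.
- name: Enable firewall ports for haproxy
  firewalld:
    rich_rule: 'rule family=ipv4 destination address={{ haproxy_shared_ip }}{{ haproxy_shared_ip_subnet }} port port={{ item.port }} protocol={{ item.protocol }} accept'
    permanent: true
    immediate: true
    state: enabled
  loop: "{{ haproxy_listen_ports }}"
  notify: reload firewalld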