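---
# file: roles/haproxy/tasks/main.yml
#
# Builds an haproxy + keepalived load-balancer node, in this order:
# packages -> firewalld service -> optional certbot -> VIP interface ->
# VRRP firewall rule / sysctls -> keepalived -> sshd ListenAddress ->
# SELinux boolean -> haproxy maps, cert, config, service -> listen ports.
# Booleans are written as true/false and file modes as quoted strings so
# the YAML parser never re-types them.

- name: Install Ansible prereq packages
  package:
    name:
      - policycoreutils-python-utils
      - NetworkManager
    # latest upgrades on every run (ansible-lint package-latest); switch to
    # present if unplanned upgrades of a live balancer are a concern.
    state: latest

- name: Install haproxy cluster packages
  package:
    name:
      - keepalived
      - haproxy
      - firewalld
    state: latest

# The firewalld tasks below use immediate: true without offline, which needs
# a running firewalld, so the service is started before the first rule task.
- name: Enable firewalld
  service:
    name: firewalld
    state: started
    enabled: true

- name: "### Certbot configuration ###"
  include_tasks:
    file: certbot.yml
  when: haproxy_certbot_enable | bool

- name: Add VLAN
  nmcli:
    conn_name: "{{ haproxy_keepalived_adapter }}.{{ haproxy_keepalived_adapter_vlan }}"
    vlanid: "{{ haproxy_keepalived_adapter_vlan }}"
    ip4: "{{ haproxy_keepalived_ip }}"
    vlandev: "{{ haproxy_keepalived_adapter }}"
    autoconnect: true
    type: vlan
    state: present
  when: (haproxy_keepalived_adapter_vlan != "") and (haproxy_keepalived_ip is defined)

- name: Add IP
  nmcli:
    conn_name: "{{ haproxy_keepalived_adapter }}"
    ip4: "{{ haproxy_keepalived_ip }}"
    autoconnect: true
    type: ethernet
    state: present
  when: (haproxy_keepalived_adapter_vlan == "") and (haproxy_keepalived_ip is defined)

# Lets the keepalived peers exchange VRRP traffic. The rule has no source
# restriction, so it relies on the peers' network being trusted — confirm.
- name: Enable firewall rule for vrrp
  firewalld:
    rich_rule: 'rule protocol value="vrrp" accept'
    permanent: true
    state: enabled
    immediate: true
  notify: reload firewalld

# Needed so haproxy can bind the shared VIP on the node that does not
# currently hold it.
- name: Allow binding non-local IP
  sysctl:
    name: net.ipv4.ip_nonlocal_bind
    value: "1"
    reload: true
    state: present

# NOTE(review): ip_forward turns the node into a router; nothing in this
# file shows why a proxy needs it — confirm it is required, otherwise drop it.
- name: Allow binding ip forward
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    reload: true
    state: present

- name: Update keepalived configuration
  template:
    src: keepalived.conf.j2
    dest: /etc/keepalived/keepalived.conf
    # keepalived runs as root; the config may carry a VRRP auth_pass, so keep
    # it unreadable to other local users.
    mode: "0600"
  notify: reload keepalived

# keepalived is started before haproxy is configured below, so the VIP may
# briefly land on a node whose haproxy is not yet up — presumably acceptable
# on first provisioning; verify against the VRRP check script.
- name: Enable keepalived
  service:
    name: keepalived
    state: started
    enabled: true

# ListenAddress accepts an IP or a hostname. sshd -t checks syntax only, not
# that the address is bindable: if ansible_host is not an address configured
# on this host the restart fails and the node is locked out — confirm the
# inventory value is a local address.
- name: Limit SSH to only ansible_host
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?ListenAddress '
    line: "ListenAddress {{ ansible_host }}"
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart SSH

- name: Flush handlers
  meta: flush_handlers

# NOTE(review): presumably lets haproxy connect to any port; if the backend
# ports are fixed, labelling just those ports is the narrower option.
- name: Set haproxy_connect_any flag and keep it persistent across reboots
  seboolean:
    name: haproxy_connect_any
    state: true
    persistent: true

- name: Ensure maps directory exists
  file:
    path: /etc/haproxy/maps
    state: directory

- name: Deploy map files
  copy:
    src: "{{ item }}"
    dest: /etc/haproxy/maps
    mode: "0644"
  with_fileglob:
    - "maps/*"
  notify: reload haproxy

- name: Ensure ssl directory exists
  file:
    path: /etc/haproxy/ssl
    state: directory

# Only a symlink is created here; merged.pem presumably holds the private
# key as well, and its mode is set wherever it is generated — confirm it is
# not world-readable.
- name: Deploy host cert for haproxy use
  file:
    src: "/etc/ssl/{{ ansible_hostname }}/live/merged.pem"
    dest: "/etc/haproxy/ssl/{{ ansible_hostname }}.pem"
    state: link
  when: haproxy_local_cert | bool

- name: Update HAProxy configuration
  template:
    src: "{{ haproxy_config_file }}"
    dest: /etc/haproxy/haproxy.cfg
    # world-readable; tighten if the template carries stats credentials.
    mode: "0644"
    # rejects a broken config before the reload handler runs
    validate: haproxy -f %s -c -q
  notify: reload haproxy

- name: Ensure HAProxy is started and enabled on boot.
  service:
    name: haproxy
    state: started
    enabled: true

# One accept rule per listen port, limited to the shared VIP/subnet.
- name: Enable firewall ports for haproxy
  firewalld:
    rich_rule: >-
      rule family=ipv4
      destination address={{ haproxy_shared_ip }}{{ haproxy_shared_ip_subnet }}
      port port={{ item.port }} protocol={{ item.protocol }}
      accept
    permanent: true
    immediate: true
    state: enabled
  loop: "{{ haproxy_listen_ports }}"
  notify: reload firewalld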