veza/ansible/roles/haproxy/tasks/main.yml

---
# file: roles/haproxy/tasks/main.yml

- name: "display haproxy_version (verbosity 1 or more)"
  debug:
    var: haproxy_version
    verbosity: 1
  tags: haproxy

- name: "secrets.yml"
  include_tasks: secrets.yml
  loop: "{{ haproxy_userlist | dict2items | map(attribute='value') | flatten }}"
  loop_control:
    loop_var: user
  when: haproxy_userlist is defined
  tags: haproxy

- name: "debian install haproxy"
  import_tasks: install_debian.yml
  when: ansible_distribution == "Debian"
  tags:
    - haproxy
    - apt_sources_list

- name: "ubuntu install haproxy"
  import_tasks: install_ubuntu.yml
  when: ansible_distribution == "Ubuntu"
  tags: haproxy

- name: "folder /etc/systemd/system/haproxy.service.d"
  file:
    path: "/etc/systemd/system/haproxy.service.d"
    state: directory
  tags: haproxy

- name: "handle /etc/systemd/system/haproxy.service.d/override.conf to prevent double logging"
  copy:
    src: "override.conf"
    dest: "/etc/systemd/system/haproxy.service.d/override.conf"
  notify:
    - systemctl daemon_reload
    - restart haproxy
  tags: haproxy

- name: "manage /etc/haproxy/errors/404.http and /etc/haproxy/errors/200.http"
  copy:
    src: "{{ item }}.http"
    dest: "/etc/haproxy/errors/{{ item }}.http"
  loop:
    - 404
    - 200
  tags: haproxy

- name: "folder /usr/local/etc/tls/haproxy"
  file:
    path: /usr/local/etc/tls/haproxy
    state: directory
    mode: 0755
  tags: haproxy

- name: "we need at least one certificate for haproxy to start: /usr/local/etc/tls/haproxy/selfsigned.pem"
  copy:
    src: selfsigned.pem
    dest: /usr/local/etc/tls/haproxy/selfsigned.pem
  tags: haproxy

- block:
    - name: "folder /etc/haproxy/static"
      file:
        path: /etc/haproxy/static
        state: directory
        mode: 0755
    - name: "manage /etc/haproxy/static/robots.txt"
      copy:
        src: "robots.txt"
        dest: "/etc/haproxy/static/robots.txt"
  tags: haproxy

- name: "undefined TLS security profile: set it to 'intermediate'"
  set_fact:
    haproxy_tls_profile: "intermediate"
  when: haproxy_tls_profile is undefined
  tags: haproxy

- name: "invalid TLS security profile"
  fail:
    msg: 'invalid haproxy_tls_profile "{{ haproxy_tls_profile }}", possible values are "modern" or "intermediate"'
  when:
    - haproxy_tls_profile != "modern"
    - haproxy_tls_profile != "intermediate"
    - haproxy_tls_profile != "old"
  tags: haproxy

- name: "generate dhparams file (when the TLS profile is not modern)"
  command: "openssl dhparam -out /usr/local/etc/tls/dh2048.pem 2048"
  args:
    creates: /usr/local/etc/tls/dh2048.pem
  when: haproxy_tls_profile != "modern"
  tags: haproxy

- name: "Modern TLS configuration"
  set_fact:
    tls_ciphersuites: "{{ haproxy_tls_modern['ciphersuites'] }}"
    tls_options: "{{ haproxy_tls_modern['options'] }}"
  when: haproxy_tls_profile == "modern"
  tags: haproxy

- name: "Intermediate TLS configuration"
  set_fact:
    tls_ciphers: "{{ haproxy_tls_intermediate['ciphers'] }}"
    tls_ciphersuites: "{{ haproxy_tls_intermediate['ciphersuites'] }}"
    tls_options: "{{ haproxy_tls_intermediate['options'] }}"
  when: haproxy_tls_profile == "intermediate"
  tags: haproxy

- name: "Old TLS configuration"
  set_fact:
    tls_ciphers: "{{ haproxy_tls_old['ciphers'] }}"
    tls_ciphersuites: "{{ haproxy_tls_old['ciphersuites'] }}"
    tls_options: "{{ haproxy_tls_old['options'] }}"
  when: haproxy_tls_profile == "old"
  tags: haproxy

- name: "coraza spoa configuration"
  ansible.builtin.copy:
    src: coraza.cfg
    dest: /etc/haproxy/coraza.cfg
  when:
    - haproxy_coraza is defined
    - haproxy_coraza
  tags:
    - haproxy
    - coraza

- name: "/etc/haproxy/haproxy.cfg"
  template:
    src: "haproxy.cfg"
    dest: "/etc/haproxy/haproxy.cfg"
    backup: yes
    validate: "haproxy -c -f %s"
  notify: reload haproxy
  register: haproxy_config
  tags: haproxy

- name: "lets encrypt"
  import_tasks: letsencrypt.yml
  when: haproxy_letsencrypt
  tags:
    - haproxy
    - letsencrypt

- name: "check if the folder /etc/zabbix/zabbix_agentd.conf.d exists"
  stat:
    path: "/etc/zabbix/zabbix_agentd.conf.d"
  register: zabbix_folder
  tags:
    - haproxy
    - zabbix

- name: "import_tasks: zabbix.yml"
  import_tasks: zabbix.yml
  when: zabbix_folder.stat.exists
  tags:
    - haproxy
    - zabbix
BASE: completing the initial repo state 2025-12-03 21:56:50 +00:00			`---`
			`# file: roles/haproxy/tasks/main.yml`

			`- name: "display haproxy_version (verbosity 1 or more)"`
			`debug:`
			`var: haproxy_version`
			`verbosity: 1`
			`tags: haproxy`

			`- name: "secrets.yml"`
			`include_tasks: secrets.yml`
			`loop: "{{ haproxy_userlist \| dict2items \| map(attribute='value') \| flatten }}"`
			`loop_control:`
			`loop_var: user`
			`when: haproxy_userlist is defined`
			`tags: haproxy`

			`- name: "debian install haproxy"`
			`import_tasks: install_debian.yml`
			`when: ansible_distribution == "Debian"`
			`tags:`
			`- haproxy`
			`- apt_sources_list`

			`- name: "ubuntu install haproxy"`
			`import_tasks: install_ubuntu.yml`
			`when: ansible_distribution == "Ubuntu"`
			`tags: haproxy`

			`- name: "folder /etc/systemd/system/haproxy.service.d"`
			`file:`
			`path: "/etc/systemd/system/haproxy.service.d"`
			`state: directory`
			`tags: haproxy`

			`- name: "handle /etc/systemd/system/haproxy.service.d/override.conf to prevent double logging"`
			`copy:`
			`src: "override.conf"`
			`dest: "/etc/systemd/system/haproxy.service.d/override.conf"`
			`notify:`
			`- systemctl daemon_reload`
			`- restart haproxy`
			`tags: haproxy`

			`- name: "manage /etc/haproxy/errors/404.http and /etc/haproxy/errors/200.http"`
			`copy:`
			`src: "{{ item }}.http"`
			`dest: "/etc/haproxy/errors/{{ item }}.http"`
			`loop:`
			`- 404`
			`- 200`
			`tags: haproxy`

			`- name: "folder /usr/local/etc/tls/haproxy"`
			`file:`
			`path: /usr/local/etc/tls/haproxy`
			`state: directory`
			`mode: 0755`
			`tags: haproxy`

			`- name: "we need at least one certificate for haproxy to start: /usr/local/etc/tls/haproxy/selfsigned.pem"`
			`copy:`
			`src: selfsigned.pem`
			`dest: /usr/local/etc/tls/haproxy/selfsigned.pem`
			`tags: haproxy`

			`- block:`
			`- name: "folder /etc/haproxy/static"`
			`file:`
			`path: /etc/haproxy/static`
			`state: directory`
			`mode: 0755`
			`- name: "manage /etc/haproxy/static/robots.txt"`
			`copy:`
			`src: "robots.txt"`
			`dest: "/etc/haproxy/static/robots.txt"`
			`tags: haproxy`

			`- name: "undefined TLS security profile: set it to 'intermediate'"`
			`set_fact:`
			`haproxy_tls_profile: "intermediate"`
			`when: haproxy_tls_profile is undefined`
			`tags: haproxy`

			`- name: "invalid TLS security profile"`
			`fail:`
			`msg: 'invalid haproxy_tls_profile "{{ haproxy_tls_profile }}", possible values are "modern" or "intermediate"'`
			`when:`
			`- haproxy_tls_profile != "modern"`
			`- haproxy_tls_profile != "intermediate"`
			`- haproxy_tls_profile != "old"`
			`tags: haproxy`

			`- name: "generate dhparams file (when the TLS profile is not modern)"`
			`command: "openssl dhparam -out /usr/local/etc/tls/dh2048.pem 2048"`
			`args:`
			`creates: /usr/local/etc/tls/dh2048.pem`
			`when: haproxy_tls_profile != "modern"`
			`tags: haproxy`

			`- name: "Modern TLS configuration"`
			`set_fact:`
			`tls_ciphersuites: "{{ haproxy_tls_modern['ciphersuites'] }}"`
			`tls_options: "{{ haproxy_tls_modern['options'] }}"`
			`when: haproxy_tls_profile == "modern"`
			`tags: haproxy`

			`- name: "Intermediate TLS configuration"`
			`set_fact:`
			`tls_ciphers: "{{ haproxy_tls_intermediate['ciphers'] }}"`
			`tls_ciphersuites: "{{ haproxy_tls_intermediate['ciphersuites'] }}"`
			`tls_options: "{{ haproxy_tls_intermediate['options'] }}"`
			`when: haproxy_tls_profile == "intermediate"`
			`tags: haproxy`

			`- name: "Old TLS configuration"`
			`set_fact:`
			`tls_ciphers: "{{ haproxy_tls_old['ciphers'] }}"`
			`tls_ciphersuites: "{{ haproxy_tls_old['ciphersuites'] }}"`
			`tls_options: "{{ haproxy_tls_old['options'] }}"`
			`when: haproxy_tls_profile == "old"`
			`tags: haproxy`

			`- name: "coraza spoa configuration"`
			`ansible.builtin.copy:`
			`src: coraza.cfg`
			`dest: /etc/haproxy/coraza.cfg`
			`when:`
			`- haproxy_coraza is defined`
			`- haproxy_coraza`
			`tags:`
			`- haproxy`
			`- coraza`

			`- name: "/etc/haproxy/haproxy.cfg"`
			`template:`
			`src: "haproxy.cfg"`
			`dest: "/etc/haproxy/haproxy.cfg"`
			`backup: yes`
			`validate: "haproxy -c -f %s"`
			`notify: reload haproxy`
			`register: haproxy_config`
			`tags: haproxy`

			`- name: "lets encrypt"`
			`import_tasks: letsencrypt.yml`
			`when: haproxy_letsencrypt`
			`tags:`
			`- haproxy`
			`- letsencrypt`

			`- name: "check if the folder /etc/zabbix/zabbix_agentd.conf.d exists"`
			`stat:`
			`path: "/etc/zabbix/zabbix_agentd.conf.d"`
			`register: zabbix_folder`
			`tags:`
			`- haproxy`
			`- zabbix`

			`- name: "import_tasks: zabbix.yml"`
			`import_tasks: zabbix.yml`
			`when: zabbix_folder.stat.exists`
			`tags:`
			`- haproxy`
			`- zabbix`