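---
# file: roles/haproxy/tasks/main.yml
#
# Installs and configures HAProxy in this order: userlist secrets,
# package install (Debian / Ubuntu), systemd drop-in, custom error
# pages, TLS material (self-signed bootstrap cert, DH params), TLS
# profile selection (modern / intermediate / old), optional Coraza
# SPOA config, haproxy.cfg (validated before install), optional
# Let's Encrypt and Zabbix integration.

- name: "display haproxy_version (verbosity 1 or more)"
  ansible.builtin.debug:
    var: haproxy_version
    verbosity: 1
  tags: haproxy

# One include per userlist entry. The loop var "user" presumably carries
# credentials (the included file is secrets.yml), so keep the items out
# of the play output: without no_log Ansible prints every item on the
# "included: ... for host => (item=...)" line. no_log here only masks
# the loop item; the tasks inside secrets.yml need their own no_log.
- name: "secrets.yml"
  ansible.builtin.include_tasks: secrets.yml
  loop: "{{ haproxy_userlist | dict2items | map(attribute='value') | flatten }}"
  loop_control:
    loop_var: user
  no_log: true
  when: haproxy_userlist is defined
  tags: haproxy

- name: "debian install haproxy"
  ansible.builtin.import_tasks: install_debian.yml
  when: ansible_distribution == "Debian"
  tags:
    - haproxy
    - apt_sources_list

- name: "ubuntu install haproxy"
  ansible.builtin.import_tasks: install_ubuntu.yml
  when: ansible_distribution == "Ubuntu"
  tags: haproxy

# File modes are given explicitly (as quoted strings, so YAML does not
# reinterpret the octal literal) instead of relying on the umask of the
# controller/remote session.
- name: "folder /etc/systemd/system/haproxy.service.d"
  ansible.builtin.file:
    path: "/etc/systemd/system/haproxy.service.d"
    state: directory
    mode: "0755"
  tags: haproxy

- name: "handle /etc/systemd/system/haproxy.service.d/override.conf to prevent double logging"
  ansible.builtin.copy:
    src: "override.conf"
    dest: "/etc/systemd/system/haproxy.service.d/override.conf"
    mode: "0644"
  notify:
    - systemctl daemon_reload
    - restart haproxy
  tags: haproxy

- name: "manage /etc/haproxy/errors/404.http and /etc/haproxy/errors/200.http"
  ansible.builtin.copy:
    src: "{{ item }}.http"
    dest: "/etc/haproxy/errors/{{ item }}.http"
    mode: "0644"
  loop:
    - 404
    - 200
  tags: haproxy

- name: "folder /usr/local/etc/tls/haproxy"
  ansible.builtin.file:
    path: /usr/local/etc/tls/haproxy
    state: directory
    mode: "0755"
  tags: haproxy

# HAProxy needs at least one certificate to start. A "crt" PEM bundle
# holds the private key together with the certificate, so it must not
# be world-readable. HAProxy reads certificates at startup/reload before
# dropping privileges, so root-only access is sufficient.
- name: "we need at least one certificate for haproxy to start: /usr/local/etc/tls/haproxy/selfsigned.pem"
  ansible.builtin.copy:
    src: selfsigned.pem
    dest: /usr/local/etc/tls/haproxy/selfsigned.pem
    owner: root
    group: root
    mode: "0600"
  tags: haproxy

- block:
    - name: "folder /etc/haproxy/static"
      ansible.builtin.file:
        path: /etc/haproxy/static
        state: directory
        mode: "0755"

    - name: "manage /etc/haproxy/static/robots.txt"
      ansible.builtin.copy:
        src: "robots.txt"
        dest: "/etc/haproxy/static/robots.txt"
        mode: "0644"
  tags: haproxy

# TLS profile selection. Default is "intermediate"; "old" is accepted on
# purpose (legacy-client support) but must be an explicit choice.
- name: "undefined TLS security profile: set it to 'intermediate'"
  ansible.builtin.set_fact:
    haproxy_tls_profile: "intermediate"
  when: haproxy_tls_profile is undefined
  tags: haproxy

# Fail fast on a typo instead of rendering a haproxy.cfg with no cipher
# settings. The message lists every accepted value (the old message
# omitted "old" although the condition accepted it).
- name: "invalid TLS security profile"
  ansible.builtin.fail:
    msg: 'invalid haproxy_tls_profile "{{ haproxy_tls_profile }}", possible values are "modern", "intermediate" or "old"'
  when: haproxy_tls_profile not in ["modern", "intermediate", "old"]
  tags: haproxy

# DH parameters are only needed for the DHE cipher suites of the
# intermediate/old profiles. The DH group is public data, so no special
# mode is required. Generation can take minutes on slow hosts; "creates"
# keeps the task idempotent.
- name: "generate dhparams file (when the TLS profile is not modern)"
  ansible.builtin.command: "openssl dhparam -out /usr/local/etc/tls/dh2048.pem 2048"
  args:
    creates: /usr/local/etc/tls/dh2048.pem
  when: haproxy_tls_profile != "modern"
  tags: haproxy

# The modern profile defines no 'ciphers' key (TLS 1.2 cipher list), only
# 'ciphersuites' (TLS 1.3), so tls_ciphers stays unset here; the template
# is expected to cope with that.
- name: "Modern TLS configuration"
  ansible.builtin.set_fact:
    tls_ciphersuites: "{{ haproxy_tls_modern['ciphersuites'] }}"
    tls_options: "{{ haproxy_tls_modern['options'] }}"
  when: haproxy_tls_profile == "modern"
  tags: haproxy

- name: "Intermediate TLS configuration"
  ansible.builtin.set_fact:
    tls_ciphers: "{{ haproxy_tls_intermediate['ciphers'] }}"
    tls_ciphersuites: "{{ haproxy_tls_intermediate['ciphersuites'] }}"
    tls_options: "{{ haproxy_tls_intermediate['options'] }}"
  when: haproxy_tls_profile == "intermediate"
  tags: haproxy

- name: "Old TLS configuration"
  ansible.builtin.set_fact:
    tls_ciphers: "{{ haproxy_tls_old['ciphers'] }}"
    tls_ciphersuites: "{{ haproxy_tls_old['ciphersuites'] }}"
    tls_options: "{{ haproxy_tls_old['options'] }}"
  when: haproxy_tls_profile == "old"
  tags: haproxy

- name: "coraza spoa configuration"
  ansible.builtin.copy:
    src: coraza.cfg
    dest: /etc/haproxy/coraza.cfg
    mode: "0644"
  when:
    - haproxy_coraza is defined
    - haproxy_coraza
  tags:
    - haproxy
    - coraza

# The rendered config is syntax-checked ("haproxy -c") in a temp file
# before it replaces the live one, so a broken template never reaches
# the reload handler. "backup" leaves timestamped copies next to the
# file; if the userlist uses insecure-password (plaintext), those copies
# retain the credentials and 0644 should be tightened accordingly.
- name: "/etc/haproxy/haproxy.cfg"
  ansible.builtin.template:
    src: "haproxy.cfg"
    dest: "/etc/haproxy/haproxy.cfg"
    mode: "0644"
    backup: true
    validate: "haproxy -c -f %s"
  notify: reload haproxy
  register: haproxy_config
  tags: haproxy

# default(false) avoids an "undefined variable" failure when the role is
# used without haproxy_letsencrypt being set anywhere.
- name: "lets encrypt"
  ansible.builtin.import_tasks: letsencrypt.yml
  when: haproxy_letsencrypt | default(false) | bool
  tags:
    - haproxy
    - letsencrypt

- name: "check if the folder /etc/zabbix/zabbix_agentd.conf.d exists"
  ansible.builtin.stat:
    path: "/etc/zabbix/zabbix_agentd.conf.d"
  register: zabbix_folder
  tags:
    - haproxy
    - zabbix

- name: "import_tasks: zabbix.yml"
  ansible.builtin.import_tasks: zabbix.yml
  when: zabbix_folder.stat.exists
  tags:
    - haproxy
    - zabbix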