From 3485f8e1f0f79e5944bb40b3386c32b6adfb67ea Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sat, 12 Jun 2021 17:04:21 +0100
Subject: [PATCH] Actually version the ingress haproxy config
---
 ansible/roles/gateway/files/haproxy.cfg | 2 +-
 ansible/roles/ingress/files/haproxy.cfg | 42 +++++++++++++++++++++++++
 ansible/roles/ingress/handlers/main.yml | 6 ++++
 ansible/roles/ingress/tasks/haproxy.yml | 20 ++++++++++++
 ansible/roles/ingress/tasks/main.yml | 3 ++
 5 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/ingress/files/haproxy.cfg
 create mode 100644 ansible/roles/ingress/tasks/haproxy.yml
diff --git a/ansible/roles/gateway/files/haproxy.cfg b/ansible/roles/gateway/files/haproxy.cfg
index 3daae8f..23289f0 100644
--- a/ansible/roles/gateway/files/haproxy.cfg
+++ b/ansible/roles/gateway/files/haproxy.cfg
@@ -33,7 +33,7 @@ listen http
 timeout connect 10m
 timeout client 10m
 timeout server 10m
- server default {{ wireguard.clients.ingress.ip }}:880 check
+ server default {{ wireguard.clients.ingress.ip }}:880 send-proxy
 listen matrix
 bind *:8448
diff --git a/ansible/roles/ingress/files/haproxy.cfg b/ansible/roles/ingress/files/haproxy.cfg
new file mode 100644
index 0000000..6abaee4
--- /dev/null
+++ b/ansible/roles/ingress/files/haproxy.cfg
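Review bot: In `ansible/roles/gateway/files/haproxy.cfg`, the new `server default` line in `listen http` drops `check` when it adds `send-proxy`, so the gateway no longer health-checks the ingress backend and will keep attempting connections to it when it is down instead of failing fast. The two options combine: `server default {{ wireguard.clients.ingress.ip }}:880 check send-proxy` keeps the check, and HAProxy sends the PROXY header on health checks by default when `send-proxy` is set and no `port`/`addr` override is present, so the `accept-proxy` listener on the other side will still parse them. If removing the check was deliberate, a one-line comment above the server line saying why would save the next reader the question. The `listen http` block starts above this hunk, so its mode and other options are not visible here.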
@@ -0,0 +1,42 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ pidfile /run/haproxy.pid
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ maxconn 10000
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+
+# Internal LAN routes
+listen http_internal
+ bind *:80
+ mode http
+ server default {{ pve_hosts.pve_docker.ip }}:80 send-proxy
+
+listen https_internal
+ bind *:443
+ mode tcp
+ server default {{ pve_hosts.pve_docker.ip }}:443 send-proxy
+
+listen matrix_internal
+ bind *:8448
+ mode tcp
+ server default {{ pve_hosts.pve_docker.ip }}:443 send-proxy
+
+# External routes
+listen http_external
+ bind *:880 accept-proxy
+ mode http
+ server default {{ pve_hosts.pve_docker.ip }}:80 send-proxy
+
+listen https_external
+ bind *:8443 accept-proxy
+ mode tcp
+ server default {{ pve_hosts.pve_docker.ip }}:443 send-proxy
diff --git a/ansible/roles/ingress/handlers/main.yml b/ansible/roles/ingress/handlers/main.yml
index 01093e5..2161dab 100644
--- a/ansible/roles/ingress/handlers/main.yml
+++ b/ansible/roles/ingress/handlers/main.yml
@@ -3,3 +3,9 @@
 name: wg-quick.wg0
 state: restarted
 become: true
+
+- name: restart haproxy
+ service:
+ name: haproxy
+ state: restarted
+ become: true
diff --git a/ansible/roles/ingress/tasks/haproxy.yml b/ansible/roles/ingress/tasks/haproxy.yml
new file mode 100644
index 0000000..7e93026
--- /dev/null
+++ b/ansible/roles/ingress/tasks/haproxy.yml
@@ -0,0 +1,20 @@
+- name: Install Haproxy
+ package:
+ name: haproxy
+ become: true
+
+- name: Haproxy config
+ template:
+ src: files/haproxy.cfg
+ dest: /etc/haproxy/haproxy.cfg
+ validate: /usr/sbin/haproxy -c -- %s
+ mode: "0644"
+ backup: yes
+ become: true
+ notify: restart haproxy
+
+- name: Enable Haproxy
+ service:
+ name: haproxy
+ enabled: true
+ become: true
diff --git a/ansible/roles/ingress/tasks/main.yml b/ansible/roles/ingress/tasks/main.yml
index 72607dd..4f39c79 100644
--- a/ansible/roles/ingress/tasks/main.yml
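Review bot: In `ansible/roles/ingress/files/haproxy.cfg`, `bind *:880 accept-proxy` and `bind *:8443 accept-proxy` listen on every interface, so any host that can reach those ports can supply its own PROXY header and the backend will log and apply whatever client address that header claims. Only the gateway is expected to connect here, so these two listeners should be bound to the tunnel address, e.g. `bind {{ wireguard.clients.ingress.ip }}:880 accept-proxy` (assuming that variable is available to this role), or guarded with `tcp-request connection reject unless { src <gateway tunnel IP> }`, which is evaluated against the real peer address rather than the one in the header. Separately, `defaults` sets no `timeout connect`, `timeout client` or `timeout server`, which HAProxy warns about at load and which lets idle connections hold slots up to `maxconn 10000` indefinitely.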
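Review bot: In `ansible/roles/ingress/handlers/main.yml`, the new `restart haproxy` handler uses `state: restarted`, which drops every established connection through the `mode tcp` listeners each time the config template changes. HAProxy's service supports a reload that starts new workers on the already validated config while old connections drain, so `state: reloaded` is the gentler default here; a full restart can stay available as a separate handler for changes that need one. The wireguard handler above it begins outside this hunk.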
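Review bot: In `ansible/roles/ingress/tasks/haproxy.yml`, the `Haproxy config` task writes `backup: yes` while the `Enable Haproxy` task in the same file writes `enabled: true`; use `backup: true` so booleans are spelled one way and do not rely on YAML 1.1 truthy parsing. The `template` source is `files/haproxy.cfg`, so a Jinja template lives in the role's `files/` directory; moving it to `templates/haproxy.cfg` with `src: haproxy.cfg` would match the module's lookup convention and make it obvious the file is rendered, not copied. Each changed run with `backup` enabled also leaves a timestamped copy beside `/etc/haproxy/haproxy.cfg`, and nothing visible in this role prunes them.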
+++ b/ansible/roles/ingress/tasks/main.yml
@@ -1,2 +1,5 @@
 - name: Configure wireguard
 include: wireguard.yml
+
+- name: Configure haproxy
+ include: haproxy.yml