Actually version the ingress haproxy config

2021-06-12 17:04:21 +01:00 · 2021-06-12 17:04:21 +01:00 · 3485f8e1f0
commit 3485f8e1f0
parent 33fcf1a9e5
5 changed files with 72 additions and 1 deletions
--- a/ansible/roles/gateway/files/haproxy.cfg
+++ b/ansible/roles/gateway/files/haproxy.cfg
@ -33,7 +33,7 @@ listen http
  timeout connect 10m
  timeout client  10m
  timeout server  10m
-  server default {{ wireguard.clients.ingress.ip }}:880 check
+  server default {{ wireguard.clients.ingress.ip }}:880 send-proxy

 listen matrix
  bind *:8448
--- a/ansible/roles/ingress/files/haproxy.cfg
+++ b/ansible/roles/ingress/files/haproxy.cfg
@ -0,0 +1,42 @@
+global
+  log /dev/log	local0
+  log /dev/log	local1 notice
+  pidfile /run/haproxy.pid
+  stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
+  maxconn 10000
+
+defaults
+  log global
+  mode	http
+  option httplog
+  option dontlognull
+
+# Internal LAN routes
+listen http_internal
+    bind *:80
+    mode http
+    server default {{ pve_hosts.pve_docker.ip }}:80 send-proxy
+
+listen https_internal
+    bind *:443
+    mode tcp
+    server default {{ pve_hosts.pve_docker.ip }}:443 send-proxy
+
+listen matrix_internal
+    bind *:8448
+    mode tcp
+    server default {{ pve_hosts.pve_docker.ip }}:443 send-proxy
+
+# External routes
+listen http_external
+    bind *:880 accept-proxy
+    mode http
+    server default {{ pve_hosts.pve_docker.ip }}:80 send-proxy
+
+listen https_external
+    bind *:8443 accept-proxy
+    mode tcp
+    server default {{ pve_hosts.pve_docker.ip }}:443 send-proxy
--- a/ansible/roles/ingress/handlers/main.yml
+++ b/ansible/roles/ingress/handlers/main.yml
@ -3,3 +3,9 @@
    name: wg-quick.wg0
    state: restarted
  become: true
+
+- name: restart haproxy
+  service:
+    name: haproxy
+    state: restarted
+  become: true
--- a/ansible/roles/ingress/tasks/haproxy.yml
+++ b/ansible/roles/ingress/tasks/haproxy.yml
@ -0,0 +1,20 @@
+- name: Install Haproxy
+  package:
+    name: haproxy
+  become: true
+
+- name: Haproxy config
+  template:
+    src: files/haproxy.cfg
+    dest: /etc/haproxy/haproxy.cfg
+    validate: /usr/sbin/haproxy -c -- %s
+    mode: "0644"
+    backup: yes
+  become: true
+  notify: restart haproxy
+
+- name: Enable Haproxy
+  service:
+    name: haproxy
+    enabled: true
+  become: true
--- a/ansible/roles/ingress/tasks/main.yml
+++ b/ansible/roles/ingress/tasks/main.yml
@ -1,2 +1,5 @@
 - name: Configure wireguard
  include: wireguard.yml
+
+- name: Configure haproxy
+  include: haproxy.yml