Define haproxy config

.gitignore

@@ -112,3 +112,4 @@ dmypy.json
 
 # End of https://www.gitignore.io/api/python,ansible
 env/
+ansible/.vault_pass

ansible/main.yml

@@ -6,3 +6,4 @@
 - hosts: casey
   roles:
     - ssh-bastion
+    - gateway

ansible/roles/gateway/files/haproxy.cfg

@@ -0,0 +1,62 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+	maxconn 10000
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	# An alternative list with additional directives can be obtained from
+	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+
+defaults
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+        timeout connect 10000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+listen https
+	bind *:443
+	mode tcp
+	server default {{ upstream }}:443 check send-proxy
+
+listen http
+	bind *:80
+	stats enable
+	stats show-node
+	stats uri /haproxy
+	stats auth stats:{{ haproxy_stats_pass }}
+	server default {{ upstream }}:80 check
+
+
+listen matrix
+	bind *:8448
+	mode tcp
+	server default {{ upstream }}:8448 check
+
+listen gitea
+	bind *:3022
+	mode tcp
+	server default {{ upstream }}:3022 check

ansible/roles/gateway/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Install Haproxy
+  apt:
+    name: haproxy
+  become: true
+  become_user: root
+
+- name: Import vault
+  include_vars:
+    file: vault.yml
+
+- name: Define context
+  set_fact:
+    upstream: 10.23.0.2
+
+- name: Haproxy config
+  template:
+    src: files/haproxy.cfg
+    dest: /etc/haproxy/haproxy.cfg
+    validate: /usr/sbin/haproxy -c -- %s
+    backup: yes
+  become: true
+  become_user: root
+  register: haproxy_config
+
+- name: Restart Haproxy
+  service:
+    name: haproxy
+    state: reloaded
+  when: haproxy_config.changed

ansible/roles/gateway/vars/vault.yml

@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+33643130633631366239623166623161626335633438656130386638333764363531313238306339
+6438323233313136633065623933613463613065336639330a373365366566303164303232386362
+36333333396163343135383336653261343464323638373836623530323031353035653431363736
+6162333162653938640a363337356361643833383264323731343862366330333839653330663831
+63646638316165326430356661346539376365383231323233613533613866666533613635646339
+32346661333631383466363437653537373631393030316632363136613965343966313339613634
+37353138363538343934616539363366356466393663636161333739376137306364356261353130
+38643432303135333861623261626231373137303261313061386363313361313764316265343636
+30653234636333373464613864633065373633343132633435343664313861363032343133373534
+3363386232616333626635643462356362643363666133303463

ansible/vars.yml

@@ -1,2 +0,0 @@
-user: jake
-enable_root: false

scripts/ansible.sh

@@ -4,4 +4,4 @@ set -e
 
 PATH=env/bin:${PATH}
 
-ansible-playbook -i ansible/hosts ansible/main.yml -k -K
+ansible-playbook -i ansible/hosts ansible/main.yml -k -K --vault-password-file ansible/.vault_pass