From 58a368335525ee6f6d32cd5c0eaa8c27050b3324 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 8 Dec 2019 16:47:28 +0000 Subject: [PATCH] Define haproxy config --- .gitignore | 1 + ansible/main.yml | 1 + ansible/roles/gateway/files/haproxy.cfg | 62 +++++++++++++++++++++++++ ansible/roles/gateway/tasks/main.yml | 29 ++++++++++++ ansible/roles/gateway/vars/vault.yml | 11 +++++ ansible/vars.yml | 2 - scripts/ansible.sh | 2 +- 7 files changed, 105 insertions(+), 3 deletions(-) create mode 100644 ansible/roles/gateway/files/haproxy.cfg create mode 100644 ansible/roles/gateway/tasks/main.yml create mode 100644 ansible/roles/gateway/vars/vault.yml delete mode 100644 ansible/vars.yml diff --git a/.gitignore b/.gitignore index 17d7028..a1eb6b8 100644 --- a/.gitignore +++ b/.gitignore @@ -112,3 +112,4 @@ dmypy.json # End of https://www.gitignore.io/api/python,ansible env/ +ansible/.vault_pass diff --git a/ansible/main.yml b/ansible/main.yml index 7a34eb0..5822893 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -6,3 +6,4 @@ - hosts: casey roles: - ssh-bastion + - gateway diff --git a/ansible/roles/gateway/files/haproxy.cfg b/ansible/roles/gateway/files/haproxy.cfg new file mode 100644 index 0000000..d224be5 --- /dev/null +++ b/ansible/roles/gateway/files/haproxy.cfg 
@@ -0,0 +1,62 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+ maxconn 10000
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 10000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+listen https
+ bind *:443
+ mode tcp
+ server default {{ upstream }}:443 check send-proxy
+
+listen http
+ bind *:80
+ stats enable
+ stats show-node
+ stats uri /haproxy
+ stats auth stats:{{ haproxy_stats_pass }}
+ server default {{ upstream }}:80 check
+
+
+listen matrix
+ bind *:8448
+ mode tcp
+ server default {{ upstream }}:8448 check
+
+listen gitea
+ bind *:3022
+ mode tcp
+ server default {{ upstream }}:3022 check
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
new file mode 100644
index 0000000..846a024
--- /dev/null
+++ b/ansible/roles/gateway/tasks/main.yml
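Review bot: The stats page in `listen http` is served on the public plaintext `bind *:80`, so the basic-auth credential from `stats auth stats:{{ haproxy_stats_pass }}` crosses the wire in cleartext, `/haproxy` is reachable from any source address, and `stats show-node` additionally reveals the node name and backend addresses to whoever finds it. Because port 443 is `mode tcp` passthrough (TLS is terminated upstream), the stats page cannot simply move behind TLS on this host; the usual fix is a separate `listen stats` bound to loopback or the internal interface and reached through the ssh-bastion that main.yml already places on the same host, as sketched below. In the same hunk, `listen http` forwards in `mode http` without `option forwardfor`, so the upstream only ever sees the gateway's address as the client in its logs and any per-IP limits. The `ssl-default-bind-ciphers` / `ssl-default-bind-options no-sslv3` lines are inert as written since no `bind` in this file carries `ssl`; if TLS is ever terminated here, `no-sslv3` alone still permits TLS 1.0/1.1, so `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` (or `ssl-min-ver TLSv1.2` on haproxy 1.8+) would be the stronger default. Finally, only the 443 server carries `send-proxy`, so the upstream must accept the PROXY protocol on that port (presumably it does) or the TLS handshake fails on the first bytes, while the 8448 and 3022 passthroughs will report the gateway's IP as the client.
```haproxy
# … unchanged: global, defaults, listen https …

listen http
    bind *:80
    option forwardfor
    server default {{ upstream }}:80 check

# Stats kept off the public port-80 listener; reach it through the bastion
# (e.g. ssh -L 8404:127.0.0.1:8404) instead of sending basic-auth over plain HTTP.
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats show-node
    stats uri /haproxy
    stats auth stats:{{ haproxy_stats_pass }}

# … unchanged: listen matrix, listen gitea …
```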
@@ -0,0 +1,29 @@ +- name: Install Haproxy + apt: + name: haproxy + become: true + become_user: root + +- name: Import vault + include_vars: + file: vault.yml + +- name: Define context + set_fact: + upstream: 10.23.0.2 + +- name: Haproxy config + template: + src: files/haproxy.cfg + dest: /etc/haproxy/haproxy.cfg + validate: /usr/sbin/haproxy -c -- %s + backup: yes + become: true + become_user: root + register: haproxy_config + +- name: Restart Haproxy + service: + name: haproxy + state: reloaded + when: haproxy_config.changed diff --git a/ansible/roles/gateway/vars/vault.yml b/ansible/roles/gateway/vars/vault.yml new file mode 100644 index 0000000..701b541 --- /dev/null +++ b/ansible/roles/gateway/vars/vault.yml @@ -0,0 +1,11 @@ +$ANSIBLE_VAULT;1.1;AES256 +33643130633631366239623166623161626335633438656130386638333764363531313238306339 +6438323233313136633065623933613463613065336639330a373365366566303164303232386362 +36333333396163343135383336653261343464323638373836623530323031353035653431363736 +6162333162653938640a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diff --git a/ansible/vars.yml b/ansible/vars.yml deleted file mode 100644 index 1d4d15d..0000000 --- a/ansible/vars.yml +++ /dev/null @@ -1,2 +0,0 @@ -user: jake -enable_root: false diff --git a/scripts/ansible.sh b/scripts/ansible.sh index fbaa86f..74e068a 100755 --- a/scripts/ansible.sh +++ b/scripts/ansible.sh @@ -4,4 +4,4 @@ set -e PATH=env/bin:${PATH} -ansible-playbook -i ansible/hosts ansible/main.yml -k -K +ansible-playbook -i ansible/hosts ansible/main.yml -k -K --vault-password-file ansible/.vault_pass
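Review bot: The `Haproxy config` template task sets no `mode` or `owner`, so the rendered `/etc/haproxy/haproxy.cfg`, which embeds the stats password from `haproxy_stats_pass`, is created with the default umask (typically a world-readable 0644), and `backup: yes` leaves equally readable `haproxy.cfg.<timestamp>~` copies holding every previous password. Add `owner: root`, `group: haproxy` and `mode: "0640"` to the task; since the config's own `user haproxy` directive implies the daemon starts as root and drops privileges afterwards, the tighter mode should not break startup, though existing backup copies will still need cleaning up by hand. As style points, a Jinja-rendered file conventionally lives under `templates/` rather than `files/`, `become_user: root` is the default and can be dropped, and the hard-coded `upstream: 10.23.0.2` in `set_fact` would be easier to override if it lived in `defaults/main.yml` or the inventory.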
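Review bot: `--vault-password-file ansible/.vault_pass` reads the vault secret from a plaintext file in the working tree; the .gitignore entry this commit adds keeps it out of the repository, but nothing here constrains its permissions, so a guard before the playbook run would catch a loose file, e.g. on GNU systems `[ "$(stat -c %a ansible/.vault_pass)" = "600" ] || { echo "ansible/.vault_pass must be mode 600" >&2; exit 1; }`. Ansible also treats an executable at that path as a password script and uses its stdout, which would let the secret come from a password manager or agent instead of sitting on disk.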