From 58a368335525ee6f6d32cd5c0eaa8c27050b3324 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Sun, 8 Dec 2019 16:47:28 +0000
Subject: [PATCH] Define haproxy config

---
 .gitignore                              |  1 +
 ansible/main.yml                        |  1 +
 ansible/roles/gateway/files/haproxy.cfg | 62 +++++++++++++++++++++++++
 ansible/roles/gateway/tasks/main.yml    | 29 ++++++++++++
 ansible/roles/gateway/vars/vault.yml    | 11 +++++
 ansible/vars.yml                        |  2 -
 scripts/ansible.sh                      |  2 +-
 7 files changed, 105 insertions(+), 3 deletions(-)
 create mode 100644 ansible/roles/gateway/files/haproxy.cfg
 create mode 100644 ansible/roles/gateway/tasks/main.yml
 create mode 100644 ansible/roles/gateway/vars/vault.yml
 delete mode 100644 ansible/vars.yml

diff --git a/.gitignore b/.gitignore
index 17d7028..a1eb6b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,3 +112,4 @@ dmypy.json
 
 # End of https://www.gitignore.io/api/python,ansible
 env/
+ansible/.vault_pass
diff --git a/ansible/main.yml b/ansible/main.yml
index 7a34eb0..5822893 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -6,3 +6,4 @@
 - hosts: casey
   roles:
     - ssh-bastion
+    - gateway
diff --git a/ansible/roles/gateway/files/haproxy.cfg b/ansible/roles/gateway/files/haproxy.cfg
new file mode 100644
index 0000000..d224be5
--- /dev/null
+++ b/ansible/roles/gateway/files/haproxy.cfg
@@ -0,0 +1,62 @@
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+	maxconn 10000
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	# An alternative list with additional directives can be obtained from
+	#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+
+defaults
+	log	global
+	mode	http
+	option	httplog
+	option	dontlognull
+        timeout connect 10000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+
+listen https
+	bind *:443
+	mode tcp
+	server default {{ upstream }}:443 check send-proxy
+
+listen http
+	bind *:80
+	stats enable
+	stats show-node
+	stats uri /haproxy
+	stats auth stats:{{ haproxy_stats_pass }}
+	server default {{ upstream }}:80 check
+
+
+listen matrix
+	bind *:8448
+	mode tcp
+	server default {{ upstream }}:8448 check
+
+listen gitea
+	bind *:3022
+	mode tcp
+	server default {{ upstream }}:3022 check
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
new file mode 100644
index 0000000..846a024
--- /dev/null
+++ b/ansible/roles/gateway/tasks/main.yml
@@ -0,0 +1,29 @@
+- name: Install Haproxy
+  apt:
+    name: haproxy
+  become: true
+  become_user: root
+
+- name: Import vault
+  include_vars:
+    file: vault.yml
+
+- name: Define context
+  set_fact:
+    upstream: 10.23.0.2
+
+- name: Haproxy config
+  template:
+    src: files/haproxy.cfg
+    dest: /etc/haproxy/haproxy.cfg
+    validate: /usr/sbin/haproxy -c -- %s
+    backup: yes
+  become: true
+  become_user: root
+  register: haproxy_config
+
+- name: Restart Haproxy
+  service:
+    name: haproxy
+    state: reloaded
+  when: haproxy_config.changed
diff --git a/ansible/roles/gateway/vars/vault.yml b/ansible/roles/gateway/vars/vault.yml
new file mode 100644
index 0000000..701b541
--- /dev/null
+++ b/ansible/roles/gateway/vars/vault.yml
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+33643130633631366239623166623161626335633438656130386638333764363531313238306339
+6438323233313136633065623933613463613065336639330a373365366566303164303232386362
+36333333396163343135383336653261343464323638373836623530323031353035653431363736
+6162333162653938640a363337356361643833383264323731343862366330333839653330663831
+63646638316165326430356661346539376365383231323233613533613866666533613635646339
+32346661333631383466363437653537373631393030316632363136613965343966313339613634
+37353138363538343934616539363366356466393663636161333739376137306364356261353130
+38643432303135333861623261626231373137303261313061386363313361313764316265343636
+30653234636333373464613864633065373633343132633435343664313861363032343133373534
+3363386232616333626635643462356362643363666133303463
diff --git a/ansible/vars.yml b/ansible/vars.yml
deleted file mode 100644
index 1d4d15d..0000000
--- a/ansible/vars.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-user: jake
-enable_root: false
diff --git a/scripts/ansible.sh b/scripts/ansible.sh
index fbaa86f..74e068a 100755
--- a/scripts/ansible.sh
+++ b/scripts/ansible.sh
@@ -4,4 +4,4 @@ set -e
 
 PATH=env/bin:${PATH}
 
-ansible-playbook -i ansible/hosts ansible/main.yml -k -K
+ansible-playbook -i ansible/hosts ansible/main.yml -k -K --vault-password-file ansible/.vault_pass