systems/infrastructure
1
Fork 0
Code Issues1 Pull requests20 Activity Actions

Define haproxy config

Browse source
This commit is contained in:
Jake Howard 2019-12-08 16:47:28 +00:00 committed by Jake Howard
parent f8ecd8bf78
commit 58a3683355
7 changed files with 105 additions and 3 deletions

1
.gitignore vendored
View file

@ -112,3 +112,4 @@ dmypy.json
# End of https://www.gitignore.io/api/python,ansible # End of https://www.gitignore.io/api/python,ansible
env/ env/
ansible/.vault_pass

1
ansible/main.yml
View file

@ -6,3 +6,4 @@
- hosts: casey - hosts: casey
roles: roles:
- ssh-bastion - ssh-bastion
- gateway

62
ansible/roles/gateway/files/haproxy.cfg Normal file
View file

@ -0,0 +1,62 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10000
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 10000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen https
bind *:443
mode tcp
server default {{ upstream }}:443 check send-proxy
listen http
bind *:80
stats enable
stats show-node
stats uri /haproxy
stats auth stats:{{ haproxy_stats_pass }}
server default {{ upstream }}:80 check
listen matrix
bind *:8448
mode tcp
server default {{ upstream }}:8448 check
listen gitea
bind *:3022
mode tcp
server default {{ upstream }}:3022 check

29
ansible/roles/gateway/tasks/main.yml Normal file
View file

@ -0,0 +1,29 @@
- name: Install Haproxy
apt:
name: haproxy
become: true
become_user: root
- name: Import vault
include_vars:
file: vault.yml
- name: Define context
set_fact:
upstream: 10.23.0.2
- name: Haproxy config
template:
src: files/haproxy.cfg
dest: /etc/haproxy/haproxy.cfg
validate: /usr/sbin/haproxy -c -- %s
backup: yes
become: true
become_user: root
register: haproxy_config
- name: Restart Haproxy
service:
name: haproxy
state: reloaded
when: haproxy_config.changed

11
ansible/roles/gateway/vars/vault.yml Normal file
View file

@ -0,0 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256
33643130633631366239623166623161626335633438656130386638333764363531313238306339
6438323233313136633065623933613463613065336639330a373365366566303164303232386362
36333333396163343135383336653261343464323638373836623530323031353035653431363736
6162333162653938640a363337356361643833383264323731343862366330333839653330663831
63646638316165326430356661346539376365383231323233613533613866666533613635646339
32346661333631383466363437653537373631393030316632363136613965343966313339613634
37353138363538343934616539363366356466393663636161333739376137306364356261353130
38643432303135333861623261626231373137303261313061386363313361313764316265343636
30653234636333373464613864633065373633343132633435343664313861363032343133373534
3363386232616333626635643462356362643363666133303463

2
ansible/vars.yml
View file

@ -1,2 +0,0 @@
user: jake
enable_root: false

2
scripts/ansible.sh
View file

@ -4,4 +4,4 @@ set -e
PATH=env/bin:${PATH} PATH=env/bin:${PATH}
ansible-playbook -i ansible/hosts ansible/main.yml -k -K ansible-playbook -i ansible/hosts ansible/main.yml -k -K --vault-password-file ansible/.vault_pass