Refactor HAProxy configuration and certificate management

- Updated HAProxy configuration template to reflect changes for the Taurus Production Environment, including SSL settings and rate limiting for specific endpoints.
- Introduced new playbooks for certificate distribution and validation with OCI Vault, ensuring certificates are correctly managed and renewed.
- Added hooks for uploading renewed certificates to OCI Vault and validating their integrity.
- Enhanced the HAProxy configuration playbook to ensure proper service management and verification of the HAProxy service.
- Updated inventory variables for certificate management and ensured compatibility with the new structure.

ansible/haproxy/deploy.yml

@@ -1,117 +1,83 @@
 ---
-- name: Deploy HAProxy
-  hosts: ubuntu
+# -----------------------------------------------------------------------------
+# HAProxy Deployment Playbook
+# -----------------------------------------------------------------------------
+# Installs HAProxy and creates the directory structure required by downstream
+# playbooks. This playbook must run BEFORE certbot/deploy.yml so that the
+# /etc/haproxy/certs directory exists with the correct haproxy group ownership
+# when certbot writes the combined PEM file.
+#
+# Dependency chain:
+#   haproxy/deploy.yml      ← this playbook (package + dirs)
+#   certbot/deploy.yml      ← writes cert to /etc/haproxy/certs/
+#   haproxy/configure.yml   ← templates haproxy.cfg and starts the service
+#
+# Hosts: horkos (public reverse proxy), bootes (internal HAProxy)
+# -----------------------------------------------------------------------------
+
+- name: Deploy HAProxy (package and directory structure)
+  hosts: all
+  become: true
+  tags: [haproxy, service, deploy]
+
   tasks:
     - name: Check if host has haproxy service
-      set_fact:
-        has_haproxy_service: "{{'haproxy' in services}}"
+      ansible.builtin.set_fact:
+        has_haproxy_service: "{{ 'haproxy' in services | default([]) }}"
 
     - name: Skip hosts without haproxy service
-      meta: end_host
+      ansible.builtin.meta: end_host
       when: not has_haproxy_service
 
-    - name: Create haproxy group
-      become: true
-      ansible.builtin.group:
-        name: "{{haproxy_group}}"
-        gid: "{{haproxy_gid}}"
-        system: true
+    # -------------------------------------------------------------------------
+    # Install HAProxy
+    # -------------------------------------------------------------------------
 
-    - name: Create haproxy user
-      become: true
-      ansible.builtin.user:
-        name: "{{haproxy_user}}"
-        comment: "{{haproxy_user}}"
-        group: "{{haproxy_group}}"
-        uid: "{{haproxy_uid}}"
-        system: true
-
-    - name: Add group haproxy to keeper_user
-      become: true
-      ansible.builtin.user:
-        name: "{{keeper_user}}"
-        groups: "{{haproxy_group}}"
-        append: true
-
-    - name: Create required directories
-      become: true
-      ansible.builtin.file:
-        path: "{{haproxy_directory}}"
-        owner: "{{haproxy_user}}"
-        group: "{{haproxy_group}}"
-        state: directory
-        mode: '750'
-
-    - name: Create /etc/haproxy directory
-      become: true
-      ansible.builtin.file:
-        path: /etc/haproxy
-        owner: root
-        group: root
-        state: directory
-        mode: '755'
-
-    - name: Create certs directory
-      become: true
-      ansible.builtin.file:
-        path: /etc/haproxy/certs
-        owner: "{{haproxy_user}}"
-        group: "{{haproxy_group}}"
-        state: directory
-        mode: '750'
-
-    - name: Check if certificate already exists
-      become: true
-      stat:
-        path: "{{ haproxy_cert_path }}"
-      register: cert_file
-
-    - name: Generate self-signed wildcard certificate
-      become: true
-      command: >
-        openssl req -x509 -nodes -days 365 -newkey rsa:2048
-        -keyout {{ haproxy_cert_path }}
-        -out {{ haproxy_cert_path }}
-        -subj "/C=US/ST=State/L=City/O=Ouranos/CN=*.{{ haproxy_domain }}"
-        -addext "subjectAltName=DNS:*.{{ haproxy_domain }},DNS:{{ haproxy_domain }}"
-      when: not cert_file.stat.exists and 'certbot' not in services
-
-    - name: Set certificate permissions
-      become: true
-      ansible.builtin.file:
-        path: "{{ haproxy_cert_path }}"
-        owner: "{{haproxy_user}}"
-        group: "{{haproxy_group}}"
-        mode: '640'
-
-    - name: Install HAProxy
-      become: true
+    - name: Ensure HAProxy is installed
       ansible.builtin.apt:
         name: haproxy
         state: present
         update_cache: true
 
-    - name: Template HAProxy configuration
-      become: true
-      ansible.builtin.template:
-        src: "haproxy.cfg.j2"
-        dest: /etc/haproxy/haproxy.cfg
-        owner: "{{haproxy_user}}"
-        group: "{{haproxy_group}}"
-        mode: "640"
-        validate: haproxy -c -f %s
-      register: haproxy_config
+    # -------------------------------------------------------------------------
+    # User / Group
+    # HAProxy's apt package creates the haproxy user/group, but we also need
+    # the certbot group to exist so that /etc/haproxy/certs can be group-owned
+    # by haproxy and written by certbot.
+    # -------------------------------------------------------------------------
 
-    - name: Enable and start HAProxy service
-      become: true
-      ansible.builtin.systemd:
-        name: haproxy
-        enabled: true
-        state: started
+    - name: Ensure haproxy group exists
+      ansible.builtin.group:
+        name: "{{ haproxy_group | default('haproxy') }}"
+        system: true
 
-    - name: Reload HAProxy if configuration changed
-      become: true
-      ansible.builtin.systemd:
-        name: haproxy
-        state: reloaded
-      when: haproxy_config.changed
+    - name: Ensure haproxy user exists
+      ansible.builtin.user:
+        name: "{{ haproxy_user | default('haproxy') }}"
+        group: "{{ haproxy_group | default('haproxy') }}"
+        system: true
+        shell: /usr/sbin/nologin
+        home: /nonexistent
+        create_home: false
+
+    # -------------------------------------------------------------------------
+    # Directory Structure
+    # /etc/haproxy/certs must exist with haproxy group ownership before certbot
+    # runs so that the renewal hook can write the combined PEM file there.
+    # -------------------------------------------------------------------------
+
+    - name: Ensure /etc/haproxy directory exists
+      ansible.builtin.file:
+        path: /etc/haproxy
+        owner: root
+        group: "{{ haproxy_group | default('haproxy') }}"
+        state: directory
+        mode: '0755'
+
+    - name: Ensure /etc/haproxy/certs directory exists
+      ansible.builtin.file:
+        path: /etc/haproxy/certs
+        owner: "{{ certbot_user | default('certbot') }}"
+        group: "{{ haproxy_group | default('haproxy') }}"
+        state: directory
+        mode: '0750'