r/ouranos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
c32c3471e062bace32ffe69d08bc13b5fa48099d
ouranos/ansible/haproxy/configure.yml
Robert Helewka 0a053c1cd6 Refactor HAProxy configuration and certificate management 
- Updated HAProxy configuration template to reflect changes for the Taurus Production Environment, including SSL settings and rate limiting for specific endpoints.
- Introduced new playbooks for certificate distribution and validation with OCI Vault, ensuring certificates are correctly managed and renewed.
- Added hooks for uploading renewed certificates to OCI Vault and validating their integrity.
- Enhanced the HAProxy configuration playbook to ensure proper service management and verification of the HAProxy service.
- Updated inventory variables for certificate management and ensured compatibility with the new structure.
2026-03-17 13:13:38 -04:00

102 lines
3.4 KiB
YAML
Raw Blame History

---
# -----------------------------------------------------------------------------
# HAProxy Configuration Playbook
# -----------------------------------------------------------------------------
# Templates haproxy.cfg and starts the HAProxy service. Must run AFTER both
# haproxy/deploy.yml and certbot/deploy.yml so that:
# - The HAProxy package is installed
# - The real Let's Encrypt certificate exists at haproxy_cert_path
#
# Dependency chain:
# haproxy/deploy.yml ← package + dirs
# certbot/deploy.yml ← writes cert to /etc/haproxy/certs/
# haproxy/configure.yml ← this playbook (config + start)
#
# Hosts: horkos (public reverse proxy), bootes (internal HAProxy)
# -----------------------------------------------------------------------------
- name: Configure and start HAProxy
hosts: all
become: true
tags: [haproxy, service, configure]
handlers:
- name: reload haproxy
ansible.builtin.systemd:
name: haproxy
state: reloaded
- name: restart haproxy
ansible.builtin.systemd:
name: haproxy
state: restarted
tasks:
- name: Check if host has haproxy service
ansible.builtin.set_fact:
has_haproxy_service: "{{ 'haproxy' in services | default([]) }}"
- name: Skip hosts without haproxy service
ansible.builtin.meta: end_host
when: not has_haproxy_service
# -------------------------------------------------------------------------
# Certificate Check
# -------------------------------------------------------------------------
- name: Check if TLS certificate exists
ansible.builtin.stat:
path: "{{ haproxy_cert_path }}"
register: cert_file
- name: Fail if certificate is missing
ansible.builtin.fail:
msg: >
Certificate not found at {{ haproxy_cert_path }}.
Run certbot/deploy.yml before haproxy/configure.yml.
Command: ansible-playbook certbot/deploy.yml
when: not cert_file.stat.exists
# -------------------------------------------------------------------------
# Configuration
# -------------------------------------------------------------------------
- name: Template HAProxy configuration
ansible.builtin.template:
src: haproxy.cfg.j2
dest: /etc/haproxy/haproxy.cfg
owner: root
group: "{{ haproxy_group | default('haproxy') }}"
mode: '0640'
validate: "haproxy -c -f %s"
notify: reload haproxy
# -------------------------------------------------------------------------
# Service Management
# -------------------------------------------------------------------------
- name: Enable and start HAProxy service
ansible.builtin.systemd:
name: haproxy
enabled: true
state: started
daemon_reload: true
# -------------------------------------------------------------------------
# Verification
# -------------------------------------------------------------------------
- name: Wait for HAProxy stats port to be ready
ansible.builtin.uri:
url: "http://localhost:{{ haproxy_stats_port }}/metrics"
method: GET
status_code: 200
register: haproxy_health
retries: 5
delay: 3
until: haproxy_health.status == 200
- name: HAProxy configuration status
ansible.builtin.debug:
msg: "HAProxy is running and serving metrics on port {{ haproxy_stats_port }}"
Reference in New Issue View Git Blame Copy Permalink