84 lines
3.2 KiB
YAML
84 lines
3.2 KiB
YAML
---
|
|
# -----------------------------------------------------------------------------
|
|
# HAProxy Deployment Playbook
|
|
# -----------------------------------------------------------------------------
|
|
# Installs HAProxy and creates the directory structure required by downstream
|
|
# playbooks. This playbook must run BEFORE certbot/deploy.yml so that the
|
|
# /etc/haproxy/certs directory exists with the correct haproxy group ownership
|
|
# when certbot writes the combined PEM file.
|
|
#
|
|
# Dependency chain:
|
|
# haproxy/deploy.yml ← this playbook (package + dirs)
|
|
# certbot/deploy.yml ← writes cert to /etc/haproxy/certs/
|
|
# haproxy/configure.yml ← templates haproxy.cfg and starts the service
|
|
#
|
|
# Hosts: horkos (public reverse proxy), bootes (internal HAProxy)
|
|
# -----------------------------------------------------------------------------
|
|
|
|
- name: Deploy HAProxy (package and directory structure)
|
|
hosts: all
|
|
become: true
|
|
tags: [haproxy, service, deploy]
|
|
|
|
tasks:
|
|
- name: Check if host has haproxy service
|
|
ansible.builtin.set_fact:
|
|
has_haproxy_service: "{{ 'haproxy' in services | default([]) }}"
|
|
|
|
- name: Skip hosts without haproxy service
|
|
ansible.builtin.meta: end_host
|
|
when: not has_haproxy_service
|
|
|
|
# -------------------------------------------------------------------------
|
|
# Install HAProxy
|
|
# -------------------------------------------------------------------------
|
|
|
|
- name: Ensure HAProxy is installed
|
|
ansible.builtin.apt:
|
|
name: haproxy
|
|
state: present
|
|
update_cache: true
|
|
|
|
# -------------------------------------------------------------------------
|
|
# User / Group
|
|
# HAProxy's apt package creates the haproxy user/group, but we also need
|
|
# the certbot group to exist so that /etc/haproxy/certs can be group-owned
|
|
# by haproxy and written by certbot.
|
|
# -------------------------------------------------------------------------
|
|
|
|
- name: Ensure haproxy group exists
|
|
ansible.builtin.group:
|
|
name: "{{ haproxy_group | default('haproxy') }}"
|
|
system: true
|
|
|
|
- name: Ensure haproxy user exists
|
|
ansible.builtin.user:
|
|
name: "{{ haproxy_user | default('haproxy') }}"
|
|
group: "{{ haproxy_group | default('haproxy') }}"
|
|
system: true
|
|
shell: /usr/sbin/nologin
|
|
home: /nonexistent
|
|
create_home: false
|
|
|
|
# -------------------------------------------------------------------------
|
|
# Directory Structure
|
|
# /etc/haproxy/certs must exist with haproxy group ownership before certbot
|
|
# runs so that the renewal hook can write the combined PEM file there.
|
|
# -------------------------------------------------------------------------
|
|
|
|
- name: Ensure /etc/haproxy directory exists
|
|
ansible.builtin.file:
|
|
path: /etc/haproxy
|
|
owner: root
|
|
group: "{{ haproxy_group | default('haproxy') }}"
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: Ensure /etc/haproxy/certs directory exists
|
|
ansible.builtin.file:
|
|
path: /etc/haproxy/certs
|
|
owner: "{{ haproxy_user | default('haproxy') }}"
|
|
group: "{{ haproxy_group | default('haproxy') }}"
|
|
state: directory
|
|
mode: '0750'
|