Sync before Archive
This commit is contained in:
147
ansible/playbooks/roles/haproxy/defaults/main.yml
Normal file
147
ansible/playbooks/roles/haproxy/defaults/main.yml
Normal file
@@ -0,0 +1,147 @@
|
||||
---
|
||||
# ansible/roles/haproxy/defaults/main.yml
|
||||
|
||||
# HAProxy version and installation
|
||||
haproxy_version: "3.2"
|
||||
haproxy_install_method: "package" # package or source
|
||||
|
||||
# System configuration
|
||||
haproxy_user: haproxy
|
||||
haproxy_group: haproxy
|
||||
haproxy_chroot_dir: /var/lib/haproxy
|
||||
haproxy_config_dir: /etc/haproxy
|
||||
haproxy_log_dir: /var/log/haproxy
|
||||
|
||||
# Global settings
|
||||
haproxy_global_maxconn: 4096
|
||||
haproxy_global_log_facility: local0
|
||||
haproxy_global_log_level: info
|
||||
haproxy_global_nbthread: "{{ ansible_processor_vcpus }}"
|
||||
|
||||
# Default timeouts (milliseconds)
|
||||
haproxy_timeout_connect: 5000
|
||||
haproxy_timeout_client: 50000
|
||||
haproxy_timeout_server: 50000
|
||||
|
||||
# Stats interface
|
||||
haproxy_stats_enable: true
|
||||
haproxy_stats_port: 8404
|
||||
haproxy_stats_uri: /stats
|
||||
haproxy_stats_refresh: 30s
|
||||
haproxy_stats_username: admin
|
||||
haproxy_stats_password: "{{ vault_haproxy_stats_password | default('changeme') }}"
|
||||
|
||||
# SSL/TLS configuration
|
||||
haproxy_ssl_cert_dir: "{{ haproxy_config_dir }}/certs"
|
||||
haproxy_ssl_default_crt: "{{ haproxy_ssl_cert_dir }}/default.pem"
|
||||
haproxy_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
|
||||
haproxy_ssl_options: "ssl-min-ver TLSv1.2 no-tls-tickets"
|
||||
|
||||
# Health check defaults
|
||||
haproxy_health_check_interval: 2000
|
||||
haproxy_health_check_timeout: 1000
|
||||
haproxy_health_check_rise: 2
|
||||
haproxy_health_check_fall: 3
|
||||
|
||||
# Service discovery integration
|
||||
haproxy_netbox_integration: false # true
|
||||
haproxy_netbox_url: "http://fire-station.local.mk-labs.cloud:8000"
|
||||
haproxy_netbox_token: "{{ vault_netbox_token | default('') }}"
|
||||
|
||||
# Frontends configuration
|
||||
haproxy_frontends: []
|
||||
# - name: http_front
|
||||
# bind: "*:80"
|
||||
# mode: http
|
||||
# redirect: "scheme https code 301"
|
||||
#
|
||||
# - name: https_front
|
||||
# bind: "*:443 ssl crt {{ haproxy_ssl_cert_dir }}"
|
||||
# mode: http
|
||||
# options:
|
||||
# - "http-server-close"
|
||||
# - "forwardfor"
|
||||
# acls:
|
||||
# - "netbox hdr(host) -i fire-station.local.mk-labs.cloud"
|
||||
# - "wordpress hdr(host) -i be-our-guest.local.mk-labs.cloud"
|
||||
# use_backends:
|
||||
# - "netbox_back if netbox"
|
||||
# - "wordpress_back if wordpress"
|
||||
|
||||
# Backends configuration
|
||||
haproxy_backends: []
|
||||
# - name: netbox_back
|
||||
# mode: http
|
||||
# balance: roundrobin
|
||||
# options:
|
||||
# - "httpchk GET /"
|
||||
# servers:
|
||||
# - name: fire-station
|
||||
# address: 10.1.71.102:8000
|
||||
# check: true
|
||||
|
||||
# TCP services configuration
|
||||
haproxy_tcp_services: []
|
||||
# - name: postgres
|
||||
# frontend_port: 5432
|
||||
# backend_port: 5432
|
||||
# balance: leastconn
|
||||
# servers:
|
||||
# - name: netbox-db
|
||||
# address: 10.1.71.102
|
||||
|
||||
# Firewall configuration
|
||||
haproxy_configure_firewall: true
|
||||
haproxy_firewall_allowed_ports:
|
||||
- 80/tcp
|
||||
- 443/tcp
|
||||
- 8404/tcp
|
||||
|
||||
# Monitoring and observability
|
||||
haproxy_prometheus_exporter: false
|
||||
haproxy_prometheus_port: 9101
|
||||
|
||||
# Logging
|
||||
haproxy_rsyslog_config: true
|
||||
haproxy_log_rotation: true
|
||||
|
||||
# Certificate management - Certbot with Cloudflare DNS
|
||||
haproxy_certbot_enable: true
|
||||
haproxy_certbot_challenge_method: "dns-cloudflare" # or "webroot" for HTTP-01
|
||||
haproxy_certbot_email: "ryan.blundon@protonmail.com"
|
||||
haproxy_certbot_staging: false # Set to true for testing with Let's Encrypt staging
|
||||
|
||||
# Cloudflare DNS configuration
|
||||
haproxy_certbot_cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
|
||||
haproxy_certbot_cloudflare_credentials_file: "/etc/letsencrypt/cloudflare.ini"
|
||||
|
||||
# Certificate domains - DNS-01 supports wildcards
|
||||
haproxy_certbot_domains:
|
||||
- domain: "*.mk-labs.cloud"
|
||||
include_base: true
|
||||
- domain: "*.local.mk-labs.cloud"
|
||||
include_base: true # Also include local.mk-labs.cloud
|
||||
- domain: "lightning-lane.local.mk-labs.cloud"
|
||||
include_base: false
|
||||
|
||||
# Alternative: specific domains without wildcard
|
||||
# haproxy_certbot_domains:
|
||||
# - domain: "lightning-lane.local.mk-labs.cloud"
|
||||
# - domain: "fire-station.local.mk-labs.cloud"
|
||||
# - domain: "be-our-guest.local.mk-labs.cloud"
|
||||
|
||||
# Certbot renewal settings
|
||||
haproxy_certbot_renewal_cron_minute: "0"
|
||||
haproxy_certbot_renewal_cron_hour: "3" # 3 AM daily
|
||||
haproxy_certbot_renewal_cron_day: "*"
|
||||
haproxy_certbot_post_hook: "{{ haproxy_config_dir }}/certbot-post-hook.sh"
|
||||
|
||||
# Certificate storage
|
||||
haproxy_certbot_cert_dir: "/etc/letsencrypt/live"
|
||||
haproxy_certbot_archive_dir: "/etc/letsencrypt/archive"
|
||||
|
||||
# DNS propagation wait time (seconds)
|
||||
haproxy_certbot_dns_propagation_seconds: 60
|
||||
|
||||
# Fallback to self-signed if Certbot fails
|
||||
haproxy_certbot_fallback_selfsigned: true
|
||||
Reference in New Issue
Block a user