refactor: consolidate all roles into ansible/roles/ and update ansible.cfg
- Move all roles from playbooks/roles/ to roles/ - Update roles_path in ansible.cfg - Add cast user to common role - Create standalone podman role - Add semaphore role with Podman + Quadlet support
This commit is contained in:
188
ansible/roles/haproxy/templates/haproxy.cfg.j2
Normal file
188
ansible/roles/haproxy/templates/haproxy.cfg.j2
Normal file
@@ -0,0 +1,188 @@
|
||||
{# ansible/roles/haproxy/templates/haproxy.cfg.j2 #}
|
||||
#---------------------------------------------------------------------
|
||||
# HAProxy Configuration for {{ inventory_hostname }}
|
||||
# Generated by Ansible - DO NOT EDIT MANUALLY
|
||||
# Magic Kingdom Labs - lightning-lane load balancer
|
||||
#---------------------------------------------------------------------
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# Global settings
|
||||
#---------------------------------------------------------------------
|
||||
global
|
||||
log 127.0.0.1 {{ haproxy_global_log_facility }} {{ haproxy_global_log_level }}
|
||||
chroot {{ haproxy_chroot_dir }}
|
||||
pidfile /var/run/haproxy.pid
|
||||
maxconn {{ haproxy_global_maxconn }}
|
||||
user {{ haproxy_user }}
|
||||
group {{ haproxy_group }}
|
||||
daemon
|
||||
nbthread {{ haproxy_global_nbthread }}
|
||||
|
||||
# Runtime socket for management
|
||||
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
stats timeout 30s
|
||||
|
||||
# SSL/TLS configuration
|
||||
ssl-default-bind-ciphers {{ haproxy_ssl_ciphers }}
|
||||
ssl-default-bind-options {{ haproxy_ssl_options }}
|
||||
ssl-default-server-ciphers {{ haproxy_ssl_ciphers }}
|
||||
ssl-default-server-options {{ haproxy_ssl_options }}
|
||||
|
||||
# Performance tuning
|
||||
tune.ssl.default-dh-param 2048
|
||||
tune.ssl.cachesize 100000
|
||||
tune.ssl.lifetime 600
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# Common defaults
|
||||
#---------------------------------------------------------------------
|
||||
defaults
|
||||
mode http
|
||||
log global
|
||||
option httplog
|
||||
option dontlognull
|
||||
option http-server-close
|
||||
option redispatch
|
||||
retries 3
|
||||
timeout connect {{ haproxy_timeout_connect }}
|
||||
timeout client {{ haproxy_timeout_client }}
|
||||
timeout server {{ haproxy_timeout_server }}
|
||||
timeout http-request 10s
|
||||
timeout http-keep-alive 10s
|
||||
timeout check 10s
|
||||
maxconn 3000
|
||||
|
||||
# Error pages
|
||||
errorfile 400 /etc/haproxy/errors/400.http
|
||||
errorfile 403 /etc/haproxy/errors/403.http
|
||||
errorfile 408 /etc/haproxy/errors/408.http
|
||||
errorfile 500 /etc/haproxy/errors/500.http
|
||||
errorfile 502 /etc/haproxy/errors/502.http
|
||||
errorfile 503 /etc/haproxy/errors/503.http
|
||||
errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# Stats interface
|
||||
#---------------------------------------------------------------------
|
||||
{% if haproxy_stats_enable %}
|
||||
listen stats
|
||||
bind *:{{ haproxy_stats_port }}
|
||||
mode http
|
||||
stats enable
|
||||
stats uri {{ haproxy_stats_uri }}
|
||||
stats refresh {{ haproxy_stats_refresh }}
|
||||
stats realm Magic\ Kingdom\ Labs\ -\ HAProxy\ Statistics
|
||||
stats auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}
|
||||
stats admin if TRUE
|
||||
{% endif %}
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# HTTP Redirect Frontend (HTTP -> HTTPS)
|
||||
#---------------------------------------------------------------------
|
||||
frontend http_front
|
||||
bind *:80
|
||||
mode http
|
||||
|
||||
# Redirect all HTTP traffic to HTTPS
|
||||
redirect scheme https code 301
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# HTTPS Frontend with SNI
|
||||
#---------------------------------------------------------------------
|
||||
frontend https_front
|
||||
bind *:443 ssl crt {{ haproxy_ssl_cert_dir }}/live crt {{ haproxy_ssl_default_crt }} alpn h2,http/1.1
|
||||
mode http
|
||||
|
||||
# Security headers
|
||||
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||
http-response set-header X-Frame-Options "SAMEORIGIN"
|
||||
http-response set-header X-Content-Type-Options "nosniff"
|
||||
http-response set-header X-XSS-Protection "1; mode=block"
|
||||
|
||||
# Logging
|
||||
option httplog
|
||||
option forwardfor
|
||||
|
||||
{% if haproxy_frontends is defined and haproxy_frontends | length > 0 %}
|
||||
{% for frontend in haproxy_frontends %}
|
||||
{% if frontend.acls is defined %}
|
||||
# ACLs for {{ frontend.name }}
|
||||
{% for acl in frontend.acls %}
|
||||
acl {{ acl }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% for frontend in haproxy_frontends %}
|
||||
{% if frontend.use_backends is defined %}
|
||||
# Backend routing for {{ frontend.name }}
|
||||
{% for use_backend in frontend.use_backends %}
|
||||
use_backend {{ use_backend }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Default backend
|
||||
default_backend no_match_back
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# Backends
|
||||
#---------------------------------------------------------------------
|
||||
{% for backend in haproxy_backends %}
|
||||
backend {{ backend.name }}
|
||||
mode {{ backend.mode | default('http') }}
|
||||
balance {{ backend.balance | default('roundrobin') }}
|
||||
{% if backend.options is defined %}
|
||||
{% for option in backend.options %}
|
||||
option {{ option }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if backend.http_check is defined %}
|
||||
option httpchk {{ backend.http_check }}
|
||||
{% endif %}
|
||||
{% if backend.servers is defined %}
|
||||
{% for server in backend.servers %}
|
||||
server {{ server.name }} {{ server.address }}{% if server.check | default(false) %} check{% endif %}{% if server.backup | default(false) %} backup{% endif %}{% if server.weight is defined %} weight {{ server.weight }}{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
# Default backend for unmatched requests
|
||||
backend no_match_back
|
||||
mode http
|
||||
http-request deny deny_status 404
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# TCP Services
|
||||
#---------------------------------------------------------------------
|
||||
{% for tcp_service in haproxy_tcp_services %}
|
||||
# {{ tcp_service.name | upper }} Service (TCP)
|
||||
frontend {{ tcp_service.name }}_front
|
||||
bind *:{{ tcp_service.frontend_port }}
|
||||
mode tcp
|
||||
option tcplog
|
||||
{% if tcp_service.timeout_client is defined %}
|
||||
timeout client {{ tcp_service.timeout_client }}
|
||||
{% endif %}
|
||||
default_backend {{ tcp_service.name }}_back
|
||||
|
||||
backend {{ tcp_service.name }}_back
|
||||
mode tcp
|
||||
balance {{ tcp_service.balance | default('roundrobin') }}
|
||||
{% if tcp_service.timeout_server is defined %}
|
||||
timeout server {{ tcp_service.timeout_server }}
|
||||
{% endif %}
|
||||
{% if tcp_service.timeout_connect is defined %}
|
||||
timeout connect {{ tcp_service.timeout_connect }}
|
||||
{% endif %}
|
||||
{% if tcp_service.servers is defined %}
|
||||
{% for server in tcp_service.servers %}
|
||||
server {{ server.name }} {{ server.address }}:{{ tcp_service.backend_port }}{% if server.check | default(true) %} check{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
Reference in New Issue
Block a user