--- # ansible/roles/haproxy/defaults/main.yml # HAProxy version and installation haproxy_version: "3.2" haproxy_install_method: "package" # package or source # System configuration haproxy_user: haproxy haproxy_group: haproxy haproxy_chroot_dir: /var/lib/haproxy haproxy_config_dir: /etc/haproxy haproxy_log_dir: /var/log/haproxy # Global settings haproxy_global_maxconn: 4096 haproxy_global_log_facility: local0 haproxy_global_log_level: info haproxy_global_nbthread: "{{ ansible_processor_vcpus }}" # Default timeouts (milliseconds) haproxy_timeout_connect: 5000 haproxy_timeout_client: 50000 haproxy_timeout_server: 50000 # Stats interface haproxy_stats_enable: true haproxy_stats_port: 8404 haproxy_stats_uri: /stats haproxy_stats_refresh: 30s haproxy_stats_username: admin haproxy_stats_password: "{{ vault_haproxy_stats_password | default('changeme') }}" # SSL/TLS configuration haproxy_ssl_cert_dir: "{{ haproxy_config_dir }}/certs" haproxy_ssl_default_crt: "{{ haproxy_ssl_cert_dir }}/default.pem" haproxy_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" haproxy_ssl_options: "ssl-min-ver TLSv1.2 no-tls-tickets" # Health check defaults haproxy_health_check_interval: 2000 haproxy_health_check_timeout: 1000 haproxy_health_check_rise: 2 haproxy_health_check_fall: 3 # Service discovery integration haproxy_netbox_integration: false # true haproxy_netbox_url: "http://fire-station.local.mk-labs.cloud:8000" haproxy_netbox_token: "{{ vault_netbox_token | default('') }}" # Frontends configuration haproxy_frontends: [] # - name: http_front # bind: "*:80" # mode: http # redirect: "scheme https code 301" # # - name: https_front # bind: "*:443 ssl crt {{ haproxy_ssl_cert_dir }}" # mode: http # options: # - "http-server-close" # - "forwardfor" # acls: # - "netbox hdr(host) -i fire-station.local.mk-labs.cloud" # - "wordpress hdr(host) -i be-our-guest.local.mk-labs.cloud" # use_backends: # - "netbox_back if netbox" # - "wordpress_back if wordpress" # Backends configuration haproxy_backends: [] # - name: netbox_back # mode: http # balance: roundrobin # options: # - "httpchk GET /" # servers: # - name: fire-station # address: 10.1.71.102:8000 # check: true # TCP services configuration haproxy_tcp_services: [] # - name: postgres # frontend_port: 5432 # backend_port: 5432 # balance: leastconn # servers: # - name: netbox-db # address: 10.1.71.102 # Firewall configuration haproxy_configure_firewall: true haproxy_firewall_allowed_ports: - 80/tcp - 443/tcp - 8404/tcp # Monitoring and observability haproxy_prometheus_exporter: false haproxy_prometheus_port: 9101 # Logging haproxy_rsyslog_config: true haproxy_log_rotation: true # Certificate management - Certbot with Cloudflare DNS haproxy_certbot_enable: true haproxy_certbot_challenge_method: "dns-cloudflare" # or "webroot" for HTTP-01 haproxy_certbot_email: "ryan.blundon@protonmail.com" haproxy_certbot_staging: false # Set to true for testing with Let's Encrypt staging # Cloudflare DNS configuration haproxy_certbot_cloudflare_api_token: "{{ vault_cloudflare_api_token }}" haproxy_certbot_cloudflare_credentials_file: "/etc/letsencrypt/cloudflare.ini" # Certificate domains - DNS-01 supports wildcards haproxy_certbot_domains: - domain: "*.mk-labs.cloud" include_base: true - domain: "*.local.mk-labs.cloud" include_base: true # Also include local.mk-labs.cloud - domain: "lightning-lane.local.mk-labs.cloud" include_base: false # Alternative: specific domains without wildcard # haproxy_certbot_domains: # - domain: "lightning-lane.local.mk-labs.cloud" # - domain: "fire-station.local.mk-labs.cloud" # - domain: "be-our-guest.local.mk-labs.cloud" # Certbot renewal settings haproxy_certbot_renewal_cron_minute: "0" haproxy_certbot_renewal_cron_hour: "3" # 3 AM daily haproxy_certbot_renewal_cron_day: "*" haproxy_certbot_post_hook: "{{ haproxy_config_dir }}/certbot-post-hook.sh" # Certificate storage haproxy_certbot_cert_dir: "/etc/letsencrypt/live" haproxy_certbot_archive_dir: "/etc/letsencrypt/archive" # DNS propagation wait time (seconds) haproxy_certbot_dns_propagation_seconds: 60 # Fallback to self-signed if Certbot fails haproxy_certbot_fallback_selfsigned: true