Files
homelab/ansible/roles/haproxy/defaults/main.yml
Hermes Agent service account 92b2a9d609 refactor: consolidate all roles into ansible/roles/ and update ansible.cfg
- Move all roles from playbooks/roles/ to roles/
- Update roles_path in ansible.cfg
- Add cast user to common role
- Create standalone podman role
- Add semaphore role with Podman + Quadlet support
2026-05-26 22:22:08 -05:00

148 lines
4.3 KiB
YAML

---
# ansible/roles/haproxy/defaults/main.yml
# HAProxy version and installation
haproxy_version: "3.2"
haproxy_install_method: "package" # package or source
# System configuration
haproxy_user: haproxy
haproxy_group: haproxy
haproxy_chroot_dir: /var/lib/haproxy
haproxy_config_dir: /etc/haproxy
haproxy_log_dir: /var/log/haproxy
# Global settings
haproxy_global_maxconn: 4096
haproxy_global_log_facility: local0
haproxy_global_log_level: info
haproxy_global_nbthread: "{{ ansible_processor_vcpus }}"
# Default timeouts (milliseconds)
haproxy_timeout_connect: 5000
haproxy_timeout_client: 50000
haproxy_timeout_server: 50000
# Stats interface
haproxy_stats_enable: true
haproxy_stats_port: 8404
haproxy_stats_uri: /stats
haproxy_stats_refresh: 30s
haproxy_stats_username: admin
haproxy_stats_password: "{{ vault_haproxy_stats_password | default('changeme') }}"
# SSL/TLS configuration
haproxy_ssl_cert_dir: "{{ haproxy_config_dir }}/certs"
haproxy_ssl_default_crt: "{{ haproxy_ssl_cert_dir }}/default.pem"
haproxy_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
haproxy_ssl_options: "ssl-min-ver TLSv1.2 no-tls-tickets"
# Health check defaults
haproxy_health_check_interval: 2000
haproxy_health_check_timeout: 1000
haproxy_health_check_rise: 2
haproxy_health_check_fall: 3
# Service discovery integration
haproxy_netbox_integration: false # true
haproxy_netbox_url: "http://fire-station.local.mk-labs.cloud:8000"
haproxy_netbox_token: "{{ vault_netbox_token | default('') }}"
# Frontends configuration
haproxy_frontends: []
# - name: http_front
# bind: "*:80"
# mode: http
# redirect: "scheme https code 301"
#
# - name: https_front
# bind: "*:443 ssl crt {{ haproxy_ssl_cert_dir }}"
# mode: http
# options:
# - "http-server-close"
# - "forwardfor"
# acls:
# - "netbox hdr(host) -i fire-station.local.mk-labs.cloud"
# - "wordpress hdr(host) -i be-our-guest.local.mk-labs.cloud"
# use_backends:
# - "netbox_back if netbox"
# - "wordpress_back if wordpress"
# Backends configuration
haproxy_backends: []
# - name: netbox_back
# mode: http
# balance: roundrobin
# options:
# - "httpchk GET /"
# servers:
# - name: fire-station
# address: 10.1.71.102:8000
# check: true
# TCP services configuration
haproxy_tcp_services: []
# - name: postgres
# frontend_port: 5432
# backend_port: 5432
# balance: leastconn
# servers:
# - name: netbox-db
# address: 10.1.71.102
# Firewall configuration
haproxy_configure_firewall: true
haproxy_firewall_allowed_ports:
- 80/tcp
- 443/tcp
- 8404/tcp
# Monitoring and observability
haproxy_prometheus_exporter: false
haproxy_prometheus_port: 9101
# Logging
haproxy_rsyslog_config: true
haproxy_log_rotation: true
# Certificate management - Certbot with Cloudflare DNS
haproxy_certbot_enable: true
haproxy_certbot_challenge_method: "dns-cloudflare" # or "webroot" for HTTP-01
haproxy_certbot_email: "ryan.blundon@protonmail.com"
haproxy_certbot_staging: false # Set to true for testing with Let's Encrypt staging
# Cloudflare DNS configuration
haproxy_certbot_cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
haproxy_certbot_cloudflare_credentials_file: "/etc/letsencrypt/cloudflare.ini"
# Certificate domains - DNS-01 supports wildcards
haproxy_certbot_domains:
- domain: "*.mk-labs.cloud"
include_base: true
- domain: "*.local.mk-labs.cloud"
include_base: true # Also include local.mk-labs.cloud
- domain: "lightning-lane.local.mk-labs.cloud"
include_base: false
# Alternative: specific domains without wildcard
# haproxy_certbot_domains:
# - domain: "lightning-lane.local.mk-labs.cloud"
# - domain: "fire-station.local.mk-labs.cloud"
# - domain: "be-our-guest.local.mk-labs.cloud"
# Certbot renewal settings
haproxy_certbot_renewal_cron_minute: "0"
haproxy_certbot_renewal_cron_hour: "3" # 3 AM daily
haproxy_certbot_renewal_cron_day: "*"
haproxy_certbot_post_hook: "{{ haproxy_config_dir }}/certbot-post-hook.sh"
# Certificate storage
haproxy_certbot_cert_dir: "/etc/letsencrypt/live"
haproxy_certbot_archive_dir: "/etc/letsencrypt/archive"
# DNS propagation wait time (seconds)
haproxy_certbot_dns_propagation_seconds: 60
# Fallback to self-signed if Certbot fails
haproxy_certbot_fallback_selfsigned: true