- Move all roles from playbooks/roles/ to roles/ - Update roles_path in ansible.cfg - Add cast user to common role - Create standalone podman role - Add semaphore role with Podman + Quadlet support
148 lines
4.3 KiB
YAML
148 lines
4.3 KiB
YAML
---
|
|
# ansible/roles/haproxy/defaults/main.yml
|
|
|
|
# HAProxy version and installation
|
|
haproxy_version: "3.2"
|
|
haproxy_install_method: "package" # package or source
|
|
|
|
# System configuration
|
|
haproxy_user: haproxy
|
|
haproxy_group: haproxy
|
|
haproxy_chroot_dir: /var/lib/haproxy
|
|
haproxy_config_dir: /etc/haproxy
|
|
haproxy_log_dir: /var/log/haproxy
|
|
|
|
# Global settings
|
|
haproxy_global_maxconn: 4096
|
|
haproxy_global_log_facility: local0
|
|
haproxy_global_log_level: info
|
|
haproxy_global_nbthread: "{{ ansible_processor_vcpus }}"
|
|
|
|
# Default timeouts (milliseconds)
|
|
haproxy_timeout_connect: 5000
|
|
haproxy_timeout_client: 50000
|
|
haproxy_timeout_server: 50000
|
|
|
|
# Stats interface
|
|
haproxy_stats_enable: true
|
|
haproxy_stats_port: 8404
|
|
haproxy_stats_uri: /stats
|
|
haproxy_stats_refresh: 30s
|
|
haproxy_stats_username: admin
|
|
haproxy_stats_password: "{{ vault_haproxy_stats_password | default('changeme') }}"
|
|
|
|
# SSL/TLS configuration
|
|
haproxy_ssl_cert_dir: "{{ haproxy_config_dir }}/certs"
|
|
haproxy_ssl_default_crt: "{{ haproxy_ssl_cert_dir }}/default.pem"
|
|
haproxy_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
|
|
haproxy_ssl_options: "ssl-min-ver TLSv1.2 no-tls-tickets"
|
|
|
|
# Health check defaults
|
|
haproxy_health_check_interval: 2000
|
|
haproxy_health_check_timeout: 1000
|
|
haproxy_health_check_rise: 2
|
|
haproxy_health_check_fall: 3
|
|
|
|
# Service discovery integration
|
|
haproxy_netbox_integration: false # true
|
|
haproxy_netbox_url: "http://fire-station.local.mk-labs.cloud:8000"
|
|
haproxy_netbox_token: "{{ vault_netbox_token | default('') }}"
|
|
|
|
# Frontends configuration
|
|
haproxy_frontends: []
|
|
# - name: http_front
|
|
# bind: "*:80"
|
|
# mode: http
|
|
# redirect: "scheme https code 301"
|
|
#
|
|
# - name: https_front
|
|
# bind: "*:443 ssl crt {{ haproxy_ssl_cert_dir }}"
|
|
# mode: http
|
|
# options:
|
|
# - "http-server-close"
|
|
# - "forwardfor"
|
|
# acls:
|
|
# - "netbox hdr(host) -i fire-station.local.mk-labs.cloud"
|
|
# - "wordpress hdr(host) -i be-our-guest.local.mk-labs.cloud"
|
|
# use_backends:
|
|
# - "netbox_back if netbox"
|
|
# - "wordpress_back if wordpress"
|
|
|
|
# Backends configuration
|
|
haproxy_backends: []
|
|
# - name: netbox_back
|
|
# mode: http
|
|
# balance: roundrobin
|
|
# options:
|
|
# - "httpchk GET /"
|
|
# servers:
|
|
# - name: fire-station
|
|
# address: 10.1.71.102:8000
|
|
# check: true
|
|
|
|
# TCP services configuration
|
|
haproxy_tcp_services: []
|
|
# - name: postgres
|
|
# frontend_port: 5432
|
|
# backend_port: 5432
|
|
# balance: leastconn
|
|
# servers:
|
|
# - name: netbox-db
|
|
# address: 10.1.71.102
|
|
|
|
# Firewall configuration
|
|
haproxy_configure_firewall: true
|
|
haproxy_firewall_allowed_ports:
|
|
- 80/tcp
|
|
- 443/tcp
|
|
- 8404/tcp
|
|
|
|
# Monitoring and observability
|
|
haproxy_prometheus_exporter: false
|
|
haproxy_prometheus_port: 9101
|
|
|
|
# Logging
|
|
haproxy_rsyslog_config: true
|
|
haproxy_log_rotation: true
|
|
|
|
# Certificate management - Certbot with Cloudflare DNS
|
|
haproxy_certbot_enable: true
|
|
haproxy_certbot_challenge_method: "dns-cloudflare" # or "webroot" for HTTP-01
|
|
haproxy_certbot_email: "ryan.blundon@protonmail.com"
|
|
haproxy_certbot_staging: false # Set to true for testing with Let's Encrypt staging
|
|
|
|
# Cloudflare DNS configuration
|
|
haproxy_certbot_cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
|
|
haproxy_certbot_cloudflare_credentials_file: "/etc/letsencrypt/cloudflare.ini"
|
|
|
|
# Certificate domains - DNS-01 supports wildcards
|
|
haproxy_certbot_domains:
|
|
- domain: "*.mk-labs.cloud"
|
|
include_base: true
|
|
- domain: "*.local.mk-labs.cloud"
|
|
include_base: true # Also include local.mk-labs.cloud
|
|
- domain: "lightning-lane.local.mk-labs.cloud"
|
|
include_base: false
|
|
|
|
# Alternative: specific domains without wildcard
|
|
# haproxy_certbot_domains:
|
|
# - domain: "lightning-lane.local.mk-labs.cloud"
|
|
# - domain: "fire-station.local.mk-labs.cloud"
|
|
# - domain: "be-our-guest.local.mk-labs.cloud"
|
|
|
|
# Certbot renewal settings
|
|
haproxy_certbot_renewal_cron_minute: "0"
|
|
haproxy_certbot_renewal_cron_hour: "3" # 3 AM daily
|
|
haproxy_certbot_renewal_cron_day: "*"
|
|
haproxy_certbot_post_hook: "{{ haproxy_config_dir }}/certbot-post-hook.sh"
|
|
|
|
# Certificate storage
|
|
haproxy_certbot_cert_dir: "/etc/letsencrypt/live"
|
|
haproxy_certbot_archive_dir: "/etc/letsencrypt/archive"
|
|
|
|
# DNS propagation wait time (seconds)
|
|
haproxy_certbot_dns_propagation_seconds: 60
|
|
|
|
# Fallback to self-signed if Certbot fails
|
|
haproxy_certbot_fallback_selfsigned: true
|