commit 3c5c6465d493eaf3d2424f57aa416a291b17b874
parent 7b53a15fe81a782aebc38acbdef53fabe0435295
Author: Dionysis Grigoropoulos <dgrig@erethon.com>
Date: Sun, 29 Apr 2018 00:38:26 +0300
haproxy: Init haproxy role
At the moment this is a bit 'hardcoded' for the services on host spinny
Diffstat:
4 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/ansible/inventory/host_vars/spinny/haproxy.yml b/ansible/inventory/host_vars/spinny/haproxy.yml
@@ -1,3 +1,4 @@
---
-haproxy__grafana_backend_port: 18083
+prosody__public_ip: '163.172.24.171'
+prosody__private_ip: '192.168.122.2'
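Review bot: This host_vars file only defines the two prosody addresses, but the template added in the same commit also renders `{{ plothopes__private_ip }}` and `{{ plothopes__port }}`; if those are not defined in group_vars or role defaults (not visible here), the template task will abort with an undefined-variable error on the first run. Either add them alongside the prosody values, e.g. `plothopes__private_ip: '192.168.122.x'` and `plothopes__port: 8080`, or give them role defaults. The removed `haproxy__grafana_backend_port` is no longer referenced by the new template, so dropping it looks intentional, but it is worth confirming nothing else on spinny still reads it.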
diff --git a/ansible/roles/haproxy/handlers/main.yml b/ansible/roles/haproxy/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Reload haproxy
+ service:
+ name: haproxy
+ state: reloaded
diff --git a/ansible/roles/haproxy/tasks/main.yml b/ansible/roles/haproxy/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+
+- template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/haproxy.cfg
+ notify: Reload haproxy
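Review bot: The template task writes `/etc/haproxy/haproxy.cfg` without validating the rendered result, so a rendering mistake lands on disk before the reload handler discovers it, and the next unrelated restart would then fail to start haproxy at all. Add `validate: 'haproxy -c -f %s'` to the template task so Ansible checks the rendered file before replacing the live config; a `name: Deploy haproxy configuration` line would also make play output readable. Consider `owner: root`, `group: root`, `mode: '0644'` so the file's permissions do not depend on the controller's umask.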
diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@@ -0,0 +1,69 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4
+ ssl-default-bind-options no-sslv3
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ option forwardfor
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend prosody
+ bind {{ prosody__public_ip }}:5222
+ mode tcp
+ default_backend prosody_backend
+
+backend prosody_backend
+ mode tcp
+ server prosody {{ prosody__private_ip }}:5222
+
+frontend prosody_muc
+ bind {{ prosody__public_ip }}:5269
+ mode tcp
+ default_backend prosody_muc
+
+backend prosody_muc
+ mode tcp
+ server prosody_muc {{ prosody__private_ip }}:5269
+
+frontend eighty
+ bind *:80
+ mode http
+ redirect scheme https if !{ ssl_fc }
+
+frontend ssl
+ bind *:443 ssl crt /etc/ssl/private/plothopes.com/plothopes.pem
+ mode http
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+
+ use_backend local if { url_beg /.well-known }
+ use_backend plothopes if { hdr(host) -i plothopes.com -i www.plothopes.com }
+
+backend plothopes
+ mode http
+ server plothopes {{ plothopes__private_ip }}:{{ plothopes__port }}
+
+backend local
+ mode http
+ server local 127.0.0.1:8080
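Review bot: `ssl-default-bind-options no-sslv3` still accepts TLS 1.0 and 1.1, and the cipher list keeps the static-RSA `AES128-SHA`/`AES256-SHA` family that offers no forward secrecy; for a 2018 deployment `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` with the `ECDHE-*` suites only would be the expected baseline. The HSTS header sets `max-age=16000000` (about 185 days) together with `preload`, but the preload list requires at least one year, so either raise it to `max-age=31536000` or leave `preload` off until the domain is actually submitted. The `use_backend local if { url_beg /.well-known }` rule matches any Host on port 443, which is fine for ACME but means every name pointed at this IP reaches the local service. The `-i` flag is repeated in the plothopes ACL; `hdr(host) -i plothopes.com www.plothopes.com` is the conventional form. Port 5269 is XMPP server-to-server, not MUC, so naming the frontend/backend `prosody_s2s` would avoid confusion for the next maintainer.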