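---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

# Tasks for the haproxy role: install the package, harden its systemd unit with
# drop-in files, render /etc/haproxy/haproxy.cfg from a template and enable the
# service. The etckeeper.inc role is included around each group of /etc changes
# so upstream package changes and local changes land in separate commits.
#
# File modes are written as quoted strings ("0755") rather than bare octal
# literals: a bare 0755 only works because PyYAML happens to read it as a
# YAML 1.1 octal, and a mode such as 644 without the leading zero is silently
# interpreted as decimal 644 (= 01204). Quoting makes the intent explicit.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: haproxy
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{ item }}"
    state: present
  loop:
    - haproxy

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: haproxy
### ⇐ UPSTREAM END ###

# Drop-in directory for overriding the distribution's haproxy.service unit.
- name: prepare overriding haproxy settings
  file:
    name: /etc/systemd/system/haproxy.service.d
    state: directory
    mode: "0755"

# Order haproxy after openresty so the sockets haproxy fronts exist at start.
- name: set nginx as a dependency (for sockets)
  copy:
    content: |
      [Unit]
      Wants=openresty.service
      After=openresty.service
    dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
    mode: "0644"
  notify:
    - restart haproxy.service

# Hardening drop-in: restricts the unit's capability bounding set to
# CAP_AUDIT_WRITE, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_SYS_CHROOT and
# applies systemd's filesystem/namespace isolation directives. The file name
# is templated on {{ nickname }}, so this drop-in is host-specific.
- name: secure haproxy systemd settings
  copy:
    content: |
      [Service]
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
    dest: "/etc/systemd/system/haproxy.service.d/secure-{{ nickname }}.conf"
    mode: "0644"
  notify:
    - restart haproxy.service

# Owner-only mode: the rendered configuration may carry credentials or key
# paths, so it is kept unreadable to other local users.
- name: configure HAProxy
  template:
    src: templates/haproxy.conf.j2
    dest: /etc/haproxy/haproxy.cfg
    mode: "0600"
  notify:
    - restart haproxy.service

# daemon-reload is required so systemd picks up the drop-ins written above.
- name: enable haproxy
  systemd:
    daemon-reload: true
    name: haproxy.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: haproxy
### ⇐ LOCAL COMMIT ###

# Run the queued "restart haproxy.service" handler now instead of at the end
# of the play, so later roles see the restarted service.
- meta: flush_handlers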