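---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

# HAProxy task list: install the package, harden and adjust its systemd unit,
# deploy the configuration, then enable the service. Every stretch that
# touches /etc is bracketed by the etckeeper.inc role so that upstream
# (package-provided) edits and local edits end up in separate commits.
# The "restart haproxy.service" handler is expected to be defined in this
# role's handlers (not visible here).

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: haproxy
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{item}}"
    state: present
  with_items:
    - haproxy

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: haproxy
### ⇐ UPSTREAM END ###

# Drop-in directory for unit overrides; file modes are quoted so the YAML
# parser cannot reinterpret the leading-zero octal literal.
- name: prepare overriding haproxy settings
  file:
    name: /etc/systemd/system/haproxy.service.d
    state: directory
    mode: "0755"

# HAProxy talks to nginx over local sockets, so nginx must be up first.
- name: set nginx as a dependency (for sockets)
  copy:
    content: |
      [Unit]
      Wants=nginx.service
      After=nginx.service
    dest: /etc/systemd/system/haproxy.service.d/wants_nginx.conf
    mode: "0644"
  notify:
    - restart haproxy.service

# Sandboxing drop-in: bounds the capabilities the service may hold
# (binding low ports, chroot, audit logging, net admin), gives it private
# /tmp and /dev, makes most of the filesystem read-only and hides home
# directories, and prevents privilege escalation via setuid/setgid binaries.
- name: secure haproxy systemd settings
  copy:
    content: |
      [Service]
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
    dest: "/etc/systemd/system/haproxy.service.d/secure-{{nickname}}.conf"
    mode: "0644"
  notify:
    - restart haproxy.service

# The rendered config is root-only (0600): the template may reference
# backend addresses, stats credentials or certificate paths — presumably
# nothing in it is meant to be world-readable; confirm against the template.
- name: configure HAProxy
  template:
    src: templates/haproxy.conf.j2
    dest: /etc/haproxy/haproxy.cfg
    mode: "0600"
  notify:
    - restart haproxy.service

# daemon_reload picks up the drop-ins written above before enabling.
- name: enable haproxy
  systemd:
    daemon_reload: true
    name: haproxy.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: haproxy
### ⇐ LOCAL COMMIT ###

# Run the queued restart now rather than at the end of the play, so
# anything that follows sees HAProxy running with the new unit and config.
- meta: flush_handlers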