ansible plays for docker, haproxy & varnish

ansible/roles/haproxy/defaults/main.yml

@@ -0,0 +1,3 @@
+haproxy_package_name: haproxy
+haproxy_cfg_path: /etc/haproxy/haproxy.cfg
+haproxy_service_name: haproxy

ansible/roles/haproxy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload haproxy
+  service:
+    name: haproxy
+    state: reloaded

ansible/roles/haproxy/tasks/config.yml

@@ -0,0 +1,20 @@
+---
+- file:
+    path: "{{ haproxy_certs_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- template:
+    src: haproxy.cfg.j2
+    dest: "{{ haproxy_cfg_path }}"
+    owner: root
+    group: root
+    mode: "0644"
+    validate: "haproxy -c -f %s"
+  notify: reload haproxy
+
+- service:
+    name: haproxy
+    state: started

ansible/roles/haproxy/tasks/install.yml

@@ -0,0 +1,8 @@
+---
+- package:
+    name: haproxy
+    state: present
+
+- service:
+    name: haproxy
+    enabled: true

ansible/roles/haproxy/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- import_tasks: install.yml
+- import_tasks: snakeoil.yml
+- import_tasks: config.yml

ansible/roles/haproxy/tasks/snakeoil.yml

@@ -0,0 +1,48 @@
+---
+# tasks/snakeoil.yml
+- name: Ensure snakeoil certificate tooling is installed
+  ansible.builtin.package:
+    name: ssl-cert
+    state: present
+
+- name: Check whether HAProxy snakeoil PEM already exists
+  ansible.builtin.stat:
+    path: /etc/haproxy/certs/ssl-cert-snakeoil.pem
+  register: haproxy_pem
+
+# Validate cert structure if the file exists
+- name: Validate certificate structure in HAProxy PEM
+  ansible.builtin.command: >
+    openssl x509 -in /etc/haproxy/certs/ssl-cert-snakeoil.pem -noout
+  register: pem_cert_check
+  changed_when: false
+  failed_when: false
+  when: haproxy_pem.stat.exists
+
+- name: Ensure HAProxy cert directory exists
+  ansible.builtin.file:
+    path: /etc/haproxy/certs
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Decide if we must (re)create PEM (missing/empty/invalid)
+  ansible.builtin.set_fact:
+    haproxy_pem_needs_create: >-
+        {{
+            (not haproxy_pem.stat.exists)
+            or ((pem_cert_check | default({'rc': 'undef'})).rc != 0)
+        }}
+
+# Generate the snakeoil cert/key if we need to (re)create bundle
+- name: Generate default snakeoil cert/key
+  ansible.builtin.command: make-ssl-cert generate-default-snakeoil
+  when: haproxy_pem_needs_create
+  changed_when: true
+
+- name: Assemble HAProxy snakeoil PEM bundle (cert + key)
+  shell:
+    cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/certs/ssl-cert-snakeoil.pem"
+  when: haproxy_pem_needs_create
+  notify: reload haproxy

ansible/roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,134 @@
+global
+    log /dev/log    local0
+    log /dev/log    local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+
+    limited-quic
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+    log     global
+    mode    http
+    option  httplog
+    option  dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+# Front door: public HTTP
+frontend fe_http
+    bind :80
+
+    http-request set-header X-Forwarded-Proto https
+    option forwardfor
+
+    default_backend be_traefik_http
+
+# Front door: public HTTPS
+frontend fe_https
+    mode http
+    bind :443 ssl crt {{ haproxy_certs_dir }} alpn h2,http/1.1
+    bind quic4@:443 ssl crt {{ haproxy_certs_dir }} alpn h3
+
+    # Add forwarding headers so Traefik/apps can know original client info
+    http-request set-header X-Forwarded-Proto https
+    option forwardfor
+
+    # DISABLED: Advertise HTTP3
+    # acl is_h2 ssl_fc_alpn -i h2
+    # http-response set-header Alt-Svc "h3=\":443\"; ma=900" if is_h2
+
+    # =========================================================
+    # Debug response headers (enabled via ?debug=1)
+
+    # Read debug query parameter
+    http-request set-var(txn.debug) urlp(debug)
+
+    # Define what "debug enabled" means
+    acl debug_enabled var(txn.debug) -m str -i 1 true yes on
+
+    http-request set-var(txn.http_ver) req.ver
+    http-response add-header X-Debug-HTTP-Version %[var(txn.http_ver)] if debug_enabled
+    http-response add-header X-Debug-Served-By haproxy-https if debug_enabled
+    http-response add-header X-Debug-Frontend %[fe_name]    if debug_enabled
+    http-response add-header X-Debug-Backend  %[be_name]    if debug_enabled
+    http-response add-header X-Debug-Server   %[srv_name]   if debug_enabled
+
+    # Client & network
+    http-response add-header X-Debug-Client-IP   %[src] if debug_enabled
+    # http-response add-header X-Debug-Client-Port %[sp]  if debug_enabled
+    # http-response add-header X-Debug-XFF %[req.hdr(X-Forwarded-For)] if debug_enabled
+
+    # TLS / HTTPS details
+    http-response add-header X-Debug-TLS %[ssl_fc] if debug_enabled
+    http-response add-header X-Debug-TLS-Version %[ssl_fc_protocol] if debug_enabled
+    http-response add-header X-Debug-TLS-Cipher  %[ssl_fc_cipher]   if debug_enabled
+
+    # Request identity & correlation
+    http-response add-header X-Debug-Request-ID %[unique-id] if debug_enabled
+    http-response add-header X-Debug-Method     %[method]   if debug_enabled
+
+    # Safety: prevent caching of debug responses
+    http-response add-header Cache-Control no-store if debug_enabled
+
+    default_backend be_traefik_http
+
+
+# Backend: Traefik VM
+backend be_traefik_http
+    mode http
+    balance roundrobin
+    cookie LB_SERVER insert indirect nocache dynamic
+    dynamic-cookie-key {{ haproxy_dynamic_cookie_key }}
+
+    # Health check: Traefik should respond with 404 for unknown host; that's still "alive".
+    # We'll just do a TCP check (simpler and reliable).
+    option tcp-check
+
+    {% for ip in haproxy_traefik_ip %}
+        server traefik{{ loop.index }} {{ ip }}:{{ haproxy_traefik_port }} check cookie {{ haproxy_cookie_value }}
+    {% endfor %}
+
+# Frontend: HAProxy prometheus exporter metrics
+frontend fe_metrics
+    bind :8405
+    mode http
+
+    http-request use-service prometheus-exporter if { path /metrics }
+
+# ============================
+# HAProxy Stats (metrics UI)
+# ============================
+listen haproxy_stats
+    bind :8404
+    mode http
+
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+
+    # Optional basic auth
+    stats auth {{ haproxy_stats_auth }}
+
+    # Show extra info (handy for debugging)
+    stats show-legends

ansible/roles/haproxy/vars/main.yml

@@ -0,0 +1,2 @@
+---
+haproxy_service_name: haproxy