ansible plays for docker, haproxy & varnish

ansible/group_vars/CD.yml

@@ -0,0 +1,6 @@
+---
+# CI specific vars
+
+users:
+  - root
+ssh_keys_users: ['drone']

ansible/group_vars/all.yml

@@ -0,0 +1,11 @@
+---
+# Specific variables for all group
+ansible_python_interpreter: '/usr/bin/python3'
+ssh_skip_ssh_config: true
+users:
+  - username: kevin
+    oh_my_zsh:
+      theme: robbyrussell
+  - username: root
+    oh_my_zsh:
+      theme: robbyrussell

ansible/group_vars/consul-server.yml

@@ -0,0 +1,5 @@
+---
+# Consul server specific
+consul_is_server: true
+consul_is_ui: true
+consul_bootstrap_expect: 1

ansible/group_vars/datacenter.yml

@@ -0,0 +1,17 @@
+---
+# dns_domain: "schleppe"
+dns_nameservers:
+  - "1.1.1.1"
+  - "2606:4700:4700::1111"
+  - "2606:4700:4700::1001"
+
+default_user: "kevin"
+
+# Consul cluster
+consul_datacenter: "schleppe"
+consul_servers:
+  - "10.0.0.140"
+  - "10.0.0.141"
+  - "10.0.0.142"
+consul_install_dnsmasq: false
+

ansible/group_vars/haproxy.yml

@@ -0,0 +1,12 @@
+haproxy_traefik_ip: 
+  - "10.24.1.1"
+  - "10.25.0.4"
+haproxy_traefik_port: 80
+haproxy_cookie_value: "{{ inventory_hostname | default('server-1') }}"
+haproxy_dynamic_cookie_key: "mysecretphrase"
+haproxy_stats_auth: "admin:strongpassword"
+haproxy_certs_dir: "/etc/haproxy/certs"
+
+certbot_cloudflare_secrets_dir: "/root/.secrets/certbot"
+certbot_cloudflare_ini_path: "/root/.secrets/certbot/cloudflare.ini"
+certbot_cloudflare_api_token: "REPLACE_WITH_REAL_TOKEN"

ansible/group_vars/macos.yml

@@ -0,0 +1,6 @@
+---
+# python path
+ansible_python_interpreter: /usr/local/bin/python3
+
+users:
+  - kevin

ansible/group_vars/minecraft.yml

@@ -0,0 +1,6 @@
+---
+apt_packages:
+  - git
+  - build-essential
+  - openjdk-21-jdk
+minecraft_version: 1.20.6

ansible/group_vars/proxmox-vm.yml

@@ -0,0 +1,2 @@
+---
+proxmox_install_qemu_guest_agent: true

ansible/group_vars/vinlottis-vm.yml

@@ -0,0 +1,2 @@
+---
+ssh_keys_users: ['kevin', 'kasper']

ansible/hetzner.ini

@@ -0,0 +1,48 @@
+####################
+# HOST DEFINITIONS #
+####################
+localhost ansible_connection=local
+
+[eu]
+web-eu-1        ansible_host=localhost          ansible_port=2222   ansible_user=root
+haproxy-hel-1   ansible_host=65.108.92.44       ansible_port=22     ansible_user=root
+haproxy-hel-2   ansible_host=77.42.77.210       ansible_port=22     ansible_user=root
+varnish-hel-1   ansible_host=65.108.92.44       ansible_port=22     ansible_user=root
+varnish-hel-2   ansible_host=77.42.77.210       ansible_port=22     ansible_user=root
+
+[us]
+web-us-1        ansible_host=localhost          ansible_port=2222   ansible_user=root
+haproxy-va-1    ansible_host=5.161.197.50       ansible_port=22     ansible_user=root
+haproxy-va-2    ansible_host=178.156.219.175    ansible_port=22     ansible_user=root
+varnish-va-1    ansible_host=5.161.197.50       ansible_port=22     ansible_user=root
+varnish-va-2    ansible_host=178.156.219.175    ansible_port=22     ansible_user=root
+
+[haproxy]
+haproxy-hel-1
+haproxy-hel-2
+haproxy-va-1
+haproxy-va-2
+
+[varnish]
+varnish-hel-1
+varnish-hel-2
+varnish-va-1
+varnish-va-2
+
+[web]
+web-eu-1
+
+####################
+# BIGASS GROUPS    #
+####################
+[datacenter:children]
+eu
+us
+
+####################
+# VARS             #
+####################
+[all:vars]
+sudoers=kevin
+ssh_keys_users=['kevin']
+# view more vars at groups_vars/all.yml

ansible/plays/base_server_setup.yml

@@ -0,0 +1,24 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') and lookup('env', 'HAS_VAULT') != 'FALSE' }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Basic setup, brute force protection, firewall and log shipping
+  hosts: all
+  roles:
+    - role: roles/apt
+    - role: roles/base                  # - Basic server setup and configuration
+    # - role: roles/fail2ban              # - SSH Brute force protection
+    # - role: roles/prox-qemu-agent       # - If proxmox vm insatll qemu agent
+    - role: roles/firewall              # - Firewall, if firewall_enable is true
+    - role: roles/ssh                   # - Sets up the ssh role, with keys, ssh_config and sshd_config
+    - role: roles/oh-my-zsh
+    - role: roles/motd
+#    - role: roles/bacula

ansible/plays/bind9.yml

@@ -0,0 +1,16 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') and lookup('env', 'HAS_VAULT') != 'FALSE' }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Install all bind9 service and transfer zone files
+  hosts: all
+  roles:
+    - role: roles/bind9

ansible/plays/consul.yml

@@ -0,0 +1,5 @@
+---
+- name: Consul
+  hosts: all
+  roles:
+    - role: roles/consul

ansible/plays/cve-2024-3094.yml

@@ -0,0 +1,6 @@
+---
+- name: patch xz-utils
+  hosts: all
+  roles:
+    - roles/xz_utils_patch
+

ansible/plays/docker.yml

@@ -0,0 +1,5 @@
+---
+- name: Install docker on linux host
+  hosts: all
+  roles:
+    - role: roles/docker

ansible/plays/firewall.yml

@@ -0,0 +1,6 @@
+---
+- name: Install all ufw service and enable ports
+  hosts: all
+  roles:
+    - role: roles/firewall
+

ansible/plays/get_os.yml

@@ -0,0 +1,7 @@
+- hosts: all
+  tasks:
+  - debug:
+      msg:
+      - "ansible_distribution {{ hostvars[inventory_hostname].ansible_distribution }}"
+      - "major version {{ hostvars[inventory_hostname].ansible_distribution_major_version }}"
+      - "version {{ hostvars[inventory_hostname].ansible_distribution_version }}"

ansible/plays/gitea.yml

@@ -0,0 +1,5 @@
+---
+- name: Provision git server with gitea
+  hosts: all
+  roles:
+    - role: roles/gitea

ansible/plays/haproxy.yml

@@ -0,0 +1,7 @@
+---
+- name: Configure HAProxy edge + Certbot Cloudflare plugin
+  hosts: haproxy
+
+  roles:
+    # - role: roles/certbot
+    - role: roles/haproxy

ansible/plays/immich.yml

@@ -0,0 +1,7 @@
+---
+- name: Install and setup immich backup service
+  hosts: all
+  roles:
+    #    - role: roles/docker
+    - role: roles/immich
+

ansible/plays/ip_list.yml

@@ -0,0 +1,6 @@
+- hosts: all
+  tasks:
+    - name: Print IPv4 addresse and hostname for all hosts
+      debug:
+        msg: '{{ ansible_default_ipv4.address }} - {{ ansible_hostname }}'
+

ansible/plays/minecraft.yml

@@ -0,0 +1,7 @@
+---
+- name: Setup minecraft requirements w/ latest server jar
+  hosts: all
+  roles:
+    - role: roles/apt
+    - role: roles/minecraft
+

ansible/plays/motd.yml

@@ -0,0 +1,5 @@
+---
+- name: Generate motd figlet hostnames
+  hosts: all
+  roles:
+    - role: roles/motd

ansible/plays/openssl_upgrade_3.0.7.yml

@@ -0,0 +1,13 @@
+---
+- name: Get openssl version
+  hosts: all
+
+  tasks:
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: Install openssl version 3.0.6
+      ansible.builtin.package:
+        name: openssl=3.0.6
+        state: present      

ansible/plays/openssl_version.yml

@@ -0,0 +1,11 @@
+---
+- name: Get openssl version
+  hosts: all
+
+  tasks:
+    - name: Gather the package facts
+      ansible.builtin.package_facts:
+        manager: auto
+
+    - name: print openssl version
+      debug: var=ansible_facts.packages.openssl[0].version

ansible/plays/ping.yml

@@ -0,0 +1,5 @@
+- hosts: all
+
+  tasks:
+    - name: Ping all hosts
+      ping:

ansible/plays/prox-node.yml

@@ -0,0 +1,19 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') }}"
+      TELEGRAF_TOKEN: "{{ lookup('env', 'TELEGRAF_TOKEN') }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Basic setup for proxmox vm clients
+  hosts: proxmox_nodes
+  roles:
+    # - role: roles/prox-telegraf-metrics
+    - role: roles/prox-templates
+

ansible/plays/ssh_config.yml

@@ -0,0 +1,7 @@
+---
+- name: create ssh config
+  hosts: all
+  roles:
+    - role: roles/ssh
+      ssh_skip_sshd_config: true
+      ssh_skip_ssh_keys: true

ansible/plays/ssh_keys.yml

@@ -0,0 +1,10 @@
+---
+- name: Deploy ssh keys
+  hosts: all
+  roles:
+    - role: roles/ssh
+      ssh_skip_sshd_config: true
+      ssh_skip_ssh_config: true
+      ssh_keys_users:
+        - 'root'
+

ansible/plays/sshd_config.yml

@@ -0,0 +1,7 @@
+---
+- name: create ssh server config
+  hosts: all
+  roles:
+    - role: roles/ssh
+      ssh_skip_ssh_config: true
+      ssh_skip_ssh_keys: true

ansible/plays/syncthing.yml

@@ -0,0 +1,5 @@
+---
+- name: Install & configure syncthing
+  hosts: all
+  roles:
+    - role: roles/syncthing

ansible/plays/traefik.yml

@@ -0,0 +1,6 @@
+---
+- name: Install traefik binary & config
+  hosts: all
+  roles:
+    - role: roles/traefik
+

ansible/plays/upgrade.yml

@@ -0,0 +1,15 @@
+---
+- name: Upgrade all machines
+  hosts: all
+
+  tasks:
+    - name: update debian hosts
+      become: true
+      apt:
+        upgrade: yes
+        update_cache: yes
+        cache_valid_time: 86400
+      when:
+        - ansible_os_family == 'Debian'
+
+

ansible/plays/varnish.yml

@@ -0,0 +1,9 @@
+---
+- name: Install and configure systemd for varnish
+  hosts: varnish
+  roles:
+    - role: roles/firewall
+      enable_80_ufw_port: true
+      enable_443_ufw_port: true
+
+    - role: roles/varnish

ansible/plays/vault.yml

@@ -0,0 +1,7 @@
+---
+- name: Install all required packages, built and start service for vault
+  hosts: all
+  roles:
+    - role: roles/vault
+    - role: roles/firewall
+      enable_vault_ufw_port: true

ansible/plays/vim.yml

@@ -0,0 +1,6 @@
+---
+- name: Install vim
+  hosts: all
+  
+  roles:
+    - role: roles/vim

ansible/plays/vinlottis.yml

@@ -0,0 +1,5 @@
+---
+- name: Install all required packages, built and start service for vinlottis
+  hosts: all
+  roles:
+    - role: roles/vinlottis

ansible/plays/wireguard.yml

@@ -0,0 +1,6 @@
+- name: Setup wireguard
+  hosts: all
+  roles:
+    - role: roles/docker
+    - role: roles/firewall
+    - role: roles/wireguard

ansible/plays/xwiki.yml

@@ -0,0 +1,21 @@
+---
+- name: Check if vault is reachable for dynamic config
+  hosts: all
+  connection: local
+  gather_facts: false
+  pre_tasks:
+  - name: Check for vault env variables
+    set_fact:
+      has_vault: "{{ lookup('env', 'VAULT_ADDR') and lookup('env', 'VAULT_TOKEN') }}"
+      XWIKI_DB_USER: "{{ lookup('env', 'XWIKI_DB_USER') }}"
+      XWIKI_DB_PASSWORD: "{{ lookup('env', 'XWIKI_DB_PASSWORD') }}"
+      XWIKI_DB_ROOT_PASSWORD: "{{ lookup('env', 'XWIKI_DB_ROOT_PASSWORD') }}"
+  roles:
+    - { role: roles/vault-config, when: has_vault }
+
+- name: Setup xwiki working directory and move docker-compose file
+  hosts: all
+  roles:
+    - role: roles/docker
+    - role: roles/firewall
+    - role: roles/xwiki

ansible/plays/zsh.yml

@@ -0,0 +1,7 @@
+- name: Install oh-my-zsh
+  hosts: all
+  roles:
+    - role: roles/oh-my-zsh
+      oh_my_zsh:
+        theme: robbyrussell
+

ansible/roles/certbot/defaults/main.yml

@@ -0,0 +1,3 @@
+certbot_packages:
+  - certbot
+  - python3-certbot-dns-cloudflare

ansible/roles/certbot/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: noop
+  debug:
+    msg: "Certbot role completed"

ansible/roles/certbot/tasks/install.yml

@@ -0,0 +1,8 @@
+---
+- apt:
+    update_cache: true
+  when: ansible_facts.os_family == "Debian"
+
+- package:
+    name: "{{ certbot_packages }}"
+    state: present

ansible/roles/certbot/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- import_tasks: install.yml
+- import_tasks: secrets.yml

ansible/roles/certbot/tasks/secrets.yml

@@ -0,0 +1,14 @@
+---
+- file:
+    path: "{{ certbot_cloudflare_secrets_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- template:
+    src: cloudflare.ini.j2
+    dest: "{{ certbot_cloudflare_ini_path }}"
+    owner: root
+    group: root
+    mode: "0600"

ansible/roles/certbot/templates/cloudflare.ini.j2

@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ certbot_cloudflare_api_token }}

ansible/roles/docker/defaults/main.yml

@@ -0,0 +1,15 @@
+clean_install_remove_packages:
+  - docker.io
+  - docker-doc
+  - docker-compose
+  - podman-docker
+  - containerd
+  - runc
+
+install_packages:
+  - docker-ce
+  - docker-ce-cli
+  - containerd.io
+  - docker-buildx-plugin
+  - docker-compose
+  # - docker-compose-plugin

ansible/roles/docker/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+- name: Clean install by removing any docker package
+  package: name={{ item }} state=absent
+  with_items: "{{ clean_install_remove_packages }}"
+
+- name: Ensure curl & ca-certs are installed 
+  package:
+    name:
+      - ca-certificates
+      - curl
+      - gnupg
+    state: latest
+
+# Map Ansible distro -> Docker repo distro segment
+- name: Determine Docker repository distro (ubuntu/debian)
+  set_fact:
+    docker_repo_distro: >-
+      {{
+        'ubuntu' if ansible_distribution | lower == 'ubuntu'
+        else 'debian' if ansible_distribution | lower == 'debian'
+        else ansible_distribution | lower
+      }}
+
+# Prefer the suite/codename Ansible already knows; fall back to os-release.
+- name: Determine OS suite/codename
+  set_fact:
+    docker_repo_codename: "{{ ansible_distribution_release | default(ansible_lsb.codename, true) }}"
+
+- name: Ensure docker keyring file exists
+  file:
+    path: /etc/apt/keyrings/docker.gpg
+    state: touch
+  
+- name: Download docker gpg key and add to keyrings
+  shell: |
+    curl -fsSL "https://download.docker.com/linux/{{ docker_repo_distro }}/gpg" \
+      | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
+    chmod a+r /etc/apt/keyrings/docker.gpg
+  args:
+    creates: /etc/apt/keyrings/docker.gpg
+
+- name: Sign and add docker deb source (Ubuntu/Debian)
+  copy:
+    dest: /etc/apt/sources.list.d/docker.list
+    mode: "0644"
+    content: |
+      deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ docker_repo_distro }} {{ docker_repo_codename }} stable
+
+- name: Update apt sources
+#  become: true
+  apt:
+    update_cache: yes
+    cache_valid_time: 10
+
+- name: Install docker packages
+  package: name={{ item }} state=latest
+  with_items: "{{ install_packages }}"
+
+- name: Ensure group docker exists
+  user:
+    name: docker
+    state: present

ansible/roles/haproxy/defaults/main.yml

@@ -0,0 +1,3 @@
+haproxy_package_name: haproxy
+haproxy_cfg_path: /etc/haproxy/haproxy.cfg
+haproxy_service_name: haproxy

ansible/roles/haproxy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload haproxy
+  service:
+    name: haproxy
+    state: reloaded

ansible/roles/haproxy/tasks/config.yml

@@ -0,0 +1,20 @@
+---
+- file:
+    path: "{{ haproxy_certs_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- template:
+    src: haproxy.cfg.j2
+    dest: "{{ haproxy_cfg_path }}"
+    owner: root
+    group: root
+    mode: "0644"
+    validate: "haproxy -c -f %s"
+  notify: reload haproxy
+
+- service:
+    name: haproxy
+    state: started

ansible/roles/haproxy/tasks/install.yml

@@ -0,0 +1,8 @@
+---
+- package:
+    name: haproxy
+    state: present
+
+- service:
+    name: haproxy
+    enabled: true

ansible/roles/haproxy/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- import_tasks: install.yml
+- import_tasks: snakeoil.yml
+- import_tasks: config.yml

ansible/roles/haproxy/tasks/snakeoil.yml

@@ -0,0 +1,48 @@
+---
+# tasks/snakeoil.yml
+- name: Ensure snakeoil certificate tooling is installed
+  ansible.builtin.package:
+    name: ssl-cert
+    state: present
+
+- name: Check whether HAProxy snakeoil PEM already exists
+  ansible.builtin.stat:
+    path: /etc/haproxy/certs/ssl-cert-snakeoil.pem
+  register: haproxy_pem
+
+# Validate cert structure if the file exists
+- name: Validate certificate structure in HAProxy PEM
+  ansible.builtin.command: >
+    openssl x509 -in /etc/haproxy/certs/ssl-cert-snakeoil.pem -noout
+  register: pem_cert_check
+  changed_when: false
+  failed_when: false
+  when: haproxy_pem.stat.exists
+
+- name: Ensure HAProxy cert directory exists
+  ansible.builtin.file:
+    path: /etc/haproxy/certs
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Decide if we must (re)create PEM (missing/empty/invalid)
+  ansible.builtin.set_fact:
+    haproxy_pem_needs_create: >-
+        {{
+            (not haproxy_pem.stat.exists)
+            or ((pem_cert_check | default({'rc': 'undef'})).rc != 0)
+        }}
+
+# Generate the snakeoil cert/key if we need to (re)create bundle
+- name: Generate default snakeoil cert/key
+  ansible.builtin.command: make-ssl-cert generate-default-snakeoil
+  when: haproxy_pem_needs_create
+  changed_when: true
+
+- name: Assemble HAProxy snakeoil PEM bundle (cert + key)
+  shell:
+    cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/certs/ssl-cert-snakeoil.pem"
+  when: haproxy_pem_needs_create
+  notify: reload haproxy

ansible/roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,134 @@
+global
+    log /dev/log    local0
+    log /dev/log    local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+
+    limited-quic
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+    log     global
+    mode    http
+    option  httplog
+    option  dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+# Front door: public HTTP
+frontend fe_http
+    bind :80
+
+    http-request set-header X-Forwarded-Proto https
+    option forwardfor
+
+    default_backend be_traefik_http
+
+# Front door: public HTTPS
+frontend fe_https
+    mode http
+    bind :443 ssl crt {{ haproxy_certs_dir }} alpn h2,http/1.1
+    bind quic4@:443 ssl crt {{ haproxy_certs_dir }} alpn h3
+
+    # Add forwarding headers so Traefik/apps can know original client info
+    http-request set-header X-Forwarded-Proto https
+    option forwardfor
+
+    # DISABLED: Advertise HTTP3
+    # acl is_h2 ssl_fc_alpn -i h2
+    # http-response set-header Alt-Svc "h3=\":443\"; ma=900" if is_h2
+
+    # =========================================================
+    # Debug response headers (enabled via ?debug=1)
+
+    # Read debug query parameter
+    http-request set-var(txn.debug) urlp(debug)
+
+    # Define what "debug enabled" means
+    acl debug_enabled var(txn.debug) -m str -i 1 true yes on
+
+    http-request set-var(txn.http_ver) req.ver
+    http-response add-header X-Debug-HTTP-Version %[var(txn.http_ver)] if debug_enabled
+    http-response add-header X-Debug-Served-By haproxy-https if debug_enabled
+    http-response add-header X-Debug-Frontend %[fe_name]    if debug_enabled
+    http-response add-header X-Debug-Backend  %[be_name]    if debug_enabled
+    http-response add-header X-Debug-Server   %[srv_name]   if debug_enabled
+
+    # Client & network
+    http-response add-header X-Debug-Client-IP   %[src] if debug_enabled
+    # http-response add-header X-Debug-Client-Port %[sp]  if debug_enabled
+    # http-response add-header X-Debug-XFF %[req.hdr(X-Forwarded-For)] if debug_enabled
+
+    # TLS / HTTPS details
+    http-response add-header X-Debug-TLS %[ssl_fc] if debug_enabled
+    http-response add-header X-Debug-TLS-Version %[ssl_fc_protocol] if debug_enabled
+    http-response add-header X-Debug-TLS-Cipher  %[ssl_fc_cipher]   if debug_enabled
+
+    # Request identity & correlation
+    http-response add-header X-Debug-Request-ID %[unique-id] if debug_enabled
+    http-response add-header X-Debug-Method     %[method]   if debug_enabled
+
+    # Safety: prevent caching of debug responses
+    http-response add-header Cache-Control no-store if debug_enabled
+
+    default_backend be_traefik_http
+
+
+# Backend: Traefik VM
+backend be_traefik_http
+    mode http
+    balance roundrobin
+    cookie LB_SERVER insert indirect nocache dynamic
+    dynamic-cookie-key {{ haproxy_dynamic_cookie_key }}
+
+    # Health check: Traefik should respond with 404 for unknown host; that's still "alive".
+    # We'll just do a TCP check (simpler and reliable).
+    option tcp-check
+
+    {% for ip in haproxy_traefik_ip %}
+        server traefik{{ loop.index }} {{ ip }}:{{ haproxy_traefik_port }} check cookie {{ haproxy_cookie_value }}
+    {% endfor %}
+
+# Frontend: HAProxy prometheus exporter metrics
+frontend fe_metrics
+    bind :8405
+    mode http
+
+    http-request use-service prometheus-exporter if { path /metrics }
+
+# ============================
+# HAProxy Stats (metrics UI)
+# ============================
+listen haproxy_stats
+    bind :8404
+    mode http
+
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+
+    # Optional basic auth
+    stats auth {{ haproxy_stats_auth }}
+
+    # Show extra info (handy for debugging)
+    stats show-legends

ansible/roles/haproxy/vars/main.yml

@@ -0,0 +1,2 @@
+---
+haproxy_service_name: haproxy

ansible/roles/varnish/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+  - name: update apt
+    become: true
+    apt:
+      update_cache: yes
+      cache_valid_time: 86400
+
+  - name: install required packages
+    package:
+      name:
+        - debian-archive-keyring
+        - curl
+        - gnupg
+        - apt-transport-https
+
+  - name: add varnish apt key & repo
+    block:
+      - name: add varnish key
+        apt_key:
+          url: https://packagecloud.io/varnishcache/varnish60lts/gpgkey
+          state: present
+
+      - name: add varnish repo
+        apt_repository:
+          repo: 'deb https://packagecloud.io/varnishcache/varnish60lts/{{ varnish_release }} {{ varnish_release_codename }} main'
+          state: present
+
+      - name: add varnish repo src
+        apt_repository:
+          repo: 'deb-src https://packagecloud.io/varnishcache/varnish60lts/{{ varnish_release }} {{ varnish_release_codename }} main'
+          state: present
+
+      - name: update apt
+        become: true
+        apt:
+          update_cache: yes
+          cache_valid_time: 86400
+
+  - name: install varnish package
+    package:
+      name: varnish
+
+  - name: copy systemd template
+    template:
+      src: varnish-systemd.j2
+      dest: /lib/systemd/system/varnish.service
+      owner: root
+      mode: 644
+
+  - name: restart systemd daemon
+    systemd:
+      daemon_reload: yes
+
+  - name: restart varnish service
+    systemd:
+      name: varnish.service
+      state: reloaded

ansible/roles/varnish/templates/varnish-systemd.j2

@@ -0,0 +1,44 @@
+[Unit]
+Description=Varnish HTTP accelerator
+Documentation=https://www.varnish-cache.org/docs/6.1/ man:varnishd
+
+[Service]
+Type=simple
+
+# Maximum number of open files (for ulimit -n)
+LimitNOFILE=131072
+
+# Locked shared memory - should suffice to lock the shared memory log
+# (varnishd -l argument)
+# Default log size is 80MB vsl + 1M vsm + header -> 82MB
+# unit is bytes
+# LimitMEMLOCK=85983232
+
+# Varnish default
+LimitMEMLOCK=82000
+
+# Enable this to avoid "fork failed" on reload.
+TasksMax=infinity
+
+# Maximum size of the corefile.
+LimitCORE=infinity
+
+ExecStart=/usr/sbin/varnishd \
+    -j unix,user=vcache \
+    -F \
+    -a :80 \
+    -a :443 \
+    -p feature=+http2 \
+    -T localhost:6082 \
+    -f /etc/varnish/default.vcl \
+    -S /etc/varnish/secret \
+    -s malloc,256m
+
+ExecReload=/usr/share/varnish/varnishreload
+ProtectSystem=full
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+
+[Install]
+WantedBy=multi-user.target