Compare commits
No commits in common. "main" and "v1.0.0" have entirely different histories.
20 changed files with 342 additions and 452 deletions
|
@ -1,18 +0,0 @@
|
||||||
---
|
|
||||||
on: [push]
|
|
||||||
jobs:
|
|
||||||
lint:
|
|
||||||
runs-on: docker
|
|
||||||
container:
|
|
||||||
image: code.waks.be/nishiki/molecule:docker
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
- run: ansible-lint .
|
|
||||||
- run: yamllint .
|
|
||||||
molecule:
|
|
||||||
runs-on: docker
|
|
||||||
container:
|
|
||||||
image: code.waks.be/nishiki/molecule:docker
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
- run: molecule test
|
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,2 +1 @@
|
||||||
.kitchen/*
|
.kitchen/*
|
||||||
*.pyc
|
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
---
|
|
||||||
image: nishiki/molecule:docker
|
|
||||||
|
|
||||||
before_script:
|
|
||||||
- molecule --version
|
|
||||||
|
|
||||||
molecule:
|
|
||||||
stage: test
|
|
||||||
script:
|
|
||||||
- molecule test
|
|
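--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -0,0 +1,27 @@
+---
+driver:
+  name: docker_cli
+
+transport:
+  name: docker_cli
+
+provisioner:
+  name: ansible_playbook
+  hosts: localhost
+  require_ansible_repo: false
+  require_ansible_omnibus: false
+  require_chef_for_busser: true
+  ansible_verbose: false
+  ansible_inventory: ./test/integration/inventory
+
+platforms:
+  - name: debian-10
+    driver_config:
+      image: "nishiki/debian10:ansible-<%= ENV['ANSIBLE_VERSION'] ? ENV['ANSIBLE_VERSION'] : '2.8' %>"
+      command: /bin/systemd
+      volume:
+        - /sys/fs/cgroup:/sys/fs/cgroup:ro
+      security_opt: seccomp=unconfined
+
+suites:
+  - name: default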
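Review bot: `security_opt: seccomp=unconfined` in the debian-10 driver_config drops the default seccomp profile for the test container, which widens what the role under test can do against the host kernel; if it is only there so `/bin/systemd` can start, record that next to the line, `# needed for systemd inside the container; drop once the image no longer requires it`, so the setting is not copied into other configs as a default. The image is also selected by a mutable tag (`nishiki/debian10:ansible-2.8` by default), so a run's result depends on whatever is currently published under that tag rather than a fixed image. The ERB default would read more plainly as `ENV.fetch('ANSIBLE_VERSION', '2.8')` than the ternary.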
|
@ -2,11 +2,11 @@
|
||||||
extends: default
|
extends: default
|
||||||
|
|
||||||
ignore: |
|
ignore: |
|
||||||
.kitchen*
|
.kitchen/*
|
||||||
vendor/
|
vendor/
|
||||||
.forgejo/
|
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
line-length:
|
line-length:
|
||||||
max: 120
|
max: 120
|
||||||
level: warning
|
level: warning
|
||||||
|
truthy: false
|
||||||
|
|
32
CHANGELOG.md
32
CHANGELOG.md
|
@ -5,38 +5,6 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
### Added
|
|
||||||
|
|
||||||
- add support alpn in bind option
|
|
||||||
- add error files
|
|
||||||
- use multiple ssl certificates on one frontend
|
|
||||||
- test: add support debian 12
|
|
||||||
|
|
||||||
### Changed
|
|
||||||
|
|
||||||
- test: use personal docker registry
|
|
||||||
|
|
||||||
### Removed
|
|
||||||
|
|
||||||
- test: remove support debian 10
|
|
||||||
|
|
||||||
## v1.1.0 - 2021-08-15
|
|
||||||
|
|
||||||
### Added
|
|
||||||
|
|
||||||
- add userlist
|
|
||||||
- can specify the haproxy repository
|
|
||||||
- add resolvers configuration
|
|
||||||
- add debian11 support
|
|
||||||
- add IPs lists
|
|
||||||
|
|
||||||
### Changed
|
|
||||||
|
|
||||||
- change default group for stat socket
|
|
||||||
- reload haproxy after certificate change
|
|
||||||
- chore: use FQCN for module name
|
|
||||||
- test: replace kitchen to molecule
|
|
||||||
|
|
||||||
## v1.0.0 - 2019-11-09
|
## v1.0.0 - 2019-11-09
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
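--- a/Gemfile
+++ b/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+group :development do
+  gem 'kitchen-ansible'
+  gem 'kitchen-docker_cli'
+  gem 'rubocop', '0.50.0'
+  gem 'test-kitchen'
+end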
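--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -0,0 +1,130 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.0)
+    bcrypt_pbkdf (1.0.1)
+    builder (3.2.3)
+    ed25519 (1.2.4)
+    equatable (0.6.1)
+    erubis (2.7.0)
+    ffi (1.11.1)
+    gssapi (1.3.0)
+      ffi (>= 1.0.1)
+    gyoku (1.3.1)
+      builder (>= 2.1.2)
+    httpclient (2.8.3)
+    kitchen-ansible (0.50.1)
+      net-ssh (>= 3)
+      test-kitchen (>= 1.4)
+    kitchen-docker_cli (0.19.0)
+      test-kitchen (>= 1.3)
+    license-acceptance (1.0.13)
+      pastel (~> 0.7)
+      tomlrb (~> 1.2)
+      tty-box (~> 0.3)
+      tty-prompt (~> 0.18)
+    little-plugger (1.1.4)
+    logging (2.2.2)
+      little-plugger (~> 1.1)
+      multi_json (~> 1.10)
+    mixlib-install (3.11.21)
+      mixlib-shellout
+      mixlib-versioning
+      thor
+    mixlib-shellout (3.0.7)
+    mixlib-versioning (1.2.7)
+    multi_json (1.14.1)
+    necromancer (0.5.0)
+    net-scp (2.0.0)
+      net-ssh (>= 2.6.5, < 6.0.0)
+    net-ssh (5.2.0)
+    net-ssh-gateway (2.0.0)
+      net-ssh (>= 4.0.0)
+    nori (2.6.0)
+    parallel (1.18.0)
+    parser (2.6.5.0)
+      ast (~> 2.4.0)
+    pastel (0.7.3)
+      equatable (~> 0.6)
+      tty-color (~> 0.5)
+    powerpack (0.1.2)
+    rainbow (2.2.2)
+      rake
+    rake (13.0.0)
+    rubocop (0.50.0)
+      parallel (~> 1.10)
+      parser (>= 2.3.3.1, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 3.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.10.1)
+    rubyntlm (0.6.2)
+    rubyzip (1.3.0)
+    strings (0.1.6)
+      strings-ansi (~> 0.1)
+      unicode-display_width (~> 1.5)
+      unicode_utils (~> 1.4)
+    strings-ansi (0.1.0)
+    test-kitchen (2.3.3)
+      bcrypt_pbkdf (~> 1.0)
+      ed25519 (~> 1.2)
+      license-acceptance (~> 1.0, >= 1.0.11)
+      mixlib-install (~> 3.6)
+      mixlib-shellout (>= 1.2, < 4.0)
+      net-scp (>= 1.1, < 3.0)
+      net-ssh (>= 2.9, < 6.0)
+      net-ssh-gateway (>= 1.2, < 3.0)
+      thor (~> 0.19)
+      winrm (~> 2.0)
+      winrm-elevated (~> 1.0)
+      winrm-fs (~> 1.1)
+    thor (0.20.3)
+    tomlrb (1.2.8)
+    tty-box (0.5.0)
+      pastel (~> 0.7.2)
+      strings (~> 0.1.6)
+      tty-cursor (~> 0.7)
+    tty-color (0.5.0)
+    tty-cursor (0.7.0)
+    tty-prompt (0.19.0)
+      necromancer (~> 0.5.0)
+      pastel (~> 0.7.0)
+      tty-reader (~> 0.6.0)
+    tty-reader (0.6.0)
+      tty-cursor (~> 0.7)
+      tty-screen (~> 0.7)
+      wisper (~> 2.0.0)
+    tty-screen (0.7.0)
+    unicode-display_width (1.6.0)
+    unicode_utils (1.4.0)
+    winrm (2.3.2)
+      builder (>= 2.1.2)
+      erubis (~> 2.7)
+      gssapi (~> 1.2)
+      gyoku (~> 1.0)
+      httpclient (~> 2.2, >= 2.2.0.2)
+      logging (>= 1.6.1, < 3.0)
+      nori (~> 2.0)
+      rubyntlm (~> 0.6.0, >= 0.6.1)
+    winrm-elevated (1.1.1)
+      winrm (~> 2.0)
+      winrm-fs (~> 1.0)
+    winrm-fs (1.3.2)
+      erubis (~> 2.7)
+      logging (>= 1.6.1, < 3.0)
+      rubyzip (~> 1.1)
+      winrm (~> 2.0)
+    wisper (2.0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  kitchen-ansible
+  kitchen-docker_cli
+  rubocop (= 0.50.0)
+  test-kitchen
+
+BUNDLED WITH
+   2.0.2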
94
README.md
94
README.md
|
@ -1,21 +1,17 @@
|
||||||
# Ansible role: Haproxy
|
# Ansible role: Haproxy
|
||||||
|
|
||||||
[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/releases)
|
[![Version](https://img.shields.io/badge/latest_version-1.0.0-green.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/releases)
|
||||||
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/src/branch/main/LICENSE)
|
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/src/branch/master/LICENSE)
|
||||||
[![Build](https://code.waks.be/nishiki/ansible-role-haproxy/actions/workflows/molecule.yml/badge.svg?branch=main)](https://code.waks.be/nishiki/ansible-role-haproxy/actions?workflow=molecule.yml)
|
|
||||||
|
|
||||||
Install and configure haproxy
|
Install and configure haproxy
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
- Ansible >= 2.10
|
* Ansible >= 2.8
|
||||||
- Debian
|
* Debian Buster
|
||||||
- Bullseye
|
|
||||||
- Bookworm
|
|
||||||
|
|
||||||
## Role variables
|
## Role variables
|
||||||
|
|
||||||
- `haproxy_apt_release` - set the apt release to use (default: `ansible_distribution_release`)
|
|
||||||
- `haproxy_global` - hash with the global configuration
|
- `haproxy_global` - hash with the global configuration
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -75,14 +71,6 @@ Install and configure haproxy
|
||||||
- 'uri /haproxy_stats'
|
- 'uri /haproxy_stats'
|
||||||
```
|
```
|
||||||
|
|
||||||
- `haproxy_resolvers` - hash with the resolvers configuration
|
|
||||||
|
|
||||||
```
|
|
||||||
dns:
|
|
||||||
local:
|
|
||||||
- dns1 127.0.0.1:53
|
|
||||||
```
|
|
||||||
|
|
||||||
- `haproxy_frontends` - hash with the frontends configuration
|
- `haproxy_frontends` - hash with the frontends configuration
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -91,9 +79,6 @@ Install and configure haproxy
|
||||||
ip: '*'
|
ip: '*'
|
||||||
port: 443
|
port: 443
|
||||||
ssl:
|
ssl:
|
||||||
cert:
|
|
||||||
- /etc/haproxy/ssl1.pem
|
|
||||||
- /etc/haproxy/ssl2.pem
|
|
||||||
default_backend: backend-app
|
default_backend: backend-app
|
||||||
frontend-http:
|
frontend-http:
|
||||||
bind:
|
bind:
|
||||||
|
@ -107,11 +92,9 @@ Install and configure haproxy
|
||||||
acl:
|
acl:
|
||||||
- acl_test1-https hdr(host) test1.example.net
|
- acl_test1-https hdr(host) test1.example.net
|
||||||
- acl_test2-https hdr(host) test2.example.net
|
- acl_test2-https hdr(host) test2.example.net
|
||||||
- acl_blacklist src -f /etc/haproxy/blacklist.list
|
|
||||||
use_backend:
|
use_backend:
|
||||||
- backend-app if acl_test1-https
|
- backend-app if acl_test1-https
|
||||||
- backend-app if acl_test2-https
|
- backend-app if acl_test2-https
|
||||||
- backend-app if acl_test1-https acl_blacklist
|
|
||||||
```
|
```
|
||||||
|
|
||||||
- `haproxy_backends` - hash with the backend configuration
|
- `haproxy_backends` - hash with the backend configuration
|
||||||
|
@ -132,26 +115,6 @@ Install and configure haproxy
|
||||||
- host2 127.0.0.1:80 check maxconn 1000 inter 15s
|
- host2 127.0.0.1:80 check maxconn 1000 inter 15s
|
||||||
```
|
```
|
||||||
|
|
||||||
- `haproxy_ips_lists` - hash with the ips list to use in haproxy
|
|
||||||
|
|
||||||
```
|
|
||||||
blacklist:
|
|
||||||
- 192.168.0.0/16
|
|
||||||
- 172.10.10.0/24
|
|
||||||
public_withlist:
|
|
||||||
- 8.8.8.8
|
|
||||||
```
|
|
||||||
|
|
||||||
- `haproxy_userlists` - hash with the userlist for basic auth
|
|
||||||
|
|
||||||
```
|
|
||||||
restricted:
|
|
||||||
group:
|
|
||||||
- admin
|
|
||||||
user:
|
|
||||||
- admin password 84375611a53741f7e94b09eb49127f41 groups admin
|
|
||||||
```
|
|
||||||
|
|
||||||
- `haproxy_ssl_certificates` - hash with ssl certificates to copy
|
- `haproxy_ssl_certificates` - hash with ssl certificates to copy
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -163,32 +126,6 @@ Install and configure haproxy
|
||||||
.....
|
.....
|
||||||
```
|
```
|
||||||
|
|
||||||
- `haproxy_http_errors` - hash with http error groups
|
|
||||||
|
|
||||||
```
|
|
||||||
test:
|
|
||||||
503: test-503
|
|
||||||
```
|
|
||||||
|
|
||||||
- `haproxy_http_errors_file` - hash with http error files
|
|
||||||
|
|
||||||
```
|
|
||||||
test-503: |
|
|
||||||
HTTP/1.1 503 Service Unavailable
|
|
||||||
Cache-Control: no-cache
|
|
||||||
Connection: close
|
|
||||||
Content-Type: text/html
|
|
||||||
|
|
||||||
<!DOCTYPE html>
|
|
||||||
<html lang="en">
|
|
||||||
<body>
|
|
||||||
<main>
|
|
||||||
This is my custom 503 page
|
|
||||||
</main>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
||||||
```
|
|
||||||
|
|
||||||
## How to use
|
## How to use
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -199,12 +136,25 @@ Install and configure haproxy
|
||||||
|
|
||||||
## Development
|
## Development
|
||||||
|
|
||||||
### Test with molecule and docker
|
### Test syntax with yamllint
|
||||||
|
|
||||||
- install [docker](https://docs.docker.com/engine/installation/)
|
* install `python` and `python-pip`
|
||||||
- install `python3` and `python3-pip`
|
* install yamllint `pip install yamllint`
|
||||||
- install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
|
* run `yamllint .`
|
||||||
- run `molecule test`
|
|
||||||
|
### Test syntax with ansible-lint
|
||||||
|
|
||||||
|
* install `python` and `python-pip`
|
||||||
|
* install yamllint `pip install ansible-lint`
|
||||||
|
* run `ansible-lint .`
|
||||||
|
|
||||||
|
### Tests with docker
|
||||||
|
|
||||||
|
* install [docker](https://docs.docker.com/engine/installation/)
|
||||||
|
* install ruby
|
||||||
|
* install bundler `gem install bundler`
|
||||||
|
* install dependencies `bundle install`
|
||||||
|
* run the tests `kitchen test`
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
haproxy_apt_release: "{{ ansible_distribution_release }}"
|
|
||||||
haproxy_stats_username: admin
|
haproxy_stats_username: admin
|
||||||
haproxy_stats_password: secret
|
haproxy_stats_password: secret
|
||||||
|
|
||||||
haproxy_global: {}
|
haproxy_global: {}
|
||||||
haproxy_default_global:
|
haproxy_default_global:
|
||||||
log-send-hostname: true
|
log-send-hostname: true
|
||||||
|
@ -11,8 +11,8 @@ haproxy_default_global:
|
||||||
user: haproxy
|
user: haproxy
|
||||||
group: haproxy
|
group: haproxy
|
||||||
daemon: true
|
daemon: true
|
||||||
stats: socket /var/lib/haproxy/stats group haproxy mode 660
|
stats: socket /var/lib/haproxy/stats
|
||||||
haproxy_full_global: "{{ haproxy_default_global | combine(haproxy_global) }}"
|
haproxy_full_global: '{{ haproxy_default_global|combine(haproxy_global) }}'
|
||||||
|
|
||||||
haproxy_defaults: {}
|
haproxy_defaults: {}
|
||||||
haproxy_default_defaults:
|
haproxy_default_defaults:
|
||||||
|
@ -34,7 +34,7 @@ haproxy_default_defaults:
|
||||||
- http-keep-alive 10s
|
- http-keep-alive 10s
|
||||||
- check 10s
|
- check 10s
|
||||||
maxconn: 4096
|
maxconn: 4096
|
||||||
haproxy_full_defaults: "{{ haproxy_default_defaults | combine(haproxy_defaults) }}"
|
haproxy_full_defaults: '{{ haproxy_default_defaults|combine(haproxy_defaults) }}'
|
||||||
|
|
||||||
haproxy_listen_stats: {}
|
haproxy_listen_stats: {}
|
||||||
haproxy_default_listen_stats:
|
haproxy_default_listen_stats:
|
||||||
|
@ -49,18 +49,13 @@ haproxy_default_listen_stats:
|
||||||
- connect 30s
|
- connect 30s
|
||||||
- queue 30s
|
- queue 30s
|
||||||
stats:
|
stats:
|
||||||
- "refresh 5s"
|
- 'refresh 5s'
|
||||||
- "show-node"
|
- 'show-node'
|
||||||
- "realm Haproxy\ Statistics"
|
- 'realm Haproxy\ Statistics'
|
||||||
- "auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}"
|
- 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}'
|
||||||
- "uri /haproxy_stats"
|
- 'uri /haproxy_stats'
|
||||||
haproxy_full_listen_stats: "{{ haproxy_default_listen_stats | combine(haproxy_listen_stats, recursive=True) }}"
|
haproxy_full_listen_stats: '{{ haproxy_default_listen_stats|combine(haproxy_listen_stats, recursive=True) }}'
|
||||||
|
|
||||||
haproxy_frontends: {}
|
haproxy_frontends: {}
|
||||||
haproxy_backends: {}
|
haproxy_backends: {}
|
||||||
haproxy_ssl_certificates: {}
|
haproxy_ssl_certificates: {}
|
||||||
haproxy_ips_lists: {}
|
|
||||||
haproxy_resolvers: {}
|
|
||||||
haproxy_userlists: {}
|
|
||||||
haproxy_http_errors: {}
|
|
||||||
haproxy_http_error_files: {}
|
|
||||||
|
|
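Review bot: `stats: socket /var/lib/haproxy/stats` in haproxy_default_global (hunk `@ -11,8 +11,8 @@`) declares the runtime admin socket without a `group` or `mode`, so its permissions are whatever haproxy applies by default and any local account that can open it gets the full runtime API; I would keep the restriction on the line itself, `stats: socket /var/lib/haproxy/stats group haproxy mode 660`. In the first hunk `haproxy_stats_password: secret` stays as a live default credential for the stats listener; it is unchanged here, but a comment such as `# placeholder only - override per host` beside it would make the intent clear to anyone reading the defaults.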
|
@ -1,5 +1,5 @@
|
||||||
---
|
---
|
||||||
- name: Reload haproxy
|
- name: reload haproxy
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: haproxy
|
name: haproxy
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
|
@ -1,19 +1,16 @@
|
||||||
---
|
---
|
||||||
galaxy_info:
|
galaxy_info:
|
||||||
role_name: haproxy
|
|
||||||
namespace: nishiki
|
|
||||||
author: Adrien Waksberg
|
author: Adrien Waksberg
|
||||||
description: Install and configure Haproxy
|
description: Install and configure Haproxy
|
||||||
company: Adrien Waksberg
|
company: Adrien Waksberg
|
||||||
license: Apache2
|
license: Apache2
|
||||||
|
|
||||||
min_ansible_version: "2.10"
|
min_ansible_version: 2.8
|
||||||
|
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- bullseye
|
- 10
|
||||||
- bookworm
|
|
||||||
|
|
||||||
galaxy_tags:
|
galaxy_tags:
|
||||||
- haproxy
|
- haproxy
|
||||||
|
|
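Review bot: `min_ansible_version: 2.8` is an unquoted scalar and loads as a float, which is harmless for 2.8 but silently turns a future `2.10` into 2.1; the `versions:` entry `- 10` likewise loads as an integer. Quote both so they stay strings, `min_ansible_version: "2.8"` and `- "10"`.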
|
@ -1,106 +0,0 @@
|
||||||
---
|
|
||||||
- name: Converge
|
|
||||||
hosts: all
|
|
||||||
roles:
|
|
||||||
- ansible-role-haproxy
|
|
||||||
vars:
|
|
||||||
haproxy_http_errors:
|
|
||||||
test:
|
|
||||||
503: test
|
|
||||||
haproxy_http_error_files:
|
|
||||||
test: |
|
|
||||||
HTTP/1.1 503 Service Unavailable
|
|
||||||
Cache-Control: no-cache
|
|
||||||
Connection: close
|
|
||||||
Content-Type: text/html
|
|
||||||
|
|
||||||
<!DOCTYPE html>
|
|
||||||
<html lang="en">
|
|
||||||
<body>
|
|
||||||
<main>
|
|
||||||
This is my custom 503 page
|
|
||||||
</main>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
||||||
haproxy_ssl_certificates:
|
|
||||||
www-example-com: |
|
|
||||||
-----BEGIN CERTIFICATE-----
|
|
||||||
test
|
|
||||||
haproxy_ips_lists:
|
|
||||||
blacklist:
|
|
||||||
- 172.10.0.0/16
|
|
||||||
- 192.168.1.1
|
|
||||||
haproxy_resolvers:
|
|
||||||
dns:
|
|
||||||
nameserver: dns1 127.0.0.1:53
|
|
||||||
haproxy_userlists:
|
|
||||||
restricted:
|
|
||||||
group:
|
|
||||||
- admin
|
|
||||||
user:
|
|
||||||
- admin insecure-password password groups admin
|
|
||||||
haproxy_frontends:
|
|
||||||
main:
|
|
||||||
bind:
|
|
||||||
ip: '*'
|
|
||||||
port: 5000
|
|
||||||
alpn: h2,http/1.1
|
|
||||||
acl:
|
|
||||||
- url_static path_beg -i /static /images /javascript /stylesheets
|
|
||||||
- url_static path_end -i .jpg .gif .png .css .js
|
|
||||||
frontend-test-https:
|
|
||||||
bind:
|
|
||||||
ip: '*'
|
|
||||||
port: 80
|
|
||||||
mode: http
|
|
||||||
default_backend: backend-test-https
|
|
||||||
option:
|
|
||||||
- 'forwardfor except 127.0.0.0/8'
|
|
||||||
- 'httplog'
|
|
||||||
- 'http-server-close'
|
|
||||||
acl:
|
|
||||||
- acl_test1-https hdr(host) test1.example.net
|
|
||||||
- acl_test2-https hdr(host) test2.example.net
|
|
||||||
- acl_blacklist src -f /etc/haproxy/blacklist.list
|
|
||||||
- acl_auth_path path -i /auth/
|
|
||||||
- acl_auth http_auth(restricted)
|
|
||||||
errorfiles: test
|
|
||||||
http-request:
|
|
||||||
- auth realm restricted if acl_auth_path !acl_auth
|
|
||||||
- return status 200 content-type "text/plain" string "Good" if acl_auth_path
|
|
||||||
use_backend:
|
|
||||||
- backend-test-https if acl_test1-https
|
|
||||||
- backend-test-resolver if acl_test2-https
|
|
||||||
- backend-test-https if acl_test1-https acl_blacklist
|
|
||||||
haproxy_backends:
|
|
||||||
backend-test-https:
|
|
||||||
mode: http
|
|
||||||
balance: roundrobin
|
|
||||||
stick-table: type ip size 512k expire 30m
|
|
||||||
stick: on src
|
|
||||||
option:
|
|
||||||
- 'ssl-hello-chk'
|
|
||||||
- 'tcp-check'
|
|
||||||
- 'log-health-checks'
|
|
||||||
- 'forwardfor header X-Forwarded-For'
|
|
||||||
server:
|
|
||||||
- host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
|
|
||||||
- host2 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
|
|
||||||
backend-test-resolver:
|
|
||||||
mode: http
|
|
||||||
balance: roundrobin
|
|
||||||
stick-table: type ip size 512k expire 30m
|
|
||||||
stick: on src
|
|
||||||
option:
|
|
||||||
- 'ssl-hello-chk'
|
|
||||||
server:
|
|
||||||
- google.fr google.com:443 ssl verify none check resolvers dns init-addr none
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: add backports repository
|
|
||||||
ansible.builtin.apt_repository:
|
|
||||||
repo: 'deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main'
|
|
||||||
|
|
||||||
- name: update apt cache
|
|
||||||
ansible.builtin.apt:
|
|
||||||
update_cache: true
|
|
|
@ -1,28 +0,0 @@
|
||||||
---
|
|
||||||
driver:
|
|
||||||
name: docker
|
|
||||||
platforms:
|
|
||||||
- name: debian12
|
|
||||||
image: code.waks.be/nishiki/molecule:debian12
|
|
||||||
privileged: true
|
|
||||||
volumes:
|
|
||||||
- /sys/fs/cgroup:/sys/fs/cgroup:rw
|
|
||||||
cgroupns_mode: host
|
|
||||||
command: /bin/systemd
|
|
||||||
capabilities:
|
|
||||||
- SYS_ADMIN
|
|
||||||
- name: debian11
|
|
||||||
image: code.waks.be/nishiki/molecule:debian11
|
|
||||||
privileged: true
|
|
||||||
volumes:
|
|
||||||
- /sys/fs/cgroup:/sys/fs/cgroup:rw
|
|
||||||
cgroupns_mode: host
|
|
||||||
command: /bin/systemd
|
|
||||||
capabilities:
|
|
||||||
- SYS_ADMIN
|
|
||||||
lint: |
|
|
||||||
set -e
|
|
||||||
yamllint .
|
|
||||||
ansible-lint .
|
|
||||||
verifier:
|
|
||||||
name: testinfra
|
|
|
@ -1,57 +0,0 @@
|
||||||
import testinfra.utils.ansible_runner
|
|
||||||
|
|
||||||
def test_packages(host):
|
|
||||||
package = host.package('haproxy')
|
|
||||||
assert package.is_installed
|
|
||||||
|
|
||||||
def test_config_file(host):
|
|
||||||
path = host.file('/etc/haproxy/haproxy.cfg')
|
|
||||||
assert path.exists
|
|
||||||
assert path.is_file
|
|
||||||
assert path.user == 'root'
|
|
||||||
assert path.group == 'root'
|
|
||||||
assert path.mode == 0o640
|
|
||||||
assert path.contains('bind \\*:5000 alpn h2,http/1.1')
|
|
||||||
assert path.contains('server host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s')
|
|
||||||
assert path.contains('resolvers dns')
|
|
||||||
|
|
||||||
def test_certificate_file(host):
|
|
||||||
path = host.file('/etc/haproxy/www-example-com.pem')
|
|
||||||
assert path.exists
|
|
||||||
assert path.is_file
|
|
||||||
assert path.user == 'root'
|
|
||||||
assert path.group == 'root'
|
|
||||||
assert path.mode == 0o600
|
|
||||||
assert path.contains('test')
|
|
||||||
|
|
||||||
def test_ips_list_file(host):
|
|
||||||
path = host.file('/etc/haproxy/blacklist.list')
|
|
||||||
assert path.exists
|
|
||||||
assert path.is_file
|
|
||||||
assert path.user == 'root'
|
|
||||||
assert path.group == 'root'
|
|
||||||
assert path.mode == 0o644
|
|
||||||
assert path.contains('172.10.0.0/16\n192.168.1.1')
|
|
||||||
|
|
||||||
def test_service(host):
|
|
||||||
service = host.service('haproxy')
|
|
||||||
assert service.is_running
|
|
||||||
assert service.is_enabled
|
|
||||||
|
|
||||||
def test_sockets(host):
|
|
||||||
for port in [80, 5000]:
|
|
||||||
socket = host.socket('tcp://0.0.0.0:%d' % (port))
|
|
||||||
assert socket.is_listening
|
|
||||||
|
|
||||||
def test_auth(host):
|
|
||||||
cmd = host.run('curl -v -u admin:password http://127.0.0.1/auth/')
|
|
||||||
assert cmd.succeeded
|
|
||||||
assert cmd.stdout == 'Good'
|
|
||||||
cmd = host.run('curl -v -u admin:badpassword http://127.0.0.1/auth/')
|
|
||||||
assert cmd.succeeded
|
|
||||||
assert '401 Unauthorized' in cmd.stdout
|
|
||||||
|
|
||||||
def test_error_file(host):
|
|
||||||
cmd = host.run('curl -v http://127.0.0.1/')
|
|
||||||
assert cmd.succeeded
|
|
||||||
assert 'This is my custom 503 page' in cmd.stdout
|
|
|
@ -1,71 +1,36 @@
|
||||||
---
|
---
|
||||||
- name: Install package
|
- name: install Haproxy
|
||||||
ansible.builtin.apt:
|
package:
|
||||||
name:
|
name: haproxy
|
||||||
- haproxy
|
retries: 2
|
||||||
default_release: "{{ haproxy_apt_release }}"
|
register: result
|
||||||
|
until: result is succeeded
|
||||||
tags: haproxy
|
tags: haproxy
|
||||||
|
|
||||||
- name: Copy ssl certificates
|
- name: copy ssl certificates
|
||||||
ansible.builtin.copy:
|
copy:
|
||||||
content: "{{ item.value }}"
|
content: '{{ item.value }}'
|
||||||
dest: "/etc/haproxy/{{ item.key }}.pem"
|
dest: /etc/haproxy/{{ item.key }}.pem
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0600"
|
mode: 0600
|
||||||
loop: "{{ haproxy_ssl_certificates | dict2items }}"
|
loop: '{{ haproxy_ssl_certificates|dict2items }}'
|
||||||
no_log: true
|
no_log: true
|
||||||
notify: Reload haproxy
|
|
||||||
tags: haproxy
|
tags: haproxy
|
||||||
|
|
||||||
- name: Copy IPs lists
|
- name: copy config file
|
||||||
ansible.builtin.copy:
|
template:
|
||||||
content: "{{ item.value | join('\n') }}"
|
|
||||||
dest: "/etc/haproxy/{{ item.key }}.list"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0644"
|
|
||||||
loop: "{{ haproxy_ips_lists | dict2items }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.key }}"
|
|
||||||
notify: Reload haproxy
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Create http errors directory
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "/etc/haproxy/errors"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0755"
|
|
||||||
state: directory
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Copy http errors file
|
|
||||||
ansible.builtin.copy:
|
|
||||||
content: "{{ item.value }}"
|
|
||||||
dest: "/etc/haproxy/errors/{{ item.key }}.http"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
loop: "{{ haproxy_http_error_files | dict2items }}"
|
|
||||||
loop_control:
|
|
||||||
label: "{{ item.key }}"
|
|
||||||
notify: Reload haproxy
|
|
||||||
tags: haproxy
|
|
||||||
|
|
||||||
- name: Copy config file
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: haproxy.cfg.j2
|
src: haproxy.cfg.j2
|
||||||
dest: /etc/haproxy/haproxy.cfg
|
dest: /etc/haproxy/haproxy.cfg
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: 0640
|
||||||
validate: haproxy -c -f %s
|
validate: haproxy -c -f %s
|
||||||
notify: Reload haproxy
|
notify: reload haproxy
|
||||||
tags: haproxy
|
tags: haproxy
|
||||||
|
|
||||||
- name: Enable ans start service
|
- name: enable ans start service
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: haproxy
|
name: haproxy
|
||||||
enabled: true
|
enabled: true
|
||||||
state: started
|
state: started
|
||||||
|
|
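Review bot: The `copy ssl certificates` task has no `notify`, so a certificate that changes on disk is written but haproxy keeps serving the previously loaded one until the config-file task or something else fires the `reload haproxy` handler; add `notify: reload haproxy` after `no_log: true`. The same task leaves `mode: 0600` unquoted, as does `mode: 0640` on the config-file task; a YAML 1.1 loader reads the leading-zero form as octal so it works today, but `mode: '0600'` is the form ansible-lint's octal rule expects and it survives a YAML 1.2 parser, where `0600` would become decimal 600.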
|
@ -41,44 +41,11 @@ listen stats
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% for resolver, config in haproxy_resolvers.items() %}
|
|
||||||
resolvers {{ resolver }}
|
|
||||||
{% for key, value in config.items() %}
|
|
||||||
{% if value is iterable and value is not string %}
|
|
||||||
{% for option in value %}
|
|
||||||
{{ key }} {{ option }}
|
|
||||||
{% endfor %}
|
|
||||||
{% else %}
|
|
||||||
{{ key }} {{ value }}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
{% endfor %}
|
|
||||||
{% for http_error_name, config in haproxy_http_errors.items() %}
|
|
||||||
http-errors {{ http_error_name }}
|
|
||||||
{% for status_code, file in config.items() %}
|
|
||||||
errorfile {{ status_code }} /etc/haproxy/errors/{{ file }}.http
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
{% endfor %}
|
|
||||||
{% for userlist, config in haproxy_userlists.items() %}
|
|
||||||
userlist {{ userlist }}
|
|
||||||
{% for key, value in config.items() %}
|
|
||||||
{% if value is iterable and value is not string %}
|
|
||||||
{% for option in value %}
|
|
||||||
{{ key }} {{ option }}
|
|
||||||
{% endfor %}
|
|
||||||
{% else %}
|
|
||||||
{{ key }} {{ value }}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
{% endfor %}
|
|
||||||
{% for frontend, config in haproxy_frontends.items() %}
|
{% for frontend, config in haproxy_frontends.items() %}
|
||||||
frontend {{ frontend }}
|
frontend {{ frontend }}
|
||||||
{% for key, value in config.items() %}
|
{% for key, value in config.items()|sort if key != 'acl' and key != 'use_backend' %}
|
||||||
{% if key == "bind" %}
|
{% if key == "bind" %}
|
||||||
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["alpn"] is defined %} alpn {{ value["alpn"] }}{% endif %}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {% if value["ssl"]["crt"] is string %}{{ value["ssl"]["crt"] }}{% else %}{{ value["ssl"]["crt"]|join(' crt ') }}{% endif %}{% endif %}
|
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {{ value["ssl"]["crt"] }}{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% elif value is iterable and value is not string %}
|
{% elif value is iterable and value is not string %}
|
||||||
|
@ -89,6 +56,16 @@ frontend {{ frontend }}
|
||||||
{{ key }} {{ value }}
|
{{ key }} {{ value }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
{% if 'acl' in config %}
|
||||||
|
{% for option in config['acl'] %}
|
||||||
|
acl {{ option }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% if 'use_backend' in config %}
|
||||||
|
{% for option in config['use_backend'] %}
|
||||||
|
use_backend {{ option }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
|
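Review bot: In the `bind` line of the first hunk the `crt` part is guarded by truthiness, `{% if value["ssl"]["crt"]%}`, while `ciphers` uses `is defined`; an `ssl:` block without a `crt` key therefore renders a bare `ssl` bind with no certificate, which I would expect the `haproxy -c` validate step to reject with a message that points at the bind line rather than at the missing variable. Since `ssl` is meaningless without a certificate, make it mandatory instead of optional: ` ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %} crt {{ value["ssl"]["crt"] | mandatory }}`. The `for frontend` loop opened in this hunk closes outside it.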
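--- a/test/integration/default/default.yml
+++ b/test/integration/default/default.yml
@@ -0,0 +1,49 @@
+---
+- hosts: localhost
+  connection: local
+  vars:
+    haproxy_ssl_certificates:
+      www-example-com: |
+        -----BEGIN CERTIFICATE-----
+        test
+    haproxy_frontends:
+      main:
+        bind:
+          ip: '*'
+          port: 5000
+        acl:
+          - url_static path_beg -i /static /images /javascript /stylesheets
+          - url_static path_end -i .jpg .gif .png .css .js
+      frontend-test-https:
+        bind:
+          ip: 127.0.0.1
+          port: 80
+        mode: http
+        default_backend: backend-test-https
+        option:
+          - 'forwardfor except 127.0.0.0/8'
+          - 'httplog'
+          - 'http-server-close'
+        acl:
+          - acl_test1-https hdr(host) test1.example.net
+          - acl_test2-https hdr(host) test2.example.net
+        use_backend:
+          - backend-test-https if acl_test1-https
+          - backend-test-https if acl_test2-https
+    haproxy_backends:
+      backend-test-https:
+        mode: http
+        balance: roundrobin
+        stick-table: type ip size 512k expire 30m
+        stick: on src
+        option:
+          - 'ssl-hello-chk'
+          - 'tcp-check'
+          - 'log-health-checks'
+          - 'forwardfor header X-Forwarded-For'
+        server:
+          - host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
+          - host2 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
+
+  roles:
+    - ansible-role-haproxy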
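--- a/test/integration/default/serverspec/default_spec.rb
+++ b/test/integration/default/serverspec/default_spec.rb
@@ -0,0 +1,43 @@
+require 'serverspec'
+
+set :backend, :exec
+
+puts
+puts '================================'
+puts %x(ansible --version)
+puts '================================'
+
+describe package('haproxy') do
+  it { should be_installed }
+end
+
+describe file('/etc/haproxy/haproxy.cfg') do
+  it { should be_file }
+  it { should be_mode 640 }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should contain 'server host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s' }
+end
+
+describe file('/etc/haproxy/www-example-com.pem') do
+  it { should be_file }
+  it { should be_mode 600 }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should contain 'test' }
+end
+
+describe service('haproxy') do
+  it { should be_enabled }
+  it { should be_running.under('systemd') }
+end
+
+[80, 5000].each do |port|
+  describe port(port) do
+    it { should be_listening.with('tcp') }
+  end
+end
+
+describe command('haproxy -c -f /etc/haproxy/haproxy.cfg') do
+  its(:exit_status) { should eq 0 }
+end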
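Review bot: `puts %x(ansible --version)` at the top of the file runs a subprocess at load time, and when `ansible` is not on PATH the backtick call raises `Errno::ENOENT`, so the whole spec file fails to load instead of reporting a clear missing-dependency result. `system('ansible', '--version') || puts('ansible: command not found')` prints the same banner and degrades to a one-line message. The file could also start with `# frozen_string_literal: true`, and the `should` one-liners are the legacy RSpec syntax; `is_expected.to be_installed` is the current form if the project moves to a newer rspec.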
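--- a/test/integration/inventory
+++ b/test/integration/inventory
@@ -0,0 +1 @@
+localhost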