Compare commits
10 commits
Author | SHA1 | Date | |
---|---|---|---|
3e96c6fd97 | |||
8e3497fbd3 | |||
e9255a168a | |||
9b7ee14b13 | |||
c43442b7a0 | |||
7e4781cb4b | |||
40f7e11be9 | |||
f1744f2bc8 | |||
6ca8c29386 | |||
90d77d0945 |
13 changed files with 204 additions and 79 deletions
18
.forgejo/workflows/molecule.yml
Normal file
18
.forgejo/workflows/molecule.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
on: [push]
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: code.waks.be/nishiki/molecule:docker
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- run: ansible-lint .
|
||||
- run: yamllint .
|
||||
molecule:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: code.waks.be/nishiki/molecule:docker
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- run: molecule test
|
10
.gitlab-ci.yml
Normal file
10
.gitlab-ci.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
image: nishiki/molecule:docker
|
||||
|
||||
before_script:
|
||||
- molecule --version
|
||||
|
||||
molecule:
|
||||
stage: test
|
||||
script:
|
||||
- molecule test
|
|
@ -2,11 +2,11 @@
|
|||
extends: default
|
||||
|
||||
ignore: |
|
||||
.kitchen/*
|
||||
.kitchen*
|
||||
vendor/
|
||||
.forgejo/
|
||||
|
||||
rules:
|
||||
line-length:
|
||||
max: 120
|
||||
level: warning
|
||||
truthy: false
|
||||
|
|
15
CHANGELOG.md
15
CHANGELOG.md
|
@ -5,6 +5,21 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
||||
- add support alpn in bind option
|
||||
- add error files
|
||||
- use multiple ssl certificates on one frontend
|
||||
- test: add support debian 12
|
||||
|
||||
### Changed
|
||||
|
||||
- test: use personal docker registry
|
||||
|
||||
### Removed
|
||||
|
||||
- test: remove support debian 10
|
||||
|
||||
## v1.1.0 - 2021-08-15
|
||||
|
||||
### Added
|
||||
|
|
52
README.md
52
README.md
|
@ -1,16 +1,17 @@
|
|||
# Ansible role: Haproxy
|
||||
|
||||
[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/releases)
|
||||
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/src/branch/master/LICENSE)
|
||||
[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/releases)
|
||||
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/src/branch/main/LICENSE)
|
||||
[![Build](https://code.waks.be/nishiki/ansible-role-haproxy/actions/workflows/molecule.yml/badge.svg?branch=main)](https://code.waks.be/nishiki/ansible-role-haproxy/actions?workflow=molecule.yml)
|
||||
|
||||
Install and configure haproxy
|
||||
|
||||
## Requirements
|
||||
|
||||
* Ansible >= 2.9
|
||||
* Debian
|
||||
* Buster
|
||||
* Bullseye
|
||||
- Ansible >= 2.10
|
||||
- Debian
|
||||
- Bullseye
|
||||
- Bookworm
|
||||
|
||||
## Role variables
|
||||
|
||||
|
@ -82,7 +83,7 @@ Install and configure haproxy
|
|||
- dns1 127.0.0.1:53
|
||||
```
|
||||
|
||||
- `haproxy_frontends` - hash with the frontends configuration
|
||||
- `haproxy_frontends` - hash with the frontends configuration
|
||||
|
||||
```
|
||||
fontend-https:
|
||||
|
@ -90,6 +91,9 @@ Install and configure haproxy
|
|||
ip: '*'
|
||||
port: 443
|
||||
ssl:
|
||||
cert:
|
||||
- /etc/haproxy/ssl1.pem
|
||||
- /etc/haproxy/ssl2.pem
|
||||
default_backend: backend-app
|
||||
frontend-http:
|
||||
bind:
|
||||
|
@ -159,6 +163,32 @@ Install and configure haproxy
|
|||
.....
|
||||
```
|
||||
|
||||
- `haproxy_http_errors` - hash with http error groups
|
||||
|
||||
```
|
||||
test:
|
||||
503: test-503
|
||||
```
|
||||
|
||||
- `haproxy_http_errors_file` - hash with http error files
|
||||
|
||||
```
|
||||
test-503: |
|
||||
HTTP/1.1 503 Service Unavailable
|
||||
Cache-Control: no-cache
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<body>
|
||||
<main>
|
||||
This is my custom 503 page
|
||||
</main>
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
## How to use
|
||||
|
||||
```
|
||||
|
@ -171,10 +201,10 @@ Install and configure haproxy
|
|||
|
||||
### Test with molecule and docker
|
||||
|
||||
* install [docker](https://docs.docker.com/engine/installation/)
|
||||
* install `python3` and `python3-pip`
|
||||
* install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
|
||||
* run `molecule test`
|
||||
- install [docker](https://docs.docker.com/engine/installation/)
|
||||
- install `python3` and `python3-pip`
|
||||
- install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
|
||||
- run `molecule test`
|
||||
|
||||
## License
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
haproxy_apt_release: '{{ ansible_distribution_release }}'
|
||||
haproxy_apt_release: "{{ ansible_distribution_release }}"
|
||||
haproxy_stats_username: admin
|
||||
haproxy_stats_password: secret
|
||||
haproxy_global: {}
|
||||
|
@ -12,7 +12,7 @@ haproxy_default_global:
|
|||
group: haproxy
|
||||
daemon: true
|
||||
stats: socket /var/lib/haproxy/stats group haproxy mode 660
|
||||
haproxy_full_global: '{{ haproxy_default_global|combine(haproxy_global) }}'
|
||||
haproxy_full_global: "{{ haproxy_default_global | combine(haproxy_global) }}"
|
||||
|
||||
haproxy_defaults: {}
|
||||
haproxy_default_defaults:
|
||||
|
@ -34,7 +34,7 @@ haproxy_default_defaults:
|
|||
- http-keep-alive 10s
|
||||
- check 10s
|
||||
maxconn: 4096
|
||||
haproxy_full_defaults: '{{ haproxy_default_defaults|combine(haproxy_defaults) }}'
|
||||
haproxy_full_defaults: "{{ haproxy_default_defaults | combine(haproxy_defaults) }}"
|
||||
|
||||
haproxy_listen_stats: {}
|
||||
haproxy_default_listen_stats:
|
||||
|
@ -49,12 +49,12 @@ haproxy_default_listen_stats:
|
|||
- connect 30s
|
||||
- queue 30s
|
||||
stats:
|
||||
- 'refresh 5s'
|
||||
- 'show-node'
|
||||
- 'realm Haproxy\ Statistics'
|
||||
- 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}'
|
||||
- 'uri /haproxy_stats'
|
||||
haproxy_full_listen_stats: '{{ haproxy_default_listen_stats|combine(haproxy_listen_stats, recursive=True) }}'
|
||||
- "refresh 5s"
|
||||
- "show-node"
|
||||
- "realm Haproxy\ Statistics"
|
||||
- "auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}"
|
||||
- "uri /haproxy_stats"
|
||||
haproxy_full_listen_stats: "{{ haproxy_default_listen_stats | combine(haproxy_listen_stats, recursive=True) }}"
|
||||
|
||||
haproxy_frontends: {}
|
||||
haproxy_backends: {}
|
||||
|
@ -62,3 +62,5 @@ haproxy_ssl_certificates: {}
|
|||
haproxy_ips_lists: {}
|
||||
haproxy_resolvers: {}
|
||||
haproxy_userlists: {}
|
||||
haproxy_http_errors: {}
|
||||
haproxy_http_error_files: {}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: reload haproxy
|
||||
service:
|
||||
- name: Reload haproxy
|
||||
ansible.builtin.service:
|
||||
name: haproxy
|
||||
state: reloaded
|
||||
|
|
|
@ -1,18 +1,19 @@
|
|||
---
|
||||
galaxy_info:
|
||||
role_name: haproxy
|
||||
namespace: nishiki
|
||||
author: Adrien Waksberg
|
||||
description: Install and configure Haproxy
|
||||
company: Adrien Waksberg
|
||||
license: Apache2
|
||||
|
||||
min_ansible_version: 2.9
|
||||
min_ansible_version: "2.10"
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- 10
|
||||
- 11
|
||||
- bullseye
|
||||
- bookworm
|
||||
|
||||
galaxy_tags:
|
||||
- haproxy
|
||||
|
|
|
@ -4,6 +4,24 @@
|
|||
roles:
|
||||
- ansible-role-haproxy
|
||||
vars:
|
||||
haproxy_http_errors:
|
||||
test:
|
||||
503: test
|
||||
haproxy_http_error_files:
|
||||
test: |
|
||||
HTTP/1.1 503 Service Unavailable
|
||||
Cache-Control: no-cache
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<body>
|
||||
<main>
|
||||
This is my custom 503 page
|
||||
</main>
|
||||
</body>
|
||||
</html>
|
||||
haproxy_ssl_certificates:
|
||||
www-example-com: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
|
@ -26,6 +44,7 @@
|
|||
bind:
|
||||
ip: '*'
|
||||
port: 5000
|
||||
alpn: h2,http/1.1
|
||||
acl:
|
||||
- url_static path_beg -i /static /images /javascript /stylesheets
|
||||
- url_static path_end -i .jpg .gif .png .css .js
|
||||
|
@ -45,6 +64,7 @@
|
|||
- acl_blacklist src -f /etc/haproxy/blacklist.list
|
||||
- acl_auth_path path -i /auth/
|
||||
- acl_auth http_auth(restricted)
|
||||
errorfiles: test
|
||||
http-request:
|
||||
- auth realm restricted if acl_auth_path !acl_auth
|
||||
- return status 200 content-type "text/plain" string "Good" if acl_auth_path
|
||||
|
|
|
@ -2,30 +2,27 @@
|
|||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: debian10
|
||||
image: nishiki/debian10:molecule
|
||||
- name: debian12
|
||||
image: code.waks.be/nishiki/molecule:debian12
|
||||
privileged: true
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:rw
|
||||
cgroupns_mode: host
|
||||
command: /bin/systemd
|
||||
capabilities:
|
||||
- SYS_ADMIN
|
||||
- name: debian11
|
||||
image: nishiki/debian11:molecule
|
||||
image: code.waks.be/nishiki/molecule:debian11
|
||||
privileged: true
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:rw
|
||||
cgroupns_mode: host
|
||||
command: /bin/systemd
|
||||
capabilities:
|
||||
- SYS_ADMIN
|
||||
provisioner:
|
||||
inventory:
|
||||
host_vars:
|
||||
debian10:
|
||||
haproxy_apt_release: '{{ ansible_distribution_release }}-backports'
|
||||
lint: |
|
||||
set -e
|
||||
yamllint .
|
||||
ansible-lint
|
||||
ansible-lint .
|
||||
verifier:
|
||||
name: testinfra
|
||||
|
|
|
@ -11,6 +11,7 @@ def test_config_file(host):
|
|||
assert path.user == 'root'
|
||||
assert path.group == 'root'
|
||||
assert path.mode == 0o640
|
||||
assert path.contains('bind \\*:5000 alpn h2,http/1.1')
|
||||
assert path.contains('server host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s')
|
||||
assert path.contains('resolvers dns')
|
||||
|
||||
|
@ -49,3 +50,8 @@ def test_auth(host):
|
|||
cmd = host.run('curl -v -u admin:badpassword http://127.0.0.1/auth/')
|
||||
assert cmd.succeeded
|
||||
assert '401 Unauthorized' in cmd.stdout
|
||||
|
||||
def test_error_file(host):
|
||||
cmd = host.run('curl -v http://127.0.0.1/')
|
||||
assert cmd.succeeded
|
||||
assert 'This is my custom 503 page' in cmd.stdout
|
||||
|
|
|
@ -1,51 +1,70 @@
|
|||
---
|
||||
- name: install package
|
||||
- name: Install package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- haproxy
|
||||
default_release: '{{ haproxy_apt_release }}'
|
||||
retries: 2
|
||||
register: result
|
||||
until: result is succeeded
|
||||
default_release: "{{ haproxy_apt_release }}"
|
||||
tags: haproxy
|
||||
|
||||
- name: copy ssl certificates
|
||||
- name: Copy ssl certificates
|
||||
ansible.builtin.copy:
|
||||
content: '{{ item.value }}'
|
||||
dest: /etc/haproxy/{{ item.key }}.pem
|
||||
content: "{{ item.value }}"
|
||||
dest: "/etc/haproxy/{{ item.key }}.pem"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
loop: '{{ haproxy_ssl_certificates|dict2items }}'
|
||||
mode: "0600"
|
||||
loop: "{{ haproxy_ssl_certificates | dict2items }}"
|
||||
no_log: true
|
||||
notify: reload haproxy
|
||||
notify: Reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: copy IPs lists
|
||||
- name: Copy IPs lists
|
||||
ansible.builtin.copy:
|
||||
content: "{{ item.value|join('\n') }}"
|
||||
dest: '/etc/haproxy/{{ item.key }}.list'
|
||||
content: "{{ item.value | join('\n') }}"
|
||||
dest: "/etc/haproxy/{{ item.key }}.list"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
loop: "{{ haproxy_ips_lists | dict2items }}"
|
||||
loop_control:
|
||||
label: "{{ item.key }}"
|
||||
notify: Reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Create http errors directory
|
||||
ansible.builtin.file:
|
||||
path: "/etc/haproxy/errors"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
state: directory
|
||||
tags: haproxy
|
||||
|
||||
- name: Copy http errors file
|
||||
ansible.builtin.copy:
|
||||
content: "{{ item.value }}"
|
||||
dest: "/etc/haproxy/errors/{{ item.key }}.http"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: '{{ haproxy_ips_lists|dict2items }}'
|
||||
loop: "{{ haproxy_http_error_files | dict2items }}"
|
||||
loop_control:
|
||||
label: '{{ item.key }}'
|
||||
notify: reload haproxy
|
||||
label: "{{ item.key }}"
|
||||
notify: Reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: copy config file
|
||||
- name: Copy config file
|
||||
ansible.builtin.template:
|
||||
src: haproxy.cfg.j2
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
mode: "0640"
|
||||
validate: haproxy -c -f %s
|
||||
notify: reload haproxy
|
||||
notify: Reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: enable ans start service
|
||||
- name: Enable ans start service
|
||||
ansible.builtin.service:
|
||||
name: haproxy
|
||||
enabled: true
|
||||
|
|
|
@ -3,41 +3,41 @@
|
|||
global
|
||||
{% for key, value in haproxy_full_global.items() %}
|
||||
{% if value is sameas true %}
|
||||
{{ key }}
|
||||
{{ key }}
|
||||
{% elif value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
defaults
|
||||
{% for key, value in haproxy_full_defaults.items() %}
|
||||
{% if value is sameas true %}
|
||||
{{ key }}
|
||||
{{ key }}
|
||||
{% elif value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
listen stats
|
||||
{% for key, value in haproxy_full_listen_stats.items() %}
|
||||
{% if key == "bind" %}
|
||||
bind {{ value["ip"] }}:{{ value["port"] }}
|
||||
bind {{ value["ip"] }}:{{ value["port"] }}
|
||||
{% elif value is sameas true %}
|
||||
{{ key }}
|
||||
{{ key }}
|
||||
{% elif value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
|
@ -46,23 +46,30 @@ resolvers {{ resolver }}
|
|||
{% for key, value in config.items() %}
|
||||
{% if value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
||||
{% for http_error_name, config in haproxy_http_errors.items() %}
|
||||
http-errors {{ http_error_name }}
|
||||
{% for status_code, file in config.items() %}
|
||||
errorfile {{ status_code }} /etc/haproxy/errors/{{ file }}.http
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
||||
{% for userlist, config in haproxy_userlists.items() %}
|
||||
userlist {{ userlist }}
|
||||
{% for key, value in config.items() %}
|
||||
{% if value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
|
@ -71,15 +78,15 @@ userlist {{ userlist }}
|
|||
frontend {{ frontend }}
|
||||
{% for key, value in config.items() %}
|
||||
{% if key == "bind" %}
|
||||
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {{ value["ssl"]["crt"] }}{% endif %}
|
||||
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["alpn"] is defined %} alpn {{ value["alpn"] }}{% endif %}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {% if value["ssl"]["crt"] is string %}{{ value["ssl"]["crt"] }}{% else %}{{ value["ssl"]["crt"]|join(' crt ') }}{% endif %}{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% elif value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
|
@ -89,13 +96,13 @@ frontend {{ frontend }}
|
|||
backend {{ backend }}
|
||||
{% for key, value in config.items() %}
|
||||
{% if value is sameas true %}
|
||||
{{ key }}
|
||||
{{ key }}
|
||||
{% elif value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
|
|
Loading…
Reference in a new issue