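---
# create-loadbalancer.yml
#
# Provision an HAProxy TLS-terminating load balancer on the "alpha" host:
#   1. install HAProxy plus the libraries the community.crypto modules need,
#   2. create a self-signed key/CSR/certificate and bundle them into one .pem,
#   3. point systemd-resolved at the lab DNS server,
#   4. write haproxy.cfg (validated before install) and restart the service.
#
# Variables:
#   ssl_cert_path  - destination of the combined key+cert bundle HAProxy loads
#   dns_server     - resolver used both by the OS and by HAProxy's "resolvers"
#                    section for backend name lookups
- name: Install and configure HAProxy with SSL termination and managed DNS
  hosts: alpha
  become: true
  vars:
    ssl_cert_path: "/etc/ssl/certs/haproxy.pem"
    dns_server: "192.168.1.151"

  tasks:
    - name: Install HAProxy and dependencies
      ansible.builtin.apt:
        name:
          - haproxy
          - openssl
          # community.crypto.openssl_* / x509_certificate need the Python
          # cryptography library on the managed host.
          - python3-cryptography
        state: present
        update_cache: true

    - name: Ensure cert directory exists
      ansible.builtin.file:
        path: /etc/ssl/certs
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Generate private key for HAProxy
      community.crypto.openssl_privatekey:
        path: /etc/ssl/certs/haproxy.key
        size: 2048
        type: RSA
        mode: "0600"

    - name: Generate a Certificate Signing Request (CSR) for HAProxy
      community.crypto.openssl_csr:
        path: /etc/ssl/certs/haproxy.csr
        privatekey_path: /etc/ssl/certs/haproxy.key
        common_name: "{{ inventory_hostname }}"
        subject_alt_name:
          - "DNS:{{ inventory_hostname }}"
        mode: "0644"

    - name: Generate self-signed certificate for HAProxy
      # Validity window: from fact-gathering time, one year long. The
      # timestamps are derived from ansible_date_time, so gather_facts must
      # stay enabled for this play.
      community.crypto.x509_certificate:
        path: /etc/ssl/certs/haproxy.crt
        privatekey_path: /etc/ssl/certs/haproxy.key
        csr_path: /etc/ssl/certs/haproxy.csr
        provider: selfsigned
        selfsigned_not_before: "{{ '%Y%m%d%H%M%SZ' | strftime(ansible_date_time.epoch | int) }}"
        selfsigned_not_after: "{{ '%Y%m%d%H%M%SZ' | strftime((ansible_date_time.epoch | int) + (365*24*60*60)) }}"
        mode: "0644"
      register: haproxy_cert

    - name: Check whether the combined .pem bundle already exists
      ansible.builtin.stat:
        path: "{{ ssl_cert_path }}"
      register: haproxy_pem

    - name: Combine key and cert into .pem file for HAProxy
      # The bundle contains the private key, so it must not inherit the
      # shell's default umask (typically 022 -> world-readable). The bundle
      # is rebuilt whenever the certificate task reported a change, so a
      # renewed certificate never leaves a stale .pem behind.
      ansible.builtin.shell: >-
        umask 077 &&
        cat /etc/ssl/certs/haproxy.key /etc/ssl/certs/haproxy.crt > {{ ssl_cert_path }}
      when: haproxy_cert.changed or not haproxy_pem.stat.exists

    - name: Enforce restrictive permissions on the combined .pem bundle
      # HAProxy reads the bundle as root at startup before dropping to the
      # haproxy user, so 0600 root:root is sufficient.
      ansible.builtin.file:
        path: "{{ ssl_cert_path }}"
        owner: root
        group: root
        mode: "0600"

    - name: Configure systemd-resolved to use custom DNS
      # Overwrites the whole packaged resolved.conf; a drop-in under
      # /etc/systemd/resolved.conf.d/ would survive package upgrades better.
      ansible.builtin.copy:
        dest: /etc/systemd/resolved.conf
        content: |
          [Resolve]
          DNS={{ dns_server }}
          FallbackDNS=192.168.1.1
          Domains=mngoma.lab
          DNSStubListener=yes
        owner: root
        group: root
        mode: "0644"

    - name: Ensure systemd-resolved service is enabled and restarted
      ansible.builtin.systemd:
        name: systemd-resolved
        state: restarted
        enabled: true

    - name: Upload custom haproxy.cfg with SSL termination and HTTPS-only backend
      ansible.builtin.copy:
        dest: /etc/haproxy/haproxy.cfg
        # Refuse to install a config HAProxy itself cannot parse, so a typo
        # does not take the running load balancer down on restart.
        validate: "haproxy -c -f %s"
        content: |
          global
              log /dev/log local0
              log /dev/log local1 notice
              chroot /var/lib/haproxy
              stats socket /run/haproxy/admin.sock mode 660 level admin
              user haproxy
              group haproxy
              daemon
              tune.ssl.default-dh-param 2048
              # Do not accept legacy protocol versions on the public listener.
              ssl-default-bind-options ssl-min-ver TLSv1.2

          defaults
              log global
              mode http
              option httplog
              option dontlognull
              timeout connect 5000
              timeout client 50000
              timeout server 50000
              option forwardfor

          # Backend hostnames are resolved through the lab DNS server rather
          # than the OS resolver so HAProxy can re-resolve at runtime.
          resolvers dns
              nameserver dns1 {{ dns_server }}:53
              resolve_retries 3
              timeout resolve 2s
              timeout retry 1s
              hold valid 10s

          frontend https_front
              bind *:443 ssl crt {{ ssl_cert_path }}
              mode http
              option forwardfor
              http-request set-header X-Forwarded-Proto https
              # Re-setting Host to its own value is a no-op; kept for parity
              # with the previous config.
              http-request set-header Host %[req.hdr(host)]
              default_backend app_clusters

          backend app_clusters
              mode http
              balance roundrobin
              option httpchk GET /
              # NOTE(review): this list treats nearly every 1xx-4xx reply as
              # healthy (including 401/403/404/429), so the check only detects
              # a backend that is down or returning 5xx - confirm that is the
              # intended health semantics.
              http-check expect status 100,101,102,103,200,201,202,203,204,205,206,207,208,226,300,301,302,303,304,305,306,307,308,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,421,422,423,424,425,426,428,429,431,451
              # NOTE(review): "verify none" skips validation of the backend's
              # certificate; if lead.mngoma.lab uses a lab CA, prefer
              # "verify required ca-file <LAB_CA_BUNDLE_PATH>" so a spoofed
              # backend is rejected.
              server lead_https lead.mngoma.lab:443 resolvers dns resolve-prefer ipv4 check ssl verify none
        owner: root
        group: root
        mode: "0644"

    - name: Enable and start haproxy
      ansible.builtin.systemd:
        name: haproxy
        state: restarted
        enabled: true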