MngomaLab/cluster
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
cluster/k3s-cluster/ansible/create-loadbalancer.yml
Khwezi Mngoma 0410dc3950 first commit
2026-02-22 16:43:17 +02:00

131 lines
4.2 KiB
YAML
Raw Permalink Blame History

# create-loadbalancer.yml
- name: Install and configure HAProxy with SSL termination and managed DNS
hosts: alpha
become: yes
vars:
ssl_cert_path: "/etc/ssl/certs/haproxy.pem"
dns_server: "192.168.1.151"
tasks:
- name: Install HAProxy and dependencies
apt:
name:
- haproxy
- openssl
state: present
update_cache: yes
- name: Ensure cert directory exists
file:
path: /etc/ssl/certs
state: directory
owner: root
group: root
mode: '0755'
- name: Generate private key for HAProxy
community.crypto.openssl_privatekey:
path: /etc/ssl/certs/haproxy.key
size: 2048
type: RSA
mode: '0600'
- name: Generate a Certificate Signing Request (CSR) for HAProxy
community.crypto.openssl_csr:
path: /etc/ssl/certs/haproxy.csr
privatekey_path: /etc/ssl/certs/haproxy.key
common_name: "{{ inventory_hostname }}"
subject_alt_name:
- "DNS:{{ inventory_hostname }}"
mode: "0644"
- name: Generate self-signed certificate for HAProxy
community.crypto.x509_certificate:
path: /etc/ssl/certs/haproxy.crt
privatekey_path: /etc/ssl/certs/haproxy.key
csr_path: /etc/ssl/certs/haproxy.csr
provider: selfsigned
selfsigned_not_before: "{{ '%Y%m%d%H%M%SZ' | strftime(ansible_date_time.epoch | int) }}"
selfsigned_not_after: "{{ '%Y%m%d%H%M%SZ' | strftime((ansible_date_time.epoch | int) + (365*24*60*60)) }}"
mode: "0644"
- name: Combine key and cert into .pem file for HAProxy
shell: cat /etc/ssl/certs/haproxy.key /etc/ssl/certs/haproxy.crt > {{ ssl_cert_path }}
args:
creates: "{{ ssl_cert_path }}"
- name: Configure systemd-resolved to use custom DNS
become: true
copy:
dest: /etc/systemd/resolved.conf
content: |
[Resolve]
DNS={{ dns_server }}
FallbackDNS=192.168.1.1
Domains=mngoma.lab
DNSStubListener=yes
owner: root
group: root
mode: "0644"
- name: Ensure systemd-resolved service is enabled and restarted
become: true
systemd:
name: systemd-resolved
state: restarted
enabled: yes
- name: Upload custom haproxy.cfg with SSL termination and HTTPS-only backend
copy:
dest: /etc/haproxy/haproxy.cfg
content: |
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
option forwardfor
resolvers dns
nameserver dns1 {{ dns_server }}:53
resolve_retries 3
timeout resolve 2s
timeout retry 1s
hold valid 10s
frontend https_front
bind *:443 ssl crt {{ ssl_cert_path }}
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https
http-request set-header Host %[req.hdr(host)]
default_backend app_clusters
backend app_clusters
mode http
balance roundrobin
option httpchk GET /
http-check expect status 100,101,102,103,200,201,202,203,204,205,206,207,208,226,300,301,302,303,304,305,306,307,308,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,421,422,423,424,425,426,428,429,431,451
server lead_https lead.mngoma.lab:443 resolvers dns resolve-prefer ipv4 check ssl verify none
owner: root
group: root
mode: "0644"
- name: Enable and start haproxy
systemd:
name: haproxy
state: restarted
enabled: yes
Reference in New Issue View Git Blame Copy Permalink