cluster/k3s-cluster/ansible/create-loadbalancer.yml
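---
# create-loadbalancer.yml
#
# Builds an HAProxy TLS-terminating load balancer on the `alpha` host:
#   1. install haproxy and openssl,
#   2. generate a self-signed RSA key / CSR / certificate and bundle them into
#      the single PEM file HAProxy expects,
#   3. point systemd-resolved at the lab DNS server,
#   4. write haproxy.cfg (syntax-checked first) and (re)start the service.
#
# Service restarts go through handlers, so a run that changes nothing does
# not bounce haproxy or systemd-resolved.
- name: Install and configure HAProxy with SSL termination and managed DNS
  hosts: alpha
  become: true
  vars:
    # Key+cert bundle referenced by the `bind *:443 ssl crt` line in haproxy.cfg.
    ssl_cert_path: "/etc/ssl/certs/haproxy.pem"
    # Lab DNS server, used by systemd-resolved and by the HAProxy `resolvers` section.
    dns_server: "192.168.1.151"

  handlers:
    # Handlers run in the order listed: resolver first, then haproxy.
    - name: Restart systemd-resolved
      ansible.builtin.systemd:
        name: systemd-resolved
        state: restarted

    - name: Restart haproxy
      ansible.builtin.systemd:
        name: haproxy
        state: restarted

  tasks:
    - name: Install HAProxy and dependencies
      ansible.builtin.apt:
        name:
          - haproxy
          - openssl
        state: present
        update_cache: true

    - name: Ensure cert directory exists
      ansible.builtin.file:
        path: /etc/ssl/certs
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Generate private key for HAProxy
      community.crypto.openssl_privatekey:
        path: /etc/ssl/certs/haproxy.key
        size: 2048
        type: RSA
        mode: "0600"

    - name: Generate a Certificate Signing Request (CSR) for HAProxy
      community.crypto.openssl_csr:
        path: /etc/ssl/certs/haproxy.csr
        privatekey_path: /etc/ssl/certs/haproxy.key
        common_name: "{{ inventory_hostname }}"
        # Only the inventory hostname is covered; clients that reach the LB by
        # another name (FQDN, VIP) will see a name mismatch unless added here.
        subject_alt_name:
          - "DNS:{{ inventory_hostname }}"
        mode: "0644"

    - name: Generate self-signed certificate for HAProxy
      community.crypto.x509_certificate:
        path: /etc/ssl/certs/haproxy.crt
        privatekey_path: /etc/ssl/certs/haproxy.key
        csr_path: /etc/ssl/certs/haproxy.csr
        provider: selfsigned
        # Valid from now for one year (365 days expressed in seconds).
        selfsigned_not_before: "{{ '%Y%m%d%H%M%SZ' | strftime(ansible_date_time.epoch | int) }}"
        selfsigned_not_after: "{{ '%Y%m%d%H%M%SZ' | strftime((ansible_date_time.epoch | int) + (365*24*60*60)) }}"
        mode: "0644"

    - name: Combine key and cert into .pem file for HAProxy
      # The bundle embeds the private key, so it is written under umask 077
      # rather than the shell's default umask, which would leave it
      # world-readable inside the 0755 certs directory. `creates` keeps the
      # task idempotent; that also means the bundle is NOT rebuilt when the key
      # or cert above is regenerated — remove the .pem to force a refresh.
      ansible.builtin.shell: umask 077; cat /etc/ssl/certs/haproxy.key /etc/ssl/certs/haproxy.crt > {{ ssl_cert_path }}
      args:
        creates: "{{ ssl_cert_path }}"
      notify: Restart haproxy

    - name: Ensure the PEM bundle is readable by root only
      # Also tightens bundles created by earlier runs. HAProxy loads
      # certificates at startup before switching to the haproxy user, so
      # root-only access is sufficient.
      ansible.builtin.file:
        path: "{{ ssl_cert_path }}"
        owner: root
        group: root
        mode: "0600"

    - name: Configure systemd-resolved to use custom DNS
      # Replaces the whole resolved.conf; distro defaults are not preserved.
      ansible.builtin.copy:
        dest: /etc/systemd/resolved.conf
        content: |
          [Resolve]
          DNS={{ dns_server }}
          FallbackDNS=192.168.1.1
          Domains=mngoma.lab
          DNSStubListener=yes
        owner: root
        group: root
        mode: "0644"
      notify: Restart systemd-resolved

    - name: Ensure systemd-resolved service is enabled and running
      ansible.builtin.systemd:
        name: systemd-resolved
        state: started
        enabled: true

    - name: Upload custom haproxy.cfg with SSL termination and HTTPS-only backend
      # `validate` syntax-checks the candidate file before it replaces the live
      # config, so a bad render cannot take the load balancer down.
      #
      # Review notes on the rendered config:
      #   - `server ... ssl verify none`: the backend certificate is not
      #     checked, so the hop to lead.mngoma.lab is encrypted but not
      #     authenticated. Prefer `verify required ca-file <path-to-lab-ca>`
      #     once the backend cert chains to a CA this host trusts.
      #   - `http-check expect status ...` treats every 1xx/2xx/3xx and most
      #     4xx codes as healthy, so a backend answering only 401/403/404 is
      #     never marked down — confirm that is intended.
      #   - `http-request set-header Host %[req.hdr(host)]` rewrites Host to
      #     its current value and is effectively a no-op.
      ansible.builtin.copy:
        dest: /etc/haproxy/haproxy.cfg
        validate: /usr/sbin/haproxy -c -f %s
        content: |
          global
              log /dev/log local0
              log /dev/log local1 notice
              chroot /var/lib/haproxy
              stats socket /run/haproxy/admin.sock mode 660 level admin
              user haproxy
              group haproxy
              daemon
              tune.ssl.default-dh-param 2048
              # Refuse TLS < 1.2 on every ssl bind (requires HAProxy >= 1.8).
              ssl-default-bind-options ssl-min-ver TLSv1.2

          defaults
              log global
              mode http
              option httplog
              option dontlognull
              timeout connect 5000
              timeout client 50000
              timeout server 50000
              option forwardfor

          resolvers dns
              nameserver dns1 {{ dns_server }}:53
              resolve_retries 3
              timeout resolve 2s
              timeout retry 1s
              hold valid 10s

          frontend https_front
              bind *:443 ssl crt {{ ssl_cert_path }}
              mode http
              option forwardfor
              http-request set-header X-Forwarded-Proto https
              http-request set-header Host %[req.hdr(host)]
              default_backend app_clusters

          backend app_clusters
              mode http
              balance roundrobin
              option httpchk GET /
              http-check expect status 100,101,102,103,200,201,202,203,204,205,206,207,208,226,300,301,302,303,304,305,306,307,308,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,421,422,423,424,425,426,428,429,431,451
              server lead_https lead.mngoma.lab:443 resolvers dns resolve-prefer ipv4 check ssl verify none
        owner: root
        group: root
        mode: "0644"
      notify: Restart haproxy

    - name: Apply pending restarts before asserting final service state
      ansible.builtin.meta: flush_handlers

    - name: Enable and start haproxy
      ansible.builtin.systemd:
        name: haproxy
        state: started
        enabled: true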