commit c48b02bd78603ff8a8dae277745c0e1fd0a7043c
Author: Nils Cant
Date: Tue May 5 17:30:40 2020 +0200
first commit
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..951a36e
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload haproxy
+ service:
+ name: haproxy
+ state: reloaded
diff --git a/tasks/firewalld.yml b/tasks/firewalld.yml
new file mode 100644
index 0000000..367a880
--- /dev/null
+++ b/tasks/firewalld.yml
@@ -0,0 +1,46 @@
+- name: Ensure firewalld is enabled
+ service:
+ name: firewalld
+ enabled: true
+ state: started
+
+- name: Set external interface
+ firewalld:
+ state: enabled
+ interface: eth1
+ zone: external
+ permanent: yes
+ immediate: yes
+
+- name: Set internal interface
+ firewalld:
+ state: enabled
+ interface: eth2
+ zone: internal
+ permanent: yes
+ immediate: yes
+
+- name: Open firewalld ports
+ firewalld:
+ port: "{{ item.port }}"
+ state: enabled
+ zone: "{{ item.zone }}"
+ immediate: yes
+ permanent: yes
+ loop:
+ - port: 80/tcp
+ zone: external
+ - port: 443/tcp
+ zone: external
+ - port: 80/tcp
+ zone: internal
+ - port: 443/tcp
+ zone: internal
+ - port: 22623/tcp
+ zone: internal
+ - port: 8000/tcp
+ zone: internal
+ - port: 6443/tcp
+ zone: internal
+ - port: 6443/tcp
+ zone: external
diff --git a/tasks/haproxy.yml b/tasks/haproxy.yml
new file mode 100644
index 0000000..3fcce0b
--- /dev/null
+++ b/tasks/haproxy.yml
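Review bot: `8000/tcp` is opened in the `internal` zone by the `Open firewalld ports` loop, but nothing in this commit listens there — templates/haproxy.cfg.j2 binds only 80, 443, 6443 and 22623 and the seport task in tasks/haproxy.yml labels only those — so it reads as an unexplained hole. If another service is expected on that port, name it in a comment on that loop item (`# 8000/tcp: <service> on the internal network`); otherwise drop the entry. Separately, on current firewalld releases the `external` zone ships with masquerading enabled (verify on the target OS), and tasks/main.yml turns on `net.ipv4.ip_forward`, so assigning eth1 to `external` makes this host NAT the internal network as a side effect; add a comment on the `Set external interface` task stating that this is intended, or set `masquerade: false` on that zone. Style: Ansible convention is `true`/`false`, so `permanent: yes` / `immediate: yes` should be `permanent: true` / `immediate: true`.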
@@ -0,0 +1,36 @@
+- name: Enable epel
+ yum:
+ name: epel-release
+
+- name: Install haproxy
+ yum:
+ name: haproxy
+
+- name: python selinux package
+ yum:
+ name: python3-libselinux, policycoreutils-python-utils
+
+- name: Allow haproxy to connect to any port
+ seboolean:
+ name: haproxy_connect_any
+ persistent: yes
+ state: yes
+
+- name: Allow haproxy to listen on required ports
+ seport:
+ setype: http_port_t
+ ports: ["80", "443", "6443", "22623"]
+ proto: tcp
+
+- name: Haproxy configuration
+ template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/haproxy.cfg
+ mode: 0644
+ notify: Reload haproxy
+
+- name: Haproxy service
+ service:
+ name: haproxy
+ enabled: true
+ state: started
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..9ed8f56
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,10 @@
+- name: Enable ipv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+- import_tasks: firewalld.yml
+- import_tasks: haproxy.yml
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..52a94c7
--- /dev/null
+++ b/templates/haproxy.cfg.j2
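Review bot: The `Allow haproxy to connect to any port` task sets `haproxy_connect_any`, which lets a compromised haproxy open outbound connections to any TCP port on any host, while the very next task already labels 80, 443, 6443 and 22623 as `http_port_t` — the only backend ports templates/haproxy.cfg.j2 uses. Check on the target release whether the haproxy SELinux policy already allows name_connect to `http_port_t`; if it does, drop the seboolean task and keep the narrower seport labeling. The `Haproxy configuration` template task should also validate the rendered file before the `Reload haproxy` handler fires, `validate: 'haproxy -c -f %s'`, so a bad render cannot take the load balancer down. Minor: quote the octal mode, `mode: '0644'`, and use `true` rather than `yes` for `persistent` / `state` on the seboolean task.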
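Review bot: `Enable ipv4 forwarding` turns the host into an IP router, but nothing else in this commit needs it — haproxy proxies in userspace and the firewalld tasks only open ports. Together with the `external` zone assignment in tasks/firewalld.yml, which on current firewalld releases enables masquerading by default (verify on the target OS), the box becomes a NAT gateway for the internal network as a side effect. If that is the intent, say so in a comment on the task (`# this host routes/NATs the internal cluster network out of eth1`); otherwise remove the task. Style: `sysctl_set: yes` / `reload: yes` should be `sysctl_set: true` / `reload: true`.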
@@ -0,0 +1,115 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application. See the
+# full configuration options online.
+#
+# https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+ # to have these messages end up in /var/log/haproxy.log you will
+ # need to:
+ #
+ # 1) configure syslog to accept network log events. This is done
+ by adding the '-r' option to the SYSLOGD_OPTIONS in
+ /etc/sysconfig/syslog
+ #
+ # 2) configure local2 events to go to the /var/log/haproxy.log
+ file. A line like the following can be added to
+ /etc/sysconfig/syslog
+ #
+ # local2.* /var/log/haproxy.log
+ #
+ log 127.0.0.1 local2
+
+ chroot /var/lib/haproxy
+ pidfile /var/run/haproxy.pid
+ maxconn 4000
+ user haproxy
+ group haproxy
+ daemon
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+ # utilize system-wide crypto-policies
+ ssl-default-bind-ciphers PROFILE=SYSTEM
+ ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+ mode http
+ log global
+# option httplog
+ option dontlognull
+ option http-server-close
+# option forwardfor except 127.0.0.0/8
+ option redispatch
+ retries 3
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+ maxconn 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend api
+ bind *:6443
+ mode tcp
+ default_backend api
+
+frontend machineconfig
+ bind *:22623
+ mode tcp
+ default_backend machineconfig
+
+frontend web
+ bind *:80
+ mode tcp
+ default_backend nodes-web
+
+frontend websecure
+ bind *:443
+ mode tcp
+ default_backend nodes-websecure
+
+backend api
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server bootstrap 10.32.101.3:6443 check
+ server master0 10.32.101.4:6443 check
+
+backend machineconfig
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server bootstrap 10.32.101.3:22623 check
+ server master0 10.32.101.4:22623 check
+
+backend nodes-web
+ mode tcp
+ option httpchk GET /_______internal_router_healthz
+ balance roundrobin
+ server worker0 10.32.101.5:80 check
+ server worker1 10.32.101.6:80 check
+ server worker2 10.32.101.7:80 check
+
+backend nodes-websecure
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server worker0 10.32.101.5:443 check
+ server worker1 10.32.101.6:443 check
+ server worker2 10.32.101.7:443 check
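Review bot: `frontend machineconfig` binds `*:22623`, so the service behind it (presumably the OpenShift Machine Config Server, which serves node ignition configs) is kept off the external interface only by the zone assignment in tasks/firewalld.yml; a swapped `eth1`/`eth2` mapping or a later firewall change would expose it. Bind it to the internal address instead, e.g. `bind {{ internal_bind_address }}:22623` with the address supplied as a role variable, and keep the firewall rule as the second layer. The template also contains no Jinja at all — the `10.32.101.x` backend addresses and node names are hard-coded — so they should be rendered from inventory (a loop over a `backend_nodes`-style variable) rather than edited in the template. The `stats socket /var/lib/haproxy/stats` line sets no `mode` or `level`, so who can drive the admin socket depends on the process umask; state it explicitly, e.g. `stats socket /var/lib/haproxy/stats mode 600 level admin`. As rendered here the continuation lines under `# 1)` and `# 2)` in the `global` section have no leading `#` (`by adding the '-r' option ...`); if that is the real file content haproxy will reject the configuration at parse time, so check the template in the repository.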