first commit

tasks/firewalld.yml

@@ -0,0 +1,46 @@
+- name: Ensure firewalld is enabled
+  service:
+    name: firewalld
+    enabled: true
+    state: started
+
+- name: Set external interface
+  firewalld:
+    state: enabled
+    interface: eth1
+    zone: external
+    permanent: yes
+    immediate: yes
+
+- name: Set internal interface
+  firewalld:
+    state: enabled
+    interface: eth2
+    zone: internal
+    permanent: yes
+    immediate: yes
+
+- name: Open firewalld ports
+  firewalld:
+    port: "{{ item.port }}"
+    state: enabled
+    zone: "{{ item.zone }}"
+    immediate: yes
+    permanent: yes
+  loop:
+    - port: 80/tcp
+      zone: external
+    - port: 443/tcp
+      zone: external
+    - port: 80/tcp
+      zone: internal
+    - port: 443/tcp
+      zone: internal
+    - port: 22623/tcp
+      zone: internal
+    - port: 8000/tcp
+      zone: internal
+    - port: 6443/tcp
+      zone: internal
+    - port: 6443/tcp
+      zone: external

tasks/haproxy.yml

@@ -0,0 +1,36 @@
+- name: Enable epel
+  yum:
+    name: epel-release 
+
+- name: Install haproxy
+  yum:
+    name: haproxy
+
+- name: python selinux package
+  yum:
+    name: python3-libselinux, policycoreutils-python-utils
+
+- name: Allow haproxy to connect to any port
+  seboolean:
+    name: haproxy_connect_any
+    persistent: yes
+    state: yes
+
+- name: Allow haproxy to listen on required ports
+  seport:
+    setype: http_port_t
+    ports: ["80", "443", "6443", "22623"]
+    proto: tcp
+
+- name: Haproxy configuration
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    mode: 0644
+  notify: Reload haproxy
+
+- name: Haproxy service
+  service:
+    name: haproxy
+    enabled: true
+    state: started

tasks/main.yml

@@ -0,0 +1,10 @@
+- name: Enable ipv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- import_tasks: firewalld.yml
+- import_tasks: haproxy.yml