fedora-infra_ansible/roles/haproxy/tasks/main.yml
Greg Sutcliffe 0a4a78bf9a Zabbix: Add HAProxy monitoring template
Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
2025-11-03 15:54:57 +00:00


---
# Tasks to set up haproxy
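- name: Install needed packages
  # Both packages are handed to the package manager in one call, matching the
  # list form the libsemanage tasks in this file already use, instead of
  # looping over the module once per package.
  ansible.builtin.package:
    name:
      - haproxy
      - socat
    state: present
  tags:
    - packages
    - haproxy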
- name: Install haproxy/cfg
  # Renders the main haproxy configuration, readable by root only (0600), and
  # queues a haproxy restart whenever the rendered file changes.
  # NOTE(review): there is no `validate:` on this template; the syntax check is
  # a separate task later in this file, so a broken render is already on disk
  # by the time that check fails.
  ansible.builtin.template:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "0600"
  loop:
    - file: haproxy.cfg
      dest: /etc/haproxy/haproxy.cfg
  notify:
    - Restart haproxy
  tags:
    - haproxy
- name: Install limits.conf and 503.http
  # Static files shipped with the role. The first entry replaces the
  # system-wide /etc/security/limits.conf as a whole; both land root-owned
  # with mode 0600. No handler is notified by this task.
  ansible.builtin.copy:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "0600"
  loop:
    - file: limits.conf
      dest: /etc/security/limits.conf
    - file: 503.http
      dest: /etc/haproxy/503.http
  tags:
    - haproxy
- name: Install pem cert
  # PEM files land root-owned with mode 0600.
  # NOTE(review): presumably these bundles contain private keys, which is why
  # they are root-only - confirm, and keep the source files out of any
  # world-readable location on the control node.
  ansible.builtin.copy:
    src: "{{ item.file }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "0600"
  loop:
    # this one does not necessarily change when we move DCs, due to replication
    - file: "ipa.{{env}}.pem"
      dest: /etc/haproxy/ipa.pem
    # The same rdu3 source file is installed under two destination names.
    - file: "ocp.{{env_short}}-rdu3.pem"
      dest: "/etc/haproxy/ocp-{{env_short}}.pem"
    - file: "ocp.{{env_short}}-rdu3.pem"
      dest: "/etc/haproxy/ocp-{{env_short}}-rdu3.pem"
  tags:
    - haproxy
- name: Install ocp api pem cert
  # The source lives under the `private` path rather than in the role's own
  # files directory; the destination is root-owned with mode 0600.
  ansible.builtin.copy:
    src: "{{ private }}/files/httpd/api-int.ocp{{ env_suffix }}.fedoraproject.org.pem"
    dest: /etc/haproxy/ocp4.pem
    owner: root
    group: root
    mode: "0600"
  tags:
    - haproxy
- name: Install libsemanage
  # Older platforms only: RedHat with a major version below 8, or Fedora
  # below 30. These get the libsemanage-python package.
  ansible.builtin.package:
    name:
      - libsemanage-python
    state: present
  when: >-
    (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8)
    or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora')
  tags:
    - haproxy
    - selinux
- name: Install libsemanage in a python3 manner
  # Newer platforms only: Fedora 30 and later, or RedHat 8 and later. These
  # get the python3-libsemanage package instead.
  ansible.builtin.package:
    name:
      - python3-libsemanage
    state: present
  when: >-
    (ansible_distribution_major_version|int >= 30 and ansible_distribution == 'Fedora')
    or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8)
  tags:
    - haproxy
    - selinux
- name: Turn on certain selinux booleans so haproxy can bind to ports
  # Enables each listed boolean and persists it across reboots.
  # NOTE(review): haproxy_connect_any looks like a broad grant (any port rather
  # than only specifically labelled ones) - confirm that breadth is intended
  # rather than labelling the ports haproxy actually needs.
  seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
    - haproxy_connect_any
  tags:
    - haproxy
    - selinux
# These following four tasks are used for copying over our custom selinux
# module.
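- name: Ensure a directory exists for our custom selinux module
  # The policy module stored here is later loaded as root with `semodule -i`,
  # so ownership and mode are pinned explicitly instead of being inherited
  # from the umask or from a pre-existing directory.
  ansible.builtin.file:
    path: /usr/share/haproxy
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
    - haproxy
    - selinux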
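- name: Copy over our general haproxy selinux module
  # Compiled policy package that a later task loads with `semodule -i`.
  # Owner, group and mode are explicit so only root can alter what gets
  # loaded into the SELinux policy. The registered result triggers the
  # (re)install task when the file content changes.
  ansible.builtin.copy:
    src: selinux/fi-haproxy.pp
    dest: /usr/share/haproxy/fi-haproxy.pp
    owner: root
    group: root
    mode: "0644"
  register: fi_haproxy_module
  tags:
    - haproxy
    - selinux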
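- name: Check to see if its even installed yet
  # Counts the lines of `semodule -l` that contain "fi-haproxy". The task is
  # read-only, so it also runs in check mode. It reports "changed" only when
  # the count is exactly 0, which is what the install task keys on.
  # The previous test ('0' in stdout) was a substring match and would also
  # fire on counts such as 10.
  # The pipeline's exit status is that of `wc`, so a grep with no matches does
  # not fail the task.
  ansible.builtin.shell:
    cmd: semodule -l | grep fi-haproxy | wc -l
  register: fi_haproxy_grep
  check_mode: false
  changed_when: "fi_haproxy_grep.stdout | trim == '0'"
  tags:
    - haproxy
    - selinux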
- name: Install our general haproxy selinux module
  # Loads the policy package into SELinux. Runs only when the .pp file was
  # just updated or the presence check reported the module as missing.
  ansible.builtin.command:
    cmd: semodule -i /usr/share/haproxy/fi-haproxy.pp
  when: fi_haproxy_module is changed or fi_haproxy_grep is changed
  tags:
    - haproxy
    - selinux
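- name: Install our rsyslog drop-in for where to send local0 messages
  # Drop-in that tells rsyslog where local0 messages go. Owner, group and
  # mode are explicit, as on the other copy tasks in this file, so the logging
  # configuration cannot be edited by a non-root account.
  ansible.builtin.copy:
    src: rsyslog.conf
    dest: /etc/rsyslog.d/haproxy.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart rsyslog
  tags:
    - haproxy
    - rsyslogd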
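- name: Check haproxy cfg to make sure it is valid
  # `haproxy -c` only parses the configuration, so the task is read-only and
  # also runs in check mode. A non-zero exit fails the task outright, which
  # made the old `changed_when: rc != 0` unreachable; the task is now marked
  # as never changing.
  # NOTE(review): this check runs after the config file has already been
  # written, so a failure stops the play but leaves the invalid file in place.
  ansible.builtin.command:
    cmd: haproxy -c -f /etc/haproxy/haproxy.cfg
  register: haproxyconfigcheck
  check_mode: false
  changed_when: false
  tags:
    - haproxy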
- name: Make sure haproxy is awake and reporting for duty
  # Starts haproxy if it is not running and enables it at boot.
  ansible.builtin.service:
    name: haproxy
    state: started
    enabled: true
  tags:
    - haproxy
### Monitoring config
# Custom SELinux requirements for Zabbix to execute monitoring
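- name: Ensure a directory exists for HAProxy Zabbix selinux module
  # Holds the policy source that the following tasks copy in and compile.
  # Ownership is pinned to root alongside the existing mode, so a pre-existing
  # directory with another owner is corrected rather than silently reused.
  ansible.builtin.file:
    path: /usr/local/share/zabbix
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - haproxy
    - selinux
    - zabbix_agent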
- name: Copy HAProxy Zabbix SELinux module
  # Ships the type-enforcement source (.te) for the Zabbix/HAProxy policy.
  # The result is registered so the compile step runs only when the source
  # actually changed.
  ansible.builtin.copy:
    dest: /usr/local/share/zabbix/zabbix_haproxy.te
    src: zabbix/selinux-haproxy.te
    mode: '0644'
    owner: root
    group: root
  register: selinux_zabbix_file
  tags:
    - haproxy
    - selinux
    - zabbix_agent
- name: Compile and install SELinux module
  # Hands the module directory and name to the shared compile-selinux.yml
  # task file, only when the .te source was just updated.
  # NOTE(review): tags set on include_tasks apply to the include statement
  # itself, not to the tasks inside the included file - confirm those tasks
  # carry their own tags if tag-limited runs are expected to rebuild the module.
  ansible.builtin.include_tasks: "{{ tasks_path }}/compile-selinux.yml"
  when: selinux_zabbix_file is changed
  vars:
    selinux_module_name: zabbix_haproxy
    selinux_module_dir: /usr/local/share/zabbix
  tags:
    - haproxy
    - selinux
    - zabbix_agent
- name: Zabbix API Block
  # Every task in this block talks to the Zabbix server API instead of the
  # managed host: the connection variables below are overridden for the
  # duration of the block.
  tags:
    - haproxy
    - zabbix_api
  vars:
    ansible_host: "{{ zabbix_server }}"
    ansible_connection: "{{ zabbix_connection }}"
    ansible_network_os: "{{ zabbix_network_os }}"
    ansible_httpapi_port: "{{ zabbix_httpapi_port }}"
    ansible_httpapi_use_ssl: "{{ zabbix_httpapi_use_ssl }}"
    # TLS and certificate validation are driven by variables defined outside
    # this file.
    # NOTE(review): the API key below travels over this connection - confirm
    # both variables resolve to true wherever it is used.
    ansible_httpapi_validate_certs: "{{ zabbix_httpapi_validate_certs }}"
    ansible_zabbix_url_path: "{{ zabbix_url_path }}"
    # API credential.
    # NOTE(review): presumably sourced from vaulted or private vars - confirm
    # it is never committed in clear text.
    ansible_zabbix_auth_key: "{{ zabbix_auth_key }}"
  block:
    # Template definition is read from the role's files on the control node.
    - name: Import HAProxy template file
      community.zabbix.zabbix_template:
        state: present
        template_yaml: "{{ lookup('file', 'zabbix/template-haproxy.yml') }}"

    - name: Ensure HAProxy hostgroup is present
      community.zabbix.zabbix_group:
        state: present
        host_groups:
          - HAProxy servers

    # Registers the current inventory host in the group created above and
    # links the monitoring template to it.
    - name: Add self to HAProxy in Zabbix
      community.zabbix.zabbix_host:
        host_name: "{{ inventory_hostname }}"
        link_templates: HAProxy Monitoring
        host_groups: HAProxy servers
        force: false