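---
# Installs HAProxy on the `proxy` group, builds a combined PEM (certificate +
# private key) for TLS termination, renders /etc/haproxy/haproxy.cfg and makes
# sure the service is enabled and running.
- name: Configure HAProxy Load Balancer (ALT Linux)
  hosts: proxy
  become: true

  vars:
    vip_address: "172.16.1.253"
    backend_servers: "{{ groups['server'] }}"
    backend_port: 443
    # NOTE(review): stats_port is not referenced by any task or by the
    # rendered configuration below.
    stats_port: 9000
    stats_uri: "/haproxy_stats"
    stats_user: "admin"
    # SECURITY: plaintext credential stored in the playbook. Supply the real
    # value from Ansible Vault (or another secret store) and treat this
    # literal as compromised once it has been committed.
    stats_password: "haproxy_secure_pass"
    ssl_cert_path: "/etc/haproxy/ssl/www.au.team.pem"
    server_name: "www.au.team"

  tasks:
    - name: Install HAProxy package (ALT Linux)
      ansible.builtin.package:
        name: haproxy
        state: present
      tags:
        - haproxy

    # The directory holds the private key, so it is restricted to root.
    # HAProxy is configured below with `user haproxy`, i.e. it loads the
    # certificate before it drops privileges.
    - name: Create SSL directory for HAProxy
      ansible.builtin.file:
        path: /etc/haproxy/ssl
        state: directory
        mode: '0700'
        owner: root
        group: root
      tags:
        - ssl

    # NOTE(review): this runs on the proxy host itself, so the /etc/angie/ssl
    # files must already exist there; confirm how they are delivered.
    # `creates` makes the task a one-shot: a renewed certificate is not
    # picked up until the PEM is removed.
    - name: Copy SSL certificate to HAProxy (from web server)
      ansible.builtin.shell: |
        # Abort on the first error so a missing source file cannot leave a
        # truncated PEM behind that `creates` would then treat as done.
        set -eu
        # The key material must never exist on disk with default umask bits.
        umask 077
        dest={{ ssl_cert_path | quote }}
        cat /etc/angie/ssl/www.au.team.crt /etc/angie/ssl/www.au.team.key > "${dest}.tmp"
        chmod 600 "${dest}.tmp"
        # Publish the finished file in one step.
        mv "${dest}.tmp" "${dest}"
      args:
        creates: "{{ ssl_cert_path }}"
      tags:
        - ssl

    # The rendered file contains the stats credentials, hence root-only
    # permissions and no diff output. `validate` keeps a configuration that
    # HAProxy rejects from replacing the live one.
    - name: Configure HAProxy with SSL termination
      ansible.builtin.copy:
        content: |
          global
              log /dev/log local0
              log /dev/log local1 notice
              chroot /var/lib/haproxy
              stats socket /run/haproxy/admin.sock mode 660 level admin
              stats timeout 30s
              user haproxy
              group haproxy
              daemon

          defaults
              log global
              mode http
              option httplog
              option dontlognull
              timeout connect 5000
              timeout client 50000
              timeout server 50000

          frontend https_front
              bind {{ vip_address }}:443 ssl crt {{ ssl_cert_path }}
              bind {{ vip_address }}:80
              # `server_name` is not an HAProxy keyword and was removed from
              # this section; the host name is still used by the health check.
              http-request redirect scheme https unless { ssl_fc }
              default_backend web_backend

          backend web_backend
              balance roundrobin
              option httpchk GET / HTTP/1.1\r\nHost:\ {{ server_name }}
              # SECURITY: `verify none` disables certificate validation towards
              # the backends; switch to `verify required` with a CA file once
              # the backend certificates can be validated.
          {% for server in backend_servers %}
              server {{ server }} {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} check ssl verify none
          {% endfor %}

          # NOTE(review): no frontend routes to this backend, so the stats page
          # is not reachable as written.
          backend stats_backend
              stats enable
              stats uri {{ stats_uri }}
              stats auth {{ stats_user }}:{{ stats_password }}
        dest: /etc/haproxy/haproxy.cfg
        owner: root
        group: root
        mode: '0600'
        backup: true
        validate: haproxy -c -f %s
      diff: false
      notify: Reload haproxy
      tags:
        - haproxy

    - name: Enable and start HAProxy service
      ansible.builtin.systemd:
        name: haproxy
        enabled: true
        state: started
      tags:
        - haproxy

  handlers:
    - name: Reload haproxy
      ansible.builtin.systemd:
        name: haproxy
        state: reloaded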