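---
# Configure an Nginx TLS-terminating load balancer on the `proxy` group
# (ALT Linux). Nginx listens on the VIP, redirects HTTP to HTTPS, and
# proxies HTTPS requests to every host in the `server` group over TLS.
#
# Changes versus the previous revision of this play:
#   * `nginx_install` is now actually registered, so the apt-get fallback's
#     `when: nginx_install is failed` no longer aborts on an undefined var.
#   * The certificate and key are copied as separate files with the key at
#     0600 (idempotent `copy`, so a rotated cert on the source path is picked
#     up; the old `shell` + `creates:` never refreshed it).
#   * Backend TLS is verified (`proxy_ssl_verify on`) instead of disabled.
#   * The HTTP->HTTPS redirect targets the configured server name rather than
#     the client-supplied Host header.
#   * The stats vhost's allow-list covers both locations, not only `/`.
#   * The config is validated with `nginx -t` before every reload.
- name: Configure Nginx Load Balancer (ALT Linux)
  hosts: proxy
  become: true
  vars:
    vip_address: "172.16.1.253"
    backend_servers: "{{ groups['server'] }}"
    backend_port: 443
    stats_port: 9000
    server_name: "www.au.team"
    # Where the web-server play leaves the certificate/key on this host
    # (the previous revision read them from here with `cat`).
    ssl_source_dir: "/etc/angie/ssl"
    ssl_cert_path: "/etc/nginx/ssl/www.au.team.crt"
    ssl_key_path: "/etc/nginx/ssl/www.au.team.key"
    # Networks allowed to reach the status endpoints; everything else is denied.
    stats_allowed_networks:
      - "127.0.0.1"
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"

  tasks:
    - name: Install Nginx package (ALT Linux)
      ansible.builtin.package:
        name: nginx
        state: present
      # Do not refresh the package cache automatically; a stale cache falls
      # through to the apt-get task below, which needs this result registered.
      register: nginx_install
      ignore_errors: true  # ignore "package not found" so the fallback can run
      tags:
        - nginx

    - name: Install Nginx via apt-get if the package cache is outdated
      # The fallback exists for a stale cache, so refresh it before installing.
      ansible.builtin.shell:
        cmd: apt-get update && apt-get install -y nginx
      when: nginx_install is failed
      register: nginx_install_cmd
      changed_when: nginx_install_cmd.rc == 0
      tags:
        - nginx

    - name: Create SSL directory for Nginx
      ansible.builtin.file:
        path: /etc/nginx/ssl
        state: directory
        mode: "0755"
        owner: root
        group: root
      tags:
        - ssl

    - name: Copy SSL certificate to Nginx (from the web-server install on this host)
      # The certificate is public; 0644 lets tooling read it for verification.
      ansible.builtin.copy:
        src: "{{ ssl_source_dir }}/www.au.team.crt"
        dest: "{{ ssl_cert_path }}"
        remote_src: true
        owner: root
        group: root
        mode: "0644"
      notify: Reload nginx
      tags:
        - ssl

    - name: Copy SSL private key to Nginx (from the web-server install on this host)
      # Key stays root-only; the nginx master reads it as root at startup.
      ansible.builtin.copy:
        src: "{{ ssl_source_dir }}/www.au.team.key"
        dest: "{{ ssl_key_path }}"
        remote_src: true
        owner: root
        group: root
        mode: "0600"
      no_log: true  # keep key material out of diff/verbose output
      notify: Reload nginx
      tags:
        - ssl

    - name: Create directories for Nginx config
      # NOTE(review): this assumes the distro nginx.conf includes
      # sites-enabled/*.conf; confirm on ALT Linux or add the include.
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: "0755"
        owner: root
        group: root
      loop:
        - /etc/nginx/conf.d
        - /etc/nginx/sites-available
        - /etc/nginx/sites-enabled
      tags:
        - nginx

    - name: Configure Nginx upstream for backend servers
      ansible.builtin.copy:
        content: |
          upstream backend_servers {
              least_conn;
          {% for server in backend_servers %}
              server {{ hostvars[server]['ansible_host'] | default(server) }}:{{ backend_port }} weight=1 max_fails=3 fail_timeout=30s;
          {% endfor %}
          }
        dest: /etc/nginx/conf.d/upstream.conf
        mode: "0644"
        backup: true
      notify: Reload nginx
      tags:
        - nginx

    - name: Configure Nginx vhost with SSL and load balancing
      ansible.builtin.copy:
        content: |
          # HTTP server - redirect to HTTPS.
          # Redirect to the configured name rather than $host: this is the only
          # server on the VIP, so an arbitrary Host header would otherwise be
          # reflected straight into the Location header.
          server {
              listen {{ vip_address }}:80;
              listen [::]:80;
              server_name {{ server_name }};
              return 301 https://{{ server_name }}$request_uri;
          }

          # HTTPS server with load balancing
          server {
              listen {{ vip_address }}:443 ssl;
              listen [::]:443 ssl;
              server_name {{ server_name }};
              server_tokens off;

              ssl_certificate {{ ssl_cert_path }};
              ssl_certificate_key {{ ssl_key_path }};
              ssl_protocols TLSv1.2 TLSv1.3;
              # Forward-secret AEAD suites only; the previous HIGH:!aNULL:!MD5
              # list still admitted static-RSA key exchange and CBC suites.
              ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
              ssl_prefer_server_ciphers on;
              ssl_session_cache shared:SSL:10m;
              ssl_session_timeout 1d;
              ssl_session_tickets off;

              # HSTS header. Declared at server level: `location /` below sets
              # no add_header of its own, so it inherits this one.
              add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

              # Proxy to backend servers
              location / {
                  proxy_pass https://backend_servers;
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  # Verify the backend certificate instead of trusting whatever
                  # answers on the backend IP. The backends present the same
                  # www.au.team certificate copied above; if that certificate
                  # is CA-issued rather than self-signed, point
                  # proxy_ssl_trusted_certificate at the issuing CA instead.
                  proxy_ssl_verify on;
                  proxy_ssl_verify_depth 2;
                  proxy_ssl_trusted_certificate {{ ssl_cert_path }};
                  proxy_ssl_server_name on;
                  proxy_ssl_name {{ server_name }};
                  proxy_ssl_protocols TLSv1.2 TLSv1.3;
                  proxy_connect_timeout 10s;
                  proxy_send_timeout 30s;
                  proxy_read_timeout 30s;
              }
          }

          # Stats server (plain HTTP). The allow/deny rules sit at server level
          # so that both locations are covered, not only stub_status.
          server {
              listen {{ vip_address }}:{{ stats_port }};
              server_name {{ server_name }};
          {% for net in stats_allowed_networks %}
              allow {{ net }};
          {% endfor %}
              deny all;

              location / {
                  stub_status on;
              }
              location /haproxy_stats {
                  # default_type sets the Content-Type for `return`; add_header
                  # would have produced a second Content-Type header.
                  default_type text/plain;
                  return 200 "Nginx Stats\nActive connections: $connections_active\n";
              }
          }
        dest: /etc/nginx/sites-available/www.au.team.conf
        mode: "0644"
        backup: true
      notify: Reload nginx
      tags:
        - nginx

    - name: Enable site configuration
      ansible.builtin.file:
        src: /etc/nginx/sites-available/www.au.team.conf
        dest: /etc/nginx/sites-enabled/www.au.team.conf
        state: link
      notify: Reload nginx
      tags:
        - nginx

    - name: Remove default Nginx site
      # `state: absent` is idempotent, so no ignore_errors is needed.
      ansible.builtin.file:
        path: /etc/nginx/sites-enabled/default
        state: absent
      tags:
        - nginx

    - name: Enable and start Nginx service
      ansible.builtin.systemd:
        name: nginx
        enabled: true
        state: started
      tags:
        - nginx

  handlers:
    # Both handlers answer `notify: Reload nginx` and run in definition order,
    # so a broken config fails the play instead of being pushed to the
    # running service.
    - name: Validate nginx configuration
      ansible.builtin.command:
        cmd: nginx -t
      changed_when: false
      listen: Reload nginx

    - name: Reload nginx service
      ansible.builtin.systemd:
        name: nginx
        state: reloaded
      listen: Reload nginx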