- Jinja 81.3%
- Shell 18.7%
| inventory | ||
| roles/haproxy-server | ||
| deploy-lb.yml | ||
| get-haproxyPPAPubkey.sh | ||
| LICENSE | ||
| README.md | ||
haproxy-with-acme
Introduction
This git repository contains a skeleton for automating HAProxy deployment and automation of certificate renewal with Ansible, heavily based on an official HAProxy blog post.
It's intended for use on a single server in my own home lab, and doesn't take into account more advanced requirements, specifically HA clusters, copying certificates between active/backup nodes, etc.
The Ansible role was written for Ubuntu Server 26.04 but should be trivial to modify for other operating systems.
Prerequisites
- Python and Ansible installed on the machine from which the role should be run.
- An empty Ubuntu 26.04 server as the reverse proxy installation target.
- An account with sudo permissions on the reverse proxy.
- An ingress firewall configured to route HTTP and HTTPS traffic to the reverse proxy
- Valid DNS records pointing at the reverse proxy (or likely the ingress firewall, in case of legacy IP + NAT).
Usage
Run ./get-haproxyPPAPubkey.sh and compare the output to what's defined in the haproxy_ppa_pgp_key variable, in roles/haproxy-server/defaults/main.yml. The blank line must be replaced by a single ., and the entire key contents must be indented.
Update inventory/inventory.yml to fit your environment, creating variables to override the role defaults as necessary. At the very least ensure the acme_server, acme_email and haproxy_listener_domains variables should be updated with meaningful values.
Validate the contents of deploy_lb.yml to ensure only hosts you want to configure get hit by the playbook/role.
When you're ready to trigger the playbook, execute Ansible similar to the following:
ansible-playbook deploy-lb.yml -i inventory --ask-become-pass
Bugs and gotchas
None known, at this point.