roles/haproxy: Basic setup for HAproxy

The *haproxy* installs HAproxy and sets up basic configuration for it.
It configures the systemd unit to launch the service with the `-f
/etc/haproxy` arguments, which will cause it to load all files from the
`/etc/haproxy` directory, instead of just `/etc/haproxy/haproxy.cfg`.
This will allow other roles to add frontend and backend configuration by
adding additional files to this directory.

roles/haproxy/files/haproxy-config.conf

@@ -0,0 +1,2 @@
+[Service]
+Environment=CONFIG=/etc/haproxy

roles/haproxy/files/haproxy.cfg

@@ -0,0 +1,8 @@
+# DO NOT put HAProxy configuration in this file! The configuration is split
+# into several files:
+#
+# * 10-global.cfg: Global settings
+# * 20-defaults.cfg: Settings common to all frontends and backends
+#
+# Applications should create new files for their front- and backend
+# configuration.

roles/haproxy/handlers/main.yml

@@ -0,0 +1,10 @@
+- name: reload systemd
+  command: systemctl daemon-reload
+- name: restart haproxy
+  service:
+    name=haproxy
+    state=restarted
+- name: reload haproxy
+  service:
+    name=haproxy
+    state=reloaded

roles/haproxy/tasks/main.yml

@@ -0,0 +1,43 @@
+- name: ensure haproxy is installed
+  package:
+    name=haproxy
+    state=present
+  tags:
+  - install
+
+- name: ensure haproxy unit configuration extension directory exists
+  file:
+    path=/etc/systemd/system/haproxy.service.d
+    mode=0755
+    state=directory
+- name: ensure haproxy config variable override is set
+  copy:
+    src=haproxy-config.conf
+    dest=/etc/systemd/system/haproxy.service.d/config.conf
+    mode=0644
+  notify:
+  - reload systemd
+  - restart haproxy
+- name: ensure default haproxy configuration file is empty
+  copy:
+    src=haproxy.cfg
+    dest=/etc/haproxy
+    mode=0644
+  notify: restart haproxy
+- name: ensure haproxy global configuration is set
+  template:
+    src=global.cfg.j2
+    dest=/etc/haproxy/10-global.cfg
+    mode=0644
+  notify: restart haproxy
+- name: ensure haproxy defaults are set
+  template:
+    src=defaults.cfg.j2
+    dest=/etc/haproxy/20-defaults.cfg
+    mode=0644
+  notify: restart haproxy
+
+- name: ensure haproxy starts at boot
+  service:
+    name=haproxy
+    enabled=yes

roles/haproxy/templates/defaults.cfg.j2

@@ -0,0 +1,21 @@
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000

roles/haproxy/templates/global.cfg.j2

@@ -0,0 +1,18 @@
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    log         /dev/log local0
+
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+    # utilize system-wide crypto-policies
+    ssl-default-bind-ciphers PROFILE=SYSTEM
+    ssl-default-server-ciphers PROFILE=SYSTEM