roles/haproxy: Add support for Debian hosts

Debian does not support system-wide SSL cipher suite profiles of course,
so these options need to be specified explicitly when deploying HAProxy
on Debian-based machines.

roles/haproxy/defaults/main.yml

@@ -0,0 +1,2 @@
+haproxy_ssl_default_ciphers: '{{ haproxy_default_ssl_default_ciphers }}'
+haproxy_ssl_default_server_ciphers: '{{ haproxy_default_ssl_default_server_ciphers|d("") }}'

roles/haproxy/tasks/main.yml

@@ -1,3 +1,9 @@
+- name: load distribution-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}.yml'
+  - defaults.yml
+
 - name: ensure haproxy is installed
   package:
     name=haproxy

roles/haproxy/templates/global.cfg.j2

@@ -14,5 +14,10 @@ global
     stats socket /var/lib/haproxy/stats
 
     # utilize system-wide crypto-policies
-    ssl-default-bind-ciphers PROFILE=SYSTEM
-    ssl-default-server-ciphers PROFILE=SYSTEM
+    ssl-default-bind-ciphers {{ haproxy_ssl_default_ciphers }}
+{% if haproxy_ssl_default_server_ciphers|d %}
+    ssl-default-server-ciphers {{ haproxy_ssl_default_server_ciphers }}
+{% endif %}
+{% if haproxy_ssl_default_bind_options %}
+    ssl-default-bind-options {{ haproxy_ssl_default_bind_options }}
+{% endif %}

roles/haproxy/vars/Debian.yml

@@ -0,0 +1,2 @@
+haproxy_ssl_default_bind_options: no-sslv3
+haproxy_default_ssl_default_ciphers: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

roles/haproxy/vars/defaults.yml

@@ -0,0 +1,2 @@
+haproxy_default_ssl_default_ciphers: PROFILE=SYSTEM
+haproxy_default_ssl_default_server_ciphers: PROFILE=SYSTEM