Add haproxy_certstore feature and fix few issues

README.md

@@ -177,6 +177,21 @@ haproxy_ssl_options: no-sslv3 no-tls-tickets force-tlsv12
 haproxy_ssl_ciphers: AES128+EECDH:AES128+EDH
 haproxy_ssl: 'ssl crt {{ haproxy_ssl_certificate }} ciphers {{ haproxy_ssl_ciphers }} {{ haproxy_ssl_options }}'
 
+## Certificate Storage
+haproxy_certstore:
+  - web:
+      crt_base: /etc/ssl/
+      key_base: /etc/ssl/private/
+      load:
+        - crt "example.com_fullchain.crt" key "example.com.key" alias "example_com"
+  - internal:
+      crt_base: /etc/ssl/
+      key_base: /etc/ssl/private/
+      load:
+        - crt "example.de_fullchain.crt" key "example.de.key" alias "example_de"
+
+haproxy_ssl: 'tfo ssl crt "@web/example_com" alpn h2,http/1.1 ssl-min-ver TLSv1.2'
+
 # Docker
 # see more details in `tasks/docker.yml` and https://docs.ansible.com/ansible/latest/collections/community/general/docker_container_module.html
 haproxy_docker_name: "haproxy"

handlers/main.yml

@@ -4,10 +4,10 @@
   ansible.builtin.service:
     name: "{{ haproxy_service }}"
     state: restarted
-  when: haproxy_mode == "system"
+  when: haproxy_mode == "system" or haproxy_mode == "custom"
 
 - name: Reload haproxy
   ansible.builtin.service:
     name: "{{ haproxy_service }}"
     state: reloaded
-  when: haproxy_mode == "system"
+  when: haproxy_mode == "system" or haproxy_mode == "custom"

tasks/config.yml

@@ -1,6 +1,7 @@
 ---
 # file: roles/haproxy/tasks/config.yml
 - name: Configuring HAproxy
+  tags: [haproxy, haproxy-config]
   ansible.builtin.template:
     src: etc/haproxy/haproxy.cfg.j2
     dest: "{{ haproxy_config }}"

tasks/main.yml

@@ -33,7 +33,7 @@
 - name: Sysctl
   include_tasks: sysctl.yml
   tags: [haproxy, haproxy-sysctl]
-  when: haproxy_mode == "system"
+  when: haproxy_mode == "system" or haproxy_mode == "custom"
 
 - name: Docker
   include_tasks: docker.yml

tasks/sysctl.yml

@@ -1,17 +1,22 @@
 ---
 # file: roles/haproxy/tasks/sysctl.yml
-- name: Enabling/Disabling net.ipv4.ip_nonlocal_bind option
+- name: Enabling/Disabling net.ipvX.ip_nonlocal_bind option
+  tags: [haproxy, haproxy-sysctl]
   ansible.posix.sysctl:
-    name: net.ipv4.ip_nonlocal_bind
+    name: "{{ item }}"
     value: "1"
     sysctl_file: /etc/sysctl.d/10-ip_nonlocal_bind.conf
     sysctl_set: true
     reload: true
     state: present
+  with_items:
+    - net.ipv4.ip_nonlocal_bind
+    - net.ipv6.ip_nonlocal_bind
   notify: Restart haproxy
   when: haproxy_bind_nonlocal_ip | bool
 
 - name: Enabling/Disabling net.ipv4.ip_forward option
+  # tags: [haproxy, haproxy-sysctl]
   ansible.posix.sysctl:
     name: net.ipv4.ip_forward
     value: "1"

templates/etc/haproxy/haproxy-certstore.cfg.j2

@@ -0,0 +1,22 @@
+{% if haproxy_certstore is defined and haproxy_certstore|length %}
+##########################
+#  Certificate Storage   #
+##########################
+    {% for dict_item in haproxy_certstore %}
+        {% for name, value in dict_item.items() %}
+crt-store {{ name }}
+            {% if value.crt_base is defined %}
+    crt-base            {{ value.crt_base }}
+            {% endif %}
+            {% if value.key_base is defined %}
+    key-base  {{ value.key_base }}
+            {% endif %}
+            {% if value.load is defined %}
+                {% for load in value.load %}
+    load            {{ load }}
+                {% endfor %}
+            {% endif %}
+        {% endfor %}
+
+    {% endfor %}
+{% endif %}

templates/etc/haproxy/haproxy-global.cfg.j2

@@ -25,7 +25,9 @@ global
     gid        {{ haproxy_global_gid }}
 {% endif %}
     maxconn    {{ haproxy_global_maxconn | default('4000') }}
+{% if ansible_os_family != 'Debian' %}
     pidfile    {{ haproxy_global_pidfile | default('/var/run/haproxy.pid') }}
+{% endif %}
 {% if haproxy_global_ca_base is defined and haproxy_global_ca_base | length %}
     ca-base    {{ haproxy_global_ca_base }}
 {% endif %}
@@ -53,6 +55,9 @@ global
 {% if haproxy_global_ssl_server_verify is defined and haproxy_global_ssl_server_verify | length %}
     ssl-server-verify           {{ haproxy_global_ssl_server_verify }}
 {% endif %}
+{% if haproxy_global_limited_quic is defined and haproxy_global_limited_quic is true %}
+    limited-quic
+{% endif %}
 {% if haproxy_global_stats is defined and haproxy_global_stats | length %}
     {% for stat in haproxy_global_stats %}
     stats      {{ stat }}

templates/etc/haproxy/haproxy.cfg.j2

@@ -10,6 +10,10 @@
 
 {# USERLIST CONFIGURATION #}
 {% include 'haproxy-userlist.cfg.j2' %}
+
+{# Certificate Storage #}
+{% include 'haproxy-certstore.cfg.j2' %}
+
 {# STATS CONFIGURATION #}
 {% include 'haproxy-stats.cfg.j2' %}