Playbook #6

/home/zuul/src/opendev.org/opendev/system-config/playbooks/service-gitea-lb.yaml

Report Status CLI Date Duration Controller User Versions Hosts Plays Tasks Results Files Records
18 Jul 2025 20:47:59 +0000 00:01:10.54 bridge99.opendev.org root Ansible 2.15.13 ara 1.7.2 (client), 1.7.2 (server) Python 3.10.12 1 1 68 66 19 0

File: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/haproxy/tasks/main.yaml

# socat is installed on the host for haproxy management (per the task name).
- name: Install socat for haproxy management
  package:
    state: present
    name: socat

# Host-side directories live under /var/lib/haproxy so that the rsyslog
# apparmor rules for /var/lib/haproxy/dev/log are satisfied; inside the
# containers the /var/haproxy paths are still used.
# NOTE(review): no mode is set here, so permissions on these directories
# come from the umask at creation time (or whatever is already on disk).
- name: Ensure haproxy volume directories exists
  file:
    path: "/var/lib/haproxy/{{ item }}"
    state: directory
    owner: 1000
    group: 1000
  loop: [etc, run, dev]

# Fail early when the caller has not supplied haproxy_config_template, which
# the "Write haproxy config file" task uses as its template src.
- name: Ensure haproxy config template available
  assert:
    that:
      - 'haproxy_config_template is defined'

# Rewrites the rsyslogd AppArmor profile header to add the attach_disconnected
# flag, then reloads the profile only when the file was actually changed.
# NOTE(review): the condition compares ansible_distribution_version only and
# does not check ansible_distribution; presumably this role is applied to
# Ubuntu hosts only - confirm.
- name: Fix rsyslog apparmor profile on Noble and newer
  when: ansible_distribution_version is version('24.04', '>=')
  block:
    - name: Edit rsyslogd apparmor profile
      # attach_disconnected makes AppArmor treat paths that are disconnected
      # from the mount namespace as attached to its root instead of rejecting
      # them, so this loosens the stock rsyslogd profile. Keep the change
      # limited to this one profile.
      # NOTE(review): regexp matches only the exact stock header. If the
      # packaged header ever differs, lineinfile (no backrefs) appends `line`
      # at end of file rather than replacing it - confirm that failure mode
      # is acceptable, since the reload below would then parse a broken file.
      lineinfile:
        path: /etc/apparmor.d/usr.sbin.rsyslogd
        regexp: '^profile rsyslogd /usr/sbin/rsyslogd {'
        line: 'profile rsyslogd /usr/sbin/rsyslogd flags=(attach_disconnected) {'
      register: profile_update

    - name: Reload rsyslogd apparmor profile
      # -r replaces the already-loaded profile; skipped when nothing changed.
      command: apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd
      when: profile_update.changed

# Drop the haproxy rsyslog snippet into /etc/rsyslog.d/ as a root-owned,
# world-readable file; the registered result gates the rsyslog restart.
- name: Write rsyslog file
  copy:
    dest: /etc/rsyslog.d/
    src: rsyslog.d/49-haproxy.conf
    mode: '0644'
    owner: root
    group: root
  register: _rsyslog_added

# Runs inline rather than as a handler, so rsyslog is restarted at this point
# in the task list whenever the snippet was created or modified.
- name: Restart rsyslog if config updates
  when: _rsyslog_added.changed
  service:
    state: restarted
    name: rsyslog

# Hand /var/log/haproxy.log to the logrotate role, which is defined outside
# this file.
- name: Add haproxy log rotation
  vars:
    logrotate_file_name: '/var/log/haproxy.log'
  include_role:
    name: logrotate

# Render the caller-selected template to /var/lib/haproxy/etc/haproxy.cfg,
# owned by uid/gid 1000 like the /var/lib/haproxy directories; a change
# notifies the "Reload haproxy" handler.
# NOTE(review): mode 0644 leaves the rendered config world-readable on the
# host; confirm the template carries no credentials.
- name: Write haproxy config file
  template:
    dest: /var/lib/haproxy/etc/haproxy.cfg
    src: "{{ haproxy_config_template }}"
    mode: '0644'
    owner: 1000
    group: 1000
  notify: Reload haproxy

# Copy in testing CA so the container can see it.  When running under
# Zuul this CA is created by the test framework.  We use it to
# validate the https check path
- name: Check for OpenDev Infra CA (test only)
  # stat runs on the managed host; its result gates the copy task below.
  stat:
    path: /etc/opendev-ca/ca.crt
  register: _opendev_ca_crt
- name: Copy in OpenDev Infra CA (test only)
  # NOTE(review): copy has no remote_src, so src is read from the Ansible
  # controller while the stat above checked the managed host - presumably
  # the test framework places the CA on both; confirm.
  # NOTE(review): the only guard is that the file exists. A production host
  # with a file at this path would also get it copied next to haproxy.cfg,
  # so verify that path is absent outside of test runs.
  copy:
    src: /etc/opendev-ca/ca.crt
    dest: /var/lib/haproxy/etc/
  when: _opendev_ca_crt.stat.exists

# Root-owned directory (writable by root only) that holds the compose file
# used by the docker-compose tasks in this role.
- name: Ensure docker compose configuration directory
  file:
    state: directory
    path: /etc/haproxy-docker
    mode: '0755'
    owner: root
    group: root

# Render the compose definition as a root-owned file; a change notifies the
# "Reload haproxy" handler.
- name: Install docker-compose configuration
  template:
    dest: /etc/haproxy-docker/docker-compose.yaml
    src: docker-compose.yaml.j2
    mode: '0644'
    owner: root
    group: root
  notify: Reload haproxy

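# Fetch the images named in the compose file. The line uses no shell
# features, so the command module is used and it is not passed through
# /bin/sh.
# NOTE(review): image references live in docker-compose.yaml.j2 (not shown
# here); what gets pulled on each run depends on how they are pinned there.
- name: Run docker-compose pull
  command:
    cmd: docker-compose pull
    chdir: /etc/haproxy-docker/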

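# Start (or update) the compose services in detached mode. The line uses no
# shell features, so the command module is used and it is not passed through
# /bin/sh. The task runs on every play and always reports "changed".
- name: Run docker-compose up
  command:
    cmd: docker-compose up -d
    chdir: /etc/haproxy-docker/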

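# Remove unused images left behind after the pull; -f skips the interactive
# confirmation. The line uses no shell features, so the command module is
# used and it is not passed through /bin/sh.
- name: Run docker prune to cleanup unneeded images
  command:
    cmd: docker image prune -f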