---
# Tasks to set up haproxy

- name: Install needed packages
  ansible.builtin.package: name={{ item }} state=present
  with_items:
  - haproxy
  - socat
  tags:
  - packages
  - haproxy

- name: Install haproxy/cfg
  ansible.builtin.template: src={{ item.file }}
        dest={{ item.dest }}
        owner=root group=root mode=0600
  with_items:
  - { file: haproxy.cfg, dest: /etc/haproxy/haproxy.cfg }
  notify:
  - Restart haproxy
  tags:
  - haproxy

- name: Install limits.conf and 503.http
  ansible.builtin.copy: src={{ item.file }}
        dest={{ item.dest }}
        owner=root group=root mode=0600
  with_items:
  - { file: limits.conf, dest: /etc/security/limits.conf }
  - { file: 503.http, dest: /etc/haproxy/503.http }
  tags:
  - haproxy

- name: Install pem cert
  ansible.builtin.copy: src={{ item.file }}
        dest={{ item.dest }}
        owner=root group=root mode=0600
  with_items:
  - { file: "ipa.{{env}}-iad2.pem", dest: /etc/haproxy/ipa.pem }
  - { file: "ocp.{{env_short}}-iad2.pem", dest: "/etc/haproxy/ocp-{{env_short}}.pem" }
  tags:
  - haproxy

- name: Install ocp api pem cert
  ansible.builtin.copy: src={{ private }}/files/httpd/api-int.ocp{{ env_suffix }}.fedoraproject.org.pem
        dest=/etc/haproxy/ocp4.pem
        owner=root group=root mode=0600
  tags:
  - haproxy

- name: Install libsemanage
  ansible.builtin.package:
    state: present
    name:
    - libsemanage-python
  tags:
  - haproxy
  - selinux
  when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora')

- name: Install libsemanage in a python3 manner
  ansible.builtin.package:
    state: present
    name:
    - python3-libsemanage
  tags:
  - haproxy
  - selinux
  when: (ansible_distribution_major_version|int >= 30 and ansible_distribution == 'Fedora') or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8)

- name: Turn on certain selinux booleans so haproxy can bind to ports
  seboolean: name={{ item }} state=true persistent=true
  with_items:
  - haproxy_connect_any
  tags:
  - haproxy
  - selinux

# These following four tasks are used for copying over our custom selinux
# module.
- name: Ensure a directory exists for our custom selinux module
  ansible.builtin.file: dest=/usr/share/haproxy state=directory
  tags:
  - haproxy
  - selinux

- name: Copy over our general haproxy selinux module
  ansible.builtin.copy: src=selinux/fi-haproxy.pp dest=/usr/share/haproxy/fi-haproxy.pp
  register: fi_haproxy_module
  tags:
  - haproxy
  - selinux

- name: Check to see if its even installed yet
  ansible.builtin.shell: semodule -l | grep fi-haproxy | wc -l
  register: fi_haproxy_grep
  check_mode: no
  changed_when: "'0' in fi_haproxy_grep.stdout"
  tags:
  - haproxy
  - selinux

- name: Install our general haproxy selinux module
  ansible.builtin.command: semodule -i /usr/share/haproxy/fi-haproxy.pp
  when: fi_haproxy_module is changed or fi_haproxy_grep is changed
  tags:
  - haproxy
  - selinux


- name: Check haproxy cfg to make sure it is valid
  ansible.builtin.command: haproxy -c -f /etc/haproxy/haproxy.cfg
  check_mode: no
  register: haproxyconfigcheck
  changed_when: haproxyconfigcheck.rc != 0
  tags:
  - haproxy

- name: Make sure haproxy is awake and reporting for duty
  service: name=haproxy state=started enabled=yes
  tags:
  - haproxy