Feat(domserver): add haproxy support

roles/configure_haproxy/files/haproxy.cfg

@@ -0,0 +1,52 @@
+global
+    default-path config
+    #zero-warning
+    maxconn     20000
+    log         127.0.0.1 local0
+    user        haproxy
+    #pidfile     /run/haproxy.pid
+    hard-stop-after 5m
+    daemon
+    user haproxy
+    group haproxy
+
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+# default settings common to all HTTP proxies below
+defaults
+    mode http
+    log global
+    timeout client 1m
+    timeout server 1m
+    timeout connect 10s
+    timeout http-keep-alive 2m
+    timeout queue 15s
+    timeout tunnel 4h  # for websocket
+
+frontend external
+    bind :443 name secure ssl crt /etc/haproxy/cert.pem
+
+.if feature(QUIC)
+    bind quic4@:443 name quic ssl crt /etc/haproxy/cert.pem
+    http-response add-header alt-svc 'h3=":443"; ma=90000'
+.endif
+    
+    http-request redirect scheme https code 308 unless { ssl_fc }
+    http-request del-header x-forwarded-for
+    option forwardfor
+    option httplog
+
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+
+    # enable HTTP compression of text contents
+    compression algo deflate gzip
+    compression type text/ application/javascript application/xhtml+xml image/x-icon
+
+    default_backend domserver
+
+backend domserver
+    balance leastconn
+    option abortonclose
+    server gitea1 127.0.0.1:8080 maxconn 100 check inter 1s

roles/configure_haproxy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart haproxy
+  ansible.builtin.systemd_service:
+    name: haproxy.service
+    state: restarted

roles/configure_haproxy/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Update package cache
+  community.general.pacman:
+    update_cache: true
+- name: Install haproxy
+  community.general.pacman:
+    pkg:
+      - haproxy
+  notify: Upgrade packages
+
+- name: Install haproxy.cfg
+  ansible.builtin.copy:
+    src: haproxy.cfg
+    dest: /etc/haproxy/haproxy.cfg
+    mode: '0644'
+    owner: haproxy
+    group: haproxy
+  notify: Restart haproxy
+- name: Prompt for manually install cert
+  ansible.builtin.pause:
+    prompt: "Make sure the cert and key pair are store in /etc/haproxy/cert.pem"
+
+- name: Enable and start haproxy
+  ansible.builtin.systemd_service:
+    name: haproxy.service
+    state: started
+    enabled: true