From 4c6df5199e6267adbd7ac3dd990cf2d4808c9e9a Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 5 Jul 2016 12:45:01 +0200 Subject: [PATCH] library/roles/haproxy: Support floating IPs via net.ipv4.ip_nonlocal_bind. Enabled by default. --- haproxy/defaults/main.yml | 1 + haproxy/tasks/haproxy-service.yml | 25 ++++++++++--------------- haproxy/tasks/main.yml | 18 ++++++++++++++++++ 3 files changed, 29 insertions(+), 15 deletions(-) diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index b7741d6..8254b91 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -6,6 +6,7 @@ haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codena haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}" haproxy_pkg_state: latest haproxy_enabled: True +haproxy_k_bind_non_local_ip: True haproxy_default_port: 80 haproxy_terminate_tls: False diff --git a/haproxy/tasks/haproxy-service.yml b/haproxy/tasks/haproxy-service.yml index 773e234..83770fa 100644 --- a/haproxy/tasks/haproxy-service.yml +++ b/haproxy/tasks/haproxy-service.yml 
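Review bot: Defaulting `haproxy_k_bind_non_local_ip` to `True` in haproxy/defaults/main.yml turns on `net.ipv4.ip_nonlocal_bind` on every host that applies this role, including hosts that have no floating IP. The sysctl is not scoped to haproxy: once set, any process on the host may bind to an address the host does not own. I would make it opt-in with `haproxy_k_bind_non_local_ip: False`. I would also add a comment above the variable, for example `# Sets net.ipv4.ip_nonlocal_bind host-wide; enable only on nodes that share a floating IP`.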
@@ -40,20 +40,15 @@ register: install_haproxy tags: haproxy -- name: Ensure that haproxy is enabled and started - service: name=haproxy state=started enabled=yes - when: haproxy_enabled - ignore_errors: True - tags: haproxy +- name: Enable kernel binding non local IP addresses + sysctl: name={{ item }} value=1 reload=yes state=present + with_items: + - net.ipv4.ip_nonlocal_bind + when: haproxy_k_bind_non_local_ip -- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient - service: name=rsyslog state=restarted - when: - - haproxy_enabled - - ( install_haproxy | changed ) - tags: haproxy +- name: Disable kernel binding non local IP addresses + sysctl: name={{ item }} value=0 reload=yes state=present + with_items: + - net.ipv4.ip_nonlocal_bind + when: not haproxy_k_bind_non_local_ip -- name: Ensure that haproxy is stopped and disabled if needed - service: name=haproxy state=stopped enabled=no - when: not haproxy_enabled - tags: haproxy diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 8c2f9fd..0de9040 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -8,3 +8,21 @@ when: - haproxy_letsencrypt_managed - letsencrypt_acme_install is defined + +- name: Ensure that haproxy is enabled and started + service: name=haproxy state=started enabled=yes + when: haproxy_enabled + ignore_errors: True + tags: haproxy + +- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient + service: name=rsyslog state=restarted + when: + - haproxy_enabled + - ( install_haproxy | changed ) + tags: haproxy + +- name: Ensure that haproxy is stopped and disabled if needed + service: name=haproxy state=stopped enabled=no + when: not haproxy_enabled + tags: haproxy
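Review bot: The two added sysctl tasks in haproxy/tasks/haproxy-service.yml have no `tags: haproxy`, unlike the tasks around them. A run limited with `--tags haproxy` would therefore start the service without applying the kernel setting. Adding `tags: haproxy` to both fixes that. Writing the conditions as `when: haproxy_k_bind_non_local_ip | bool` and `when: not (haproxy_k_bind_non_local_ip | bool)` keeps a value passed as a string on the command line from being misread. The "Disable" task also forces `net.ipv4.ip_nonlocal_bind` to 0 whenever the variable is false, which would undo the setting for any other service on the same host that relies on it, so a comment on that task should state that this is intended.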
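Review bot: `ignore_errors: True` on the "Ensure that haproxy is enabled and started" task, now in haproxy/tasks/main.yml, lets the play succeed when haproxy fails to start, for instance because it cannot bind one of its addresses. This commit exists to make those binds work, so I would drop `ignore_errors` here, or `register` the result and fail with an explicit message, so that a proxy that is down is noticed at deploy time. The rsyslog restart still tests `( install_haproxy | changed )`, which is registered in haproxy-service.yml. The hunk starts at line 8, so the include is not visible; if it can be skipped, the condition needs an `install_haproxy is defined` guard before it.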