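---
# Forces HTTPS on an HAProxy host: the plain-HTTP ingress frontend is
# commented out and replaced by a port-80 listener that only answers with a
# redirect to HTTPS. Port 80 therefore stays reachable, but no longer proxies
# traffic to a backend.
#
# XXX: This role is completely ROL-specific and requires HAProxy already
#      deployed on the target host, using a very specific config file format.
#
# NOTE(review): neither task checks the edited file before the handler
# restarts HAProxy, so a broken config would only surface as a failed restart.
# Both modules accept a `validate` option that could run HAProxy's check mode
# (`haproxy -c -f %s`) - confirm the binary path on the target first.
#
# NOTE(review): a redirect still lets the first request arrive in clear text.
# An HSTS header on the HTTPS frontend would narrow that window; that frontend
# is not managed by this file.

- name: Ensure the entire insecure frontend section is commented out.
  become: true
  ansible.builtin.replace:
    path: /etc/haproxy/haproxy.cfg
    # Only the text between these two marker comments is rewritten.
    # NOTE(review): if either marker is missing from haproxy.cfg there is
    # nothing to match and the task presumably reports "ok" while the
    # plain-HTTP frontend stays active - verify on the target.
    after: "# round robin balancing for OCP4 Ingress Insecure Port"
    before: "# round robin balancing for OCP4 Ingress Secure Port"
    # Prefix every line that does not already start with '#'. The newline is
    # excluded from the class so that empty lines, and the line break right
    # after the 'after' marker, are not rewritten into stray '#' characters.
    regexp: '^([^#\n])'
    replace: '#\g<1>'
  notify:
    - restart haproxy

- name: Ensure there is a redirect block for incoming requests on 80.
  become: true
  ansible.builtin.blockinfile:
    path: /etc/haproxy/haproxy.cfg
    # The START/END marker lines let later runs find and update this block
    # instead of appending a second copy.
    marker: "# {mark} FRONTEND REDIRECT FOR INSECURE HTTP"
    marker_begin: "START"
    marker_end: "END"
    insertafter: EOF
    # The bind address is hard-coded for this environment.
    # NOTE(review): this bind has no `ssl` keyword, so `ssl_fc` should never
    # be true here and every request gets the 301.
    block: |
      frontend ingress_insecure_redirect
          bind 192.168.50.254:80
          mode http
          http-request redirect scheme https code 301 unless { ssl_fc }
  notify:
    - restart haproxy
...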