artefactual-labs
diff --git a/‎README.md‎
Lines changed: 29 additions & 3 deletions b/‎README.md‎
Lines changed: 29 additions & 3 deletions
diff --git a/‎defaults/main.yml‎
Lines changed: 11 additions & 22 deletions b/‎defaults/main.yml‎
Lines changed: 11 additions & 22 deletions
diff --git a/‎tasks/config.yml‎
Lines changed: 20 additions & 0 deletions b/‎tasks/config.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎tasks/haproxy.yml‎
Lines changed: 8 additions & 0 deletions b/‎tasks/haproxy.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎tasks/install-debian.yml‎
Lines changed: 6 additions & 0 deletions b/‎tasks/install-debian.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎tasks/install-redhat.yml‎
Lines changed: 27 additions & 20 deletions b/‎tasks/install-redhat.yml‎
Lines changed: 27 additions & 20 deletions
diff --git a/‎tasks/install.yml‎
Lines changed: 6 additions & 0 deletions b/‎tasks/install.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎tasks/main.yml‎
Lines changed: 22 additions & 0 deletions b/‎tasks/main.yml‎
Lines changed: 22 additions & 0 deletions
@@ -51,16 +51,24 @@ required repositories configured.
 | Variable | Default | Description |
 | --- | --- | --- |
 | `haproxy_decision_manage_repo` | `true` | Toggle repository management. |
-| `haproxy_decision_haproxy_package` | `haproxy` | Package name used to install HAProxy. Override if you need a specific NEVRA. |
+| `haproxy_decision_haproxy_repo` | `artefactual-labs/haproxy-el-packaging` | GitHub repository hosting the HAProxy RPM release assets. |
+| `haproxy_decision_haproxy_version` | `2.8.16` | Release tag used to compose download URLs for HAProxy RPMs. |
+| `haproxy_decision_haproxy_release_number` | `1` | Packaging release identifier appended to the RPM name (e.g. `-1.el9`). |
+| `haproxy_decision_haproxy_rpm_arch` | `x86_64` | Architecture suffix used when deriving the default RPM filename. |
+| `haproxy_decision_haproxy_rpm` | `""` | Optional override for the full HAProxy RPM filename. Leave empty to derive `haproxy-<version>-<release>.el<major>.<arch>.rpm` automatically. |
+| `haproxy_decision_haproxy_checksums` | `{}` | Optional checksum map keyed by EL major version (e.g. `"9": "sha256:..."`). |
+| `haproxy_decision_spoa_releases` | see defaults | Mapping keyed by SPOA name (`decision`, `coraza`, `cookie_guard`) that exposes per-OS package URLs (`rh_package_url`, `debian_package_url`, or `package_urls.*`) plus optional checksum settings (`use_checksum`, `checksums_url`, `checksums`). Override entries to point at your own builds. |
+| `haproxy_decision_haproxy_package` | `haproxy` | (Debian/Ubuntu) Package name used with `apt`. Override if you need a specific NEVRA. |
 | `haproxy_decision_manage_config` | `true` | When `true` the role renders `haproxy.cfg` from `templates/haproxy.cfg.j2`. |
 | `haproxy_decision_global_settings` / `haproxy_decision_defaults_settings` | see defaults | Lists of directives written to the `global` and `defaults` sections. |
 | `haproxy_decision_listeners`, `haproxy_decision_frontends`, `haproxy_decision_backends` | `[]` | Optional lists of sections appended to the generated configuration. |
-| `haproxy_decision_spoas` | see defaults | Dictionary describing each SPOA daemon. Set `enabled: true` to activate one, and override `backend`, `env_opts`, or template-specific options as required. |
+| `haproxy_decision_spoas` | see defaults | Dictionary describing each SPOA daemon. Set `enabled: true` to activate one, adjust service/backend data, and rely on `haproxy_decision_spoa_releases` for download metadata when installing from GitHub releases. |
 | `haproxy_decision_manage_spoa_configs` | `true` | Controls whether the role writes SPOE configuration snippets. |
 | `haproxy_decision_manage_spoa_env` | `true` | Controls whether `/etc/default/*` files are managed for SPOAs. |
 | `haproxy_decision_manage_spoa_services` | `true` | Enable or disable service/timer management for SPOAs. |
 | `haproxy_decision_coraza_spoa_relax_systemd` | `false` | When `true` the role installs a systemd drop-in that removes the `BindReadOnlyPaths=-/etc/ld.so.cache` restriction from the `coraza-spoa` service. |
-| `haproxy_decision_release_url_template` | `https://github.com/{repo}/releases/download/{version}/{asset}` | Template used to compose download URLs for HAProxy RPM assets. Override when mirroring artifacts to a private host. The default asset map expects keys matching the OS major version (e.g. `"8"`, `"9"`). |
+| `haproxy_decision_release_url_template` | `https://github.com/{repo}/releases/download/{version}/{asset}` | Base template used to compose download URLs for GitHub releases. |
+| `haproxy_decision_haproxy_url_template` | `haproxy_decision_release_url_template` | Template applied to HAProxy downloads. Package entries may override it per release. |
 | `haproxy_decision_rhel_disable_gpg_check` | `false` | Disable RPM signature verification for HAProxy and SPOA downloads (useful in CI if upstream artifacts are unsigned). |
 | `haproxy_decision_spoa_release_url_template` | same as above | Base template used for SPOA downloads. Individual entries may override it with `haproxy_decision_spoas.<name>.release.url_template`. |
 
@@ -115,9 +123,27 @@ Each SPOA definition accepts overrides that feed directly into the templates:
 - Override runtime arguments through `env_opts`.
 - Inject extra HAProxy directives with `spoa.backend.extra_lines` or
   `spoa.extra_config`.
+- Provide direct package URLs via `haproxy_decision_spoa_releases.<name>` when
+  you need to source binaries from somewhere other than the defaults.
 - Supply additional messages or groups for the Cookie Guard SPOA using the
   `messages` or `group_definitions` structures.
 
+Example release override:
+
+```yaml
+haproxy_decision_spoa_releases:
+  decision:
+    rh_package_url: https://downloads.example.com/decision-spoa-1.2.3-2.el9.x86_64.rpm
+    debian_package_url: https://downloads.example.com/decision-spoa_1.2.3_amd64.deb
+    use_checksum: true
+    checksums_url: https://downloads.example.com/decision-spoa-1.2.3.sha256
+```
+
+Legacy overrides that supply `haproxy_decision_spoas.<name>.release.assets`
+still work, but migrating to the central `haproxy_decision_spoa_releases`
+structure keeps package metadata in a single place.
+```
+
 If a more drastic change is required, point `config_template` or `env_template`
 to a custom template shipped alongside your playbook.
 
 
@@ -2,15 +2,19 @@
 haproxy_decision_manage_repo: true
 
 haproxy_decision_rhel_download_dir: /var/cache/ansible/haproxy-decision
-haproxy_decision_haproxy_release:
-  repo: artefactual-labs/haproxy-el-packaging
-  version: "2.8.16"
-  assets:
-    "8": haproxy-2.8.16-1.el8.x86_64.rpm
-    "9": haproxy-2.8.16-1.el9.x86_64.rpm
-  checksums: {}
+haproxy_decision_haproxy_repo: artefactual-labs/haproxy-el-packaging
+haproxy_decision_haproxy_version: "2.8.16"
+haproxy_decision_haproxy_release_number: "1"
+haproxy_decision_haproxy_rpm: ""
+haproxy_decision_haproxy_rpm_arch: x86_64
+haproxy_decision_haproxy_checksums: {}
 haproxy_decision_rhel_disable_gpg_check: false
 haproxy_decision_release_url_template: "https://github.com/{repo}/releases/download/{version}/{asset}"
+haproxy_decision_haproxy_url_template: "{{ haproxy_decision_release_url_template }}"
+haproxy_decision_spoa_releases:
+  decision: {}
+  coraza: {}
+  cookie_guard: {}
 
 haproxy_decision_apt_repos: []
 haproxy_decision_ubuntu_repo: "ppa:vbernat/haproxy-2.8"
@@ -121,11 +125,6 @@ haproxy_decision_spoas:
       - "--metrics-host-label"
     config_template: spoa/decision-spoa.cfg.j2
     config_path: "{{ haproxy_decision_spoe_configs_dir }}/decision-spoa.cfg"
-    release:
-      repo: artefactual-labs/decision-spoa
-      version: ""
-      assets: {}
-      checksums: {}
     backend:
       name: decision_spoa_backend
       balance: roundrobin
@@ -147,11 +146,6 @@ haproxy_decision_spoas:
       - "-config /etc/coraza-spoa/config.yaml"
     config_template: spoa/coraza-spoa.cfg.j2
     config_path: "{{ haproxy_decision_spoe_configs_dir }}/coraza-spoa.cfg"
-    release:
-      repo: artefactual-labs/coraza-spoa-crs-package
-      version: ""
-      assets: {}
-      checksums: {}
     backend:
       name: coraza_spoa_backend
       balance: roundrobin
@@ -177,11 +171,6 @@ haproxy_decision_spoas:
       - "-expected-len 168"
     config_template: spoa/cookie-guard-spoa.cfg.j2
     config_path: "{{ haproxy_decision_spoe_configs_dir }}/cookie-guard-spoa.cfg"
-    release:
-      repo: artefactual-labs/cookie-guard-spoa
-      version: ""
-      assets: {}
-      checksums: {}
     backend:
       name: cookie_guard_spoa_backend
       balance: roundrobin
 
@@ -6,6 +6,10 @@
     owner: "{{ haproxy_decision_config_owner }}"
     group: "{{ haproxy_decision_config_group }}"
     mode: "0755"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-files
 
 - name: Ensure SPOE configuration directory exists
   ansible.builtin.file:
@@ -14,6 +18,10 @@
     owner: "{{ haproxy_decision_config_owner }}"
     group: "{{ haproxy_decision_config_group }}"
     mode: "0750"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-files
 
 - name: Ensure HAProxy runtime directory exists
   ansible.builtin.file:
@@ -22,6 +30,10 @@
     owner: "{{ haproxy_decision_runtime_dir_owner }}"
     group: "{{ haproxy_decision_runtime_dir_group }}"
     mode: "{{ haproxy_decision_runtime_dir_mode }}"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-files
 
 - name: Apply SELinux port labels for HAProxy
   community.general.seport:
@@ -35,6 +47,10 @@
   when:
     - haproxy_decision_selinux_port_labels | length > 0
     - ansible_selinux.status | default('disabled') == 'enabled'
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-selinux
 
 - name: Apply SELinux booleans for HAProxy
   ansible.posix.seboolean:
@@ -47,3 +63,7 @@
   when:
     - haproxy_decision_selinux_booleans | length > 0
     - ansible_selinux.status | default('disabled') == 'enabled'
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-selinux
@@ -1,6 +1,10 @@
 - name: Ensure HAProxy binary has CAP_NET_BIND_SERVICE
   become: true
   when: haproxy_decision_setcap_net_bind_service | bool
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-haproxy
   block:
     - name: Check HAProxy binary capabilities
       ansible.builtin.command: "getcap {{ haproxy_decision_binary_path }}"
@@ -21,3 +25,7 @@
     mode: "{{ haproxy_decision_config_mode }}"
   when: haproxy_decision_manage_config | bool
   notify: reload haproxy
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-haproxy
@@ -4,9 +4,15 @@
     name: "{{ haproxy_decision_haproxy_package }}"
     state: "{{ haproxy_decision_package_state }}"
   register: haproxy_decision_package_result
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
 
 - name: Install additional HAProxy dependencies
   ansible.builtin.package:
     name: "{{ haproxy_decision_extra_packages }}"
     state: "{{ haproxy_decision_package_state }}"
   when: haproxy_decision_extra_packages | length > 0
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
@@ -1,46 +1,53 @@
----
-- name: Determine HAProxy release asset for EL{{ haproxy_decision_rhel_major_version }}
+- name: Capture HAProxy RPM filename
   ansible.builtin.set_fact:
-    haproxy_decision_haproxy_asset: "{{ haproxy_decision_haproxy_release.assets[haproxy_decision_rhel_major_version] | default('') }}"
-
-- name: Ensure HAProxy release asset is defined
-  ansible.builtin.assert:
-    that:
-      - haproxy_decision_haproxy_asset | length > 0
-    fail_msg: >-
-      No HAProxy RPM asset configured for EL{{ haproxy_decision_rhel_major_version }}.
-      Override haproxy_decision_haproxy_release.assets with the filename published in
-      the haproxy-el-packaging release.
+    haproxy_decision_haproxy_filename: "{{ haproxy_decision_haproxy_rpm_effective | trim }}"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
 
 - name: Determine HAProxy release download URL
   ansible.builtin.set_fact:
     haproxy_decision_haproxy_asset_url: >-
-      {{ (haproxy_decision_haproxy_release.url_template
-          | default(haproxy_decision_release_url_template))
-         | replace('{repo}', haproxy_decision_haproxy_release.repo)
-         | replace('{version}', haproxy_decision_haproxy_release.version)
-         | replace('{asset}', haproxy_decision_haproxy_asset) }}
+      {{
+        (haproxy_decision_haproxy_url_template
+         | replace('{repo}', haproxy_decision_haproxy_repo | trim)
+         | replace('{version}', haproxy_decision_haproxy_version | trim)
+         | replace('{asset}', haproxy_decision_haproxy_filename | trim)
+        ) | trim
+      }}
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
 
 - name: Download HAProxy release artifact
   ansible.builtin.get_url:
     url: "{{ haproxy_decision_haproxy_asset_url }}"
-    dest: "{{ haproxy_decision_rhel_download_dir }}/{{ haproxy_decision_haproxy_asset }}"
+    dest: "{{ (haproxy_decision_rhel_download_dir ~ '/' ~ haproxy_decision_haproxy_filename) | trim }}"
     mode: "0644"
-    checksum: "{{ haproxy_decision_haproxy_release.checksums[haproxy_decision_rhel_major_version] | default(omit) }}"
+    checksum: "{{ haproxy_decision_haproxy_checksums[haproxy_decision_rhel_major_version] | default(omit) }}"
   register: haproxy_decision_haproxy_download
   retries: "{{ haproxy_decision_download_retries }}"
   delay: "{{ haproxy_decision_download_delay }}"
   until: haproxy_decision_haproxy_download is succeeded
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
 
 - name: Install HAProxy from downloaded RPM
   ansible.builtin.dnf:
-    name: "{{ haproxy_decision_rhel_download_dir }}/{{ haproxy_decision_haproxy_asset }}"
+    name: "{{ (haproxy_decision_rhel_download_dir ~ '/' ~ haproxy_decision_haproxy_filename) | trim }}"
     state: "{{ haproxy_decision_package_state }}"
     disable_gpg_check: "{{ haproxy_decision_rhel_disable_gpg_check | bool }}"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
 
 - name: Install additional HAProxy dependencies
   ansible.builtin.dnf:
     name: "{{ haproxy_decision_extra_packages }}"
     state: "{{ haproxy_decision_package_state }}"
     disable_gpg_check: "{{ haproxy_decision_rhel_disable_gpg_check | bool }}"
   when: haproxy_decision_extra_packages | length > 0
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
@@ -2,7 +2,13 @@
 - name: Install HAProxy packages on Debian-based systems
   ansible.builtin.include_tasks: install-debian.yml
   when: ansible_os_family == "Debian"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
 
 - name: Install HAProxy packages on Red Hat-based systems
   ansible.builtin.include_tasks: install-redhat.yml
   when: ansible_os_family == "RedHat"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
@@ -6,21 +6,43 @@
     fail_msg: >-
       ansible-haproxy-decision only supports RedHat and Debian families.
       Detected: {{ ansible_os_family }}
+  tags:
+    - haproxy-decision
+    - haproxy-decision-verify
 
 - name: Include platform setup tasks
   ansible.builtin.include_tasks: "setup-{{ ansible_os_family | lower }}.yml"
+  tags:
+    - haproxy-decision
+    - haproxy-decision-setup
 
 - name: Install HAProxy packages
   ansible.builtin.include_tasks: install.yml
+  tags:
+    - haproxy-decision
+    - haproxy-decision-install
 
 - name: Prepare HAProxy layout and configuration files
   ansible.builtin.include_tasks: config.yml
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
 
 - name: Configure optional SPOA services
   ansible.builtin.include_tasks: spoa.yml
+  tags:
+    - haproxy-decision
+    - haproxy-decision-spoa
 
 - name: Render HAProxy configuration
   ansible.builtin.include_tasks: haproxy.yml
+  tags:
+    - haproxy-decision
+    - haproxy-decision-config
+    - haproxy-decision-haproxy
 
 - name: Ensure services are enabled and running
   ansible.builtin.include_tasks: services.yml
+  tags:
+    - haproxy-decision
+    - haproxy-decision-services