aboutsummaryrefslogtreecommitdiffstats
path: root/roles/relayd/templates
diff options
context:
space:
mode:
authorRomain Gonçalves <me@rgoncalves.se>2023-01-13 00:15:52 +0100
committerRomain Gonçalves <me@rgoncalves.se>2023-04-02 11:45:09 +0200
commit28332d389dd3644aeb3973d4ca472820f6b45b07 (patch)
treec458ec9899a90942e726ed92f2c1a49e99d1f805 /roles/relayd/templates
parent1ff0fc1803fc71d925a0f2d0cf9c27058914044a (diff)
downloadrules-28332d389dd3644aeb3973d4ca472820f6b45b07.tar.gz
feat(roles/relayd): add argument specs
Diffstat (limited to 'roles/relayd/templates')
-rw-r--r--roles/relayd/templates/relayd.conf.j238
1 files changed, 17 insertions, 21 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index b66ffa7..67b9e13 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -6,10 +6,11 @@ log connection errors
# hosts
table <local> { 127.0.0.1 }
-{% call(h) macros.loop_valid_hosts("servers") -%}
-table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} }
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
-table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} }
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
+table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} }
+{% for rule in h.relayd_rules %}
+table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
{% endfor %}
{%- endcall %}
@@ -17,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} }
http protocol "https" {
- tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
- tls ecdhe "P-384,P-256,X25519"
+ tls ciphers "{{ relayd_tls_ciphers | join(':') }}"
+ tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}"
tcp { sack, backlog 128 }
@@ -31,13 +32,10 @@ http protocol "https" {
match response header set "Referrer-Policy" value "no-referrer"
match response header set "X-XSS-Protection" value "1; mode=block"
- tls keypair "{{ relayd_domain_name }}"
- pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
-{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
- {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
- tls keypair "{{ domain_name }}"
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% for rule in h.relayd_rules %}
+ tls keypair "{{ rule.domain }}"
+ pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
@@ -50,11 +48,9 @@ http protocol "http" {
# acme
pass request quick path "/.well-known/acme-challenge/*" forward to <local>
- pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
-{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
- {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% for rule in h.relayd_rules %}
+ pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
@@ -74,9 +70,9 @@ relay "wwwtls" {
listen on egress port 443 tls
protocol "https"
forward to <local> port 80 check http "/" code 200
-{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
- forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> port {{ rules.port }} check tcp
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% for rule in h.relayd_rules %}
+ forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
{% endfor %}
{%- endcall %}
}
remember that computers suck.