refactor(roles): new variable naming standard

author: Romain Gonçalves <me@rgoncalves.se> 2024-02-08 13:32:37 +0100
committer: Romain Gonçalves <me@rgoncalves.se> 2024-02-08 13:33:36 +0100
commit: adfb09b9e19f7a31632eab01171693cb81ec75ef (patch)
tree: 7b05135581ff49e7a5655ab07af7bba2ada43585 /roles/relayd
parent: 5c5b0fbf68dca224b7f92f5de0913fd684e7d3d9 (diff)
download: rules-adfb09b9e19f7a31632eab01171693cb81ec75ef.tar.gz
4 files changed, 47 insertions, 46 deletions
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 998ff5c..17d325d 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -1,19 +1,19 @@
 ---
 
-relayd_rules: {}
+relayd__rules: {}
 
-relayd_configuration_file: /etc/relayd.conf
-relayd_block_msg: aah!
+relayd__configuration_file: /etc/relayd.conf
+relayd__block_msg: aah!
 
-relayd_ssl_certificates_dir: /etc/ssl
-relayd_ssl_keys_dir: /etc/ssl/private
+relayd__ssl_certificates_dir: /etc/ssl
+relayd__ssl_keys_dir: /etc/ssl/private
 
-relayd_tls_ciphers:
+relayd__tls_ciphers:
   - HIGH
   - "!AES128"
   - "!kRSA"
   - "!aNULL"
-relayd_tls_elliptic_curves:
+relayd__tls_elliptic_curves:
   - P-384
   - P-256
   - X25519
diff --git a/roles/relayd/meta/main.yml b/roles/relayd/meta/main.yml
index e2da9c2..64efc3a 100644
--- a/roles/relayd/meta/main.yml
+++ b/roles/relayd/meta/main.yml
@@ -5,7 +5,7 @@ argument_specs:
     short_description: relayd main entrypoint.
     options:
 
-      relayd_rules:
+      relayd__rules:
         type: list
         elements: dict
         required: true
@@ -23,22 +23,22 @@ argument_specs:
             required: true
             description: Port to be configured
 
-      relayd_configuration_file:
+      relayd__configuration_file:
         type: path
         required: true
         description: Relayd configuration file
 
-      relayd_domain_name:
+      relayd__domain_name:
         type: str
         required: true
         description: Relayd domain name
 
-      relayd_connected_hosts:
+      relayd__connected_hosts:
         type: str
         required: true
         description: Group name of hosts that are behind relayd
 
-      relayd_tls_ciphers:
+      relayd__tls_ciphers:
         type: list
         elements: str
         required: true
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index 1346675..6485eb2 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -8,57 +8,57 @@
       -newkey rsa:4096
       -nodes
       -subj "/CN={{ item.domain }}"
-      -keyout {{ relayd_ssl_keys_dir }}/{{ item.domain }}.key
-      -out {{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem
-    creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
-  loop: "{{ relayd_rules }}"
+      -keyout {{ relayd__ssl_keys_dir }}/{{ item.domain }}.key
+      -out {{ relayd__ssl_certificates_dir }}/{{ item.domain }}.pem
+    creates: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key"
+  loop: "{{ relayd__rules }}"
 
 - name: apply restrictive permissions on ssl keys
   ansible.builtin.file:
-    path: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+    path: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key"
     owner: 0
     group: 0
     mode: "0600"
-  loop: "{{ relayd_rules }}"
+  loop: "{{ relayd__rules }}"
 
 - name: retrieve certificate files
   ansible.builtin.stat:
-    path: "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.crt"
-  loop: "{{ relayd_rules }}"
-  register: relayd_result_stat_certificates
+    path: "{{ relayd__ssl_certificates_dir }}/{{ item.domain }}.crt"
+  loop: "{{ relayd__rules }}"
+  register: relayd__result_stat_certificates
 
 - name: link pem files to certificate files if required
   ansible.builtin.file:
-    src: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.pem"
+    src: "{{ relayd__ssl_certificates_dir }}/{{ item.item.domain }}.pem"
     dest: "{{ item.invocation.module_args.path }}"
     owner: 0
     group: 0
     state: link
   when: not item.stat.exists
-  loop: "{{ relayd_result_stat_certificates.results }}"
+  loop: "{{ relayd__result_stat_certificates.results }}"
 
 - name: generate relayd configuration
   ansible.builtin.template:
     src: relayd.conf.j2
-    dest: "{{ relayd_configuration_file }}"
+    dest: "{{ relayd__configuration_file }}"
     owner: 0
     group: 0
     mode: "0640"
-  register: relayd_result_generate_configuration
+  register: relayd__result_generate_configuration
 
 - name: lint relayd configuration
-  ansible.builtin.command: "relayd -nf {{ relayd_configuration_file }}"
-  register: relayd_result_lint_configuration
+  ansible.builtin.command: "relayd -nf {{ relayd__configuration_file }}"
+  register: relayd__result_lint_configuration
   changed_when:
-    - relayd_result_generate_configuration.changed
-    - relayd_result_lint_configuration.rc != 0
+    - relayd__result_generate_configuration.changed
+    - relayd__result_lint_configuration.rc != 0
 
 - name: restart relayd  # noqa: no-handler
   ansible.builtin.service:
     name: relayd
     state: restarted
-  when: relayd_result_generate_configuration.changed
-    or relayd_result_lint_configuration.changed
+  when: relayd__result_generate_configuration.changed
+    or relayd__result_lint_configuration.changed
 
 - name: enable relayd
   ansible.builtin.service:
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 67b9e13..4169251 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -6,11 +6,11 @@ log connection errors
 
 # hosts
 table <local> { 127.0.0.1 }
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
-table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} }
-{% for rule in h.relayd_rules %}
-table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
+table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} }
+{% for rule in h.relayd__rules %}
+table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }
 {% endfor %}
 {%- endcall %}
 
@@ -18,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
 
 http protocol "https" {
 	
-	tls ciphers "{{ relayd_tls_ciphers | join(':') }}"
-	tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}"
+	tls ciphers "{{ relayd__tls_ciphers | join(':') }}"
+	tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"
 
 	tcp { sack, backlog 128 }
 
@@ -27,19 +27,20 @@ http protocol "https" {
 	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
 	match request header set "Connection" value "close"
 	match request header set "X-Forwarded-Proto" value "https"
-	match request header set "X-Forwarded-Port" value "443"
+	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
+	match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
 	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
 	match response header set "Referrer-Policy" value "no-referrer"
 	match response header set "X-XSS-Protection" value "1; mode=block"
 
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 	tls keypair "{{ rule.domain }}"
 	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %}
 
-	block label "{{ relayd_block_msg }}"
+	block label "{{ relayd__block_msg }}"
 	return error
 }
 
@@ -48,8 +49,8 @@ http protocol "http" {
 	# acme
 	pass request quick path "/.well-known/acme-challenge/*" forward to <local>
 
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 	pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %}
@@ -70,8 +71,8 @@ relay "wwwtls" {
 	listen on egress port 443 tls
 	protocol "https"
 	forward to <local> port 80 check http "/" code 200
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 	forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
 {% endfor %}
 {%- endcall %}
author	Romain Gonçalves <me@rgoncalves.se>	2024-02-08 13:32:37 +0100
committer	Romain Gonçalves <me@rgoncalves.se>	2024-02-08 13:33:36 +0100
commit	adfb09b9e19f7a31632eab01171693cb81ec75ef (patch)
tree	7b05135581ff49e7a5655ab07af7bba2ada43585 /roles/relayd
parent	5c5b0fbf68dca224b7f92f5de0913fd684e7d3d9 (diff)
download	rules-adfb09b9e19f7a31632eab01171693cb81ec75ef.tar.gz