authorRomain Gonçalves <me@rgoncalves.se>2022-12-17 21:59:58 +0100
committerRomain Gonçalves <me@rgoncalves.se>2022-12-21 17:19:46 +0100
commit8ce56f15e0751870b56805010241dcfe8389b10f (patch)
tree5cb2c136ea8d829c93810d908e63501ff79afd6e /roles
parent783cfa8469c7922f787305e15e95c0619479744b (diff)
refactor: remove global __services from roles
Diffstat (limited to 'roles')
-rw-r--r--roles/acme/defaults/main.yml2
-rw-r--r--roles/acme/templates/acme-client.conf.j26
-rw-r--r--roles/pf/defaults/main.yml8
-rw-r--r--roles/pf/templates/pf.conf.j25
-rw-r--r--roles/relayd/defaults/main.yml2
-rw-r--r--roles/relayd/templates/relayd.conf.j220
6 files changed, 28 insertions, 15 deletions
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
index 24201bd..66ca704 100644
--- a/roles/acme/defaults/main.yml
+++ b/roles/acme/defaults/main.yml
@@ -1,4 +1,6 @@
---
+acme_rules: {}
+
acme_configuration_file: /etc/acme-client.conf
acme_domain_name: null
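Review bot: `acme_rules: {}` is added with no description of the shape the role expects, even though the acme template in this commit reads `rules.domain` from every value and uses the mapping key only as a label. A comment directly above the default, along the lines of `# acme_rules: {<name>: {domain: <subdomain label>}}  # domain is prefixed to acme_domain_name`, would let an operator fill it in without reading the template. The `relayd_rules: {}` default in roles/relayd/defaults/main.yml has the same gap, and its template additionally reads `rules.port`.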
diff --git a/roles/acme/templates/acme-client.conf.j2 b/roles/acme/templates/acme-client.conf.j2
index 3792009..583c3d5 100644
--- a/roles/acme/templates/acme-client.conf.j2
+++ b/roles/acme/templates/acme-client.conf.j2
@@ -14,9 +14,9 @@ domain {{ acme_domain_name }} {
}
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
-domain {{ service.domain }}.{{ acme_domain_name }} {
- {% set domain = service.domain ~ "." ~ acme_domain_name %}
+{% for name, rules in h.acme_rules.items() if rules.domain is defined %}
+domain {{ rules.domain }}.{{ acme_domain_name }} {
+ {% set domain = rules.domain ~ "." ~ acme_domain_name %}
alternative names { www.{{ domain }} }
domain key "/etc/ssl/private/{{ domain }}.key"
domain full chain certificate "/etc/ssl/{{ domain }}.crt"
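Review bot: `h.acme_rules` in the new loop header is read from another host's hostvars, and the role default `acme_rules: {}` only exists on hosts where this role runs, so a `servers` host that never sets `acme_rules` in its inventory vars leaves `h.acme_rules` undefined and `.items()` aborts the render; whether that can happen depends on what `macros.loop_valid_hosts` yields, which is outside this diff. A defensive form is `{% for name, rules in (h.acme_rules | default({})).items() if rules.domain is defined %}`, and the same applies to the four `h.relayd_rules.items()` loop headers in roles/relayd/templates/relayd.conf.j2. `name` is also never used in this loop body (only `rules` is read), so `{% for rules in (h.acme_rules | default({})).values() if rules.domain is defined %}` says what is meant; the relayd loops share that unused variable.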
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
index edba159..29a53f8 100644
--- a/roles/pf/defaults/main.yml
+++ b/roles/pf/defaults/main.yml
@@ -1,5 +1,13 @@
---
+pf_rules: null
+# name: ...
+# protocol: ...
+# port: ...
+# name: ...
+# protocol: ...
+# port: ...
+
pf_configuration_file: /etc/pf.conf
pf_test_ports:
- "{{ ansible_port }}"
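Review bot: `pf_rules: null` is inconsistent with `acme_rules: {}` and `relayd_rules: {}` in the sibling defaults, and roles/pf/templates/pf.conf.j2 calls `pf_rules.items()` unconditionally, so rendering fails for any host that does not override the variable; `pf_rules: {}` is the safe default. The commented example also does not match what the template reads: it lists `name:` as a field, while the template takes the rule name from the mapping key and reads `protocol` and `port` from the value. A comment of the shape `# pf_rules:` / `#   <name>:` / `#     protocol: tcp` / `#     port: 443` documents the actual contract.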
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index 1b51fe7..e60b4a6 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -11,8 +11,9 @@ block all
pass in quick on egress proto tcp to port {{ ansible_port }}
# host services
-{% for service in __services %}
-pass in quick on egress proto {{ service["protocol"] }} to port {{ service["port"] }}
+{% for name, rules in pf_rules.items() %}
+# {{ name }}
+pass in quick on egress proto {{ rules.protocol }} to port {{ rules.port }}
{% endfor %}
# wireguard
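Review bot: The loop body emits `{{ rules.protocol }}` and `{{ rules.port }}` without checking that either key exists, so a rule missing one renders as `pass in quick on egress proto  to port ` and the error surfaces only when pfctl rejects the whole ruleset at load time, not when the play renders the file. `{{ rules.protocol | mandatory('pf_rules.' ~ name ~ ' needs a protocol') }}` and `{{ rules.port | mandatory('pf_rules.' ~ name ~ ' needs a port') }}` turn that into a template-time failure that names the offending rule. The `forward to ... port {{ rules.port }} check tcp` line in the last relayd hunk has the same exposure, since its loop filter only checks `domain is defined`.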
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 7171f53..66eef3b 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -1,5 +1,7 @@
---
+relayd_rules: {}
+
relayd_configuration_file: /etc/relayd.conf
relayd_domain_name: example.com
relayd_transparent: true
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index c97e9da..b66ffa7 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -8,8 +8,8 @@ log connection errors
table <local> { 127.0.0.1 }
{% call(h) macros.loop_valid_hosts("servers") -%}
table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} }
-{% for service in h.__services if service.domain is defined %}
-table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} }
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} }
{% endfor %}
{%- endcall %}
@@ -34,10 +34,10 @@ http protocol "https" {
tls keypair "{{ relayd_domain_name }}"
pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
- {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+ {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
tls keypair "{{ domain_name }}"
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
{% endfor %}
{%- endcall %}
@@ -52,9 +52,9 @@ http protocol "http" {
pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
- {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+ {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
{% endfor %}
{%- endcall %}
@@ -75,8 +75,8 @@ relay "wwwtls" {
protocol "https"
forward to <local> port 80 check http "/" code 200
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
- forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+ forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> port {{ rules.port }} check tcp
{% endfor %}
{%- endcall %}
}