authorRomain Gonçalves <me@rgoncalves.se>2024-02-08 13:32:37 +0100
committerRomain Gonçalves <me@rgoncalves.se>2024-02-08 13:33:36 +0100
commitadfb09b9e19f7a31632eab01171693cb81ec75ef (patch)
tree7b05135581ff49e7a5655ab07af7bba2ada43585 /roles
parent5c5b0fbf68dca224b7f92f5de0913fd684e7d3d9 (diff)
downloadrules-adfb09b9e19f7a31632eab01171693cb81ec75ef.tar.gz
refactor(roles): new variable naming standard
Diffstat (limited to 'roles')
-rw-r--r--roles/acme/defaults/main.yml12
-rw-r--r--roles/acme/meta/main.yml16
-rw-r--r--roles/acme/tasks/main.yml23
-rw-r--r--roles/acme/templates/acme-client.conf.j218
-rw-r--r--roles/cgit/meta/main.yml2
-rw-r--r--roles/git/meta/main.yml4
-rw-r--r--roles/httpd/defaults/main.yml11
-rw-r--r--roles/httpd/tasks/main.yml32
-rw-r--r--roles/httpd/templates/httpd.conf.j222
-rw-r--r--roles/pf/defaults/main.yml8
-rw-r--r--roles/pf/meta/main.yml8
-rw-r--r--roles/pf/tasks/main.yml28
-rw-r--r--roles/pf/templates/pf.conf.j22
-rw-r--r--roles/prerequisites/tasks/main.yml6
-rw-r--r--roles/relayd/defaults/main.yml14
-rw-r--r--roles/relayd/meta/main.yml10
-rw-r--r--roles/relayd/tasks/main.yml38
-rw-r--r--roles/relayd/templates/relayd.conf.j231
-rw-r--r--roles/sshd/defaults/main.yml6
-rw-r--r--roles/sshd/meta/main.yml6
-rw-r--r--roles/sshd/tasks/main.yml12
-rw-r--r--roles/sshd/templates/sshd_config.j24
-rw-r--r--roles/sshd_keys/defaults/main.yml13
-rw-r--r--roles/sshd_keys/meta/main.yml16
-rw-r--r--roles/sshd_keys/tasks/main.yml23
-rw-r--r--roles/update/tasks/main.yml8
-rw-r--r--roles/vmm/meta/main.yml2
-rw-r--r--roles/vmm/tasks/autoinstall_configuration.yml2
28 files changed, 171 insertions, 206 deletions
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
index 81d3b2b..1665d3a 100644
--- a/roles/acme/defaults/main.yml
+++ b/roles/acme/defaults/main.yml
@@ -1,9 +1,9 @@
---
-acme_configuration_file: /etc/acme-client.conf
-acme_certificates_dir: /etc/ssl
-acme_keys_dir: /etc/ssl/private
+acme__configuration_file: /etc/acme-client.conf
+acme__certificates_dir: /etc/ssl
+acme__keys_dir: /etc/ssl/private
-acme_authority_name: letsencrypt
-acme_authority_url: https://acme-v02.api.letsencrypt.org/directory
-acme_authority_key: /etc/acme/letsencrypt-privkey.pem
+acme__authority_name: letsencrypt
+acme__authority_url: https://acme-v02.api.letsencrypt.org/directory
+acme__authority_key: /etc/acme/letsencrypt-privkey.pem
diff --git a/roles/acme/meta/main.yml b/roles/acme/meta/main.yml
index 0458175..f3eccc3 100644
--- a/roles/acme/meta/main.yml
+++ b/roles/acme/meta/main.yml
@@ -5,7 +5,7 @@ argument_specs:
short_description: acme main entrypoint.
options:
- acme_rules:
+ acme__rules:
type: list
elements: dict
required: true
@@ -15,37 +15,37 @@ argument_specs:
required: true
description: Acme domain name
- acme_authority_name:
+ acme__authority_name:
type: str
required: true
description: Acme authority name
- acme_authority_url:
+ acme__authority_url:
type: str
required: true
description: Acme authority api url
- acme_authority_key:
+ acme__authority_key:
type: path
required: true
description: Acme authority key file
- acme_certificates_dir:
+ acme__certificates_dir:
type: path
required: true
description: Acme certificates directory
- acme_keys_dir:
+ acme__keys_dir:
type: path
required: true
description: Acme keys directory
- acme_configuration_file:
+ acme__configuration_file:
type: path
required: true
description: Acme configuration file
- relayd_connected_hosts:
+ relayd__connected_hosts:
type: str
required: true
description: Group name of hosts for generating certificates
diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml
index 040c176..0435265 100644
--- a/roles/acme/tasks/main.yml
+++ b/roles/acme/tasks/main.yml
@@ -3,7 +3,7 @@
- name: generate acme-client configuration
ansible.builtin.template:
src: acme-client.conf.j2
- dest: "{{ acme_configuration_file }}"
+ dest: "{{ acme__configuration_file }}"
owner: 0
group: 0
mode: "0644"
@@ -11,20 +11,20 @@
- name: retrieve enabled domains
ansible.builtin.shell: |
set -o pipefail
- grep "^domain" {{ acme_configuration_file }} | cut -d " " -f 2
- register: acme_result_subdomains
+ grep "^domain" {{ acme__configuration_file }} | cut -d " " -f 2
+ register: acme__result_subdomains
changed_when: false
- name: generate acme certificates
ansible.builtin.command: acme-client -v {{ item }}
- loop: "{{ acme_result_subdomains.stdout_lines }}"
- register: acme_result_generation
- failed_when: acme_result_generation.rc == 1
- changed_when: acme_result_generation.rc != 2
+ loop: "{{ acme__result_subdomains.stdout_lines }}"
+ register: acme__result_generation
+ failed_when: acme__result_generation.rc == 1
+ changed_when: acme__result_generation.rc != 2
- name: display registered certificates
ansible.builtin.debug:
- msg: "{{ acme_result_generation.results | map(attribute='stderr')
+ msg: "{{ acme__result_generation.results | map(attribute='stderr')
| join('\n') }}"
- name: enable automatic acme certificates update
@@ -33,4 +33,9 @@
minute: 0
hour: 6,18
job: "acme-client -v {{ item }} && rcctl reload relayd"
- loop: "{{ acme_result_subdomains.stdout_lines }}"
+ loop: "{{ acme__result_subdomains.stdout_lines }}"
+
+- name: restart relayd
+ ansible.builtin.service:
+ name: relayd
+ state: restarted
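Review bot: The new `restart relayd` task at the end of this hunk is unconditional, so every play run restarts relayd and drops in-flight TLS connections even when no certificate was issued or renewed. Gate it on the generation results, which already mark items changed when acme-client returns anything other than 2: `when: acme__result_generation is changed`. Prefer `state: reloaded` over a full restart, matching the `rcctl reload relayd` the cron job in the same file already uses for renewals.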
diff --git a/roles/acme/templates/acme-client.conf.j2 b/roles/acme/templates/acme-client.conf.j2
index 9453cec..00c2f60 100644
--- a/roles/acme/templates/acme-client.conf.j2
+++ b/roles/acme/templates/acme-client.conf.j2
@@ -1,19 +1,19 @@
# managed by Ansible
{% import 'macros.j2' as macros with context %}
-authority {{ acme_authority_name }} {
- api url "{{ acme_authority_url }}"
- account key "{{ acme_authority_key }}"
+authority {{ acme__authority_name }} {
+ api url "{{ acme__authority_url }}"
+ account key "{{ acme__authority_key }}"
}
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.acme_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.acme__rules %}
domain {{ rule.domain }} {
- alternative names { www.{{ rule.domain }} }
- domain key "{{ acme_keys_dir }}/{{ rule.domain }}.key"
- domain full chain certificate "{{ acme_certificates_dir }}/{{ rule.domain }}.crt"
- sign with {{ acme_authority_name }}
+ # alternative names { www.{{ rule.domain }} }
+ domain key "{{ acme__keys_dir }}/{{ rule.domain }}.key"
+ domain full chain certificate "{{ acme__certificates_dir }}/{{ rule.domain }}.crt"
+ sign with {{ acme__authority_name }}
}
{% endfor %}
{%- endcall %}
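Review bot: The `alternative names { www.{{ rule.domain }} }` line is kept as a commented-out line in the template, so every rendered acme-client.conf carries dead configuration and the www SAN quietly disappears from newly issued certificates. Either delete the line or make it data-driven, e.g. `{% if rule.alternative_names is defined %}` / `alternative names { {{ rule.alternative_names | join(' ') }} }` / `{% endif %}`. Whether acme-client reissues existing certificates when the configured name set shrinks is not visible here; if it does not, hosts keep serving the old www-bearing certificate until expiry, which is worth confirming.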
diff --git a/roles/cgit/meta/main.yml b/roles/cgit/meta/main.yml
index ddd865d..1efbc4b 100644
--- a/roles/cgit/meta/main.yml
+++ b/roles/cgit/meta/main.yml
@@ -2,7 +2,7 @@
dependencies:
- role: git
- - role: httpd_pre
+ - role: httpd__pre
argument_specs:
main:
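Review bot: `- role: httpd__pre` names a role that does not appear anywhere in this diffstat, while the rest of the commit keeps single-underscore role names and reserves the double underscore for the role/variable boundary (e.g. `httpd_pre__sites_dir` in the httpd role), so the directory is presumably still `roles/httpd_pre` and this dependency will not resolve unless it was moved in another commit. Keep `- role: httpd_pre` unless the directory rename is part of the same change.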
diff --git a/roles/git/meta/main.yml b/roles/git/meta/main.yml
index 1117027..8877ff2 100644
--- a/roles/git/meta/main.yml
+++ b/roles/git/meta/main.yml
@@ -1,8 +1,8 @@
---
dependencies:
- - role: sshd_keys
- sshd_keys_users:
+ - role: sshd__keys
+ sshd__keys_users:
- "{{ git_user }}"
argument_specs:
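Review bot: The dependency now references role `sshd__keys` and passes `sshd__keys_users`, but the diffstat shows the role directory is still `roles/sshd_keys` and its defaults in this same commit declare `sshd_keys__users`, so role resolution fails (or the variable goes unused) unless the directory was renamed elsewhere. The two sides should agree: `- role: sshd_keys` / `sshd_keys__users:`. Note that this commit also drops the sshd_keys role's own dependency on `sshd`, so ordering relative to the sshd role is now the responsibility of whoever includes git.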
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml
index f5e0a43..c0f92ed 100644
--- a/roles/httpd/defaults/main.yml
+++ b/roles/httpd/defaults/main.yml
@@ -1,15 +1,6 @@
---
-httpd_configuration_file: /etc/httpd.conf
-httpd_configuration_dir: /etc/httpd.d
-httpd_chroot_dir: /var/www
-httpd_passwords_dir: "{{ httpd_chroot_dir }}/htpasswd"
-httpd_sites_dir: "{{ httpd_chroot_dir }}/htdocs"
-
-httpd_user: www
-httpd_group: www
-
-httpd_supported_types:
+httpd__supported_types:
- application/xml xml rss
- image/gif gif
- image/jpeg jpeg jpg
diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
index 584ae0b..194f198 100644
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@@ -1,39 +1,25 @@
---
-- name: create httpd directory
+- name: create static sites directories
ansible.builtin.file:
- path: "{{ httpd_configuration_dir }}"
+ path: "{{ httpd_pre__sites_dir }}/{{ item.domain }}"
state: directory
- owner: 0
- group: 0
- mode: "0644"
-
-- name: create passwords directory
- ansible.builtin.file:
- path: "{{ httpd_passwords_dir }}"
- state: directory
- owner: "{{ httpd_user }}"
- group: "{{ httpd_group }}"
- mode: "0700"
-
-- name: create sites directory
- ansible.builtin.file:
- path: "{{ httpd_sites_dir }}"
- state: directory
- owner: 0
- group: 0
+ owner: "{{ httpd_pre__user }}"
+ group: "{{ httpd_pre__group }}"
mode: "0755"
+ loop: "{{ httpd__rules }}"
+ when: item.extra.type is defined and item.extra.type == "static"
- name: retrieve all configuration files
ansible.builtin.find:
- path: "{{ httpd_configuration_dir }}"
+ path: "{{ httpd_pre__configuration_dir }}"
patterns: "*.conf"
- register: httpd_configuration_files
+ register: httpd__configuration_files
- name: generate httpd configuration
ansible.builtin.template:
src: httpd.conf.j2
- dest: "{{ httpd_configuration_file }}"
+ dest: "{{ httpd_pre__configuration_file }}"
owner: 0
group: 0
mode: "0644"
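Review bot: The per-site directories are now created with `owner: "{{ httpd_pre__user }}"` / `group: "{{ httpd_pre__group }}"`, whereas the `create sites directory` task this replaces made the docroot root-owned. A document root writable by the service account lets a compromised httpd (running as that user inside the chroot) alter the content it serves; unless a deploy step genuinely needs www to write there, keep `owner: 0` / `group: 0` with `mode: "0755"`. The guard `item.extra.type is defined and item.extra.type == "static"` also reads more robustly as `when: item.extra.type | default('') == "static"`, which does not rely on undefined-attribute chaining when a rule has no `extra` key.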
diff --git a/roles/httpd/templates/httpd.conf.j2 b/roles/httpd/templates/httpd.conf.j2
index 49e928d..9225244 100644
--- a/roles/httpd/templates/httpd.conf.j2
+++ b/roles/httpd/templates/httpd.conf.j2
@@ -1,24 +1,38 @@
# managed by Ansible
types {
-{% for type in httpd_supported_types %}
+{% for type in httpd__supported_types %}
{{ type }}
{% endfor %}
}
-server "acme" {
- listen on localhost port 8888
+server "default" {
+ listen on * port 8888
+ log style {{ httpd__log_format }}
+ # acme tls challenge
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
+ # redirection
location * {
block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
}
-{% for file in httpd_configuration_files.files %}
+{% for item in httpd__rules %}
+{% if item.extra.type is defined and item.extra.type == "static" %}
+server "{{ item.domain }}" {
+ listen on localhost port {{ item.port }}
+ log style {{ httpd__log_format }}
+ root "{{ httpd_pre__chroot_sites_dir }}/{{ item.domain }}"
+}
+
+{% endif %}
+{% endfor %}
+
+{% for file in httpd__configuration_files.files %}
include "{{ file.path }}"
{% endfor %}
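Review bot: `listen on * port 8888` replaces `listen on localhost`, so the ACME-challenge/redirect server now binds on every interface instead of loopback; only pf's default `block all` keeps it off the network, while the relayd role in this same commit still forwards challenges to `<local>`. If the wider bind is needed for relayd on other hosts, prefer an explicit address such as `listen on <internal-address> port 8888` so exposure does not hinge on a firewall rule. Separately, `httpd__log_format` is used twice in this hunk but is not added to `roles/httpd/defaults/main.yml` or an argument spec anywhere in this change, so rendering fails on an undefined variable unless it is defined elsewhere.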
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
index 90b4c7e..7e8ac41 100644
--- a/roles/pf/defaults/main.yml
+++ b/roles/pf/defaults/main.yml
@@ -1,8 +1,8 @@
---
-pf_rules: null
+pf__rules: null
-pf_configuration_file: /etc/pf.conf
-pf_test_delay: 2
-pf_test_ports:
+pf__configuration_file: /etc/pf.conf
+pf__test_delay: 2
+pf__test_ports:
- "{{ ansible_port }}"
diff --git a/roles/pf/meta/main.yml b/roles/pf/meta/main.yml
index 8a6aa88..9c02951 100644
--- a/roles/pf/meta/main.yml
+++ b/roles/pf/meta/main.yml
@@ -5,7 +5,7 @@ argument_specs:
short_description: pf main entrypoint.
options:
- pf_rules:
+ pf__rules:
type: list
elements: dict
required: true
@@ -25,17 +25,17 @@ argument_specs:
required: true
description: Port to be configured
- pf_configuration_file:
+ pf__configuration_file:
type: path
required: true
description: Pf configuration file
- pf_test_delay:
+ pf__test_delay:
type: int
required: true
description: Pf test delay
- pf_test_ports:
+ pf__test_ports:
type: list
element: int
required: true
diff --git a/roles/pf/tasks/main.yml b/roles/pf/tasks/main.yml
index 4fba69e..9737315 100644
--- a/roles/pf/tasks/main.yml
+++ b/roles/pf/tasks/main.yml
@@ -3,35 +3,35 @@
- name: generate pf configuration
ansible.builtin.template:
src: pf.conf.j2
- dest: "{{ pf_configuration_file }}"
+ dest: "{{ pf__configuration_file }}"
owner: 0
group: 0
mode: "0600"
- register: pf_result_generate_configuration
+ register: pf__result_generate_configuration
- name: lint pf configuration # noqa: no-handler
- ansible.builtin.command: "pfctl -nf {{ pf_configuration_file }}"
- register: pf_result_lint_configuration
+ ansible.builtin.command: "pfctl -nf {{ pf__configuration_file }}"
+ register: pf__result_lint_configuration
changed_when:
- - pf_result_generate_configuration.changed
- - pf_result_lint_configuration.rc != 0
+ - pf__result_generate_configuration.changed
+ - pf__result_lint_configuration.rc != 0
- name: restart pf # noqa: no-handler
- ansible.builtin.command: pfctl -f "{{ pf_configuration_file }}"
- when: pf_result_generate_configuration.changed
+ ansible.builtin.command: pfctl -f "{{ pf__configuration_file }}"
+ when: pf__result_generate_configuration.changed
- name: test pf rules
ansible.builtin.wait_for:
port: "{{ item }}"
- delay: "{{ pf_test_delay }}"
+ delay: "{{ pf__test_delay }}"
state: started
- loop: "{{ pf_test_ports }}"
+ loop: "{{ pf__test_ports }}"
- name: enable pf
ansible.builtin.command: pfctl -e
- register: pf_result_enable
+ register: pf__result_enable
changed_when:
- - "'already enabled' not in pf_result_enable.stderr"
+ - "'already enabled' not in pf__result_enable.stderr"
failed_when:
- - pf_result_enable.rc != 0
- - "'already enabled' not in pf_result_enable.stderr"
+ - pf__result_enable.rc != 0
+ - "'already enabled' not in pf__result_enable.stderr"
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index 193c9d2..2f159b4 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -11,7 +11,7 @@ block all
pass in quick on egress proto tcp to port {{ ansible_port }}
# host services
-{% for rule in pf_rules %}
+{% for rule in pf__rules %}
# {{ rule.name }}
pass in quick on egress proto {{ rule.protocol }} to port {{ rule.port }}
{% endfor %}
diff --git a/roles/prerequisites/tasks/main.yml b/roles/prerequisites/tasks/main.yml
index b1f4215..cd241a6 100644
--- a/roles/prerequisites/tasks/main.yml
+++ b/roles/prerequisites/tasks/main.yml
@@ -2,8 +2,8 @@
- name: retrieve python installation
ansible.builtin.raw: command -v python3
- register: prerequisites_register_python_present
- changed_when: prerequisites_register_python_present.rc != 0
+ register: prerequisites__register_python_present
+ changed_when: prerequisites__register_python_present.rc != 0
- name: bruteforce python installation with all packages possiblity
ansible.builtin.raw: |
@@ -14,4 +14,4 @@
ignore_errors: true
failed_when: result.rc not in [0, 1]
poll: 0
- when: prerequisites_register_python_present.rc != 0
+ when: prerequisites__register_python_present.rc != 0
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 998ff5c..17d325d 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -1,19 +1,19 @@
---
-relayd_rules: {}
+relayd__rules: {}
-relayd_configuration_file: /etc/relayd.conf
-relayd_block_msg: aah!
+relayd__configuration_file: /etc/relayd.conf
+relayd__block_msg: aah!
-relayd_ssl_certificates_dir: /etc/ssl
-relayd_ssl_keys_dir: /etc/ssl/private
+relayd__ssl_certificates_dir: /etc/ssl
+relayd__ssl_keys_dir: /etc/ssl/private
-relayd_tls_ciphers:
+relayd__tls_ciphers:
- HIGH
- "!AES128"
- "!kRSA"
- "!aNULL"
-relayd_tls_elliptic_curves:
+relayd__tls_elliptic_curves:
- P-384
- P-256
- X25519
diff --git a/roles/relayd/meta/main.yml b/roles/relayd/meta/main.yml
index e2da9c2..64efc3a 100644
--- a/roles/relayd/meta/main.yml
+++ b/roles/relayd/meta/main.yml
@@ -5,7 +5,7 @@ argument_specs:
short_description: relayd main entrypoint.
options:
- relayd_rules:
+ relayd__rules:
type: list
elements: dict
required: true
@@ -23,22 +23,22 @@ argument_specs:
required: true
description: Port to be configured
- relayd_configuration_file:
+ relayd__configuration_file:
type: path
required: true
description: Relayd configuration file
- relayd_domain_name:
+ relayd__domain_name:
type: str
required: true
description: Relayd domain name
- relayd_connected_hosts:
+ relayd__connected_hosts:
type: str
required: true
description: Group name of hosts that are behind relayd
- relayd_tls_ciphers:
+ relayd__tls_ciphers:
type: list
elements: str
required: true
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index 1346675..6485eb2 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -8,57 +8,57 @@
-newkey rsa:4096
-nodes
-subj "/CN={{ item.domain }}"
- -keyout {{ relayd_ssl_keys_dir }}/{{ item.domain }}.key
- -out {{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem
- creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
- loop: "{{ relayd_rules }}"
+ -keyout {{ relayd__ssl_keys_dir }}/{{ item.domain }}.key
+ -out {{ relayd__ssl_certificates_dir }}/{{ item.domain }}.pem
+ creates: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key"
+ loop: "{{ relayd__rules }}"
- name: apply restrictive permissions on ssl keys
ansible.builtin.file:
- path: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+ path: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key"
owner: 0
group: 0
mode: "0600"
- loop: "{{ relayd_rules }}"
+ loop: "{{ relayd__rules }}"
- name: retrieve certificate files
ansible.builtin.stat:
- path: "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.crt"
- loop: "{{ relayd_rules }}"
- register: relayd_result_stat_certificates
+ path: "{{ relayd__ssl_certificates_dir }}/{{ item.domain }}.crt"
+ loop: "{{ relayd__rules }}"
+ register: relayd__result_stat_certificates
- name: link pem files to certificate files if required
ansible.builtin.file:
- src: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.pem"
+ src: "{{ relayd__ssl_certificates_dir }}/{{ item.item.domain }}.pem"
dest: "{{ item.invocation.module_args.path }}"
owner: 0
group: 0
state: link
when: not item.stat.exists
- loop: "{{ relayd_result_stat_certificates.results }}"
+ loop: "{{ relayd__result_stat_certificates.results }}"
- name: generate relayd configuration
ansible.builtin.template:
src: relayd.conf.j2
- dest: "{{ relayd_configuration_file }}"
+ dest: "{{ relayd__configuration_file }}"
owner: 0
group: 0
mode: "0640"
- register: relayd_result_generate_configuration
+ register: relayd__result_generate_configuration
- name: lint relayd configuration
- ansible.builtin.command: "relayd -nf {{ relayd_configuration_file }}"
- register: relayd_result_lint_configuration
+ ansible.builtin.command: "relayd -nf {{ relayd__configuration_file }}"
+ register: relayd__result_lint_configuration
changed_when:
- - relayd_result_generate_configuration.changed
- - relayd_result_lint_configuration.rc != 0
+ - relayd__result_generate_configuration.changed
+ - relayd__result_lint_configuration.rc != 0
- name: restart relayd # noqa: no-handler
ansible.builtin.service:
name: relayd
state: restarted
- when: relayd_result_generate_configuration.changed
- or relayd_result_lint_configuration.changed
+ when: relayd__result_generate_configuration.changed
+ or relayd__result_lint_configuration.changed
- name: enable relayd
ansible.builtin.service:
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 67b9e13..4169251 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -6,11 +6,11 @@ log connection errors
# hosts
table <local> { 127.0.0.1 }
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
-table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} }
-{% for rule in h.relayd_rules %}
-table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
+table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} }
+{% for rule in h.relayd__rules %}
+table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }
{% endfor %}
{%- endcall %}
@@ -18,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
http protocol "https" {
- tls ciphers "{{ relayd_tls_ciphers | join(':') }}"
- tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}"
+ tls ciphers "{{ relayd__tls_ciphers | join(':') }}"
+ tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"
tcp { sack, backlog 128 }
@@ -27,19 +27,20 @@ http protocol "https" {
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match request header set "Connection" value "close"
match request header set "X-Forwarded-Proto" value "https"
- match request header set "X-Forwarded-Port" value "443"
+ match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
match response header set "Referrer-Policy" value "no-referrer"
match response header set "X-XSS-Protection" value "1; mode=block"
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
tls keypair "{{ rule.domain }}"
pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
- block label "{{ relayd_block_msg }}"
+ block label "{{ relayd__block_msg }}"
return error
}
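Review bot: `X-Forwarded-Port` conventionally carries the port the client connected to on the proxy (443 here), not the client's ephemeral source port, so `value "$REMOTE_PORT"` will mislead any backend that uses the header to rebuild absolute URLs or to decide it is behind HTTPS. Keep `match request header set "X-Forwarded-Port" value "443"` (or `"$SERVER_PORT"`) next to the new `X-Forwarded-For` line. Using `set` rather than `append` for `X-Forwarded-For` is the right call: it discards any client-supplied value so a backend cannot be fed a spoofed source address.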
@@ -48,8 +49,8 @@ http protocol "http" {
# acme
pass request quick path "/.well-known/acme-challenge/*" forward to <local>
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
@@ -70,8 +71,8 @@ relay "wwwtls" {
listen on egress port 443 tls
protocol "https"
forward to <local> port 80 check http "/" code 200
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
{% endfor %}
{%- endcall %}
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
index 87933b9..85df472 100644
--- a/roles/sshd/defaults/main.yml
+++ b/roles/sshd/defaults/main.yml
@@ -1,5 +1,5 @@
---
-sshd_configuration_file: /etc/ssh/sshd_config
-sshd_listen_port: 22
-sshd_enable_x11_forwarding: false
+sshd__configuration_file: /etc/ssh/sshd_config
+sshd__listen_port: 22
+sshd__enable_x11_forwarding: false
diff --git a/roles/sshd/meta/main.yml b/roles/sshd/meta/main.yml
index e0d60ee..7edf5cf 100644
--- a/roles/sshd/meta/main.yml
+++ b/roles/sshd/meta/main.yml
@@ -5,17 +5,17 @@ argument_specs:
short_description: sshd main entrypoint.
options:
- sshd_configuration_file:
+ sshd__configuration_file:
type: path
required: true
description: Sshd configuration file
- sshd_listen_port:
+ sshd__listen_port:
type: int
required: true
description: Sshd listen port
- sshd_enable_x11_forwarding:
+ sshd__enable_x11_forwarding:
type: bool
required: true
description: Enable X11 forwarding
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 6a622d2..05221fd 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -9,22 +9,22 @@
- name: generate sshd configuration
ansible.builtin.template:
src: sshd_config.j2
- dest: "{{ sshd_configuration_file }}"
+ dest: "{{ sshd__configuration_file }}"
owner: 0
group: 0
mode: "0644"
- register: sshd_result_generate_configuration
+ register: sshd__result_generate_configuration
- name: lint sshd configuration
- ansible.builtin.command: "sshd -tf {{ sshd_configuration_file }}"
- register: sshd_result_lint
+ ansible.builtin.command: "sshd -tf {{ sshd__configuration_file }}"
+ register: sshd__result_lint
changed_when: false
- name: restart sshd # noqa: no-handler
ansible.builtin.service:
name: sshd
state: restarted
- when: sshd_result_generate_configuration.changed
+ when: sshd__result_generate_configuration.changed
- name: enable sshd
ansible.builtin.service:
@@ -33,6 +33,6 @@
- name: check ssh connection
ansible.builtin.wait_for:
- port: "{{ sshd_listen_port }}"
+ port: "{{ sshd__listen_port }}"
delay: 1
state: started
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2
index b8affa8..179738a 100644
--- a/roles/sshd/templates/sshd_config.j2
+++ b/roles/sshd/templates/sshd_config.j2
@@ -1,7 +1,7 @@
# managed by Ansible
# network
-Port {{ sshd_listen_port }}
+Port {{ sshd__listen_port }}
# security
PermitRootLogin yes
@@ -13,7 +13,7 @@ AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 180
-X11Forwarding {{ "yes" if sshd_enable_x11_forwarding else "no" }}
+X11Forwarding {{ "yes" if sshd__enable_x11_forwarding else "no" }}
{% if ansible_distribution == "Debian" %}
Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/roles/sshd_keys/defaults/main.yml b/roles/sshd_keys/defaults/main.yml
index 1b97a4a..d0b5466 100644
--- a/roles/sshd_keys/defaults/main.yml
+++ b/roles/sshd_keys/defaults/main.yml
@@ -1,13 +1,4 @@
---
-sshd_keys_users: null
-sshd_keys_dir: files/keys
-sshd_keys_paths: "[
- {% if sshd_keys_users is none %}
- '{{ sshd_keys_dir }}',
- {% else %}
- {% for user in sshd_keys_users %}
- '{{ sshd_keys_dir }}/{{ user }}',
- {% endfor %}
- {% endif %}
- ]"
+sshd_keys__users: null
+sshd_keys__dir: null
diff --git a/roles/sshd_keys/meta/main.yml b/roles/sshd_keys/meta/main.yml
index e790d71..ccf16eb 100644
--- a/roles/sshd_keys/meta/main.yml
+++ b/roles/sshd_keys/meta/main.yml
@@ -1,27 +1,17 @@
---
-dependencies:
- - role: sshd
- tags: dependency
-
argument_specs:
main:
- short_description: sshd_keys main entrypoint.
+ short_description: sshd__keys main entrypoint.
options:
- sshd_keys_users:
+ sshd_keys__users:
type: list
elements: str
required: true
description: Users to be synced
- sshd_keys_dir:
+ sshd_keys__dir:
type: path
required: true
description: Local directory with public keys
-
- sshd_keys_paths:
- type: list
- elements: path
- required: true
- description: Local directory with public keys
diff --git a/roles/sshd_keys/tasks/main.yml b/roles/sshd_keys/tasks/main.yml
index 5d45e34..168f64d 100644
--- a/roles/sshd_keys/tasks/main.yml
+++ b/roles/sshd_keys/tasks/main.yml
@@ -2,34 +2,21 @@
- name: get ssh keys for all users
ansible.builtin.find:
- paths: "{{ sshd_keys_paths }}"
+ paths: "{{ sshd__keys_paths }}"
file_type: link
recurse: true
delegate_to: localhost
run_once: true
- register: sshd_keys_result_find
+ register: sshd__keys_result_find
-- name: set sshd_keys_found_users variable
+- name: set sshd__keys_found_users variable
ansible.builtin.set_fact:
- sshd_keys_found_users: "{{ sshd_keys_result_find.files
+ sshd__keys_found_users: "{{ sshd__keys_result_find.files
| map(attribute='path')
| map('dirname')
| map('basename')
| unique }}"
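Review bot: `paths: "{{ sshd__keys_paths }}"` references a variable that no longer exists anywhere in this change: the computed `sshd_keys_paths` default was removed and the new defaults are `sshd_keys__users` / `sshd_keys__dir`, so the find task fails with an undefined variable unless it is set elsewhere. Derive the list in-task, e.g. `paths: "{{ [sshd_keys__dir] if sshd_keys__users is none else sshd_keys__users | map('regex_replace', '^', sshd_keys__dir ~ '/') | list }}"`, and stick to one prefix (`sshd_keys__`) for the registered facts too. The user and group creation tasks were removed here while the `synchronize ssh keys` task in the next hunk still carries `failed_when: false`, so a key for an account that does not yet exist is now skipped silently rather than provisioned.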
-- name: create groups for users with ssh keys
- ansible.builtin.group:
- name: "{{ item }}"
- state: present
- loop: "{{ sshd_keys_found_users }}"
-
-- name: create users with ssh keys
- ansible.builtin.user:
- name: "{{ item }}"
- group: "{{ item }}"
- state: present
- loop: "{{ sshd_keys_found_users }}"
-
- name: synchronize ssh keys
ansible.posix.authorized_key:
user: "{{ item.path | dirname | basename }}"
@@ -37,5 +24,5 @@
key: "{{ lookup('file', item.path) }}"
loop_control:
label: "{{ item.path }}: {{ item.path | dirname | basename }}"
- loop: "{{ sshd_keys_result_find.files }}"
+ loop: "{{ sshd__keys_result_find.files }}"
failed_when: false
diff --git a/roles/update/tasks/main.yml b/roles/update/tasks/main.yml
index 1719611..0c10aa7 100644
--- a/roles/update/tasks/main.yml
+++ b/roles/update/tasks/main.yml
@@ -2,12 +2,12 @@
- name: apply system update
ansible.builtin.command: syspatch
- register: update_result_system_update
+ register: update__result_system_update
failed_when:
- - update_result_system_update.rc > 0
- - update_result_system_update.rc != 2
+ - update__result_system_update.rc > 0
+ - update__result_system_update.rc != 2
changed_when:
- - update_result_system_update.rc == 0
+ - update__result_system_update.rc == 0
when: ansible_distribution == "OpenBSD"
- name: apply package update
diff --git a/roles/vmm/meta/main.yml b/roles/vmm/meta/main.yml
index dd93239..4bf5e0a 100644
--- a/roles/vmm/meta/main.yml
+++ b/roles/vmm/meta/main.yml
@@ -1,5 +1,5 @@
---
dependencies:
- - role: httpd_pre
+ - role: httpd__pre
tags: dependency
diff --git a/roles/vmm/tasks/autoinstall_configuration.yml b/roles/vmm/tasks/autoinstall_configuration.yml
index 4901b61..a131cb3 100644
--- a/roles/vmm/tasks/autoinstall_configuration.yml
+++ b/roles/vmm/tasks/autoinstall_configuration.yml
@@ -40,7 +40,7 @@
ansible.builtin.template:
<<: *generation_steps
src: httpd.conf.j2
- dest: "{{ httpd_configuration_dir }}/autoinstall.conf"
+ dest: "{{ httpd__configuration_dir }}/autoinstall.conf"
owner: 0
group: 0
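Review bot: `httpd__configuration_dir` is not defined by any file in this change — the httpd defaults dropped `httpd_configuration_dir` and the httpd tasks now read `httpd_pre__configuration_dir` — so this template task fails on an undefined variable unless it is set elsewhere. Use `dest: "{{ httpd_pre__configuration_dir }}/autoinstall.conf"` to match the httpd role and the httpd_pre dependency declared in this role's meta.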