-rw-r--r--group_vars/all.yml11
-rw-r--r--host_vars/dc0.yml6
-rw-r--r--roles/relayd/defaults/main.yml12
-rw-r--r--roles/relayd/handlers/main.yml4
-rw-r--r--roles/relayd/meta/main.yml45
-rw-r--r--roles/relayd/tasks/main.yml18
-rw-r--r--roles/relayd/templates/relayd.conf.j238
7 files changed, 99 insertions, 35 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index fc3b760..2ae2bbc 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -8,11 +8,16 @@ ansible_become_method: su
# roles overrides
wireguard_domain_controller: "{{ __global_domain_controller }}"
-relayd_domain_name: "{{ __global_domain_name }}"
+relayd_domain_name: "{{ __domain_name }}"
acme_domain_name: "{{ __global_domain_name }}"
nfsclient_server: stack0
httpd_use_nfs: true
-relayd_rules: "{{ __services }}"
+relayd_rules: "[
+ {% for rule in __services if
+ 'domain' in rule and 'port' in rule %}
+ {{ {'name': rule.name, 'domain': rule.domain, 'port': rule.port} }},
+ {% endfor %}
+ ]"
pf_rules: "[
{% for rule in __services if
'port' in rule and 'protocol' in rule and 'name' in rule %}
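Review bot: The new `relayd_rules` filter on the loop line admits any service that has `domain` and `port`, but the dict built from it reads `rule.name`, so a service entry without a `name` key makes the whole variable fail to render with an undefined-attribute error rather than being skipped. The sibling `pf_rules` filter directly below already guards `'name' in rule`, and the role's argument spec marks `name` as required, so the two filters should agree: `{% for rule in __services if 'name' in rule and 'domain' in rule and 'port' in rule %}`. The `pf_rules` definition continues past the end of this hunk.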
@@ -30,9 +35,9 @@ __ip:
internal:
__services: {}
+__domain_name: rgoncalves.se
__global_domain_controller: dc0
-__global_domain_name: rgoncalves.se
__global_domain_name_hosts: owo
__global_domain_name_servers:
- 8.8.8.8
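Review bot: `__global_domain_name` is deleted here in favour of `__domain_name`, but `acme_domain_name: "{{ __global_domain_name }}"` in the previous hunk of this same file is left unchanged and still references the removed variable. Unless `__global_domain_name` is defined somewhere outside this file, rendering `acme_domain_name` will now fail with an undefined variable, which would break certificate issuance for the domain the relay's `tls keypair` lines depend on. Either keep the old variable as an alias or update the consumer: `acme_domain_name: "{{ __domain_name }}"`.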
diff --git a/host_vars/dc0.yml b/host_vars/dc0.yml
index fc9b3cc..1ab8872 100644
--- a/host_vars/dc0.yml
+++ b/host_vars/dc0.yml
@@ -5,6 +5,7 @@ ansible_port: 71
httpd_use_nfs: false
git_dir: /var/www/data/git
sshd_listen_port: "{{ ansible_port }}"
+relayd_connected_hosts: servers
__is_vm: true
@@ -22,6 +23,7 @@ __services:
port: 53
- name: http
+ domain: rgoncalves.se
protocol: tcp
port: 80
@@ -29,7 +31,7 @@ __services:
protocol: tcp
port: 443
- - name: cgit
- domain: git
+ - name: git
+ domain: git.rgoncalves.se
protocol: tcp
port: 1235
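Review bot: The rule domain is now spelled out as the full FQDN `git.rgoncalves.se` (and `rgoncalves.se` for the http rule above), which duplicates the `__domain_name` value that group_vars/all.yml introduces in this same commit; the two can silently drift apart, and since `domain` feeds both the `tls keypair` name and the `Host` match in relayd.conf, a drift means a certificate lookup failure or an unroutable vhost. Consider deriving it instead: `domain: "git.{{ __domain_name }}"` (Jinja in host_vars is resolved lazily, so this works as long as `__domain_name` is visible to the host). Also worth confirming that a `relayd_rules` entry for a service is intended to also surface in `pf_rules`, since this entry has `port`/`protocol`/`name` and will be picked up by both filters.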
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 66eef3b..2028ef1 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -3,6 +3,14 @@
relayd_rules: {}
relayd_configuration_file: /etc/relayd.conf
-relayd_domain_name: example.com
-relayd_transparent: true
relayd_block_msg: aah!
+
+relayd_tls_ciphers:
+ - HIGH
+ - "!AES128"
+ - "!kRSA"
+ - "!aNULL"
+relayd_tls_elliptic_curves:
+ - P-384
+ - P-256
+ - X25519
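Review bot: The unchanged default `relayd_rules: {}` just above is a mapping, while the new template iterates the value as a list of rule dicts (`for rule in h.relayd_rules`, `rule.name`) and the new argument spec types it as `list`; an empty mapping happens to iterate to nothing, but a non-empty mapping override would yield keys instead of dicts and break `rule.name`. The default should match the declared type: `relayd_rules: []`. Separately, if relayd treats the `tls ecdhe` list as server preference order (I could not confirm that from the visible config), listing `X25519` first would be the more common modern choice than P-384 first.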
diff --git a/roles/relayd/handlers/main.yml b/roles/relayd/handlers/main.yml
deleted file mode 100644
index 58e1171..0000000
--- a/roles/relayd/handlers/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-- name: lint relayd configuration
- ansible.builtin.command: "relayd -nf {{ relayd_configuration_file }}"
diff --git a/roles/relayd/meta/main.yml b/roles/relayd/meta/main.yml
new file mode 100644
index 0000000..e2da9c2
--- /dev/null
+++ b/roles/relayd/meta/main.yml
@@ -0,0 +1,45 @@
+---
+
+argument_specs:
+ main:
+ short_description: relayd main entrypoint.
+ options:
+
+ relayd_rules:
+ type: list
+ elements: dict
+ required: true
+ options:
+ domain:
+ type: str
+ required: true
+ description: Domain name
+ name:
+ type: str
+ required: true
+ description: Rule name
+ port:
+ type: int
+ required: true
+ description: Port to be configured
+
+ relayd_configuration_file:
+ type: path
+ required: true
+ description: Relayd configuration file
+
+ relayd_domain_name:
+ type: str
+ required: true
+ description: Relayd domain name
+
+ relayd_connected_hosts:
+ type: str
+ required: true
+ description: Group name of hosts that are behind relayd
+
+ relayd_tls_ciphers:
+ type: list
+ elements: str
+ required: true
+ description: Relayd tls ciphers
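Review bot: The spec keeps `relayd_domain_name` as `required: true`, yet this commit removes every `{{ relayd_domain_name }}` reference from relayd.conf.j2 and drops its default from defaults/main.yml, so unless another task in the role still uses it the role now hard-fails on hosts that do not set a variable nobody reads. Conversely the new `relayd_tls_elliptic_curves` default (and the pre-existing `relayd_block_msg`) is not declared here at all, so it gets no type or presence validation even though it is interpolated straight into the `tls ecdhe` directive. I would drop the `relayd_domain_name` entry and add an entry for `relayd_tls_elliptic_curves` mirroring the `relayd_tls_ciphers` block (type list, elements str, required true, with a description naming the ECDHE curves).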
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index e8e18a3..8dc2837 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -7,11 +7,23 @@
owner: 0
group: 0
mode: "0640"
- notify:
- - lint relayd configuration
+ register: relayd_result_generate_configuration
-- name: enable and restart relayd
+- name: lint relayd configuration
+ ansible.builtin.command: "relayd -nf {{ relayd_configuration_file }}"
+ register: relayd_result_lint_configuration
+ changed_when:
+ - relayd_result_generate_configuration.changed
+ - relayd_result_lint_configuration.rc != 0
+
+- name: restart relayd # noqa: no-handler
ansible.builtin.service:
name: relayd
state: restarted
+ when: relayd_result_generate_configuration.changed
+ or relayd_result_lint_configuration.changed
+
+- name: enable relayd
+ ansible.builtin.service:
+ name: relayd
enabled: true
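Review bot: The lint step now runs only after the rendered configuration has already been written to `relayd_configuration_file`, so a template that fails `relayd -n` is left on disk: the running daemon keeps its old config, but the play aborts (the command module fails on a non-zero rc) and the next reboot or manual restart would bring relayd up against the broken file. That same failure semantics also make the `or relayd_result_lint_configuration.changed` clause in the restart condition dead code, since `changed_when` can only be true when `rc != 0`, which is exactly when the task has already failed. The cleaner fix is to validate before installing, using the template module's built-in check on the template task (whose head is above this hunk): `validate: "relayd -nf %s"`, delete the separate lint task, and restart with `when: relayd_result_generate_configuration.changed`.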
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index b66ffa7..67b9e13 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -6,10 +6,11 @@ log connection errors
# hosts
table <local> { 127.0.0.1 }
-{% call(h) macros.loop_valid_hosts("servers") -%}
-table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} }
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
-table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} }
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
+table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} }
+{% for rule in h.relayd_rules %}
+table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
{% endfor %}
{%- endcall %}
@@ -17,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} }
http protocol "https" {
- tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
- tls ecdhe "P-384,P-256,X25519"
+ tls ciphers "{{ relayd_tls_ciphers | join(':') }}"
+ tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}"
tcp { sack, backlog 128 }
@@ -31,13 +32,10 @@ http protocol "https" {
match response header set "Referrer-Policy" value "no-referrer"
match response header set "X-XSS-Protection" value "1; mode=block"
- tls keypair "{{ relayd_domain_name }}"
- pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
-{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
- {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
- tls keypair "{{ domain_name }}"
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% for rule in h.relayd_rules %}
+ tls keypair "{{ rule.domain }}"
+ pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
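Review bot: The rewritten loop drops the old `if rules.domain is defined` guard and iterates every entry of `h.relayd_rules` unconditionally, so correctness now depends on every host's `relayd_rules` being pre-filtered by the group_vars expression; a host that overrides `relayd_rules` with an entry lacking `domain` would render `tls keypair ""` and a `Host` match on the empty string, which relayd would either reject at load time or, worse, accept as a rule that matches nothing useful. Keeping a defensive guard in the template costs one line and keeps the config self-consistent regardless of where the rules came from: `{% for rule in h.relayd_rules if rule.domain is defined and rule.name is defined %}`. The same applies to the sibling loops in the `http` protocol and the `wwwtls` relay below.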
@@ -50,11 +48,9 @@ http protocol "http" {
# acme
pass request quick path "/.well-known/acme-challenge/*" forward to <local>
- pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
-{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
- {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% for rule in h.relayd_rules %}
+ pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
{% endfor %}
{%- endcall %}
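Review bot: Beyond the ACME challenge path, this hunk keeps forwarding every listed domain over plain HTTP to its backend (for example the git rule on port 1235) with no upgrade to TLS, so any cookies or credentials a backend accepts on that vhost can travel in cleartext on the client side of the relay. If the intent is HTTPS-only service, the per-domain `pass` lines in the `http` protocol could be limited to the ACME path, or each backend should be confirmed to redirect to HTTPS itself; I cannot tell from the visible hunks which is the case. The `http protocol "http"` block begins above this hunk.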
@@ -74,9 +70,9 @@ relay "wwwtls" {
listen on egress port 443 tls
protocol "https"
forward to <local> port 80 check http "/" code 200
-{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
- forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> port {{ rules.port }} check tcp
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% for rule in h.relayd_rules %}
+ forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
{% endfor %}
{%- endcall %}
}