-rw-r--r--group_vars/all.yml17
-rw-r--r--host_vars/dc0.yml10
-rw-r--r--host_vars/stack0-dev0.yml7
-rw-r--r--roles/acme/defaults/main.yml2
-rw-r--r--roles/acme/templates/acme-client.conf.j26
-rw-r--r--roles/pf/defaults/main.yml8
-rw-r--r--roles/pf/templates/pf.conf.j25
-rw-r--r--roles/relayd/defaults/main.yml2
-rw-r--r--roles/relayd/templates/relayd.conf.j220
9 files changed, 43 insertions, 34 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 808f4de..63697e8 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,13 +1,22 @@
---
+# ansible overrides
+
ansible_hostname: "{{ ansible_host }}"
ansible_become_method: su
+# roles overrides
+
wireguard_domain_controller: "{{ __global_domain_controller }}"
relayd_domain_name: "{{ __global_domain_name }}"
acme_domain_name: "{{ __global_domain_name }}"
nfsclient_server: stack0
httpd_use_nfs: true
+relayd_rules: "{{ __services }}"
+pf_rules: "{{ __services }}"
+acme_rules: "{{ __services }}"
+
+# playbook specific
__is_vm: false
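Review bot: The `# roles overrides` header does not say that the three new `*_rules` variables are all aliases of the same per-host `__services` mapping, so a reader editing one of them cannot tell that a single host_vars entry now drives the firewall, the relay and the certificate configuration at once. A one-line comment above `relayd_rules` would make that dependency explicit, e.g. `# relayd, pf and acme all consume the host's __services mapping (see host_vars/*.yml)`. The `__global_services` mapping this file defines lower down is not part of that aliasing, which is worth stating as well if that is intended.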
@@ -33,11 +42,3 @@ __global_services:
protocol: tcp
port: 8000
is_public: true
-
-# __services:
-# - domain: status.test
-# is_public: true
-# port: 120
-# protocols:
-# - tcp
-# - udp
diff --git a/host_vars/dc0.yml b/host_vars/dc0.yml
index fc9b3cc..80c7ef5 100644
--- a/host_vars/dc0.yml
+++ b/host_vars/dc0.yml
@@ -13,23 +13,23 @@ __ip:
internal: 10.10.0.1
__services:
- - name: ssh
+ ssh:
protocol: tcp
port: 22
- - name: wireguard
+ wireguard:
protocol: udp
port: 53
- - name: http
+ http:
protocol: tcp
port: 80
- - name: https
+ https:
protocol: tcp
port: 443
- - name: cgit
+ cgit:
domain: git
protocol: tcp
port: 1235
diff --git a/host_vars/stack0-dev0.yml b/host_vars/stack0-dev0.yml
index 905627a..fe6204c 100644
--- a/host_vars/stack0-dev0.yml
+++ b/host_vars/stack0-dev0.yml
@@ -7,11 +7,6 @@ __ip:
internal: 10.10.0.61
__services:
- - name: ssh
+ ssh:
protocol: tcp
port: 22
-
-# - name: cgit
-# domain: git
-# protocol: tcp
-# port: 1235
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
index 24201bd..66ca704 100644
--- a/roles/acme/defaults/main.yml
+++ b/roles/acme/defaults/main.yml
@@ -1,4 +1,6 @@
---
+acme_rules: {}
+
acme_configuration_file: /etc/acme-client.conf
acme_domain_name: null
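Review bot: `acme_rules: {}` is added without any description of the shape the role expects, whereas the parallel `pf_rules` default in roles/pf/defaults/main.yml gets a placeholder comment; the same omission applies to `relayd_rules: {}` in roles/relayd/defaults/main.yml. Since the template only acts on entries that carry a `domain`, the comment should say so, e.g. `# acme_rules: service name -> {domain: ..., protocol: ..., port: ...}; only entries with a domain get a certificate`. Keeping the three role defaults documented the same way would also make it obvious that `{}` (not `null`) is the empty value the templates can iterate.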
diff --git a/roles/acme/templates/acme-client.conf.j2 b/roles/acme/templates/acme-client.conf.j2
index 3792009..583c3d5 100644
--- a/roles/acme/templates/acme-client.conf.j2
+++ b/roles/acme/templates/acme-client.conf.j2
@@ -14,9 +14,9 @@ domain {{ acme_domain_name }} {
}
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
-domain {{ service.domain }}.{{ acme_domain_name }} {
- {% set domain = service.domain ~ "." ~ acme_domain_name %}
+{% for name, rules in h.acme_rules.items() if rules.domain is defined %}
+domain {{ rules.domain }}.{{ acme_domain_name }} {
+ {% set domain = rules.domain ~ "." ~ acme_domain_name %}
alternative names { www.{{ domain }} }
domain key "/etc/ssl/private/{{ domain }}.key"
domain full chain certificate "/etc/ssl/{{ domain }}.crt"
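Review bot: The loop variable `name` introduced in the new `for` line is never used in the body, and the new `domain … {` line concatenates `rules.domain` with `acme_domain_name` only to have the following `set` line build the identical string into `domain`. Computing `domain` first and reusing it removes the duplicated expression and lets the unused name be dropped: `{% for _, rules in h.acme_rules.items() if rules.domain is defined %}`, `{% set domain = rules.domain ~ "." ~ acme_domain_name %}`, `domain {{ domain }} {`. If the project convention is to keep the mapping key visible in the rendered file, a `# {{ name }}` comment line, as the pf template does, would give `name` a purpose instead.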
diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml
index edba159..29a53f8 100644
--- a/roles/pf/defaults/main.yml
+++ b/roles/pf/defaults/main.yml
@@ -1,5 +1,13 @@
---
+pf_rules: null
+# name: ...
+# protocol: ...
+# port: ...
+# name: ...
+# protocol: ...
+# port: ...
+
pf_configuration_file: /etc/pf.conf
pf_test_ports:
- "{{ ansible_port }}"
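Review bot: `pf_rules: null` is the wrong empty default, because the new pf template calls `pf_rules.items()` unconditionally (roles/pf/templates/pf.conf.j2 in this commit) and a host that does not inherit the group_vars override will fail to render with an attribute error on `None`; the acme and relayd roles in the same commit default their rule mappings to `{}`, so the one-line fix is `pf_rules: {}`. The placeholder comment below it also describes the old list shape (`# name: ...`) while the template now reads the service name from the mapping key, so the comment should show the key form, e.g. `# <service name>:`, `#   protocol: ...`, `#   port: ...`.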
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index 1b51fe7..e60b4a6 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -11,8 +11,9 @@ block all
pass in quick on egress proto tcp to port {{ ansible_port }}
# host services
-{% for service in __services %}
-pass in quick on egress proto {{ service["protocol"] }} to port {{ service["port"] }}
+{% for name, rules in pf_rules.items() %}
+# {{ name }}
+pass in quick on egress proto {{ rules.protocol }} to port {{ rules.port }}
{% endfor %}
# wireguard
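Review bot: Every entry in `pf_rules` now becomes an inbound `pass in quick on egress` rule, with no per-entry condition, so any service added to a host's `__services` for relayd or acme purposes is also opened on the external interface. The `__global_services` entries in group_vars carry an `is_public` flag (visible as context in that file's second hunk), which suggests exposure was meant to be selectable; if so, the loop should filter on it, e.g. `{% for name, rules in pf_rules.items() if rules.is_public | default(true) %}`, with the default chosen to match the current behaviour. Whether `is_public` is intended to gate pf rules cannot be confirmed from this diff, but the template should state either way that membership in `pf_rules` alone is what exposes a port.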
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 7171f53..66eef3b 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -1,5 +1,7 @@
---
+relayd_rules: {}
+
relayd_configuration_file: /etc/relayd.conf
relayd_domain_name: example.com
relayd_transparent: true
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index c97e9da..b66ffa7 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -8,8 +8,8 @@ log connection errors
table <local> { 127.0.0.1 }
{% call(h) macros.loop_valid_hosts("servers") -%}
table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} }
-{% for service in h.__services if service.domain is defined %}
-table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} }
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} }
{% endfor %}
{%- endcall %}
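Review bot: The loop variable `name` in the new `for` line is never referenced in the loop body, and the same unused binding is repeated in the three later hunks of this file (the `https` and `http` protocol blocks and the `wwwtls` relay block), each with the identical `h.relayd_rules.items() if rules.domain is defined` filter. Using `_` for the discarded key, `{% for _, rules in h.relayd_rules.items() if rules.domain is defined %}`, makes it clear the mapping key is intentionally ignored, or a `# {{ name }}` comment line would give it a use as the pf template does. The later hunks sit inside `http protocol` and `relay` blocks whose opening and closing lines are outside those hunks.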
@@ -34,10 +34,10 @@ http protocol "https" {
tls keypair "{{ relayd_domain_name }}"
pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
- {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+ {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
tls keypair "{{ domain_name }}"
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
{% endfor %}
{%- endcall %}
@@ -52,9 +52,9 @@ http protocol "http" {
pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
- {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
- pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+ {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%}
+ pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}>
{% endfor %}
{%- endcall %}
@@ -75,8 +75,8 @@ relay "wwwtls" {
protocol "https"
forward to <local> port 80 check http "/" code 200
{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for service in h.__services if service.domain is defined %}
- forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp
+{% for name, rules in h.relayd_rules.items() if rules.domain is defined %}
+ forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> port {{ rules.port }} check tcp
{% endfor %}
{%- endcall %}
}