From 8ce56f15e0751870b56805010241dcfe8389b10f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Gon=C3=A7alves?= Date: Sat, 17 Dec 2022 21:59:58 +0100 Subject: refactor: remove global __services from roles --- group_vars/all.yml | 17 +++++++++-------- host_vars/dc0.yml | 10 +++++----- host_vars/stack0-dev0.yml | 7 +------ roles/acme/defaults/main.yml | 2 ++ roles/acme/templates/acme-client.conf.j2 | 6 +++--- roles/pf/defaults/main.yml | 8 ++++++++ roles/pf/templates/pf.conf.j2 | 5 +++-- roles/relayd/defaults/main.yml | 2 ++ roles/relayd/templates/relayd.conf.j2 | 20 ++++++++++---------- 9 files changed, 43 insertions(+), 34 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index 808f4de..63697e8 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,13 +1,22 @@ --- +# ansible overrides + ansible_hostname: "{{ ansible_host }}" ansible_become_method: su +# roles overrides + wireguard_domain_controller: "{{ __global_domain_controller }}" relayd_domain_name: "{{ __global_domain_name }}" acme_domain_name: "{{ __global_domain_name }}" nfsclient_server: stack0 httpd_use_nfs: true +relayd_rules: "{{ __services }}" +pf_rules: "{{ __services }}" +acme_rules: "{{ __services }}" + +# playbook specific __is_vm: false @@ -33,11 +42,3 @@ __global_services: protocol: tcp port: 8000 is_public: true - -# __services: -# - domain: status.test -# is_public: true -# port: 120 -# protocols: -# - tcp -# - udp diff --git a/host_vars/dc0.yml b/host_vars/dc0.yml index fc9b3cc..80c7ef5 100644 --- a/host_vars/dc0.yml +++ b/host_vars/dc0.yml @@ -13,23 +13,23 @@ __ip: internal: 10.10.0.1 __services: - - name: ssh + ssh: protocol: tcp port: 22 - - name: wireguard + wireguard: protocol: udp port: 53 - - name: http + http: protocol: tcp port: 80 - - name: https + https: protocol: tcp port: 443 - - name: cgit + cgit: domain: git protocol: tcp port: 1235 diff --git a/host_vars/stack0-dev0.yml b/host_vars/stack0-dev0.yml index 905627a..fe6204c 100644 
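Review bot: Pointing `pf_rules`, `relayd_rules` and `acme_rules` at the same `__services` map means any entry added to obtain a certificate or a relayd route — such as `cgit` with `domain: git` on port 1235 in host_vars/dc0.yml — also receives an inbound `pass` rule from the pf role, while the `is_public` flag still carried by `__global_services` below is read by none of the three templates touched in this commit. If domain-bearing services are meant to be reached only through relayd, either give `pf_rules` its own variable or state the coupling where it is declared: `# pf_rules: every entry becomes "pass in quick on egress" in pf.conf; relayd-only backends must not be listed here`. The `__is_vm`/`__global_services` run that follows these lines is only partly visible in this hunk.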
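Review bot: Keying `__services` by service name makes a second entry with the same key (a second `http:` block, for instance) silently replace the first under most YAML loaders, whereas the former list form kept both and the pf role would have emitted both rules. For a structure that feeds a firewall ruleset that silent last-wins is worth guarding against: enable yamllint's `key-duplicates` rule on the inventory, and consider a one-line comment above the map, `# one entry per service name; duplicate keys are silently dropped by YAML`.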
--- a/host_vars/stack0-dev0.yml +++ b/host_vars/stack0-dev0.yml @@ -7,11 +7,6 @@ __ip: internal: 10.10.0.61 __services: - - name: ssh + ssh: protocol: tcp port: 22 - -# - name: cgit -# domain: git -# protocol: tcp -# port: 1235 diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml index 24201bd..66ca704 100644 --- a/roles/acme/defaults/main.yml +++ b/roles/acme/defaults/main.yml @@ -1,4 +1,6 @@ --- +acme_rules: {} + acme_configuration_file: /etc/acme-client.conf acme_domain_name: null diff --git a/roles/acme/templates/acme-client.conf.j2 b/roles/acme/templates/acme-client.conf.j2 index 3792009..583c3d5 100644 --- a/roles/acme/templates/acme-client.conf.j2 +++ b/roles/acme/templates/acme-client.conf.j2 @@ -14,9 +14,9 @@ domain {{ acme_domain_name }} { } {% call(h) macros.loop_valid_hosts("servers") -%} -{% for service in h.__services if service.domain is defined %} -domain {{ service.domain }}.{{ acme_domain_name }} { - {% set domain = service.domain ~ "." ~ acme_domain_name %} +{% for name, rules in h.acme_rules.items() if rules.domain is defined %} +domain {{ rules.domain }}.{{ acme_domain_name }} { + {% set domain = rules.domain ~ "." ~ acme_domain_name %} alternative names { www.{{ domain }} } domain key "/etc/ssl/private/{{ domain }}.key" domain full chain certificate "/etc/ssl/{{ domain }}.crt" diff --git a/roles/pf/defaults/main.yml b/roles/pf/defaults/main.yml index edba159..29a53f8 100644 --- a/roles/pf/defaults/main.yml +++ b/roles/pf/defaults/main.yml @@ -1,5 +1,13 @@ --- +pf_rules: null +# name: ... +# protocol: ... +# port: ... +# name: ... +# protocol: ... +# port: ... + pf_configuration_file: /etc/pf.conf pf_test_ports: - "{{ ansible_port }}" diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2 index 1b51fe7..e60b4a6 100644 --- a/roles/pf/templates/pf.conf.j2 +++ b/roles/pf/templates/pf.conf.j2 
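Review bot: `rules.domain` is interpolated unchecked into the `domain` statement and into the filesystem paths `/etc/ssl/private/{{ domain }}.key` and `/etc/ssl/{{ domain }}.crt`, so an inventory value containing `/`, whitespace or `..` yields a config that either fails to parse or places the private key outside `/etc/ssl/private`. The data is inventory-controlled, so this is about failing early rather than attack surface; an `ansible.builtin.assert` over the `acme_rules` values against a hostname-label pattern such as `^[a-z0-9-]+$` before the template task would do it, and the unused loop key `name` could be written as `_`. The `{% call(h) macros.loop_valid_hosts("servers") %}` block that opens in this hunk is closed outside it.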
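Review bot: `pf_rules: null` is inconsistent with the `{}` default this commit gives `acme_rules` and `relayd_rules`, and pf.conf.j2 calls `pf_rules.items()`, so the role's own default is never renderable and the role cannot be applied without an override (a failed render presumably leaves the previous pf.conf in place, so this is a usability rather than a fail-open issue). The commented schema also shows `name:` twice at the same level, which describes the old list shape rather than the name-keyed mapping the template now consumes. Suggest `pf_rules: {}` with the example rewritten as a mapping: `# ssh:` / `#   protocol: tcp` / `#   port: 22`.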
@@ -11,8 +11,9 @@ block all pass in quick on egress proto tcp to port {{ ansible_port }} # host services -{% for service in __services %} -pass in quick on egress proto {{ service["protocol"] }} to port {{ service["port"] }} +{% for name, rules in pf_rules.items() %} +# {{ name }} +pass in quick on egress proto {{ rules.protocol }} to port {{ rules.port }} {% endfor %} # wireguard diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml index 7171f53..66eef3b 100644 --- a/roles/relayd/defaults/main.yml +++ b/roles/relayd/defaults/main.yml @@ -1,5 +1,7 @@ --- +relayd_rules: {} + relayd_configuration_file: /etc/relayd.conf relayd_domain_name: example.com relayd_transparent: true diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2 index c97e9da..b66ffa7 100644 --- a/roles/relayd/templates/relayd.conf.j2 +++ b/roles/relayd/templates/relayd.conf.j2 @@ -8,8 +8,8 @@ log connection errors table { 127.0.0.1 } {% call(h) macros.loop_valid_hosts("servers") -%} table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} } -{% for service in h.__services if service.domain is defined %} -table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} } +{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} +table <{{ h.inventory_hostname }}_{{ rules.domain }}> { {{ h.__ip.internal }} } {% endfor %} {%- endcall %} 
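Review bot: The new loop emits `pass in quick on egress proto … to port …` for every entry in `pf_rules`, including entries that carry a `domain`, and the relayd template in this same commit treats exactly those entries as backends addressed via `h.__ip.internal` behind its `tls keypair` and Host-header rules. If `egress` is the externally facing interface group on the backend hosts, cgit on tcp/1235 becomes reachable directly, bypassing relayd's TLS termination and Host matching; if the `domain` key is the convention for relayd-only services, `{% for name, rules in pf_rules.items() if rules.domain is not defined %}` keeps them off egress, with a separate pass from the relayd host's internal address added where needed. Separately, an entry lacking `port` renders `to port ` and pfctl rejects the whole file, so the role should validate with `pfctl -nf` before loading if it does not already.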
@@ -34,10 +34,10 @@ http protocol "https" { tls keypair "{{ relayd_domain_name }}" pass request quick header "Host" value "{{ relayd_domain_name }}" forward to {% call(h) macros.loop_valid_hosts("servers") -%} -{% for service in h.__services if service.domain is defined %} - {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%} +{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} + {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%} tls keypair "{{ domain_name }}" - pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}> + pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> {% endfor %} {%- endcall %} @@ -52,9 +52,9 @@ http protocol "http" { pass request quick header "Host" value "{{ relayd_domain_name }}" forward to {% call(h) macros.loop_valid_hosts("servers") -%} -{% for service in h.__services if service.domain is defined %} - {% set domain_name = service.domain ~ "." ~ relayd_domain_name -%} - pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}> +{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} + {% set domain_name = rules.domain ~ "." ~ relayd_domain_name -%} + pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> {% endfor %} {%- endcall %} 
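Review bot: Because the per-domain `pass request quick header "Host" value "{{ domain_name }}"` rules are generated inside a loop over every host in `servers`, two hosts that both declare the same `domain` (say `git`) produce two `quick` rules for the same Host value, and the second host's table is silently never selected. Nothing in the hunk detects this; an `ansible.builtin.assert` that the union of `relayd_rules` domains across the group is unique, or a short comment on the loop, `{# first host declaring a domain wins: rules are "quick" #}`, would make the behaviour explicit. The `http protocol "https"` block begins before this hunk.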
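Review bot: In the plaintext `http protocol "http"` the same per-domain rules forward every subdomain to its backend table with no TLS involved, so unless the backends or something outside this hunk redirect to HTTPS, each site is fully served over cleartext as well and the `tls keypair` in the https protocol gives no guarantee a client ever sees TLS. If port 80 is only needed for the ACME HTTP-01 challenge, relayd's `path` filter can narrow these rules, e.g. `pass request quick header "Host" value "{{ domain_name }}" path "/.well-known/acme-challenge/*" forward to <…>`, with the rest blocked or redirected by the backend. This is hedged on what the surrounding relayd.conf and the httpd role do, which are not visible here.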
@@ -75,8 +75,8 @@ relay "wwwtls" { protocol "https" forward to port 80 check http "/" code 200 {% call(h) macros.loop_valid_hosts("servers") -%} -{% for service in h.__services if service.domain is defined %} - forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp +{% for name, rules in h.relayd_rules.items() if rules.domain is defined %} + forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> port {{ rules.port }} check tcp {% endfor %} {%- endcall %} } -- cgit v1.2.3
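Review bot: The generated per-domain forwards use `check tcp` while the primary `forward to port 80` two lines above uses `check http "/" code 200`; a TCP connect check keeps a backend in rotation as long as the port accepts connections, even when the service behind it is returning errors. If these backends are HTTP services (cgit presumably is), `forward to <{{ h.inventory_hostname }}_{{ rules.domain }}> port {{ rules.port }} check http "/" code 200` gives parity, or a per-entry `check` key in `__services` can carry the choice. The forward also has no `with tls`, so relayd-to-backend traffic crosses the internal network in cleartext — acceptable if that network is trusted, but worth a one-line comment saying so.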