From adfb09b9e19f7a31632eab01171693cb81ec75ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Thu, 8 Feb 2024 13:32:37 +0100
Subject: refactor(roles): new variable naming standard
---
 roles/relayd/defaults/main.yml | 14 ++++++-------
 roles/relayd/meta/main.yml | 10 ++++-----
 roles/relayd/tasks/main.yml | 38 +++++++++++++++++------------------
 roles/relayd/templates/relayd.conf.j2 | 31 ++++++++++++++--------------
 4 files changed, 47 insertions(+), 46 deletions(-)
(limited to 'roles/relayd')
diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
index 998ff5c..17d325d 100644
--- a/roles/relayd/defaults/main.yml
+++ b/roles/relayd/defaults/main.yml
@@ -1,19 +1,19 @@
 ---
-relayd_rules: {}
+relayd__rules: {}
-relayd_configuration_file: /etc/relayd.conf
-relayd_block_msg: aah!
+relayd__configuration_file: /etc/relayd.conf
+relayd__block_msg: aah!
-relayd_ssl_certificates_dir: /etc/ssl
-relayd_ssl_keys_dir: /etc/ssl/private
+relayd__ssl_certificates_dir: /etc/ssl
+relayd__ssl_keys_dir: /etc/ssl/private
-relayd_tls_ciphers:
+relayd__tls_ciphers:
 - HIGH
 - "!AES128"
 - "!kRSA"
 - "!aNULL"
-relayd_tls_elliptic_curves:
+relayd__tls_elliptic_curves:
 - P-384
 - P-256
 - X25519
diff --git a/roles/relayd/meta/main.yml b/roles/relayd/meta/main.yml
index e2da9c2..64efc3a 100644
--- a/roles/relayd/meta/main.yml
+++ b/roles/relayd/meta/main.yml
@@ -5,7 +5,7 @@ argument_specs:
 short_description: relayd main entrypoint.
 options:
- relayd_rules:
+ relayd__rules:
 type: list
 elements: dict
 required: true
@@ -23,22 +23,22 @@ argument_specs:
 required: true
 description: Port to be configured
- relayd_configuration_file:
+ relayd__configuration_file:
 type: path
 required: true
 description: Relayd configuration file
- relayd_domain_name:
+ relayd__domain_name:
 type: str
 required: true
 description: Relayd domain name
- relayd_connected_hosts:
+ relayd__connected_hosts:
 type: str
 required: true
 description: Group name of hosts that are behind relayd
- relayd_tls_ciphers:
+ relayd__tls_ciphers:
 type: list
 elements: str
 required: true
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
index 1346675..6485eb2 100644
--- a/roles/relayd/tasks/main.yml
+++ b/roles/relayd/tasks/main.yml
@@ -8,57 +8,57 @@
 -newkey rsa:4096 -nodes -subj "/CN={{ item.domain }}"
- -keyout {{ relayd_ssl_keys_dir }}/{{ item.domain }}.key
- -out {{ relayd_ssl_certificates_dir }}/{{ item.domain }}.pem
- creates: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
- loop: "{{ relayd_rules }}"
+ -keyout {{ relayd__ssl_keys_dir }}/{{ item.domain }}.key
+ -out {{ relayd__ssl_certificates_dir }}/{{ item.domain }}.pem
+ creates: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key"
+ loop: "{{ relayd__rules }}"
 - name: apply restrictive permissions on ssl keys
 ansible.builtin.file:
- path: "{{ relayd_ssl_keys_dir }}/{{ item.domain }}.key"
+ path: "{{ relayd__ssl_keys_dir }}/{{ item.domain }}.key"
 owner: 0
 group: 0
 mode: "0600"
- loop: "{{ relayd_rules }}"
+ loop: "{{ relayd__rules }}"
 - name: retrieve certificate files
 ansible.builtin.stat:
- path: "{{ relayd_ssl_certificates_dir }}/{{ item.domain }}.crt"
- loop: "{{ relayd_rules }}"
- register: relayd_result_stat_certificates
+ path: "{{ relayd__ssl_certificates_dir }}/{{ item.domain }}.crt"
+ loop: "{{ relayd__rules }}"
+ register: relayd__result_stat_certificates
 - name: link pem files to certificate files if required
 ansible.builtin.file:
- src: "{{ relayd_ssl_certificates_dir }}/{{ item.item.domain }}.pem"
+ src: "{{ relayd__ssl_certificates_dir }}/{{ item.item.domain }}.pem"
 dest: "{{ item.invocation.module_args.path }}"
 owner: 0
 group: 0
 state: link
 when: not item.stat.exists
- loop: "{{ relayd_result_stat_certificates.results }}"
+ loop: "{{ relayd__result_stat_certificates.results }}"
 - name: generate relayd configuration
 ansible.builtin.template:
 src: relayd.conf.j2
- dest: "{{ relayd_configuration_file }}"
+ dest: "{{ relayd__configuration_file }}"
 owner: 0
 group: 0
 mode: "0640"
- register: relayd_result_generate_configuration
+ register: relayd__result_generate_configuration
 - name: lint relayd configuration
- ansible.builtin.command: "relayd -nf {{ relayd_configuration_file }}"
- register: relayd_result_lint_configuration
+ ansible.builtin.command: "relayd -nf {{ relayd__configuration_file }}"
+ register: relayd__result_lint_configuration
 changed_when:
- - relayd_result_generate_configuration.changed
- - relayd_result_lint_configuration.rc != 0
+ - relayd__result_generate_configuration.changed
+ - relayd__result_lint_configuration.rc != 0
 - name: restart relayd # noqa: no-handler
 ansible.builtin.service:
 name: relayd
 state: restarted
- when: relayd_result_generate_configuration.changed or relayd_result_lint_configuration.changed
+ when: relayd__result_generate_configuration.changed or relayd__result_lint_configuration.changed
 - name: enable relayd
 ansible.builtin.service:
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 67b9e13..4169251 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -6,11 +6,11 @@ log connection errors
 # hosts
 table { 127.0.0.1 }
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% set relayd_rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
-table <{{ h.inventory_hostname }}> { {{ relayd_rule_ip }} }
-{% for rule in h.relayd_rules %}
-table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% set relayd__rule_ip = "127.0.0.1" if h.inventory_hostname == inventory_hostname else h.__ip.internal %}
+table <{{ h.inventory_hostname }}> { {{ relayd__rule_ip }} }
+{% for rule in h.relayd__rules %}
+table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd__rule_ip }} }
 {% endfor %}
 {%- endcall %}
@@ -18,8 +18,8 @@ table <{{ h.inventory_hostname }}_{{ rule.name }}> { {{ relayd_rule_ip }} }
 http protocol "https" {
- tls ciphers "{{ relayd_tls_ciphers | join(':') }}"
- tls ecdhe "{{ relayd_tls_elliptic_curves | join(',') }}"
+ tls ciphers "{{ relayd__tls_ciphers | join(':') }}"
+ tls ecdhe "{{ relayd__tls_elliptic_curves | join(',') }}"
 tcp { sack, backlog 128 }
@@ -27,19 +27,20 @@ http protocol "https" {
 match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
 match request header set "Connection" value "close"
 match request header set "X-Forwarded-Proto" value "https"
- match request header set "X-Forwarded-Port" value "443"
+ match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
+ match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
 match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
 match response header set "Referrer-Policy" value "no-referrer"
 match response header set "X-XSS-Protection" value "1; mode=block"
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 tls keypair "{{ rule.domain }}"
 pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %}
- block label "{{ relayd_block_msg }}"
+ block label "{{ relayd__block_msg }}"
 return error
 }
@@ -48,8 +49,8 @@ http protocol "http" {
 # acme
 pass request quick path "/.well-known/acme-challenge/*" forward to
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 pass request quick header "Host" value "{{ rule.domain }}" forward to <{{ h.inventory_hostname }}_{{ rule.name }}>
 {% endfor %}
 {%- endcall %}
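Review bot: The new `X-Forwarded-Port` value `$REMOTE_PORT` is, per relayd.conf(5), the connecting client's TCP source port rather than the port the client reached the relay on, so a backend that rebuilds absolute URLs from `X-Forwarded-Proto` and `X-Forwarded-Port` will see an ephemeral port instead of 443. The relay's own listening port is `$SERVER_PORT`, already used on the `X-Forwarded-By` line above, so `match request header set "X-Forwarded-Port" value "$SERVER_PORT"` keeps the previous meaning without the hard-coded 443. Setting `X-Forwarded-For` with `set` rather than `append` is the safer choice at the first hop, because it discards any client-supplied value before a backend trusts it; a one-line comment in the template saying so would stop a later edit from switching it to `append`. Both header lines are behavioural changes inside a commit described as a rename, which makes them easy to miss in review. The `http protocol "https"` block starts outside the hunk.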
@@ -70,8 +71,8 @@ relay "wwwtls" {
 listen on egress port 443 tls
 protocol "https"
 forward to port 80 check http "/" code 200
-{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
-{% for rule in h.relayd_rules %}
+{% call(h) macros.loop_valid_hosts(relayd__connected_hosts) -%}
+{% for rule in h.relayd__rules %}
 forward to <{{ h.inventory_hostname }}_{{ rule.name }}> port {{ rule.port }} check tcp
 {% endfor %}
 {%- endcall %}
-- 
cgit v1.2.3