Start working on proxy role

2023-11-12 23:16:53 +01:00 · 2023-11-12 23:16:53 +01:00 · 0616ed1b38
parent f11126df9f
commit 0616ed1b38
14 changed files with 105 additions and 33 deletions
--- a/group_vars/app_prod/vars.yml
+++ b/group_vars/app_prod/vars.yml
@ -2,4 +2,4 @@
 # code: language=ansible
 ---
 db_inventory_hostname: sapt-labp-db01
-db_host: "{{ hostvars[db_inventory_hostname].ansible_host }}"
+db_host: "{{ hostvars[db_inventory_hostname].fqdn }}"
--- a/group_vars/app_stage/vars.yml
+++ b/group_vars/app_stage/vars.yml
@ -4,4 +4,4 @@
 apps_base_domain: staging.sapti.me

 db_inventory_hostname: sapt-labs-db01
-db_host: "{{ hostvars[db_inventory_hostname].ansible_host }}"
+db_host: "{{ hostvars[db_inventory_hostname].fqdn }}"
--- a/roles/apps/defaults/main.yml
+++ b/roles/apps/defaults/main.yml
@ -12,6 +12,7 @@ apps_vars:
    backup: false
    sender: false
    extra_tasks: true
+    docker_ipv4: 172.17.2.32
    version: 1.25.3-alpine-slim

  postfix:
--- a/roles/apps/tasks/main.yml
+++ b/roles/apps/tasks/main.yml
@ -7,7 +7,7 @@
    enable_ipv6: true
    ipam_config:
      - subnet: 172.17.2.0/24
-      - subnet: fd02::/64
+        gateway: 172.17.2.1
    state: present

 - name: Create Docker network for Postfix
--- a/roles/apps/templates/compose-files/nextcloud.yml.j2
+++ b/roles/apps/templates/compose-files/nextcloud.yml.j2
@ -24,7 +24,7 @@ services:
      SMTP_AUTHTYPE: PLAIN
      SMTP_HOST: postfix
      SMTP_PORT: 587
-      TRUSTED_PROXIES: "{{ apps_vars.caddy.docker_ipv4 }}"
+      TRUSTED_PROXIES: "{{ apps_vars.nginx.docker_ipv4 }}"
      OVERWRITEHOST: {{ apps_vars.nextcloud.domain }}
      OVERWRITEPROTOCOL: https
      OVERWRITECLIURL: https://{{ apps_vars.nextcloud.domain }}
--- a/roles/apps/templates/compose-files/nginx.yml.j2
+++ b/roles/apps/templates/compose-files/nginx.yml.j2
@ -6,7 +6,8 @@ services:
    image: nginx:{{ apps_vars.nginx.version }}
    restart: always
    networks:
-      - {{ apps_shared_docker_network }}
+      {{ apps_shared_docker_network }}:
+        ipv4_address: {{ apps_vars.nginx.docker_ipv4 }}
    ports:
      - {{ internal_ipv4 }}:8080:8080/tcp
    volumes:
--- a/roles/apps/templates/nextcloud/remoteip.conf.j2
+++ b/roles/apps/templates/nextcloud/remoteip.conf.j2
@ -1,4 +1,4 @@
 # code: language=ansible-jinja

 RemoteIPHeader X-Forwarded-For
-RemoteIPInternalProxy {{ apps_vars.caddy.docker_ipv4 }}
+RemoteIPInternalProxy {{ apps_vars.nginx.docker_ipv4 }}
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@ -0,0 +1,15 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+proxy_data_root: /proxy
+proxy_mode: global
+
+proxy_vars:
+  production:
+    app01: "{{ hostvars['sapt-labp-app01'] }}"
+    app02: "{{ hostvars['sapt-labp-app02'] }}"
+  staging:
+    app01: "{{ hostvars['sapt-labs-app01'] }}"
+    app02: "{{ hostvars['sapt-labs-app02'] }}"
+  shared:
+    mon01: "{{ hostvars['sapt-labr-mon01'] }}"
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -0,0 +1,9 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+- name: Copy Caddyfile
+  ansible.builtin.template:
+    src: caddy/{{ proxy_mode }}.Caddyfile.j2
+    dest: "{{ proxy_data_root }}/caddy/data/Caddyfile"
+    owner: root
+    mode: u=rw,go=
--- a/roles/proxy/templates/caddy/global.Caddyfile.j2
+++ b/roles/proxy/templates/caddy/global.Caddyfile.j2
@ -0,0 +1,34 @@
+# code: language=ansible-jinja
+{
+    admin off
+}
+{% for env in ['production', 'staging'] %}
+
+# Environment: {{ env }}
+
+{{ proxy_vars[env].app01.apps_vars.nextcloud.domain }} {
+    tls {{ secrets.tls_email }}
+
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        -Server
+    }
+
+    reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+}
+
+{{ proxy_vars[env].app02.apps_vars.ipfs.gateway_domain }},
+*.ipfs.{{ proxy_vars[env].app02.apps_vars.ipfs.gateway_domain }},
+*.ipns.{{ proxy_vars[env].app02.apps_vars.ipfs.gateway_domain }} {
+    tls {{ secrets.tls_email }} {
+        dns njalla {{ secrets.caddy.njalla_api_token }}
+    }
+
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        -Server
+    }
+
+    reverse_proxy {{ proxy_vars[env].app02.internal_ipv4 }}:8080
+}
+{% endfor %}
--- a/roles/proxy/templates/caddy/local.Caddyfile.j2
+++ b/roles/proxy/templates/caddy/local.Caddyfile.j2
@ -0,0 +1,34 @@
+# code: language=ansible-jinja
+{
+    admin off
+}
+{% for env in ['production', 'staging'] %}
+
+# Environment: {{ env }}
+
+{{ proxy_vars[env].app02.apps_vars.ipfs.domain }} {
+    tls {{ secrets.tls_email }} {
+        dns njalla {{ secrets.caddy.njalla_api_token }}
+    }
+
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        -Server
+    }
+
+    reverse_proxy {{ proxy_vars[env].app02.internal_ipv4 }}:8080
+}
+
+{{ proxy_vars[env].app02.apps_vars.monerod.domain }} {
+    tls {{ secrets.tls_email }} {
+        dns njalla {{ secrets.caddy.njalla_api_token }}
+    }
+
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        -Server
+    }
+
+    reverse_proxy {{ proxy_vars[env].app02.internal_ipv4 }}:8080
+}
+{% endfor %}
--- a/roles/vm-common/templates/etc/ssh/sshd_config.j2
+++ b/roles/vm-common/templates/etc/ssh/sshd_config.j2
@ -1,6 +1,3 @@
-# code: language=ansible-jinja
-Include /etc/ssh/sshd_config.d/*.conf
-
 Port 22
 AddressFamily any
 ListenAddress 0.0.0.0
@ -8,11 +5,7 @@ ListenAddress ::

 MaxAuthTries 3
 PubkeyAuthentication yes
-{% if hostname in groups['infrastructure'] %}
-PermitRootLogin yes
-{% else %}
 PermitRootLogin no
-{% endif %}
 PermitEmptyPasswords no
 PasswordAuthentication no
 IgnoreRhosts yes
@ -24,7 +17,4 @@ PrintMotd no
 UseDNS no
 AcceptEnv LANG LC_*

-{% if hostname in groups['infrastructure'] %}
-Match User root
-    PasswordAuthentication yes
-{% endif %}
+Include /etc/ssh/sshd_config.d/*.conf
--- a/roles/vm-common/tasks/ssh.yml
+++ b/roles/vm-common/tasks/ssh.yml
@ -2,8 +2,8 @@
 # code: language=ansible
 ---
 - name: Copy sshd_config
-  ansible.builtin.template:
-    src: etc/ssh/sshd_config.j2
+  ansible.builtin.copy:
+    src: etc/ssh/sshd_config
    dest: /etc/ssh/sshd_config
    owner: root
    mode: u=rw,g=r,o=r
--- a/roles/vm-common/templates/etc/hosts.j2
+++ b/roles/vm-common/templates/etc/hosts.j2
@ -1,6 +1,6 @@
 # code: language=ansible-jinja
 127.0.0.1 localhost
-{{ ansible_host }} {{ fqdn }}
+127.0.1.1 {{ fqdn }}

 # The following lines are desirable for IPv6 capable hosts
 ::1 ip6-localhost ip6-loopback
@ -10,19 +10,7 @@ ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts

-{% if hostname in groups['virtualservers'] %}
-# Static hostnames for other VMs
+# Static hostnames for VMs
 {% for host in groups['virtualservers'] %}
 {{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }}
 {% endfor %}
-{% elif hostname in groups['control_infra'] %}
-# Static hostnames for VM hosts
-{% for host in groups['proxmox_infra'] %}
-{{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }}
-{% endfor %}
-
-# Static hostnames for VMs
-{% for host in groups['virtualservers'] %}
-{{ hostvars[host].ansible_host }} {{ hostvars[host].fqdn }}
-{% endfor %}
-{% endif %}