new role and FWCNs

2025-11-27 10:02:06 +01:00
parent 24d0ce3385
commit d96bb79a5a
10 changed files with 169 additions and 16 deletions


@@ -0,0 +1 @@
caddy: true

4
hosts

@@ -52,6 +52,7 @@ mastodon
nameserver nameserver
printspooler printspooler
proxyserver proxyserver
reverseproxy
webservers webservers
[auth] [auth]
@@ -150,6 +151,9 @@ podman02.universe.local
[proxyserver] [proxyserver]
tinyproxy.universe.local tinyproxy.universe.local
[reverseproxy]
caddy.universe.local
[video_editing] [video_editing]
endor.universe.local endor.universe.local
endorvm.universe.local endorvm.universe.local


@@ -1,7 +1,7 @@
--- ---
- hosts: all - hosts: all
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
connection: local connection: local
vars_files: vars_files:
- "{{ lookup('first_found', ['os_vars/' + (ansible_distribution | lower) + '.yml'], errors='ignore') }}" - "{{ lookup('first_found', ['os_vars/' + (ansible_distribution | lower) + '.yml'], errors='ignore') }}"
@@ -62,7 +62,7 @@
# run roles # run roles
- hosts: all - hosts: all
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
tags: base tags: base
become: true become: true
roles: roles:
@@ -82,18 +82,18 @@
roles: roles:
- server - server
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
- hosts: bastionhost - hosts: bastionhost
tags: server,bastionhost tags: server,bastionhost
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true become: true
roles: roles:
- bastionhost - bastionhost
post_tasks: post_tasks:
- name: Update AIDE database if changes were made - name: Update AIDE database if changes were made
include_role: ansible.builtin.include_role:
name: bastionhost name: bastionhost
tasks_from: system_setup/aide_update.yml tasks_from: system_setup/aide_update.yml
when: (aide_db_needs_update is defined and aide_db_needs_update) and (aide_db is defined and aide_db.stat.exists) when: (aide_db_needs_update is defined and aide_db_needs_update) and (aide_db is defined and aide_db.stat.exists)
@@ -101,7 +101,7 @@
- hosts: nameserver - hosts: nameserver
tags: server,nameserver tags: server,nameserver
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true become: true
roles: roles:
- nameserver - nameserver
@@ -110,7 +110,7 @@
tags: server,webservers tags: server,webservers
become: true become: true
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles: roles:
- webservers - webservers
@@ -118,7 +118,7 @@
tags: server,mailserver tags: server,mailserver
become: true become: true
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles: roles:
- mailserver - mailserver
@@ -126,7 +126,7 @@
tags: server,database tags: server,database
become: true become: true
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles: roles:
- database - database
@@ -139,7 +139,7 @@
- hosts: docker - hosts: docker
tags: server,docker tags: server,docker
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true become: true
roles: roles:
- docker - docker
@@ -148,7 +148,7 @@
tags: server,podman tags: server,podman
become: true become: true
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles: roles:
- podman - podman
@@ -156,7 +156,7 @@
tags: server,docker,drone tags: server,docker,drone
become: true become: true
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles: roles:
- drone - drone
@@ -169,7 +169,7 @@
- hosts: mastodon - hosts: mastodon
tags: server,mastodon tags: server,mastodon
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true become: true
roles: roles:
- mastodon - mastodon
@@ -183,7 +183,7 @@
- hosts: jitsimeet - hosts: jitsimeet
tags: server,jitsimeet,webservers tags: server,jitsimeet,webservers
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
become: true become: true
roles: roles:
- jitsimeet - jitsimeet
@@ -192,7 +192,7 @@
tags: server,omada_controller tags: server,omada_controller
become: true become: true
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles: roles:
- omada-controller - omada-controller
@@ -200,10 +200,18 @@
tags: server,backup tags: server,backup
become: true become: true
handlers: handlers:
- import_tasks: global_handlers/global_handlers.yml - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles: roles:
- backup - backup
- hosts: reverseproxy
tags: server,reverseproxy
become: true
handlers:
- ansible.builtin.import_tasks: global_handlers/global_handlers.yml
roles:
- reverseproxy
# - hosts: proxyserver # - hosts: proxyserver
# tags: server,proxyserver # tags: server,proxyserver
# become: true # become: true


@@ -0,0 +1,17 @@
# Load distro-specific variables
- include_vars: "{{ ansible_distribution | lower }}.yml"
tags: always
ignore_errors: True
- block:
- debug:
msg: Debug
# Perform remaining tasks:
- ansible.builtin.import_tasks: caddy_install.yml
- ansible.builtin.import_tasks: caddy_config.yml
- ansible.builtin.import_tasks: caddy_service.yml
rescue:
- set_fact: task_failed=true
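Review bot: The `rescue:` closing this block only runs `- set_fact: task_failed=true`, so a failure in caddy_install.yml, caddy_config.yml or caddy_service.yml is swallowed and the play ends green with Caddy in an unknown state; nothing in this hunk reads `task_failed` afterwards and I cannot see a consumer elsewhere in the commit. Either drop the block/rescue so the failing task fails the host, or re-raise in the rescue after any cleanup with `- ansible.builtin.fail: msg: "Caddy deployment failed in {{ ansible_failed_task.name }}"`. The `- debug: msg: Debug` step looks like a leftover placeholder and can go. The commit title says it moves to fully qualified collection names, but this file still uses bare `include_vars`, `debug` and `set_fact`, as do the config, install, service and role-entry task files in this commit (`file`, `template`, `apt`, `get_url`, `unarchive`, `command`, `copy`, `systemd`, `include_tasks`); `ansible.builtin.` prefixes there would make them consistent with the playbook changes.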


@@ -0,0 +1,18 @@
---
- name: Create Caddy config dir
file:
path: /etc/caddy
state: directory
mode: 0755
- name: Deploy Caddyfile
template:
src: Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: 0644
- name: Deploy PowerDNS env file
template:
src: powerdns.env.j2
dest: /etc/caddy/powerdns.env
mode: 0600
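Review bot: The three `mode:` values (`0755`, `0644`, `0600`) are unquoted leading-zero literals, which YAML 1.1 reads as decimal integers; Ansible usually recovers the intent, but its documentation asks for quoted strings because the bare form breaks in loops and some other contexts, so write `mode: "0600"` and likewise for the other two. `Deploy Caddyfile` and `Deploy PowerDNS env file` carry no `notify`, so a changed Caddyfile or rotated API credential is written to disk but the running service never reloads until something else restarts it — add a handler that runs `ansible.builtin.systemd` with `name: caddy` and `state: reloaded` (global_handlers is not visible here, so I cannot tell whether one already exists). Since powerdns.env carries the PowerDNS API key, `no_log: true` on that template task keeps the rendered contents out of `--diff`/verbose output and the controller's logs.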


@@ -0,0 +1,37 @@
---
- name: Install dependencies
apt:
name:
- curl
- unzip
- git
- build-essential
state: present
update_cache: yes
- name: Download xcaddy
get_url:
url: https://github.com/caddyserver/xcaddy/releases/download/v0.9.5/xcaddy_0.9.5_linux_amd64.tar.gz
dest: /tmp/xcaddy.tar.gz
- name: Extract xcaddy
unarchive:
src: /tmp/xcaddy.tar.gz
dest: /usr/local/bin/
mode: 0755
remote_src: yes
- name: Build Caddy with PowerDNS DNS plugin
command: >
xcaddy build
--with github.com/caddy-dns/powerdns
args:
chdir: /usr/local/bin
creates: /usr/local/bin/caddy-custom
- name: Move custom caddy binary
copy:
src: /usr/local/bin/caddy
dest: /usr/local/bin/caddy
mode: 0755
remote_src: yes
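Review bot: The xcaddy tarball in `Download xcaddy` is fetched over the network and extracted into /usr/local/bin as root without a `checksum:`, so a tampered or substituted release would be installed silently; pin it with `checksum: "sha256:<value from the upstream release checksum file>"`. `Build Caddy with PowerDNS DNS plugin` uses `creates: /usr/local/bin/caddy-custom`, a path nothing in this file produces, so the build re-runs on every play, and the following `Move custom caddy binary` copies `/usr/local/bin/caddy` onto itself. The build also pulls whatever Caddy and plugin revision happens to be current, which makes the deployed binary unreproducible; xcaddy accepts a Caddy version as its first argument and `@<version>` on `--with`. xcaddy needs a Go toolchain, which the apt list (curl, unzip, git, build-essential) does not appear to provide — confirm how `go` gets onto the host. The rewritten download and build tasks below verify and pin the inputs and make the build idempotent; the self-copy task is dropped.

```yaml
- name: Download xcaddy
  ansible.builtin.get_url:
    url: https://github.com/caddyserver/xcaddy/releases/download/v0.9.5/xcaddy_0.9.5_linux_amd64.tar.gz
    dest: /tmp/xcaddy.tar.gz
    mode: "0644"
    # placeholder: copy the sha256 from the xcaddy v0.9.5 release's published checksum file
    checksum: "sha256:<XCADDY_0_9_5_SHA256>"
# … unchanged: Extract xcaddy …
- name: Build Caddy with PowerDNS DNS plugin
  ansible.builtin.command: >
    xcaddy build <CADDY_VERSION_TAG>
    --with github.com/caddy-dns/powerdns@<PLUGIN_VERSION>
    --output /usr/local/bin/caddy
  args:
    creates: /usr/local/bin/caddy
# … dropped: Move custom caddy binary (src and dest were the same path) …
```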


@@ -0,0 +1,31 @@
---
- name: Install systemd service
copy:
dest: /etc/systemd/system/caddy.service
mode: 0644
content: |
[Unit]
Description=Caddy
After=network-online.target
Wants=network-online.target
[Service]
EnvironmentFile=/etc/caddy/powerdns.env
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
Restart=on-failure
User=root
Group=root
[Install]
WantedBy=multi-user.target
- name: Reload systemd
systemd:
daemon_reload: yes
- name: Enable and start Caddy
systemd:
name: caddy
state: started
enabled: yes
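Review bot: The unit runs Caddy as `User=root`/`Group=root`, yet the only privilege it needs is binding ports 80/443, so a flaw in the internet-facing proxy yields root and, through the environment, the PowerDNS API key that can rewrite DNS for every zone that key covers. Run it as a dedicated system account with `AmbientCapabilities=CAP_NET_BIND_SERVICE` plus the usual sandboxing; systemd reads `EnvironmentFile=` before switching user, so the root-owned 0600 powerdns.env from caddy_config.yml keeps working, but the account needs a writable home for Caddy's certificate storage (an `ansible.builtin.user` task creating it, with a home such as /var/lib/caddy, would have to precede this task — confirm against your layout). A later change to the unit is only picked up because `Reload systemd` runs unconditionally every play; a `notify` on the copy task would express the same thing idempotently. `daemon_reload: yes` and `enabled: yes` are YAML 1.1 truthy spellings; `true` is the canonical form. The rewritten [Service] section follows.

```yaml
- name: Install systemd service
  ansible.builtin.copy:
    dest: /etc/systemd/system/caddy.service
    mode: "0644"
    content: |
      # … unchanged: [Unit] section …
      [Service]
      EnvironmentFile=/etc/caddy/powerdns.env
      ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
      ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
      Restart=on-failure
      User=caddy
      Group=caddy
      AmbientCapabilities=CAP_NET_BIND_SERVICE
      NoNewPrivileges=true
      ProtectSystem=full
      PrivateTmp=true
      # … unchanged: [Install] section …
```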


@@ -0,0 +1,11 @@
# Load distro specific variables
- include_vars: "{{ ansible_distribution | lower }}.yml"
tags: always
ignore_errors: True
- include_vars: "{{ ansible_fqdn | lower }}.yml"
ignore_errors: True
- include_tasks: caddy.yml
when:
- caddy is defined
- caddy == true
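Review bot: `when: caddy == true` is a strict equality, so a host that receives `caddy` as the string `"true"` (for example from `-e caddy=true` on the command line) skips the include even though the operator meant to enable it, and the separate `caddy is defined` guard becomes redundant once a default is supplied. `when: caddy | default(false) | bool` covers both conditions in one line and tolerates the string forms. The `ignore_errors: True` on the two `include_vars` tasks is presumably the intended best-effort load of optional per-distro and per-host files; `true` is the canonical spelling.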


@@ -0,0 +1,23 @@
{
email admin@example.net
acme_dns powerdns {
api_url {env.PDNS_API_URL}
api_key {env.PDNS_API_KEY}
server_id {env.PDNS_SERVER_ID}
}
}
nextcloud.example.net {
reverse_proxy 10.10.20.10:443
tls {
dns powerdns
}
}
gitea.example.org {
reverse_proxy 10.10.30.20:3000
tls {
dns powerdns
}
}
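Review bot: `reverse_proxy 10.10.20.10:443` makes Caddy send plaintext HTTP to the upstream, because an upstream address without a scheme defaults to http; if the backend really speaks TLS on that port, as 443 suggests, the nextcloud site will fail or push cleartext at a TLS listener. Use `reverse_proxy https://10.10.20.10` and, since the upstream is addressed by IP, set `tls_server_name` inside a `transport http` block to the name on the backend certificate rather than reaching for `tls_insecure_skip_verify`, which would drop authentication of the backend altogether. The file is a .j2 template but contains no Jinja expressions: the ACME e-mail, site names and backend addresses are literals, so the same sites are pushed to every host in `reverseproxy` and cannot be overridden from host_vars; rendering them from a variable, in the same way the env-file template next to it does, would keep this role reusable. The `admin@example.net`, `nextcloud.example.net` and `gitea.example.org` values look like placeholders and presumably need real values before deployment.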


@@ -0,0 +1,3 @@
PDNS_API_KEY="{{ pdns_api_key }}"
PDNS_API_URL="{{ pdns_api_url }}"
PDNS_SERVER_ID="{{ pdns_server_id }}"
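Review bot: This template writes a secret (`pdns_api_key`) into /etc/caddy/powerdns.env but carries no comment saying where the value must come from, and a reader of the template cannot tell that the config tasks render it with mode 0600; add a header line such as `# Rendered by Ansible; pdns_api_key/pdns_api_url/pdns_server_id must come from an encrypted vars source (ansible-vault), never a plaintext vars file.` — systemd's `EnvironmentFile=` accepts `#` comment lines, so it is harmless in the deployed file. The double-quoted form also means a key containing `"` or a backslash would be altered by systemd's quote parsing; if PowerDNS keys can contain those characters, note the restriction in the same comment.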