new role and FWCNs

host_vars/caddy.universe.local.yml

@@ -0,0 +1 @@
+caddy: true

hosts

@@ -52,6 +52,7 @@ mastodon
 nameserver
 printspooler 
 proxyserver
+reverseproxy
 webservers
 
 [auth]
@@ -150,6 +151,9 @@ podman02.universe.local
 [proxyserver]
 tinyproxy.universe.local
 
+[reverseproxy]
+caddy.universe.local
+
 [video_editing]
 endor.universe.local
 endorvm.universe.local

local.yml

@@ -1,7 +1,7 @@
 ---
 - hosts: all
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   connection: local
   vars_files:
     - "{{ lookup('first_found', ['os_vars/' + (ansible_distribution | lower) + '.yml'], errors='ignore') }}"
@@ -62,7 +62,7 @@
 # run roles
 - hosts: all
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   tags: base
   become: true
   roles:
@@ -82,18 +82,18 @@
   roles:
     - server
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
 
 - hosts: bastionhost
   tags: server,bastionhost
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - bastionhost
   post_tasks:
     - name: Update AIDE database if changes were made
-      include_role:
+      ansible.builtin.include_role:
         name: bastionhost
         tasks_from: system_setup/aide_update.yml
       when: (aide_db_needs_update is defined and aide_db_needs_update) and (aide_db is defined and aide_db.stat.exists)
@@ -101,7 +101,7 @@
 - hosts: nameserver
   tags: server,nameserver
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - nameserver
@@ -110,7 +110,7 @@
   tags: server,webservers
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - webservers
 
@@ -118,7 +118,7 @@
   tags: server,mailserver
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - mailserver
 
@@ -126,7 +126,7 @@
   tags: server,database
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - database
 
@@ -139,7 +139,7 @@
 - hosts: docker
   tags: server,docker
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - docker
@@ -148,7 +148,7 @@
   tags: server,podman
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - podman
 
@@ -156,7 +156,7 @@
   tags: server,docker,drone
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - drone
 
@@ -169,7 +169,7 @@
 - hosts: mastodon
   tags: server,mastodon
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - mastodon
@@ -183,7 +183,7 @@
 - hosts: jitsimeet
   tags: server,jitsimeet,webservers
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   become: true
   roles:
     - jitsimeet
@@ -192,7 +192,7 @@
   tags: server,omada_controller
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - omada-controller
 
@@ -200,10 +200,18 @@
   tags: server,backup
   become: true
   handlers:
-    - import_tasks: global_handlers/global_handlers.yml
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
   roles:
     - backup
 
+- hosts: reverseproxy
+  tags: server,reverseproxy
+  become: true
+  handlers:
+    - ansible.builtin.import_tasks: global_handlers/global_handlers.yml
+  roles:
+    - reverseproxy
+
 # - hosts: proxyserver
 #   tags: server,proxyserver
 #   become: true

roles/reverseproxy/tasks/caddy.yml

@@ -0,0 +1,17 @@
+# Load distro-specific variables
+- include_vars: "{{ ansible_distribution | lower }}.yml"
+  tags: always
+  ignore_errors: True
+
+- block:
+  - debug:
+      msg: Debug
+
+  # Perform remaining tasks:
+  - ansible.builtin.import_tasks: caddy_install.yml
+  - ansible.builtin.import_tasks: caddy_config.yml
+  - ansible.builtin.import_tasks: caddy_service.yml
+
+  rescue:
+    - set_fact: task_failed=true
+    

roles/reverseproxy/tasks/caddy_config.yml

@@ -0,0 +1,18 @@
+---
+- name: Create Caddy config dir
+  file:
+    path: /etc/caddy
+    state: directory
+    mode: 0755
+
+- name: Deploy Caddyfile
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile
+    mode: 0644
+
+- name: Deploy PowerDNS env file
+  template:
+    src: powerdns.env.j2
+    dest: /etc/caddy/powerdns.env
+    mode: 0600

roles/reverseproxy/tasks/caddy_install.yml

@@ -0,0 +1,37 @@
+---
+- name: Install dependencies
+  apt:
+    name:
+      - curl
+      - unzip
+      - git
+      - build-essential
+    state: present
+    update_cache: yes
+
+- name: Download xcaddy
+  get_url:
+    url: https://github.com/caddyserver/xcaddy/releases/download/v0.9.5/xcaddy_0.9.5_linux_amd64.tar.gz
+    dest: /tmp/xcaddy.tar.gz
+
+- name: Extract xcaddy
+  unarchive:
+    src: /tmp/xcaddy.tar.gz
+    dest: /usr/local/bin/
+    mode: 0755
+    remote_src: yes
+
+- name: Build Caddy with PowerDNS DNS plugin
+  command: >
+    xcaddy build
+    --with github.com/caddy-dns/powerdns
+  args:
+    chdir: /usr/local/bin
+    creates: /usr/local/bin/caddy-custom
+
+- name: Move custom caddy binary
+  copy:
+    src: /usr/local/bin/caddy
+    dest: /usr/local/bin/caddy
+    mode: 0755
+    remote_src: yes

roles/reverseproxy/tasks/caddy_service.yml

@@ -0,0 +1,31 @@
+---
+- name: Install systemd service
+  copy:
+    dest: /etc/systemd/system/caddy.service
+    mode: 0644
+    content: |
+      [Unit]
+      Description=Caddy
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      EnvironmentFile=/etc/caddy/powerdns.env
+      ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+      ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+      Restart=on-failure
+      User=root
+      Group=root
+
+      [Install]
+      WantedBy=multi-user.target
+
+- name: Reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: Enable and start Caddy
+  systemd:
+    name: caddy
+    state: started
+    enabled: yes

roles/reverseproxy/tasks/main.yml

@@ -0,0 +1,11 @@
+# Load distro specific variables
+- include_vars: "{{ ansible_distribution | lower }}.yml"
+  tags: always
+  ignore_errors: True
+- include_vars: "{{ ansible_fqdn | lower }}.yml"
+  ignore_errors: True
+
+- include_tasks: caddy.yml
+  when:
+    - caddy is defined
+    - caddy == true

roles/reverseproxy/templates/Caddyfile.j2

@@ -0,0 +1,23 @@
+{
+    email admin@example.net
+
+    acme_dns powerdns {
+        api_url {env.PDNS_API_URL}
+        api_key {env.PDNS_API_KEY}
+        server_id {env.PDNS_SERVER_ID}
+    }
+}
+
+nextcloud.example.net {
+    reverse_proxy 10.10.20.10:443
+    tls {
+        dns powerdns
+    }
+}
+
+gitea.example.org {
+    reverse_proxy 10.10.30.20:3000
+    tls {
+        dns powerdns
+    }
+}

roles/reverseproxy/templates/powerdns.env.j2

@@ -0,0 +1,3 @@
+PDNS_API_KEY="{{ pdns_api_key }}"
+PDNS_API_URL="{{ pdns_api_url }}"
+PDNS_SERVER_ID="{{ pdns_server_id }}"