Port lrproxy services
parent
9b0d35279f
commit
21b93f71ce
@ -1,11 +0,0 @@
|
|||||||
- name: Reset reverse proxy hosts variable
|
|
||||||
set_fact:
|
|
||||||
service_rproxy_hosts:
|
|
||||||
|
|
||||||
- name: Collect reverse proxy hosts
|
|
||||||
set_fact:
|
|
||||||
service_rproxy_hosts: "{{ service_rproxy_hosts }} --add-host=pod-{{ item.key }}:{{ item.value.address }}"
|
|
||||||
with_items: "{{ services | dict2items }}"
|
|
||||||
|
|
||||||
- debug:
|
|
||||||
msg: "{{ service_rproxy_hosts }}"
|
|
@ -1,5 +1,3 @@
|
|||||||
- block:
|
- block:
|
||||||
- import_tasks: ../vars.yml
|
|
||||||
- import_tasks: ../vars-user.yml
|
|
||||||
- import_tasks: service-deploy/service.yml
|
- import_tasks: service-deploy/service.yml
|
||||||
tags: "{{ service_name }}"
|
tags: "{{ service_name }}"
|
||||||
|
@ -1,11 +1,5 @@
|
|||||||
- block:
|
- block:
|
||||||
|
|
||||||
- name: Create service configuration directory for {{ service_user_name }}
|
|
||||||
file:
|
|
||||||
path: "{{ service_home }}/.config/{{ service_user_name }}"
|
|
||||||
state: directory
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: Check if service configuration exists
|
- name: Check if service configuration exists
|
||||||
become: no
|
become: no
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
@ -1,19 +0,0 @@
|
|||||||
- name: Set service variables
|
|
||||||
set_fact:
|
|
||||||
service_user_name: "pod-{{ service_name }}"
|
|
||||||
|
|
||||||
- name: Set service variables
|
|
||||||
set_fact:
|
|
||||||
service_home: "/var/lib/{{ ansible_hostname }}/home/{{ service_user_name }}"
|
|
||||||
|
|
||||||
- name: Set service variables
|
|
||||||
set_fact:
|
|
||||||
local_service_home: "./filesystem/{{ ansible_hostname }}/{{ service_home }}"
|
|
||||||
|
|
||||||
- name: Print service variables
|
|
||||||
debug:
|
|
||||||
msg:
|
|
||||||
- "service_name: {{ service_name }}"
|
|
||||||
- "service_user_name: {{ service_user_name }}"
|
|
||||||
- "service_home: {{ service_home }}"
|
|
||||||
- "local_service_home: {{ local_service_home }}"
|
|
1
plays/services/roles/deploy/lrproxy/files/setup
Symbolic link
1
plays/services/roles/deploy/lrproxy/files/setup
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
../../rproxy/files/setup
|
107
plays/services/roles/deploy/lrproxy/tasks/main.yml
Normal file
107
plays/services/roles/deploy/lrproxy/tasks/main.yml
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
- name: "set the user variables"
|
||||||
|
ansible.builtin.import_role:
|
||||||
|
name: "include"
|
||||||
|
vars_from: "user"
|
||||||
|
|
||||||
|
- name: "set the rproxy variables"
|
||||||
|
ansible.builtin.import_role:
|
||||||
|
name: "deploy/rproxy"
|
||||||
|
tasks_from: ""
|
||||||
|
vars_from: "nginx"
|
||||||
|
|
||||||
|
- block:
|
||||||
|
|
||||||
|
- name: "create nginx conf.d"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/nginx-conf.d"
|
||||||
|
state: "directory"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: "configure reverse proxy nginx"
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: "setup/{{ item }}"
|
||||||
|
dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
|
||||||
|
mode: 0644
|
||||||
|
loop: "{{ services_rproxy_nginx_conf_d_files }}"
|
||||||
|
register: services_deploy_lrproxy_config_files
|
||||||
|
|
||||||
|
- name: "configure systemd service"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./systemd/{{ item }}.j2"
|
||||||
|
dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
|
||||||
|
mode: 0644
|
||||||
|
loop:
|
||||||
|
- "pod-lrproxy.service"
|
||||||
|
- "container-lrproxy-nginx.service"
|
||||||
|
- "rsync-certificates.service"
|
||||||
|
- "rsync-certificates.timer"
|
||||||
|
register: services_deploy_lrproxy_systemd_files
|
||||||
|
|
||||||
|
- name: "systemd user daemon reload"
|
||||||
|
systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
scope: "user"
|
||||||
|
when:
|
||||||
|
services_deploy_lrproxy_systemd_files.changed
|
||||||
|
|
||||||
|
- name: "enable rsync-certificates timer"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "rsync-certificates.timer"
|
||||||
|
enabled: true
|
||||||
|
scope: "user"
|
||||||
|
register: services_deploy_lrproxy_rsync_certificates_timer
|
||||||
|
|
||||||
|
- name: "generate diffie hellman ephemeral parameters"
|
||||||
|
ansible.builtin.command: "openssl dhparam --out /{{ services_service_user_home }}/.config/{{ services_service_user_name}}/dhparam.pem 4096"
|
||||||
|
args:
|
||||||
|
creates: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
|
||||||
|
register: services_deploy_lrproxy_dhparam
|
||||||
|
|
||||||
|
- name: "create the .ssh directory"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ services_service_user_home }}/.ssh"
|
||||||
|
state: "directory"
|
||||||
|
mode: 0700
|
||||||
|
|
||||||
|
- name: "generate ssh keypair for rsync"
|
||||||
|
community.crypto.openssh_keypair:
|
||||||
|
path: "{{ services_service_user_home }}/.ssh/valkyrie-pod-rproxy"
|
||||||
|
type: "ed25519"
|
||||||
|
register: services_deploy_lrproxy_keypair
|
||||||
|
|
||||||
|
- name: "configure public key on valkyrie"
|
||||||
|
delegate_to: valkyrie
|
||||||
|
become_user: pod-rproxy
|
||||||
|
ansible.posix.authorized_key:
|
||||||
|
user: "pod-rproxy"
|
||||||
|
state: "present"
|
||||||
|
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
|
||||||
|
key_options: "command=\"rsync --server --sender -avz . /var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/\",from=\"{{ vpn_wireguard_address }}\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
|
||||||
|
|
||||||
|
- name: "enable the service"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "pod-{{ services_service_name }}.service"
|
||||||
|
enabled: true
|
||||||
|
scope: "user"
|
||||||
|
|
||||||
|
- name: "start the service"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "pod-{{ services_service_name }}.service"
|
||||||
|
state: "started"
|
||||||
|
scope: "user"
|
||||||
|
register: services_deploy_lrproxy_service_start
|
||||||
|
|
||||||
|
- name: "restart the service"
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: "pod-{{ services_service_name }}.service"
|
||||||
|
state: restarted
|
||||||
|
scope: user
|
||||||
|
when:
|
||||||
|
(services_deploy_lrproxy_config_files.changed or
|
||||||
|
services_deploy_lrproxy_systemd_files.changed or
|
||||||
|
services_deploy_lrproxy_rsync_certificates_timer.changed or
|
||||||
|
services_deploy_lrproxy_dhparam.changed or
|
||||||
|
services_deploy_lrproxy_keypair.changed) and
|
||||||
|
not services_deploy_lrproxy_service_start.changed
|
||||||
|
|
||||||
|
become_user: "{{ services_service_user_name }}"
|
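Review bot: Nothing in this new role pins valkyrie's SSH host key for the service user: the block creates `~/.ssh`, generates `valkyrie-pod-rproxy` and installs its public key on valkyrie, but no `known_hosts` entry is written, so the non-interactive `rsync-certificates.service` that pulls the Let's Encrypt directory (private keys included) will either fail host-key verification outright or, if `StrictHostKeyChecking` is relaxed in an ssh config not shown here, trust whatever answers on the VPN address on first use. Unless the host key is provisioned elsewhere, I would add an `ansible.builtin.known_hosts` task after the keypair task, keyed on `hostvars['valkyrie'].vpn_wireguard_address` (the address the timer unit connects to) and sourced from valkyrie's gathered `ansible_ssh_host_key_ed25519_public` fact rather than a live `ssh-keyscan`, as sketched below. Separately, the dhparam command line writes to `/{{ services_service_user_home }}/...`, whose leading slash renders a `//var/lib/...` path; it still resolves, but it no longer matches the `creates:` path textually, so drop the stray `/`.
```yaml
  # … unchanged: generate ssh keypair for rsync …

  - name: "pin valkyrie host key for rsync-certificates"
    ansible.builtin.known_hosts:
      path: "{{ services_service_user_home }}/.ssh/known_hosts"
      name: "{{ hostvars['valkyrie'].vpn_wireguard_address }}"
      # assumes facts were gathered on valkyrie in this play — TODO confirm
      key: "{{ hostvars['valkyrie'].vpn_wireguard_address }} ssh-ed25519 {{ hostvars['valkyrie'].ansible_ssh_host_key_ed25519_public }}"
      state: "present"

  # … unchanged: configure public key on valkyrie …
```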
@ -20,7 +20,7 @@ ExecStart=/usr/bin/podman run \
|
|||||||
--replace \
|
--replace \
|
||||||
--label "io.containers.autoupdate=image" \
|
--label "io.containers.autoupdate=image" \
|
||||||
-dt \
|
-dt \
|
||||||
{{ service_rproxy_hosts }} \
|
{{ services_rproxy_nginx_add_hosts }} \
|
||||||
-v /var/lib/yggdrasil/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
-v /var/lib/yggdrasil/valkyrie-resolv.conf:/etc/resolv.conf:ro \
|
||||||
-v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
|
-v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
|
||||||
-v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
|
-v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
|
@ -8,5 +8,5 @@ Type=oneshot
|
|||||||
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' \
|
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/valkyrie-pod-rproxy -l pod-rproxy' \
|
||||||
-avz \
|
-avz \
|
||||||
--delete \
|
--delete \
|
||||||
{{ vpn_wg0_remote_address }}:/var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/ \
|
{{ hostvars['valkyrie'].vpn_wireguard_address }}:/var/lib/valkyrie/data/pod-rproxy/etc-letsencrypt/ \
|
||||||
/var/lib/yggdrasil/data/pod-lrproxy/etc-letsencrypt
|
/var/lib/yggdrasil/data/pod-lrproxy/etc-letsencrypt
|
15
plays/services/roles/deploy/rproxy/vars/nginx.yml
Normal file
15
plays/services/roles/deploy/rproxy/vars/nginx.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
services_all_services: "{{
|
||||||
|
services_all_hosts | map('extract', hostvars, 'services_host_services') | map('dict2items') |
|
||||||
|
flatten | items2dict }}"
|
||||||
|
services_rproxy_nginx_add_hosts: "\
|
||||||
|
{% set add_host_list = [] %}\
|
||||||
|
{% for service in ( services_all_services | dict2items ) %}\
|
||||||
|
{{ add_host_list.append('--add-host=pod-' ~ service.key ~ ':' ~ service.value.address) }}\
|
||||||
|
{% endfor %}\
|
||||||
|
{{ add_host_list | join(' ') }}"
|
||||||
|
services_rproxy_nginx_conf_d_files:
|
||||||
|
- "nginx.conf"
|
||||||
|
- "nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
|
||||||
|
- "nginx-conf.d/git.wojciechkozlowski.eu.conf"
|
||||||
|
- "nginx-conf.d/notes.wojciechkozlowski.eu.conf"
|
||||||
|
- "nginx-conf.d/wojciechkozlowski.eu.conf"
|
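Review bot: The `services_rproxy_nginx_add_hosts` template relies on `{{ add_host_list.append(...) }}` rendering as nothing; `append` returns `None`, and the value only comes out clean because Ansible's templar finalizes `None` to an empty string, which a reader of the Jinja alone cannot see. I would make the discard explicit with `{% set _ = add_host_list.append('--add-host=pod-' ~ service.key ~ ':' ~ service.value.address) %}\`, which renders identically and no longer depends on that finalize behaviour. The addresses are also spliced into a shell-split podman argument list unquoted, so a `service.value.address` containing whitespace would split into extra arguments; that is inventory-controlled here, but a short comment stating the assumption (`# addresses must be single tokens; they are interpolated into the podman command line unquoted`) would be worth adding.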
@ -1,9 +0,0 @@
|
|||||||
services_all_services: "{{
|
|
||||||
services_all_hosts | map('extract', hostvars, 'services_host_services') | map('dict2items') |
|
|
||||||
flatten | items2dict }}"
|
|
||||||
services_rproxy_add_hosts: "\
|
|
||||||
{% set add_host_list = [] %}\
|
|
||||||
{% for service in ( services_all_services | dict2items ) %}\
|
|
||||||
{{ add_host_list.append('--add-host-' ~ service.key ~ ':' ~ service.value.address) }}\
|
|
||||||
{% endfor %}\
|
|
||||||
{{ add_host_list | join(' ') }}"
|
|
@ -27,6 +27,12 @@
|
|||||||
|
|
||||||
- block:
|
- block:
|
||||||
|
|
||||||
|
- name: "{{ services_service_name }} : directories : create service configuration directory"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}"
|
||||||
|
state: "directory"
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
- name: "{{ services_service_name }} : directories : create systemd directory"
|
- name: "{{ services_service_name }} : directories : create systemd directory"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ services_service_user_home }}/.config/systemd/user"
|
path: "{{ services_service_user_home }}/.config/systemd/user"
|
||||||
|
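Review bot: The new `create service configuration directory` task passes `mode: 0755` as a bare scalar; YAML 1.1 parses that as the integer 493 and Ansible's file module then has to re-derive the octal, which the Ansible docs say works in this form but can fail in loops and some other paths. Quote it as `mode: "0755"` so the module receives the string and does its own conversion, matching the quoting already used for `state: "directory"` on the same task.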