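---
# Deploys the "lrproxy" nginx reverse proxy as a rootless systemd user service
# and, when a remote rproxy host is configured, wires up a restricted
# rsync-over-SSH path to pull that host's Let's Encrypt material.
#
# All tasks inside the main block run as the service user (see the trailing
# `become_user`), so every path is relative to that user's home.
#
# Changes from the previous revision of this file:
#   - file modes are quoted strings: an unquoted `0755` is parsed by YAML 1.1
#     loaders (PyYAML, which Ansible uses) as an octal integer; Ansible copes,
#     but ansible-lint's risky-octal rule flags it and a missing leading zero
#     would silently become the wrong mode.
#   - the dhparam `--out` path no longer carries a stray leading `/`, so it
#     matches the `creates:` guard below it and every other home-relative path.

- name: "set the user variables"
  ansible.builtin.import_role:
    name: "services/include"
    vars_from: "user"

- name: "set the version variables"
  ansible.builtin.import_role:
    name: "services/deploy/include"
    vars_from: "versions"

- name: "set the rproxy variables"
  ansible.builtin.include_vars:
    file: "nginx.yml"

- block:
    - name: "create nginx conf.d"
      ansible.builtin.file:
        path: "\
          {{ services_service_user_home }}/.config/{{ services_service_user_name }}/nginx-conf.d"
        state: "directory"
        mode: "0755"

    # Registered so a config change can trigger the restart at the end.
    - name: "configure reverse proxy nginx"
      ansible.builtin.copy:
        src: "./config/{{ item }}"
        dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
        mode: "0644"
      loop: "{{ services_rproxy_nginx_conf_d_files }}"
      register: services_deploy_lrproxy_config_files

    # Unit files are rendered into the user's systemd tree, readable by the
    # service user only.
    - name: "configure systemd service"
      ansible.builtin.template:
        src: "./systemd/{{ item }}"
        dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
        mode: "0600"
      loop:
        - "pod-lrproxy.service"
        - "container-lrproxy-nginx.service"
      register: services_deploy_lrproxy_systemd_files

    - name: "systemd user daemon reload"
      ansible.builtin.systemd:
        daemon_reload: true
        scope: "user"
      when:
        services_deploy_lrproxy_systemd_files.changed

    # 4096-bit DH parameter generation is slow; `creates:` keeps it a one-off
    # and the task only reports "changed" on first generation.
    - name: "generate diffie hellman ephemeral parameters"
      ansible.builtin.command: >-
        openssl dhparam
        --out {{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem
        4096
      args:
        creates: "\
          {{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
      register: services_deploy_lrproxy_dhparam

    # Certificate sync from the remote rproxy host. Only set up when
    # `services_host_services.lrproxy.rproxy_host` is defined (see the
    # `when:` at the end of this block).
    - block:
        - name: "configure rsync-certificates service"
          ansible.builtin.template:
            src: "./systemd/{{ item }}"
            dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
            mode: "0600"
          loop:
            - "rsync-certificates.service"
            - "rsync-certificates.timer"
          register: services_deploy_lrproxy_rsync_certificates_files

        - name: "systemd user daemon reload"
          ansible.builtin.systemd:
            daemon_reload: true
            scope: "user"
          when:
            services_deploy_lrproxy_rsync_certificates_files.changed

        - name: "enable rsync-certificates timer"
          ansible.builtin.systemd:
            name: "rsync-certificates.timer"
            enabled: true
            scope: "user"
          register: services_deploy_lrproxy_rsync_certificates_timer

        - name: "create the .ssh directory"
          ansible.builtin.file:
            path: "{{ services_service_user_home }}/.ssh"
            state: "directory"
            mode: "0700"

        # One ed25519 key per (rproxy host, rproxy user) pair, dedicated to
        # the certificate sync; the module leaves the private key 0600.
        - name: "generate ssh keypair for rsync"
          community.crypto.openssh_keypair:
            path: "\
              {{ services_service_user_home }}/.ssh/\
              {{ services_host_services.lrproxy.rproxy_host }}-\
              {{ services_host_services.lrproxy.rproxy_user }}"
            type: "ed25519"
          register: services_deploy_lrproxy_keypair

        # Installs the public key on the rproxy host with a forced command, so
        # this key can do exactly one thing: serve (`--server --sender`) the
        # etc-letsencrypt directory of that rproxy user to the caller. `from=`
        # additionally pins logins with this key to the WireGuard address, and
        # the `no-*` options disable forwarding, pty and rc-file execution.
        # `ignore_unreachable` lets the rest of the deploy proceed when the
        # rproxy host is down, at the cost of the key not being installed.
        - name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
          ignore_unreachable: "{{ services_deploy_lrproxy_ignore_unreachable_rproxy }}"
          delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
          become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
          ansible.posix.authorized_key:
            user: "{{ services_host_services.lrproxy.rproxy_user }}"
            state: "present"
            key: "{{ services_deploy_lrproxy_keypair.public_key }}"
            key_options: "\
              command=\"rsync --server --sender -avz . \
              {{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
              {{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
              \",from=\"{{ vpn_wireguard_address }}\",\
              no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
      when:
        services_host_services.lrproxy.rproxy_host is defined

    # getent_passwd[<user>] is the passwd entry minus the name; index 1 is the
    # uid, needed below to locate the user's runtime directory.
    - name: "get uid"
      ansible.builtin.getent:
        database: "passwd"
        key: "{{ services_service_user_name }}"

    # NOTE(review): this queries `<service_user_name>.service`, while the
    # restart below targets `pod-<service_name>.service` and the unit files
    # rendered above are `pod-lrproxy.service`. If these are not the same unit
    # the "active" check never gates the restart as intended — confirm against
    # the unit names in ./systemd/.
    - name: "get service status"
      ansible.builtin.command: >-
        systemctl --user show --property ActiveState --value
        {{ services_service_user_name }}.service
      environment:
        XDG_RUNTIME_DIR: "/run/user/{{ getent_passwd[services_service_user_name].1 }}"
      changed_when: false
      register: services_deploy_lrproxy_service_active_state

    # Restart only when something it depends on changed AND the service is
    # already running; first start is presumably handled elsewhere.
    - name: "restart the service"
      ansible.builtin.systemd:
        name: "pod-{{ services_service_name }}.service"
        state: "restarted"
        scope: "user"
      when: >-
        (services_deploy_lrproxy_config_files.changed or
        services_deploy_lrproxy_systemd_files.changed or
        services_deploy_lrproxy_rsync_certificates_files.changed or
        services_deploy_lrproxy_rsync_certificates_timer.changed or
        services_deploy_lrproxy_dhparam.changed or
        services_deploy_lrproxy_keypair.changed) and
        services_deploy_lrproxy_service_active_state.stdout == "active"

  become_user: "{{ services_service_user_name }}"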