mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-29 15:06:26 +02:00
Refactor role naming for TLS and proxy stack
- Renamed role `srv-tls-core` → `sys-svc-certs` - Renamed role `srv-https-stack` → `sys-stk-front-pure` - Renamed role `sys-stk-front` → `sys-stk-front-proxy` - Updated all includes, READMEs, meta, and dependent roles accordingly This improves clarity and consistency of naming conventions for certificate management and proxy orchestration. See: https://chatgpt.com/share/68b19f2c-22b0-800f-ba9b-3f2c8fd427b0
This commit is contained in:
@@ -4,7 +4,7 @@ This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and
|
||||
|
||||
1. **`sys-srv-web-inj-compose`**
|
||||
Injects global HTML snippets (CSS, Matomo tracking, iFrame notifier, custom JavaScript) into responses using Nginx `sub_filter`.
|
||||
2. **`srv-tls-core`**
|
||||
2. **`sys-svc-certs`**
|
||||
Handles issuing, renewing, and managing TLS certificates via ACME/Certbot.
|
||||
|
||||
By combining encryption setup with content enhancements, this role streamlines domain provisioning for secure, fully-featured HTTP/HTTPS delivery.
|
||||
@@ -16,7 +16,7 @@ By combining encryption setup with content enhancements, this role streamlines d
|
||||
* **Content Injection**
|
||||
Adds global theming, analytics, and custom scripts before `</head>` and tracking noscript tags before `</body>`.
|
||||
* **Certificate Management**
|
||||
Automates cert issuance and renewal via `srv-tls-core`.
|
||||
Automates cert issuance and renewal via `sys-svc-certs`.
|
||||
* **Idempotent Workflow**
|
||||
Ensures each component runs only once per domain.
|
||||
* **Simplified Playbooks**
|
||||
|
||||
@@ -4,6 +4,6 @@
|
||||
include_role:
|
||||
name: sys-srv-web-inj-compose
|
||||
|
||||
- name: "include role srv-tls-core for '{{ domain }}'"
|
||||
- name: "include role sys-svc-certs for '{{ domain }}'"
|
||||
include_role:
|
||||
name: srv-tls-core
|
||||
name: sys-svc-certs
|
||||
|
||||
@@ -16,7 +16,7 @@ The goal of this role is to deliver a **hassle-free, production-ready reverse pr
|
||||
|
||||
## Features
|
||||
|
||||
- **Automatic TLS & HSTS** — integrates with the *srv-https-stack* role for certificate management.
|
||||
- **Automatic TLS & HSTS** — integrates with the *sys-stk-front-pure* role for certificate management.
|
||||
- **Flexible vHost templates** — *basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications.
|
||||
- **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings.
|
||||
- **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured.
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
include_role:
|
||||
name: '{{ item }}'
|
||||
loop:
|
||||
- srv-https-stack
|
||||
- sys-stk-front-pure
|
||||
- srv-core
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_srv_proxy_core is not defined
|
||||
|
||||
@@ -6,10 +6,10 @@ This role bootstraps **per-domain Nginx configuration**: it requests TLS certifi
|
||||
|
||||
## Overview
|
||||
|
||||
A higher-level orchestration wrapper, *sys-stk-front* ties together several lower-level roles:
|
||||
A higher-level orchestration wrapper, *sys-stk-front-proxy* ties together several lower-level roles:
|
||||
|
||||
1. **`sys-srv-web-inj-compose`** – applies global tweaks and includes.
|
||||
2. **`srv-tls-core`** – obtains Let’s Encrypt certificates.
|
||||
2. **`sys-svc-certs`** – obtains Let’s Encrypt certificates.
|
||||
3. **Domain template deployment** – copies a Jinja2 vHost from *srv-proxy-core*.
|
||||
4. **`web-app-oauth2-proxy`** *(optional)* – protects the site with OAuth2.
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
name: srv-proxy-core
|
||||
when: run_once_srv_proxy_core is not defined
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_sys_stk_front is not defined
|
||||
when: run_once_sys_stk_front_proxy is not defined
|
||||
|
||||
- include_tasks: "01_cloudflare.yml"
|
||||
when: DNS_PROVIDER == "cloudflare"
|
||||
@@ -1,7 +1,7 @@
|
||||
# Webserver HTTPS Provisioning 🚀
|
||||
|
||||
## Description
|
||||
The **srv-https-stack** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
|
||||
The **sys-stk-front-pure** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
|
||||
|
||||
1. Ensures your Nginx server is configured for SSL/TLS.
|
||||
2. Pulls in Let’s Encrypt ACME challenge handling.
|
||||
@@ -13,7 +13,7 @@ This role is built on top of your existing `srv-core` role, and it automates the
|
||||
|
||||
## Overview
|
||||
|
||||
When you apply **srv-https-stack**, it will:
|
||||
When you apply **sys-stk-front-pure**, it will:
|
||||
|
||||
1. **Include** the `srv-core` role to install and configure Nginx.
|
||||
2. **Clean up** any stale vHost files under `sys-svc-cln-domains`.
|
||||
@@ -7,4 +7,4 @@
|
||||
- sys-svc-cln-domains
|
||||
- srv-letsencrypt
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_srv_https_stack is not defined
|
||||
when: run_once_sys_stk_front_pure is not defined
|
||||
@@ -8,4 +8,4 @@ This role builds on `sys-stk-back-stateful` by adding a reverse-proxy frontend f
|
||||
Leverages the `sys-stk-back-stateful` role to stand up your containerized database (PostgreSQL, MariaDB, etc.) with backups and user management.
|
||||
|
||||
- **Reverse Proxy**
|
||||
Includes the `sys-stk-front` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.
|
||||
Includes the `sys-stk-front-proxy` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.
|
||||
@@ -1,7 +1,7 @@
|
||||
galaxy_info:
|
||||
author: "Kevin Veen-Birkenbach"
|
||||
description: >
|
||||
Extends sys-stk-back-stateful by adding an HTTP reverse proxy via sys-stk-front.
|
||||
Extends sys-stk-back-stateful by adding an HTTP reverse proxy via sys-stk-front-proxy.
|
||||
company: |
|
||||
Kevin Veen-Birkenbach
|
||||
Consulting & Coaching Solutions
|
||||
|
||||
@@ -4,9 +4,9 @@
|
||||
vars:
|
||||
handler_role_name: "svc-prx-openresty"
|
||||
|
||||
- name: "For '{{ application_id }}': include role sys-stk-front"
|
||||
- name: "For '{{ application_id }}': include role sys-stk-front-proxy"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
vars:
|
||||
domain: "{{ domains | get_domain(application_id) }}"
|
||||
http_port: "{{ ports.localhost.http[application_id] }}"
|
||||
|
||||
@@ -8,4 +8,4 @@ This role combines the standard Docker Compose setup with a reverse-proxy for an
|
||||
Brings up containers, networks, and volumes via the `docker-compose` role.
|
||||
|
||||
- **Reverse Proxy**
|
||||
Uses the `sys-stk-front` role to expose your application under a custom domain and port.
|
||||
Uses the `sys-stk-front-proxy` role to expose your application under a custom domain and port.
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
galaxy_info:
|
||||
author: "Kevin Veen-Birkenbach"
|
||||
description: >
|
||||
Combines the docker-compose role with sys-stk-front to
|
||||
Combines the docker-compose role with sys-stk-front-proxy to
|
||||
deploy applications behind a reverse proxy.
|
||||
company: |
|
||||
Kevin Veen-Birkenbach
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
# run_once_sys_stk_full_stateless: deactivated
|
||||
|
||||
# Load the proxy first, so that openresty handlers are flushed before the main docker compose
|
||||
- name: "For '{{ application_id }}': include role sys-stk-front"
|
||||
- name: "For '{{ application_id }}': include role sys-stk-front-proxy"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
vars:
|
||||
domain: "{{ domains | get_domain(application_id) }}"
|
||||
http_port: "{{ ports.localhost.http[application_id] }}"
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
- block:
|
||||
- name: Include dependency 'srv-https-stack'
|
||||
- name: Include dependency 'sys-stk-front-pure'
|
||||
include_role:
|
||||
name: srv-https-stack
|
||||
when: run_once_srv_https_stack is not defined
|
||||
name: sys-stk-front-pure
|
||||
when: run_once_sys_stk_front_pure is not defined
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_srv_tls_core is not defined
|
||||
when: run_once_sys_svc_certs is not defined
|
||||
|
||||
- name: "Include flavor '{{ CERTBOT_FLAVOR }}' for '{{ domain }}'"
|
||||
include_tasks: "{{ [role_path, 'tasks/flavors', CERTBOT_FLAVOR ~'.yml'] | path_join }}"
|
||||
@@ -2,9 +2,9 @@
|
||||
include_role:
|
||||
name: docker-compose
|
||||
|
||||
- name: "include role sys-stk-front for {{ application_id }}"
|
||||
- name: "include role sys-stk-front-proxy for {{ application_id }}"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
vars:
|
||||
domain: "{{ item.domain }}"
|
||||
http_port: "{{ item.http_port }}"
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
---
|
||||
|
||||
- name: "include role sys-stk-front for {{ application_id }}"
|
||||
- name: "include role sys-stk-front-proxy for {{ application_id }}"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
vars:
|
||||
domain: "{{ domains | get_domain(application_id) }}"
|
||||
http_port: "{{ ports.localhost.http[application_id] }}"
|
||||
|
||||
@@ -9,7 +9,7 @@ This Ansible role deploys and configures [FusionDirectory](https://www.fusiondir
|
||||
- Loads and templating of FusionDirectory-specific variables
|
||||
- Generates a `.env` file for the container environment
|
||||
- Deploys the FusionDirectory container via Docker Compose
|
||||
- Configures NGINX (via the `sys-stk-front` role) to expose the service
|
||||
- Configures NGINX (via the `sys-stk-front-proxy` role) to expose the service
|
||||
- Integrates with your central LDAP server for authentication
|
||||
|
||||
## Features
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: "Include role sys-stk-front for {{ application_id }}"
|
||||
- name: "Include role sys-stk-front-proxy for {{ application_id }}"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
loop: "{{ JOOMLA_DOMAINS }}"
|
||||
loop_control:
|
||||
loop_var: domain
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: "Include setup for domain '{{ domain }}'"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
loop: "{{ domains['web-app-mastodon'] }}"
|
||||
loop_control:
|
||||
loop_var: domain
|
||||
|
||||
@@ -9,9 +9,9 @@
|
||||
src: "well-known.j2"
|
||||
dest: "{{ MATRIX_WELL_KNOWN_FILE }}"
|
||||
|
||||
- name: "include role sys-stk-front for {{ MATRIX_ELEMENT_DOMAIN }}"
|
||||
- name: "include role sys-stk-front-proxy for {{ MATRIX_ELEMENT_DOMAIN }}"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
vars:
|
||||
domain: "{{ MATRIX_ELEMENT_DOMAIN }}"
|
||||
http_port: "{{ MATRIX_ELEMENT_PORT }}"
|
||||
|
||||
@@ -39,7 +39,7 @@ By using this role, teams can set up Taiga in minutes on Arch Linux systems —
|
||||
- [taiga-contrib-oidc-auth (official)](https://github.com/taigaio/taiga-contrib-oidc-auth)
|
||||
- 📨 **Email Backend:** Supports SMTP and console backends for development.
|
||||
- 🔁 **Async & Realtime Events:** Includes RabbitMQ and support for Taiga’s event system.
|
||||
- 🌐 **Reverse Proxy Ready:** Integrates with Nginx using the `sys-stk-front` role.
|
||||
- 🌐 **Reverse Proxy Ready:** Integrates with Nginx using the `sys-stk-front-proxy` role.
|
||||
- 🧩 **Composable Design:** Integrates cleanly with other Infinito.Nexus infrastructure roles.
|
||||
|
||||
---
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: "Include role sys-stk-front for {{ application_id }}"
|
||||
- name: "Include role sys-stk-front-proxy for {{ application_id }}"
|
||||
include_role:
|
||||
name: sys-stk-front
|
||||
name: sys-stk-front-proxy
|
||||
loop: "{{ WORDPRESS_DOMAINS }}"
|
||||
loop_control:
|
||||
loop_var: domain
|
||||
|
||||
@@ -9,7 +9,7 @@ This Ansible role configures Nginx to perform 301 redirects from one domain to a
|
||||
|
||||
## Dependencies
|
||||
|
||||
- `srv-https-stack`: A role for setting up HTTPS for Nginx
|
||||
- `sys-stk-front-pure`: A role for setting up HTTPS for Nginx
|
||||
- `letsencrypt`: A role for managing SSL certificates with Let's Encrypt
|
||||
|
||||
## Author Information
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
- block:
|
||||
- name: Include dependency 'srv-https-stack'
|
||||
- name: Include dependency 'sys-stk-front-pure'
|
||||
include_role:
|
||||
name: srv-https-stack
|
||||
when: run_once_srv_https_stack is not defined
|
||||
name: sys-stk-front-pure
|
||||
when: run_once_sys_stk_front_pure is not defined
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_web_opt_rdr_domains is not defined
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
- name: "include task receive certbot certificate"
|
||||
include_role:
|
||||
name: srv-tls-core
|
||||
name: sys-svc-certs
|
||||
|
||||
- name: "Deploying NGINX redirect configuration for '{{ domain }}'"
|
||||
template:
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
include_role:
|
||||
name: '{{ item }}'
|
||||
loop:
|
||||
- srv-https-stack
|
||||
- sys-stk-front-pure
|
||||
- dev-git
|
||||
|
||||
- name: "include role for {{ application_id }} to receive certs & do modification routines"
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
include_role:
|
||||
name: '{{ item }}'
|
||||
loop:
|
||||
- srv-https-stack
|
||||
- sys-stk-front-pure
|
||||
- dev-git
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_web_svc_file is not defined
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
include_role:
|
||||
name: '{{ item }}'
|
||||
loop:
|
||||
- srv-https-stack
|
||||
- sys-stk-front-pure
|
||||
- dev-git
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_web_svc_html is not defined
|
||||
|
||||
Reference in New Issue
Block a user