Renamed server roles by osi they work on
parent
c94d623f8f
commit
96268e7161
@ -24,19 +24,19 @@ For a complete list of role categories and detailed definitions, see:
|
|||||||
|
|
||||||
## Webserver & HTTP
|
## Webserver & HTTP
|
||||||
|
|
||||||
- **srv-web-core**
|
- **srv-web-7-4-core**
|
||||||
Installs and configures the base Nginx server.
|
Installs and configures the base Nginx server.
|
||||||
|
|
||||||
- **srv-web-tls-***
|
- **srv-web-6-6-tls-***
|
||||||
Manages TLS certificates and renewal (formerly “https”; e.g. `srv-web-tls-deploy`, `srv-web-tls-renew`).
|
Manages TLS certificates and renewal (formerly “https”; e.g. `srv-web-6-6-tls-deploy`, `srv-web-6-6-tls-renew`).
|
||||||
|
|
||||||
- **srv-web-proxy-***
|
- **srv-web-proxy-***
|
||||||
Proxy and vhost orchestration roles (domain setup, OAuth2 proxy, etc.)
|
Proxy and vhost orchestration roles (domain setup, OAuth2 proxy, etc.)
|
||||||
|
|
||||||
- **srv-web-injector-***
|
- **srv-web-7-7-inj-***
|
||||||
HTML response modifiers: CSS, JS, Matomo tracking, iframe notifier.
|
HTML response modifiers: CSS, JS, Matomo tracking, iframe notifier.
|
||||||
|
|
||||||
- **srv-web-composer**
|
- **srv-web-7-6-composer**
|
||||||
Aggregates multiple sub-filters into one include for your vhost.
|
Aggregates multiple sub-filters into one include for your vhost.
|
||||||
|
|
||||||
- **web-svc-***
|
- **web-svc-***
|
||||||
|
@ -25,11 +25,11 @@ categories:
|
|||||||
srv:
|
srv:
|
||||||
web:
|
web:
|
||||||
core:
|
core:
|
||||||
title: "srv-web-core"
|
title: "srv-web-7-4-core"
|
||||||
description: "Install & configure base Nginx server"
|
description: "Install & configure base Nginx server"
|
||||||
icon: "fas fa-server"
|
icon: "fas fa-server"
|
||||||
tls:
|
tls:
|
||||||
title: "srv-web-tls-*"
|
title: "srv-web-6-6-tls-*"
|
||||||
description: "Deploy & renew TLS certificates"
|
description: "Deploy & renew TLS certificates"
|
||||||
icon: "fas fa-lock"
|
icon: "fas fa-lock"
|
||||||
proxy:
|
proxy:
|
||||||
@ -38,27 +38,27 @@ categories:
|
|||||||
icon: "fas fa-project-diagram"
|
icon: "fas fa-project-diagram"
|
||||||
injector:
|
injector:
|
||||||
core:
|
core:
|
||||||
title: "srv-web-injector-compose"
|
title: "srv-web-7-7-inj-compose"
|
||||||
description: "Inject core HTML modifiers"
|
description: "Inject core HTML modifiers"
|
||||||
icon: "fas fa-code"
|
icon: "fas fa-code"
|
||||||
css:
|
css:
|
||||||
title: "srv-web-injector-css"
|
title: "srv-web-7-7-inj-css"
|
||||||
description: "Inject CSS into responses"
|
description: "Inject CSS into responses"
|
||||||
icon: "fas fa-paint-brush"
|
icon: "fas fa-paint-brush"
|
||||||
iframe:
|
iframe:
|
||||||
title: "srv-web-injector-iframe"
|
title: "srv-web-7-7-inj-iframe"
|
||||||
description: "Inject iframe notifier"
|
description: "Inject iframe notifier"
|
||||||
icon: "fas fa-window-maximize"
|
icon: "fas fa-window-maximize"
|
||||||
javascript:
|
javascript:
|
||||||
title: "srv-web-injector-javascript"
|
title: "srv-web-7-7-inj-javascript"
|
||||||
description: "Inject JS into responses"
|
description: "Inject JS into responses"
|
||||||
icon: "fas fa-code"
|
icon: "fas fa-code"
|
||||||
matomo:
|
matomo:
|
||||||
title: "srv-web-injector-matomo"
|
title: "srv-web-7-7-inj-matomo"
|
||||||
description: "Inject Matomo tracking code"
|
description: "Inject Matomo tracking code"
|
||||||
icon: "fas fa-chart-pie"
|
icon: "fas fa-chart-pie"
|
||||||
composer:
|
composer:
|
||||||
title: "srv-web-composer"
|
title: "srv-web-7-6-composer"
|
||||||
description: "Compose multiple filters into one include"
|
description: "Compose multiple filters into one include"
|
||||||
icon: "fas fa-layer-group"
|
icon: "fas fa-layer-group"
|
||||||
|
|
||||||
|
@ -21,5 +21,5 @@ galaxy_info:
|
|||||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||||
documentation: "https://s.veen.world/cymais"
|
documentation: "https://s.veen.world/cymais"
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
||||||
- core-daemon
|
- core-daemon
|
@ -8,4 +8,4 @@ This role builds on `cmp-db-docker` by adding a reverse-proxy frontend for HTTP
|
|||||||
Leverages the `cmp-db-docker` role to stand up your containerized database (PostgreSQL, MariaDB, etc.) with backups and user management.
|
Leverages the `cmp-db-docker` role to stand up your containerized database (PostgreSQL, MariaDB, etc.) with backups and user management.
|
||||||
|
|
||||||
- **Reverse Proxy**
|
- **Reverse Proxy**
|
||||||
Includes the `srv-web-proxy-domain` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.
|
Includes the `srv-proxy-6-6-domain` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.
|
@ -1,7 +1,7 @@
|
|||||||
galaxy_info:
|
galaxy_info:
|
||||||
author: "Kevin Veen-Birkenbach"
|
author: "Kevin Veen-Birkenbach"
|
||||||
description: >
|
description: >
|
||||||
Extends cmp-db-docker by adding an HTTP reverse proxy via srv-web-proxy-domain.
|
Extends cmp-db-docker by adding an HTTP reverse proxy via srv-proxy-6-6-domain.
|
||||||
company: |
|
company: |
|
||||||
Kevin Veen-Birkenbach
|
Kevin Veen-Birkenbach
|
||||||
Consulting & Coaching Solutions
|
Consulting & Coaching Solutions
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
include_role:
|
include_role:
|
||||||
name: cmp-db-docker
|
name: cmp-db-docker
|
||||||
|
|
||||||
- name: "include role srv-web-proxy-domain for {{application_id}}"
|
- name: "include role srv-proxy-6-6-domain for {{application_id}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
vars:
|
vars:
|
||||||
domain: "{{ domains | get_domain(application_id) }}"
|
domain: "{{ domains | get_domain(application_id) }}"
|
||||||
http_port: "{{ ports.localhost.http[application_id] }}"
|
http_port: "{{ ports.localhost.http[application_id] }}"
|
@ -8,4 +8,4 @@ This role combines the standard Docker Compose setup with a reverse-proxy for an
|
|||||||
Brings up containers, networks, and volumes via the `docker-compose` role.
|
Brings up containers, networks, and volumes via the `docker-compose` role.
|
||||||
|
|
||||||
- **Reverse Proxy**
|
- **Reverse Proxy**
|
||||||
Uses the `srv-web-proxy-domain` role to expose your application under a custom domain and port.
|
Uses the `srv-proxy-6-6-domain` role to expose your application under a custom domain and port.
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
galaxy_info:
|
galaxy_info:
|
||||||
author: "Kevin Veen-Birkenbach"
|
author: "Kevin Veen-Birkenbach"
|
||||||
description: >
|
description: >
|
||||||
Combines the docker-compose role with srv-web-proxy-domain to
|
Combines the docker-compose role with srv-proxy-6-6-domain to
|
||||||
deploy applications behind a reverse proxy.
|
deploy applications behind a reverse proxy.
|
||||||
company: |
|
company: |
|
||||||
Kevin Veen-Birkenbach
|
Kevin Veen-Birkenbach
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
include_role:
|
include_role:
|
||||||
name: docker-compose
|
name: docker-compose
|
||||||
|
|
||||||
- name: "include role srv-web-proxy-domain for {{application_id}}"
|
- name: "include role srv-proxy-6-6-domain for {{application_id}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
vars:
|
vars:
|
||||||
domain: "{{ domains | get_domain(application_id) }}"
|
domain: "{{ domains | get_domain(application_id) }}"
|
||||||
http_port: "{{ ports.localhost.http[application_id] }}"
|
http_port: "{{ ports.localhost.http[application_id] }}"
|
@ -20,7 +20,7 @@ To offer a centralized, extensible system for managing containerized application
|
|||||||
- **Reset Logic:** Cleans previous Compose project files and data when `mode_reset` is enabled.
|
- **Reset Logic:** Cleans previous Compose project files and data when `mode_reset` is enabled.
|
||||||
- **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers.
|
- **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers.
|
||||||
- **Template-ready Service Files:** Predefined service base and health check templates.
|
- **Template-ready Service Files:** Predefined service base and health check templates.
|
||||||
- **Integration Support:** Compatible with `srv-web-proxy-core` and other CyMaIS service roles.
|
- **Integration Support:** Compatible with `srv-proxy-7-4-core` and other CyMaIS service roles.
|
||||||
|
|
||||||
## Administration Tips
|
## Administration Tips
|
||||||
|
|
||||||
|
@ -23,4 +23,4 @@ galaxy_info:
|
|||||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||||
documentation: "https://s.veen.world/cymais"
|
documentation: "https://s.veen.world/cymais"
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-tls-renew
|
- srv-web-6-6-tls-renew
|
||||||
|
@ -6,11 +6,11 @@ This role bootstraps **per-domain Nginx configuration**: it requests TLS certifi
|
|||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
A higher-level orchestration wrapper, *srv-web-proxy-domain* ties together several lower-level roles:
|
A higher-level orchestration wrapper, *srv-proxy-6-6-domain* ties together several lower-level roles:
|
||||||
|
|
||||||
1. **`srv-web-injector-compose`** – applies global tweaks and includes.
|
1. **`srv-web-7-7-inj-compose`** – applies global tweaks and includes.
|
||||||
2. **`srv-web-tls-core`** – obtains Let’s Encrypt certificates.
|
2. **`srv-web-6-6-tls-core`** – obtains Let’s Encrypt certificates.
|
||||||
3. **Domain template deployment** – copies a Jinja2 vHost from *srv-web-proxy-core*.
|
3. **Domain template deployment** – copies a Jinja2 vHost from *srv-proxy-7-4-core*.
|
||||||
4. **`web-app-oauth2-proxy`** *(optional)* – protects the site with OAuth2.
|
4. **`web-app-oauth2-proxy`** *(optional)* – protects the site with OAuth2.
|
||||||
|
|
||||||
The result is a complete, reproducible domain rollout in a single playbook task.
|
The result is a complete, reproducible domain rollout in a single playbook task.
|
@ -2,4 +2,4 @@
|
|||||||
vhost_flavour: "basic" # valid: basic | ws_generic
|
vhost_flavour: "basic" # valid: basic | ws_generic
|
||||||
|
|
||||||
# build the full template path from the flavour
|
# build the full template path from the flavour
|
||||||
vhost_template_src: "roles/srv-web-proxy-core/templates/vhost/{{ vhost_flavour }}.conf.j2"
|
vhost_template_src: "roles/srv-proxy-7-4-core/templates/vhost/{{ vhost_flavour }}.conf.j2"
|
@ -24,4 +24,4 @@ galaxy_info:
|
|||||||
issue_tracker_url: https://s.veen.world/cymaisissues
|
issue_tracker_url: https://s.veen.world/cymaisissues
|
||||||
documentation: https://s.veen.world/cymais
|
documentation: https://s.veen.world/cymais
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-proxy-core
|
- srv-proxy-7-4-core
|
@ -1,6 +1,6 @@
|
|||||||
- name: "include role for {{domain}} to receive certificates and do the modification routines"
|
- name: "include role for {{domain}} to receive certificates and do the modification routines"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-composer
|
name: srv-web-7-6-composer
|
||||||
|
|
||||||
- name: "Copy nginx config to {{ configuration_destination }}"
|
- name: "Copy nginx config to {{ configuration_destination }}"
|
||||||
template:
|
template:
|
@ -21,7 +21,7 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
|
|||||||
|
|
||||||
### **1️⃣ Main Tasks**
|
### **1️⃣ Main Tasks**
|
||||||
1. **Add Deployment Script**
|
1. **Add Deployment Script**
|
||||||
- Copies `srv-web-proxy-tls-deploy.sh` to the administrator scripts directory.
|
- Copies `srv-proxy-6-6-tls-deploy.sh` to the administrator scripts directory.
|
||||||
|
|
||||||
2. **Create Certificate Directory**
|
2. **Create Certificate Directory**
|
||||||
- Ensures `cert_mount_directory` exists with proper permissions.
|
- Ensures `cert_mount_directory` exists with proper permissions.
|
||||||
@ -34,14 +34,14 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
|
|||||||
|
|
||||||
### **2️⃣ Handlers**
|
### **2️⃣ Handlers**
|
||||||
- **Restart Nginx Service**
|
- **Restart Nginx Service**
|
||||||
- Restarts `srv-web-proxy-tls-deploy` whenever a certificate update occurs.
|
- Restarts `srv-proxy-6-6-tls-deploy` whenever a certificate update occurs.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## **🔧 Deploying Certificates into Docker Containers**
|
## **🔧 Deploying Certificates into Docker Containers**
|
||||||
The role **automates copying certificates** into Docker Compose setups.
|
The role **automates copying certificates** into Docker Compose setups.
|
||||||
|
|
||||||
### **1️⃣ Deployment Script (`srv-web-proxy-tls-deploy.sh`)**
|
### **1️⃣ Deployment Script (`srv-proxy-6-6-tls-deploy.sh`)**
|
||||||
This script:
|
This script:
|
||||||
- **Copies certificates** to the correct container directory.
|
- **Copies certificates** to the correct container directory.
|
||||||
- **Reloads Nginx** inside all running containers.
|
- **Reloads Nginx** inside all running containers.
|
||||||
@ -49,7 +49,7 @@ This script:
|
|||||||
|
|
||||||
**Usage:**
|
**Usage:**
|
||||||
```sh
|
```sh
|
||||||
sh srv-web-proxy-tls-deploy.sh primary_domain /path/to/docker/compose
|
sh srv-proxy-6-6-tls-deploy.sh primary_domain /path/to/docker/compose
|
||||||
```
|
```
|
||||||
|
|
||||||
---
|
---
|
7
roles/srv-proxy-6-6-tls-deploy/handlers/main.yml
Normal file
7
roles/srv-proxy-6-6-tls-deploy/handlers/main.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
- name: "restart srv-proxy-6-6-tls-deploy.cymais.service"
|
||||||
|
systemd:
|
||||||
|
name: srv-proxy-6-6-tls-deploy.{{application_id}}.cymais.service
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
daemon_reload: yes
|
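Review bot: The handler name `restart srv-proxy-6-6-tls-deploy.cymais.service` is static, while the unit it restarts is templated as `srv-proxy-6-6-tls-deploy.{{application_id}}.cymais.service`. Ansible runs a notified handler once per name per play, so if this role is applied to several applications in one play, presumably only one instance's unit gets restarted; this is worth confirming with a multi-application run. A short comment above the handler stating which `application_id` it is expected to act on would help the next reader. Separately, `enabled: yes` and `daemon_reload: yes` are better written as `enabled: true` and `daemon_reload: true`; the `reload certbot service` handler later in this commit uses the same `yes` spelling.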
@ -15,7 +15,7 @@ galaxy_info:
|
|||||||
- systemd
|
- systemd
|
||||||
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
||||||
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
||||||
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-proxy-tls-deploy"
|
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-proxy-6-6-tls-deploy"
|
||||||
min_ansible_version: "2.9"
|
min_ansible_version: "2.9"
|
||||||
platforms:
|
platforms:
|
||||||
- name: Any
|
- name: Any
|
@ -1,9 +1,9 @@
|
|||||||
- name: add srv-web-proxy-tls-deploy.sh
|
- name: add srv-proxy-6-6-tls-deploy.sh
|
||||||
copy:
|
copy:
|
||||||
src: "srv-web-proxy-tls-deploy.sh"
|
src: "srv-proxy-6-6-tls-deploy.sh"
|
||||||
dest: "{{nginx_docker_cert_deploy_script}}"
|
dest: "{{nginx_docker_cert_deploy_script}}"
|
||||||
when: run_once_nginx_docker_cert_deploy is not defined
|
when: run_once_nginx_docker_cert_deploy is not defined
|
||||||
notify: restart srv-web-proxy-tls-deploy.cymais.service
|
notify: restart srv-proxy-6-6-tls-deploy.cymais.service
|
||||||
|
|
||||||
- name: run the nginx_docker_cert_deploy tasks once
|
- name: run the nginx_docker_cert_deploy tasks once
|
||||||
set_fact:
|
set_fact:
|
||||||
@ -15,18 +15,18 @@
|
|||||||
path: "{{cert_mount_directory}}"
|
path: "{{cert_mount_directory}}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0755
|
||||||
notify: restart srv-web-proxy-tls-deploy.cymais.service
|
notify: restart srv-proxy-6-6-tls-deploy.cymais.service
|
||||||
|
|
||||||
- name: configure srv-web-proxy-tls-deploy.cymais.service
|
- name: configure srv-proxy-6-6-tls-deploy.cymais.service
|
||||||
template:
|
template:
|
||||||
src: "srv-web-proxy-tls-deploy.service.j2"
|
src: "srv-proxy-6-6-tls-deploy.service.j2"
|
||||||
dest: "/etc/systemd/system/srv-web-proxy-tls-deploy.{{application_id}}.cymais.service"
|
dest: "/etc/systemd/system/srv-proxy-6-6-tls-deploy.{{application_id}}.cymais.service"
|
||||||
notify: restart srv-web-proxy-tls-deploy.cymais.service
|
notify: restart srv-proxy-6-6-tls-deploy.cymais.service
|
||||||
|
|
||||||
- name: "include role for gen-timer for {{service_name}}"
|
- name: "include role for gen-timer for {{service_name}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: gen-timer
|
name: gen-timer
|
||||||
vars:
|
vars:
|
||||||
on_calendar: "{{on_calendar_deploy_certificates}}"
|
on_calendar: "{{on_calendar_deploy_certificates}}"
|
||||||
service_name: "srv-web-proxy-tls-deploy.{{application_id}}"
|
service_name: "srv-proxy-6-6-tls-deploy.{{application_id}}"
|
||||||
persistent: "true"
|
persistent: "true"
|
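Review bot: The `copy` task `add srv-proxy-6-6-tls-deploy.sh` in the first hunk sets no `owner`, `group` or `mode`, so the permissions of a script that a systemd unit later executes depend on the connecting user and its umask. The service template in this commit runs the script through `/usr/bin/bash`, and no `User=` is visible in that hunk, so it presumably runs as root; I would pin the permissions with `owner: root`, `group: root` and `mode: "0750"`. The directory task in the second hunk writes `mode: 0755` unquoted, and `mode: "0755"` avoids relying on the YAML parser's octal handling. The `set_fact` task at the end of the first hunk and the directory task at the start of the second continue outside the visible lines.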
@ -4,4 +4,4 @@ OnFailure=alert-compose.cymais@%n.service
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
ExecStart=/usr/bin/bash {{path_administrator_scripts}}/srv-web-proxy-tls-deploy.sh {{ssl_cert_folder}} {{docker_compose.directories.instance}}
|
ExecStart=/usr/bin/bash {{path_administrator_scripts}}/srv-proxy-6-6-tls-deploy.sh {{ssl_cert_folder}} {{docker_compose.directories.instance}}
|
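Review bot: The script path is built differently in two places. `ExecStart` here joins `{{path_administrator_scripts}}/srv-proxy-6-6-tls-deploy.sh` with a slash, while `nginx_docker_cert_deploy_script` in the vars hunk that follows concatenates `{{path_administrator_scripts}}srv-proxy-6-6-tls-deploy.sh` without one. Whether `path_administrator_scripts` ends in `/` is not visible here, so either the unit gets a doubled slash or the script is copied to a different path than the one executed. Using the variable in the unit keeps a single source of truth: `ExecStart=/usr/bin/bash {{nginx_docker_cert_deploy_script}} {{ssl_cert_folder}} {{docker_compose.directories.instance}}`. The unit file begins outside the hunk.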
@ -1 +1 @@
|
|||||||
nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}srv-web-proxy-tls-deploy.sh"
|
nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}srv-proxy-6-6-tls-deploy.sh"
|
@ -16,7 +16,7 @@ The goal of this role is to deliver a **hassle-free, production-ready reverse pr
|
|||||||
|
|
||||||
## Features
|
## Features
|
||||||
|
|
||||||
- **Automatic TLS & HSTS** — integrates with the *srv-web-https* role for certificate management.
|
- **Automatic TLS & HSTS** — integrates with the *srv-web-7-6-https* role for certificate management.
|
||||||
- **Flexible vHost templates** — *basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications.
|
- **Flexible vHost templates** — *basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications.
|
||||||
- **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings.
|
- **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings.
|
||||||
- **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured.
|
- **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured.
|
@ -24,5 +24,5 @@ galaxy_info:
|
|||||||
issue_tracker_url: https://s.veen.world/cymaisissues
|
issue_tracker_url: https://s.veen.world/cymaisissues
|
||||||
documentation: https://s.veen.world/cymais
|
documentation: https://s.veen.world/cymais
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-https
|
- srv-web-7-6-https
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
@ -14,7 +14,7 @@ location {{location | default("/")}}
|
|||||||
proxy_set_header X-Forwarded-Port 443;
|
proxy_set_header X-Forwarded-Port 443;
|
||||||
proxy_set_header Accept-Encoding "";
|
proxy_set_header Accept-Encoding "";
|
||||||
|
|
||||||
{% include 'roles/srv-web-proxy-core/templates/headers/content_security_policy.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
|
||||||
|
|
||||||
# WebSocket specific header
|
# WebSocket specific header
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
@ -6,7 +6,7 @@ server
|
|||||||
{% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
|
{% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2'%}
|
{% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
|
||||||
|
|
||||||
{% if proxy_extra_configuration is defined %}
|
{% if proxy_extra_configuration is defined %}
|
||||||
{# Additional Domain Specific Configuration #}
|
{# Additional Domain Specific Configuration #}
|
||||||
@ -22,38 +22,38 @@ server
|
|||||||
{# 1. Expose everything by default, then protect blacklisted paths #}
|
{# 1. Expose everything by default, then protect blacklisted paths #}
|
||||||
{% set oauth2_proxy_enabled = false %}
|
{% set oauth2_proxy_enabled = false %}
|
||||||
{% set location = "/" %}
|
{% set location = "/" %}
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
|
|
||||||
{% for loc in acl.blacklist %}
|
{% for loc in acl.blacklist %}
|
||||||
{% set oauth2_proxy_enabled = true %}
|
{% set oauth2_proxy_enabled = true %}
|
||||||
{% set location = loc %}
|
{% set location = loc %}
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% elif acl.whitelist is defined %}
|
{% elif acl.whitelist is defined %}
|
||||||
{# 2. Protect everything by default, then expose whitelisted paths #}
|
{# 2. Protect everything by default, then expose whitelisted paths #}
|
||||||
{% set oauth2_proxy_enabled = true %}
|
{% set oauth2_proxy_enabled = true %}
|
||||||
{% set location = "/" %}
|
{% set location = "/" %}
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
|
|
||||||
{% for loc in acl.whitelist %}
|
{% for loc in acl.whitelist %}
|
||||||
{% set oauth2_proxy_enabled = false %}
|
{% set oauth2_proxy_enabled = false %}
|
||||||
{% set location = loc %}
|
{% set location = loc %}
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% else %}
|
{% else %}
|
||||||
{# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
|
{# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
|
||||||
{% set oauth2_proxy_enabled = true %}
|
{% set oauth2_proxy_enabled = true %}
|
||||||
{% set location = "/" %}
|
{% set location = "/" %}
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% else %}
|
{% else %}
|
||||||
{# 4. OAuth2 completely disabled — expose all #}
|
{# 4. OAuth2 completely disabled — expose all #}
|
||||||
{% set oauth2_proxy_enabled = false %}
|
{% set oauth2_proxy_enabled = false %}
|
||||||
{% set location = "/" %}
|
{% set location = "/" %}
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
}
|
}
|
@ -7,7 +7,7 @@ server {
|
|||||||
server_name {{ domain }};
|
server_name {{ domain }};
|
||||||
|
|
||||||
{% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
|
{% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
|
||||||
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2' %}
|
{% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2' %}
|
||||||
|
|
||||||
client_max_body_size {{ client_max_body_size | default('100m') }};
|
client_max_body_size {{ client_max_body_size | default('100m') }};
|
||||||
keepalive_timeout 70;
|
keepalive_timeout 70;
|
||||||
@ -24,7 +24,7 @@ server {
|
|||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000";
|
add_header Strict-Transport-Security "max-age=31536000";
|
||||||
|
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
|
|
||||||
{% if ws_path is defined %}
|
{% if ws_path is defined %}
|
||||||
location {{ ws_path }} {
|
location {{ ws_path }} {
|
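Review bot: `add_header Strict-Transport-Security "max-age=31536000";` in the second hunk is set at server level without `always`, so nginx omits it on error responses, and it is not inherited by any `location` that declares its own `add_header`. The `proxy_basic.conf.j2` location included right after it pulls in `headers/content_security_policy.conf.j2` (visible in that template's hunk), which presumably emits `add_header`. If it does, proxied responses would carry no HSTS header, so the rendered config is worth checking. In that case use `add_header Strict-Transport-Security "max-age=31536000" always;` and repeat it inside the location template. The `server` block starts and ends outside both hunks.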
@ -28,4 +28,4 @@ galaxy_info:
|
|||||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||||
documentation: "https://s.veen.world/cymais"
|
documentation: "https://s.veen.world/cymais"
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-https
|
- srv-web-7-6-https
|
@ -1,6 +1,6 @@
|
|||||||
- name: "reload certbot service"
|
- name: "reload certbot service"
|
||||||
systemd:
|
systemd:
|
||||||
name: srv-web-tls-renew.cymais.service
|
name: srv-web-6-6-tls-renew.cymais.service
|
||||||
state: reloaded
|
state: reloaded
|
||||||
enabled: yes
|
enabled: yes
|
||||||
daemon_reload: yes
|
daemon_reload: yes
|
@ -28,6 +28,6 @@ galaxy_info:
|
|||||||
documentation: "https://s.veen.world/cymais"
|
documentation: "https://s.veen.world/cymais"
|
||||||
dependencies:
|
dependencies:
|
||||||
- gen-certbot
|
- gen-certbot
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
||||||
- alert-compose
|
- alert-compose
|
||||||
- cln-certs
|
- cln-certs
|
@ -5,10 +5,10 @@
|
|||||||
state: present
|
state: present
|
||||||
when: run_once_nginx_certbot is not defined
|
when: run_once_nginx_certbot is not defined
|
||||||
|
|
||||||
- name: configure srv-web-tls-renew.cymais.service
|
- name: configure srv-web-6-6-tls-renew.cymais.service
|
||||||
template:
|
template:
|
||||||
src: srv-web-tls-renew.service.j2
|
src: srv-web-6-6-tls-renew.service.j2
|
||||||
dest: /etc/systemd/system/srv-web-tls-renew.cymais.service
|
dest: /etc/systemd/system/srv-web-6-6-tls-renew.cymais.service
|
||||||
notify: reload certbot service
|
notify: reload certbot service
|
||||||
when: run_once_nginx_certbot is not defined
|
when: run_once_nginx_certbot is not defined
|
||||||
|
|
@ -18,7 +18,7 @@ galaxy_info:
|
|||||||
- performance
|
- performance
|
||||||
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
||||||
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
||||||
documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-core"
|
documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-7-4-core"
|
||||||
dependencies:
|
dependencies:
|
||||||
- mon-bot-webserver
|
- mon-bot-webserver
|
||||||
- mon-bot-csp
|
- mon-bot-csp
|
@ -1,10 +1,10 @@
|
|||||||
# Role: srv-web-composer
|
# Role: srv-web-7-6-composer
|
||||||
|
|
||||||
This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and HTML-content injections for your webserver domains. It integrates two key sub-roles into a unified workflow:
|
This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and HTML-content injections for your webserver domains. It integrates two key sub-roles into a unified workflow:
|
||||||
|
|
||||||
1. **`srv-web-injector-compose`**
|
1. **`srv-web-7-7-inj-compose`**
|
||||||
Injects global HTML snippets (CSS, Matomo tracking, iFrame notifier, custom JavaScript) into responses using Nginx `sub_filter`.
|
Injects global HTML snippets (CSS, Matomo tracking, iFrame notifier, custom JavaScript) into responses using Nginx `sub_filter`.
|
||||||
2. **`srv-web-tls-core`**
|
2. **`srv-web-6-6-tls-core`**
|
||||||
Handles issuing, renewing, and managing TLS certificates via ACME/Certbot.
|
Handles issuing, renewing, and managing TLS certificates via ACME/Certbot.
|
||||||
|
|
||||||
By combining encryption setup with content enhancements, this role streamlines domain provisioning for secure, fully-featured HTTP/HTTPS delivery.
|
By combining encryption setup with content enhancements, this role streamlines domain provisioning for secure, fully-featured HTTP/HTTPS delivery.
|
||||||
@ -16,7 +16,7 @@ By combining encryption setup with content enhancements, this role streamlines d
|
|||||||
* **Content Injection**
|
* **Content Injection**
|
||||||
Adds global theming, analytics, and custom scripts before `</head>` and tracking noscript tags before `</body>`.
|
Adds global theming, analytics, and custom scripts before `</head>` and tracking noscript tags before `</body>`.
|
||||||
* **Certificate Management**
|
* **Certificate Management**
|
||||||
Automates cert issuance and renewal via `srv-web-tls-core`.
|
Automates cert issuance and renewal via `srv-web-6-6-tls-core`.
|
||||||
* **Idempotent Workflow**
|
* **Idempotent Workflow**
|
||||||
Ensures each component runs only once per domain.
|
Ensures each component runs only once per domain.
|
||||||
* **Simplified Playbooks**
|
* **Simplified Playbooks**
|
@ -27,7 +27,7 @@ galaxy_info:
|
|||||||
- orchestration
|
- orchestration
|
||||||
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
||||||
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
||||||
documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-composer"
|
documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-7-6-composer"
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-injector-compose
|
- srv-web-7-7-inj-compose
|
||||||
- srv-web-tls-core
|
- srv-web-6-6-tls-core
|
7
roles/srv-web-7-6-composer/tasks/main.yml
Normal file
7
roles/srv-web-7-6-composer/tasks/main.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
- name: "include role srv-web-7-7-inj-compose for {{domain}}"
|
||||||
|
include_role:
|
||||||
|
name: srv-web-7-7-inj-compose
|
||||||
|
|
||||||
|
- name: "include role srv-web-6-6-tls-core for {{domain}}"
|
||||||
|
include_role:
|
||||||
|
name: srv-web-6-6-tls-core
|
@ -1,21 +1,21 @@
|
|||||||
# Webserver HTTPS Provisioning 🚀
|
# Webserver HTTPS Provisioning 🚀
|
||||||
|
|
||||||
## Description
|
## Description
|
||||||
The **srv-web-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
|
The **srv-web-7-6-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
|
||||||
|
|
||||||
1. Ensures your Nginx server is configured for SSL/TLS.
|
1. Ensures your Nginx server is configured for SSL/TLS.
|
||||||
2. Pulls in Let’s Encrypt ACME challenge handling.
|
2. Pulls in Let’s Encrypt ACME challenge handling.
|
||||||
3. Applies global cleanup of unused domain configs.
|
3. Applies global cleanup of unused domain configs.
|
||||||
|
|
||||||
This role is built on top of your existing `srv-web-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
|
This role is built on top of your existing `srv-web-7-4-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
When you apply **srv-web-https**, it will:
|
When you apply **srv-web-7-6-https**, it will:
|
||||||
|
|
||||||
1. **Include** the `srv-web-core` role to install and configure Nginx.
|
1. **Include** the `srv-web-7-4-core` role to install and configure Nginx.
|
||||||
2. **Clean up** any stale vHost files under `cln-domains`.
|
2. **Clean up** any stale vHost files under `cln-domains`.
|
||||||
3. **Deploy** the Let’s Encrypt challenge-and-redirect snippet from `net-letsencrypt`.
|
3. **Deploy** the Let’s Encrypt challenge-and-redirect snippet from `net-letsencrypt`.
|
||||||
4. **Reload** Nginx automatically when any template changes.
|
4. **Reload** Nginx automatically when any template changes.
|
||||||
@ -42,7 +42,7 @@ All tasks are idempotent—once your certificates are in place and your configur
|
|||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
- A working `srv-web-core` setup.
|
- A working `srv-web-7-4-core` setup.
|
||||||
- DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
|
- DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
|
||||||
- Variables:
|
- Variables:
|
||||||
- `certbot_webroot_path`
|
- `certbot_webroot_path`
|
@ -24,6 +24,6 @@ galaxy_info:
|
|||||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
||||||
- cln-domains
|
- cln-domains
|
||||||
- net-letsencrypt
|
- net-letsencrypt
|
@ -15,7 +15,7 @@ galaxy_info:
|
|||||||
- theming
|
- theming
|
||||||
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
||||||
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
||||||
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-injector-compose"
|
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-7-7-inj-compose"
|
||||||
min_ansible_version: "2.9"
|
min_ansible_version: "2.9"
|
||||||
platforms:
|
platforms:
|
||||||
- name: Any
|
- name: Any
|
||||||
@ -23,5 +23,5 @@ galaxy_info:
|
|||||||
- all
|
- all
|
||||||
dependencies:
|
dependencies:
|
||||||
# The injections are called in the script. Keep the logic there.
|
# The injections are called in the script. Keep the logic there.
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
||||||
|
|
@ -1,19 +1,19 @@
|
|||||||
- name: "Activate Global CSS for {{domain}}"
|
- name: "Activate Global CSS for {{domain}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-injector-css
|
name: srv-web-7-7-inj-css
|
||||||
when: applications | is_feature_enabled('css',application_id)
|
when: applications | is_feature_enabled('css',application_id)
|
||||||
|
|
||||||
- name: "Activate Global Matomo Tracking for {{domain}}"
|
- name: "Activate Global Matomo Tracking for {{domain}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-injector-matomo
|
name: srv-web-7-7-inj-matomo
|
||||||
when: applications | is_feature_enabled('matomo',application_id)
|
when: applications | is_feature_enabled('matomo',application_id)
|
||||||
|
|
||||||
- name: "Activate Portfolio iFrame Notifier for {{ domain }}"
|
- name: "Activate Portfolio iFrame Notifier for {{ domain }}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-injector-iframe
|
name: srv-web-7-7-inj-iframe
|
||||||
when: applications | is_feature_enabled('portfolio_iframe', application_id)
|
when: applications | is_feature_enabled('portfolio_iframe', application_id)
|
||||||
|
|
||||||
- name: "Activate Javascript for {{ domain }}"
|
- name: "Activate Javascript for {{ domain }}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-injector-javascript
|
name: srv-web-7-7-inj-javascript
|
||||||
when: applications | is_feature_enabled('javascript', application_id)
|
when: applications | is_feature_enabled('javascript', application_id)
|
@ -10,24 +10,24 @@ sub_filter_types text/html;
|
|||||||
{% if modifier_iframe_enabled or modifier_css_enabled or modifier_matomo_enabled or modifier_javascript_enabled %}
|
{% if modifier_iframe_enabled or modifier_css_enabled or modifier_matomo_enabled or modifier_javascript_enabled %}
|
||||||
sub_filter '</head>' '
|
sub_filter '</head>' '
|
||||||
{%- if modifier_css_enabled -%}
|
{%- if modifier_css_enabled -%}
|
||||||
{%- include "roles/srv-web-injector-css/templates/head_sub.j2" -%}
|
{%- include "roles/srv-web-7-7-inj-css/templates/head_sub.j2" -%}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
{%- if modifier_matomo_enabled -%}
|
{%- if modifier_matomo_enabled -%}
|
||||||
{%- include "roles/srv-web-injector-matomo/templates/head_sub.j2" -%}
|
{%- include "roles/srv-web-7-7-inj-matomo/templates/head_sub.j2" -%}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
{%- if modifier_iframe_enabled -%}
|
{%- if modifier_iframe_enabled -%}
|
||||||
{%- include "roles/srv-web-injector-iframe/templates/head_sub.j2" -%}
|
{%- include "roles/srv-web-7-7-inj-iframe/templates/head_sub.j2" -%}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
{%- if modifier_javascript_enabled -%}
|
{%- if modifier_javascript_enabled -%}
|
||||||
{%- include "roles/srv-web-injector-javascript/templates/head_sub.j2" -%}
|
{%- include "roles/srv-web-7-7-inj-javascript/templates/head_sub.j2" -%}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
</head>';
|
</head>';
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if modifier_css_enabled | bool %}
|
{% if modifier_css_enabled | bool %}
|
||||||
{% include 'roles/srv-web-injector-css/templates/location.conf.j2' %}
|
{% include 'roles/srv-web-7-7-inj-css/templates/location.conf.j2' %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if modifier_matomo_enabled %}
|
{% if modifier_matomo_enabled %}
|
||||||
{% include 'roles/srv-web-injector-matomo/templates/matomo-tracking.conf.j2' %}
|
{% include 'roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.conf.j2' %}
|
||||||
{% endif %}
|
{% endif %}
|
@ -26,4 +26,4 @@ galaxy_info:
|
|||||||
issue_tracker_url: https://s.veen.world/cymaisissues
|
issue_tracker_url: https://s.veen.world/cymaisissues
|
||||||
documentation: https://s.veen.world/cymais
|
documentation: https://s.veen.world/cymais
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
@ -1,4 +1,4 @@
|
|||||||
# Load this role via srv-web-injector-compose for consistency
|
# Load this role via srv-web-7-7-inj-compose for consistency
|
||||||
|
|
||||||
- name: Generate color palette with colorscheme-generator
|
- name: Generate color palette with colorscheme-generator
|
||||||
set_fact:
|
set_fact:
|
@ -25,4 +25,4 @@ galaxy_info:
|
|||||||
- security
|
- security
|
||||||
- postMessage
|
- postMessage
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
@ -25,4 +25,4 @@ galaxy_info:
|
|||||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
@ -14,11 +14,11 @@ galaxy_info:
|
|||||||
- analytics
|
- analytics
|
||||||
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
repository: "https://github.com/kevinveenbirkenbach/cymais"
|
||||||
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
|
||||||
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-injector-matomo"
|
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-7-7-inj-matomo"
|
||||||
min_ansible_version: "2.9"
|
min_ansible_version: "2.9"
|
||||||
platforms:
|
platforms:
|
||||||
- name: Any
|
- name: Any
|
||||||
versions: [ all ]
|
versions: [ all ]
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-core
|
- srv-web-7-4-core
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
# Load this role via srv-web-injector-compose for consistency
|
# Load this role via srv-web-7-7-inj-compose for consistency
|
||||||
|
|
||||||
- name: "Relevant variables for role: {{ role_path | basename }}"
|
- name: "Relevant variables for role: {{ role_path | basename }}"
|
||||||
debug:
|
debug:
|
@ -1,7 +0,0 @@
|
|||||||
- name: "include role srv-web-injector-compose for {{domain}}"
|
|
||||||
include_role:
|
|
||||||
name: srv-web-injector-compose
|
|
||||||
|
|
||||||
- name: "include role srv-web-tls-core for {{domain}}"
|
|
||||||
include_role:
|
|
||||||
name: srv-web-tls-core
|
|
@ -1,7 +0,0 @@
|
|||||||
---
|
|
||||||
- name: "restart srv-web-proxy-tls-deploy.cymais.service"
|
|
||||||
systemd:
|
|
||||||
name: srv-web-proxy-tls-deploy.{{application_id}}.cymais.service
|
|
||||||
state: restarted
|
|
||||||
enabled: yes
|
|
||||||
daemon_reload: yes
|
|
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
- name: "include role for {{application_id}} to receive certs & do modification routines"
|
- name: "include role for {{application_id}} to receive certs & do modification routines"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-composer
|
name: srv-web-7-6-composer
|
||||||
vars:
|
vars:
|
||||||
domain: "{{ item }}"
|
domain: "{{ item }}"
|
||||||
http_port: "{{ ports.localhost.http[application_id] }}"
|
http_port: "{{ ports.localhost.http[application_id] }}"
|
||||||
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
- name: configure {{domains | get_domain(application_id)}}.conf
|
- name: configure {{domains | get_domain(application_id)}}.conf
|
||||||
template:
|
template:
|
||||||
src: roles/srv-web-proxy-core/templates/vhost/basic.conf.j2
|
src: roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
|
||||||
dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf"
|
dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
|
@ -35,7 +35,7 @@ By default, BigBlueButton is deployed with best-practice hardening, modular secr
|
|||||||
## System Requirements
|
## System Requirements
|
||||||
|
|
||||||
- Arch Linux with Docker, Compose, and Nginx roles pre-installed
|
- Arch Linux with Docker, Compose, and Nginx roles pre-installed
|
||||||
- DNS and reverse proxy configuration using `srv-web-proxy-core`
|
- DNS and reverse proxy configuration using `srv-proxy-7-4-core`
|
||||||
- Functional email system for Greenlight SMTP
|
- Functional email system for Greenlight SMTP
|
||||||
|
|
||||||
## Important Resources
|
## Important Resources
|
||||||
|
@ -17,9 +17,9 @@
|
|||||||
database_username: "postgres"
|
database_username: "postgres"
|
||||||
database_name: "" # Multiple databases
|
database_name: "" # Multiple databases
|
||||||
|
|
||||||
- name: "include role srv-web-proxy-domain for {{application_id}}"
|
- name: "include role srv-proxy-6-6-domain for {{application_id}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
|
|
||||||
- name: pull docker repository
|
- name: pull docker repository
|
||||||
git:
|
git:
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
include_role:
|
include_role:
|
||||||
name: docker-compose
|
name: docker-compose
|
||||||
|
|
||||||
- name: "include role srv-web-proxy-domain for {{application_id}}"
|
- name: "include role srv-proxy-6-6-domain for {{application_id}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
vars:
|
vars:
|
||||||
domain: "{{ item.domain }}"
|
domain: "{{ item.domain }}"
|
||||||
http_port: "{{ item.http_port }}"
|
http_port: "{{ item.http_port }}"
|
||||||
|
@ -3,13 +3,13 @@ server {
|
|||||||
|
|
||||||
{% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
|
{% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
|
||||||
|
|
||||||
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2'%}
|
{% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
|
||||||
|
|
||||||
{% include 'roles/srv-web-proxy-core/templates/headers/content_security_policy.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
|
||||||
|
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
|
|
||||||
{% set location = '^~ /cool/' %}
|
{% set location = '^~ /cool/' %}
|
||||||
|
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
}
|
}
|
@ -23,4 +23,4 @@ galaxy_info:
|
|||||||
- all
|
- all
|
||||||
dependencies:
|
dependencies:
|
||||||
- docker-compose
|
- docker-compose
|
||||||
- srv-web-proxy-domain
|
- srv-proxy-6-6-domain
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: "include role srv-web-proxy-domain for {{application_id}}"
|
- name: "include role srv-proxy-6-6-domain for {{application_id}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
vars:
|
vars:
|
||||||
domain: "{{ domains | get_domain(application_id) }}"
|
domain: "{{ domains | get_domain(application_id) }}"
|
||||||
http_port: "{{ ports.localhost.http[application_id] }}"
|
http_port: "{{ ports.localhost.http[application_id] }}"
|
||||||
|
@ -9,7 +9,7 @@ This Ansible role deploys and configures [FusionDirectory](https://www.fusiondir
|
|||||||
- Loads and templating of FusionDirectory-specific variables
|
- Loads and templating of FusionDirectory-specific variables
|
||||||
- Generates a `.env` file for the container environment
|
- Generates a `.env` file for the container environment
|
||||||
- Deploys the FusionDirectory container via Docker Compose
|
- Deploys the FusionDirectory container via Docker Compose
|
||||||
- Configures NGINX (via the `srv-web-proxy-domain` role) to expose the service
|
- Configures NGINX (via the `srv-proxy-6-6-domain` role) to expose the service
|
||||||
- Integrates with your central LDAP server for authentication
|
- Integrates with your central LDAP server for authentication
|
||||||
|
|
||||||
## Features
|
## Features
|
||||||
|
@ -4,9 +4,9 @@
|
|||||||
name: cmp-db-docker-proxy
|
name: cmp-db-docker-proxy
|
||||||
when: run_once_docker_mailu is not defined
|
when: run_once_docker_mailu is not defined
|
||||||
|
|
||||||
- name: "Include the srv-web-proxy-tls-deploy role"
|
- name: "Include the srv-proxy-6-6-tls-deploy role"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-tls-deploy
|
name: srv-proxy-6-6-tls-deploy
|
||||||
when: run_once_docker_mailu is not defined
|
when: run_once_docker_mailu is not defined
|
||||||
|
|
||||||
- name: Flush docker service handlers
|
- name: Flush docker service handlers
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
- name: "Include setup for domain '{{ domain }}'"
|
- name: "Include setup for domain '{{ domain }}'"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
loop: "{{ domains.mastodon }}"
|
loop: "{{ domains.mastodon }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: domain
|
loop_var: domain
|
||||||
|
@ -24,4 +24,4 @@ galaxy_info:
|
|||||||
logo:
|
logo:
|
||||||
class: "fa-solid fa-satellite-dish"
|
class: "fa-solid fa-satellite-dish"
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-proxy-core
|
- srv-proxy-7-4-core
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
- name: "include role srv-web-proxy-domain for {{application_id}}"
|
- name: "include role srv-proxy-6-6-domain for {{application_id}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
loop:
|
loop:
|
||||||
- "{{domains.matrix.element}}"
|
- "{{domains.matrix.element}}"
|
||||||
- "{{domains.matrix.synapse}}"
|
- "{{domains.matrix.synapse}}"
|
||||||
|
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
- name: "include role for {{application_id}} to receive certs & do modification routines"
|
- name: "include role for {{application_id}} to receive certs & do modification routines"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-composer
|
name: srv-web-7-6-composer
|
||||||
vars:
|
vars:
|
||||||
domain: "{{domains.matrix.synapse}}"
|
domain: "{{domains.matrix.synapse}}"
|
||||||
http_port: "{{ports.localhost.http.synapse}}"
|
http_port: "{{ports.localhost.http.synapse}}"
|
||||||
@ -39,9 +39,9 @@
|
|||||||
http_port: "{{ports.localhost.http.synapse}}"
|
http_port: "{{ports.localhost.http.synapse}}"
|
||||||
notify: restart nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: "include role srv-web-proxy-domain for {{application_id}}"
|
- name: "include role srv-proxy-6-6-domain for {{application_id}}"
|
||||||
include_role:
|
include_role:
|
||||||
name: srv-web-proxy-domain
|
name: srv-proxy-6-6-domain
|
||||||
vars:
|
vars:
|
||||||
domain: "{{domains.matrix.element}}"
|
domain: "{{domains.matrix.element}}"
|
||||||
http_port: "{{ports.localhost.http.element}}"
|
http_port: "{{ports.localhost.http.element}}"
|
||||||
|
@ -11,6 +11,6 @@ server {
|
|||||||
listen 8448 ssl default_server;
|
listen 8448 ssl default_server;
|
||||||
listen [::]:8448 ssl default_server;
|
listen [::]:8448 ssl default_server;
|
||||||
|
|
||||||
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2'%}
|
{% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
|
||||||
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %}
|
{% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
|
||||||
}
|
}
|
@ -24,4 +24,4 @@ galaxy_info:
|
|||||||
- web-app-keycloak
|
- web-app-keycloak
|
||||||
- web-app-mailu
|
- web-app-mailu
|
||||||
dependencies:
|
dependencies:
|
||||||
- srv-web-proxy-core
|
- srv-proxy-7-4-core
|
Some files were not shown because too many files have changed in this diff Show More