Renamed server roles by osi they work on

Kevin Veen-Birkenbach 2025-07-10 12:33:46 +02:00
parent c94d623f8f
commit 96268e7161
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
120 changed files with 167 additions and 167 deletions


@ -24,19 +24,19 @@ For a complete list of role categories and detailed definitions, see:
## Webserver & HTTP ## Webserver & HTTP
- **srv-web-core** - **srv-web-7-4-core**
Installs and configures the base Nginx server. Installs and configures the base Nginx server.
- **srv-web-tls-*** - **srv-web-6-6-tls-***
Manages TLS certificates and renewal (formerly “https”; e.g. `srv-web-tls-deploy`, `srv-web-tls-renew`). Manages TLS certificates and renewal (formerly “https”; e.g. `srv-web-6-6-tls-deploy`, `srv-web-6-6-tls-renew`).
- **srv-web-proxy-*** - **srv-web-proxy-***
Proxy and vhost orchestration roles (domain setup, OAuth2 proxy, etc.) Proxy and vhost orchestration roles (domain setup, OAuth2 proxy, etc.)
- **srv-web-injector-*** - **srv-web-7-7-inj-***
HTML response modifiers: CSS, JS, Matomo tracking, iframe notifier. HTML response modifiers: CSS, JS, Matomo tracking, iframe notifier.
- **srv-web-composer** - **srv-web-7-6-composer**
Aggregates multiple sub-filters into one include for your vhost. Aggregates multiple sub-filters into one include for your vhost.
- **web-svc-*** - **web-svc-***


@ -25,11 +25,11 @@ categories:
srv: srv:
web: web:
core: core:
title: "srv-web-core" title: "srv-web-7-4-core"
description: "Install & configure base Nginx server" description: "Install & configure base Nginx server"
icon: "fas fa-server" icon: "fas fa-server"
tls: tls:
title: "srv-web-tls-*" title: "srv-web-6-6-tls-*"
description: "Deploy & renew TLS certificates" description: "Deploy & renew TLS certificates"
icon: "fas fa-lock" icon: "fas fa-lock"
proxy: proxy:
@ -38,27 +38,27 @@ categories:
icon: "fas fa-project-diagram" icon: "fas fa-project-diagram"
injector: injector:
core: core:
title: "srv-web-injector-compose" title: "srv-web-7-7-inj-compose"
description: "Inject core HTML modifiers" description: "Inject core HTML modifiers"
icon: "fas fa-code" icon: "fas fa-code"
css: css:
title: "srv-web-injector-css" title: "srv-web-7-7-inj-css"
description: "Inject CSS into responses" description: "Inject CSS into responses"
icon: "fas fa-paint-brush" icon: "fas fa-paint-brush"
iframe: iframe:
title: "srv-web-injector-iframe" title: "srv-web-7-7-inj-iframe"
description: "Inject iframe notifier" description: "Inject iframe notifier"
icon: "fas fa-window-maximize" icon: "fas fa-window-maximize"
javascript: javascript:
title: "srv-web-injector-javascript" title: "srv-web-7-7-inj-javascript"
description: "Inject JS into responses" description: "Inject JS into responses"
icon: "fas fa-code" icon: "fas fa-code"
matomo: matomo:
title: "srv-web-injector-matomo" title: "srv-web-7-7-inj-matomo"
description: "Inject Matomo tracking code" description: "Inject Matomo tracking code"
icon: "fas fa-chart-pie" icon: "fas fa-chart-pie"
composer: composer:
title: "srv-web-composer" title: "srv-web-7-6-composer"
description: "Compose multiple filters into one include" description: "Compose multiple filters into one include"
icon: "fas fa-layer-group" icon: "fas fa-layer-group"


@ -21,5 +21,5 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues" issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais" documentation: "https://s.veen.world/cymais"
dependencies: dependencies:
- srv-web-core - srv-web-7-4-core
- core-daemon - core-daemon


@ -8,4 +8,4 @@ This role builds on `cmp-db-docker` by adding a reverse-proxy frontend for HTTP
Leverages the `cmp-db-docker` role to stand up your containerized database (PostgreSQL, MariaDB, etc.) with backups and user management. Leverages the `cmp-db-docker` role to stand up your containerized database (PostgreSQL, MariaDB, etc.) with backups and user management.
- **Reverse Proxy** - **Reverse Proxy**
Includes the `srv-web-proxy-domain` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint. Includes the `srv-proxy-6-6-domain` role to configure a proxy (e.g. nginx) for routing HTTP(S) traffic to your database UI or management endpoint.


@ -1,7 +1,7 @@
galaxy_info: galaxy_info:
author: "Kevin Veen-Birkenbach" author: "Kevin Veen-Birkenbach"
description: > description: >
Extends cmp-db-docker by adding an HTTP reverse proxy via srv-web-proxy-domain. Extends cmp-db-docker by adding an HTTP reverse proxy via srv-proxy-6-6-domain.
company: | company: |
Kevin Veen-Birkenbach Kevin Veen-Birkenbach
Consulting & Coaching Solutions Consulting & Coaching Solutions


@ -2,9 +2,9 @@
include_role: include_role:
name: cmp-db-docker name: cmp-db-docker
- name: "include role srv-web-proxy-domain for {{application_id}}" - name: "include role srv-proxy-6-6-domain for {{application_id}}"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
vars: vars:
domain: "{{ domains | get_domain(application_id) }}" domain: "{{ domains | get_domain(application_id) }}"
http_port: "{{ ports.localhost.http[application_id] }}" http_port: "{{ ports.localhost.http[application_id] }}"


@ -8,4 +8,4 @@ This role combines the standard Docker Compose setup with a reverse-proxy for an
Brings up containers, networks, and volumes via the `docker-compose` role. Brings up containers, networks, and volumes via the `docker-compose` role.
- **Reverse Proxy** - **Reverse Proxy**
Uses the `srv-web-proxy-domain` role to expose your application under a custom domain and port. Uses the `srv-proxy-6-6-domain` role to expose your application under a custom domain and port.


@ -1,7 +1,7 @@
galaxy_info: galaxy_info:
author: "Kevin Veen-Birkenbach" author: "Kevin Veen-Birkenbach"
description: > description: >
Combines the docker-compose role with srv-web-proxy-domain to Combines the docker-compose role with srv-proxy-6-6-domain to
deploy applications behind a reverse proxy. deploy applications behind a reverse proxy.
company: | company: |
Kevin Veen-Birkenbach Kevin Veen-Birkenbach


@ -2,9 +2,9 @@
include_role: include_role:
name: docker-compose name: docker-compose
- name: "include role srv-web-proxy-domain for {{application_id}}" - name: "include role srv-proxy-6-6-domain for {{application_id}}"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
vars: vars:
domain: "{{ domains | get_domain(application_id) }}" domain: "{{ domains | get_domain(application_id) }}"
http_port: "{{ ports.localhost.http[application_id] }}" http_port: "{{ ports.localhost.http[application_id] }}"


@ -20,7 +20,7 @@ To offer a centralized, extensible system for managing containerized application
- **Reset Logic:** Cleans previous Compose project files and data when `mode_reset` is enabled. - **Reset Logic:** Cleans previous Compose project files and data when `mode_reset` is enabled.
- **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers. - **Handlers for Runtime Control:** Automatically builds, sets up, or restarts containers based on handlers.
- **Template-ready Service Files:** Predefined service base and health check templates. - **Template-ready Service Files:** Predefined service base and health check templates.
- **Integration Support:** Compatible with `srv-web-proxy-core` and other CyMaIS service roles. - **Integration Support:** Compatible with `srv-proxy-7-4-core` and other CyMaIS service roles.
## Administration Tips ## Administration Tips


@ -23,4 +23,4 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues" issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais" documentation: "https://s.veen.world/cymais"
dependencies: dependencies:
- srv-web-tls-renew - srv-web-6-6-tls-renew


@ -6,11 +6,11 @@ This role bootstraps **per-domain Nginx configuration**: it requests TLS certifi
## Overview ## Overview
A higher-level orchestration wrapper, *srv-web-proxy-domain* ties together several lower-level roles: A higher-level orchestration wrapper, *srv-proxy-6-6-domain* ties together several lower-level roles:
1. **`srv-web-injector-compose`** applies global tweaks and includes. 1. **`srv-web-7-7-inj-compose`** applies global tweaks and includes.
2. **`srv-web-tls-core`** obtains Lets Encrypt certificates. 2. **`srv-web-6-6-tls-core`** obtains Lets Encrypt certificates.
3. **Domain template deployment** copies a Jinja2 vHost from *srv-web-proxy-core*. 3. **Domain template deployment** copies a Jinja2 vHost from *srv-proxy-7-4-core*.
4. **`web-app-oauth2-proxy`** *(optional)* protects the site with OAuth2. 4. **`web-app-oauth2-proxy`** *(optional)* protects the site with OAuth2.
The result is a complete, reproducible domain rollout in a single playbook task. The result is a complete, reproducible domain rollout in a single playbook task.


@ -2,4 +2,4 @@
vhost_flavour: "basic" # valid: basic | ws_generic vhost_flavour: "basic" # valid: basic | ws_generic
# build the full template path from the flavour # build the full template path from the flavour
vhost_template_src: "roles/srv-web-proxy-core/templates/vhost/{{ vhost_flavour }}.conf.j2" vhost_template_src: "roles/srv-proxy-7-4-core/templates/vhost/{{ vhost_flavour }}.conf.j2"


@ -24,4 +24,4 @@ galaxy_info:
issue_tracker_url: https://s.veen.world/cymaisissues issue_tracker_url: https://s.veen.world/cymaisissues
documentation: https://s.veen.world/cymais documentation: https://s.veen.world/cymais
dependencies: dependencies:
- srv-web-proxy-core - srv-proxy-7-4-core


@ -1,6 +1,6 @@
- name: "include role for {{domain}} to receive certificates and do the modification routines" - name: "include role for {{domain}} to receive certificates and do the modification routines"
include_role: include_role:
name: srv-web-composer name: srv-web-7-6-composer
- name: "Copy nginx config to {{ configuration_destination }}" - name: "Copy nginx config to {{ configuration_destination }}"
template: template:


@ -21,7 +21,7 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
### **1⃣ Main Tasks** ### **1⃣ Main Tasks**
1. **Add Deployment Script** 1. **Add Deployment Script**
- Copies `srv-web-proxy-tls-deploy.sh` to the administrator scripts directory. - Copies `srv-proxy-6-6-tls-deploy.sh` to the administrator scripts directory.
2. **Create Certificate Directory** 2. **Create Certificate Directory**
- Ensures `cert_mount_directory` exists with proper permissions. - Ensures `cert_mount_directory` exists with proper permissions.
@ -34,14 +34,14 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
### **2⃣ Handlers** ### **2⃣ Handlers**
- **Restart Nginx Service** - **Restart Nginx Service**
- Restarts `srv-web-proxy-tls-deploy` whenever a certificate update occurs. - Restarts `srv-proxy-6-6-tls-deploy` whenever a certificate update occurs.
--- ---
## **🔧 Deploying Certificates into Docker Containers** ## **🔧 Deploying Certificates into Docker Containers**
The role **automates copying certificates** into Docker Compose setups. The role **automates copying certificates** into Docker Compose setups.
### **1⃣ Deployment Script (`srv-web-proxy-tls-deploy.sh`)** ### **1⃣ Deployment Script (`srv-proxy-6-6-tls-deploy.sh`)**
This script: This script:
- **Copies certificates** to the correct container directory. - **Copies certificates** to the correct container directory.
- **Reloads Nginx** inside all running containers. - **Reloads Nginx** inside all running containers.
@ -49,7 +49,7 @@ This script:
**Usage:** **Usage:**
```sh ```sh
sh srv-web-proxy-tls-deploy.sh primary_domain /path/to/docker/compose sh srv-proxy-6-6-tls-deploy.sh primary_domain /path/to/docker/compose
``` ```
--- ---


@ -0,0 +1,7 @@
---
- name: "restart srv-proxy-6-6-tls-deploy.cymais.service"
systemd:
name: srv-proxy-6-6-tls-deploy.{{application_id}}.cymais.service
state: restarted
enabled: yes
daemon_reload: yes


@ -15,7 +15,7 @@ galaxy_info:
- systemd - systemd
repository: "https://github.com/kevinveenbirkenbach/cymais" repository: "https://github.com/kevinveenbirkenbach/cymais"
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues" issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-proxy-tls-deploy" documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-proxy-6-6-tls-deploy"
min_ansible_version: "2.9" min_ansible_version: "2.9"
platforms: platforms:
- name: Any - name: Any


@ -1,9 +1,9 @@
- name: add srv-web-proxy-tls-deploy.sh - name: add srv-proxy-6-6-tls-deploy.sh
copy: copy:
src: "srv-web-proxy-tls-deploy.sh" src: "srv-proxy-6-6-tls-deploy.sh"
dest: "{{nginx_docker_cert_deploy_script}}" dest: "{{nginx_docker_cert_deploy_script}}"
when: run_once_nginx_docker_cert_deploy is not defined when: run_once_nginx_docker_cert_deploy is not defined
notify: restart srv-web-proxy-tls-deploy.cymais.service notify: restart srv-proxy-6-6-tls-deploy.cymais.service
- name: run the nginx_docker_cert_deploy tasks once - name: run the nginx_docker_cert_deploy tasks once
set_fact: set_fact:
@ -15,18 +15,18 @@
path: "{{cert_mount_directory}}" path: "{{cert_mount_directory}}"
state: directory state: directory
mode: 0755 mode: 0755
notify: restart srv-web-proxy-tls-deploy.cymais.service notify: restart srv-proxy-6-6-tls-deploy.cymais.service
- name: configure srv-web-proxy-tls-deploy.cymais.service - name: configure srv-proxy-6-6-tls-deploy.cymais.service
template: template:
src: "srv-web-proxy-tls-deploy.service.j2" src: "srv-proxy-6-6-tls-deploy.service.j2"
dest: "/etc/systemd/system/srv-web-proxy-tls-deploy.{{application_id}}.cymais.service" dest: "/etc/systemd/system/srv-proxy-6-6-tls-deploy.{{application_id}}.cymais.service"
notify: restart srv-web-proxy-tls-deploy.cymais.service notify: restart srv-proxy-6-6-tls-deploy.cymais.service
- name: "include role for gen-timer for {{service_name}}" - name: "include role for gen-timer for {{service_name}}"
include_role: include_role:
name: gen-timer name: gen-timer
vars: vars:
on_calendar: "{{on_calendar_deploy_certificates}}" on_calendar: "{{on_calendar_deploy_certificates}}"
service_name: "srv-web-proxy-tls-deploy.{{application_id}}" service_name: "srv-proxy-6-6-tls-deploy.{{application_id}}"
persistent: "true" persistent: "true"
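Review bot: Nothing in the visible tasks removes the unit this role installed under its previous name, so hosts that were already provisioned keep `/etc/systemd/system/srv-web-proxy-tls-deploy.{{application_id}}.cymais.service` (and presumably the timer that gen-timer created for it) next to the new one. That stale unit would go on running the old copy of the deploy script, outside of what the playbook now manages. A cleanup task placed before "configure srv-proxy-6-6-tls-deploy.cymais.service" would close the gap; whether one exists elsewhere among the 120 changed files cannot be seen from this section. The same applies to `srv-web-tls-renew.cymais.service`, which the certbot tasks further down now write as `srv-web-6-6-tls-renew.cymais.service`.

```yaml
- name: remove the unit installed under the pre-rename name
  file:
    path: "/etc/systemd/system/srv-web-proxy-tls-deploy.{{ application_id }}.cymais.service"
    state: absent
  notify: restart srv-proxy-6-6-tls-deploy.cymais.service

# … unchanged: configure srv-proxy-6-6-tls-deploy.cymais.service …
```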


@ -4,4 +4,4 @@ OnFailure=alert-compose.cymais@%n.service
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/bin/bash {{path_administrator_scripts}}/srv-web-proxy-tls-deploy.sh {{ssl_cert_folder}} {{docker_compose.directories.instance}} ExecStart=/usr/bin/bash {{path_administrator_scripts}}/srv-proxy-6-6-tls-deploy.sh {{ssl_cert_folder}} {{docker_compose.directories.instance}}


@ -1 +1 @@
nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}srv-web-proxy-tls-deploy.sh" nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}srv-proxy-6-6-tls-deploy.sh"
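Review bot: This variable joins `{{path_administrator_scripts}}` and the script name without a separator, while the renamed unit template in this commit builds the same path with one (`{{path_administrator_scripts}}/srv-proxy-6-6-tls-deploy.sh`). If the directory variable has no trailing slash (its value is not visible here), the copy task writes the script to a different path than the one the service executes. The service would then run whatever file sits at its own path, not the one just deployed. Writing `nginx_docker_cert_deploy_script: "{{ path_administrator_scripts }}/srv-proxy-6-6-tls-deploy.sh"` works in both cases. Having the unit's `ExecStart` reference `{{ nginx_docker_cert_deploy_script }}` would additionally keep the two from drifting apart on the next rename.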


@ -16,7 +16,7 @@ The goal of this role is to deliver a **hassle-free, production-ready reverse pr
## Features ## Features
- **Automatic TLS & HSTS** — integrates with the *srv-web-https* role for certificate management. - **Automatic TLS & HSTS** — integrates with the *srv-web-7-6-https* role for certificate management.
- **Flexible vHost templates***basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications. - **Flexible vHost templates***basic* and *ws_generic* flavours cover standard HTTP and WebSocket applications.
- **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings. - **Security headers** — sensible defaults plus optional X-Frame-Options / CSP based on application settings.
- **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured. - **WebSocket & HTTP/2 aware** — upgrades, keep-alive tuning, and gzip already configured.


@ -24,5 +24,5 @@ galaxy_info:
issue_tracker_url: https://s.veen.world/cymaisissues issue_tracker_url: https://s.veen.world/cymaisissues
documentation: https://s.veen.world/cymais documentation: https://s.veen.world/cymais
dependencies: dependencies:
- srv-web-https - srv-web-7-6-https
- srv-web-core - srv-web-7-4-core


@ -14,7 +14,7 @@ location {{location | default("/")}}
proxy_set_header X-Forwarded-Port 443; proxy_set_header X-Forwarded-Port 443;
proxy_set_header Accept-Encoding ""; proxy_set_header Accept-Encoding "";
{% include 'roles/srv-web-proxy-core/templates/headers/content_security_policy.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
# WebSocket specific header # WebSocket specific header
proxy_http_version 1.1; proxy_http_version 1.1;


@ -6,7 +6,7 @@ server
{% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%} {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%}
{% endif %} {% endif %}
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2'%} {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
{% if proxy_extra_configuration is defined %} {% if proxy_extra_configuration is defined %}
{# Additional Domain Specific Configuration #} {# Additional Domain Specific Configuration #}
@ -22,38 +22,38 @@ server
{# 1. Expose everything by default, then protect blacklisted paths #} {# 1. Expose everything by default, then protect blacklisted paths #}
{% set oauth2_proxy_enabled = false %} {% set oauth2_proxy_enabled = false %}
{% set location = "/" %} {% set location = "/" %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% for loc in acl.blacklist %} {% for loc in acl.blacklist %}
{% set oauth2_proxy_enabled = true %} {% set oauth2_proxy_enabled = true %}
{% set location = loc %} {% set location = loc %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% endfor %} {% endfor %}
{% elif acl.whitelist is defined %} {% elif acl.whitelist is defined %}
{# 2. Protect everything by default, then expose whitelisted paths #} {# 2. Protect everything by default, then expose whitelisted paths #}
{% set oauth2_proxy_enabled = true %} {% set oauth2_proxy_enabled = true %}
{% set location = "/" %} {% set location = "/" %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% for loc in acl.whitelist %} {% for loc in acl.whitelist %}
{% set oauth2_proxy_enabled = false %} {% set oauth2_proxy_enabled = false %}
{% set location = loc %} {% set location = loc %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% endfor %} {% endfor %}
{% else %} {% else %}
{# 3. OAuth2 enabled but no (or empty) ACL — protect all #} {# 3. OAuth2 enabled but no (or empty) ACL — protect all #}
{% set oauth2_proxy_enabled = true %} {% set oauth2_proxy_enabled = true %}
{% set location = "/" %} {% set location = "/" %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% endif %} {% endif %}
{% else %} {% else %}
{# 4. OAuth2 completely disabled — expose all #} {# 4. OAuth2 completely disabled — expose all #}
{% set oauth2_proxy_enabled = false %} {% set oauth2_proxy_enabled = false %}
{% set location = "/" %} {% set location = "/" %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% endif %} {% endif %}
} }
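Review bot: The literal path `roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2` is repeated in all six includes of the OAuth2 ACL branches, so every role rename has to edit each protected and each exposed location separately. Defining it once above the ACL block, `{% set proxy_basic_tpl = 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}`, and writing `{% include proxy_basic_tpl %}` in the branches keeps them identical by construction and reduces the next rename to one line. The `server` block opens outside the hunk, so the placement of the `set` needs checking against the full template.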


@ -7,7 +7,7 @@ server {
server_name {{ domain }}; server_name {{ domain }};
{% include 'roles/net-letsencrypt/templates/ssl_header.j2' %} {% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2' %} {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2' %}
client_max_body_size {{ client_max_body_size | default('100m') }}; client_max_body_size {{ client_max_body_size | default('100m') }};
keepalive_timeout 70; keepalive_timeout 70;
@ -24,7 +24,7 @@ server {
add_header Strict-Transport-Security "max-age=31536000"; add_header Strict-Transport-Security "max-age=31536000";
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% if ws_path is defined %} {% if ws_path is defined %}
location {{ ws_path }} { location {{ ws_path }} {


@ -28,4 +28,4 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues" issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais" documentation: "https://s.veen.world/cymais"
dependencies: dependencies:
- srv-web-https - srv-web-7-6-https


@ -1,6 +1,6 @@
- name: "reload certbot service" - name: "reload certbot service"
systemd: systemd:
name: srv-web-tls-renew.cymais.service name: srv-web-6-6-tls-renew.cymais.service
state: reloaded state: reloaded
enabled: yes enabled: yes
daemon_reload: yes daemon_reload: yes


@ -28,6 +28,6 @@ galaxy_info:
documentation: "https://s.veen.world/cymais" documentation: "https://s.veen.world/cymais"
dependencies: dependencies:
- gen-certbot - gen-certbot
- srv-web-core - srv-web-7-4-core
- alert-compose - alert-compose
- cln-certs - cln-certs


@ -5,10 +5,10 @@
state: present state: present
when: run_once_nginx_certbot is not defined when: run_once_nginx_certbot is not defined
- name: configure srv-web-tls-renew.cymais.service - name: configure srv-web-6-6-tls-renew.cymais.service
template: template:
src: srv-web-tls-renew.service.j2 src: srv-web-6-6-tls-renew.service.j2
dest: /etc/systemd/system/srv-web-tls-renew.cymais.service dest: /etc/systemd/system/srv-web-6-6-tls-renew.cymais.service
notify: reload certbot service notify: reload certbot service
when: run_once_nginx_certbot is not defined when: run_once_nginx_certbot is not defined


@ -18,7 +18,7 @@ galaxy_info:
- performance - performance
repository: "https://github.com/kevinveenbirkenbach/cymais" repository: "https://github.com/kevinveenbirkenbach/cymais"
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues" issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-core" documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-7-4-core"
dependencies: dependencies:
- mon-bot-webserver - mon-bot-webserver
- mon-bot-csp - mon-bot-csp


@ -1,10 +1,10 @@
# Role: srv-web-composer # Role: srv-web-7-6-composer
This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and HTML-content injections for your webserver domains. It integrates two key sub-roles into a unified workflow: This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and HTML-content injections for your webserver domains. It integrates two key sub-roles into a unified workflow:
1. **`srv-web-injector-compose`** 1. **`srv-web-7-7-inj-compose`**
Injects global HTML snippets (CSS, Matomo tracking, iFrame notifier, custom JavaScript) into responses using Nginx `sub_filter`. Injects global HTML snippets (CSS, Matomo tracking, iFrame notifier, custom JavaScript) into responses using Nginx `sub_filter`.
2. **`srv-web-tls-core`** 2. **`srv-web-6-6-tls-core`**
Handles issuing, renewing, and managing TLS certificates via ACME/Certbot. Handles issuing, renewing, and managing TLS certificates via ACME/Certbot.
By combining encryption setup with content enhancements, this role streamlines domain provisioning for secure, fully-featured HTTP/HTTPS delivery. By combining encryption setup with content enhancements, this role streamlines domain provisioning for secure, fully-featured HTTP/HTTPS delivery.
@ -16,7 +16,7 @@ By combining encryption setup with content enhancements, this role streamlines d
* **Content Injection** * **Content Injection**
Adds global theming, analytics, and custom scripts before `</head>` and tracking noscript tags before `</body>`. Adds global theming, analytics, and custom scripts before `</head>` and tracking noscript tags before `</body>`.
* **Certificate Management** * **Certificate Management**
Automates cert issuance and renewal via `srv-web-tls-core`. Automates cert issuance and renewal via `srv-web-6-6-tls-core`.
* **Idempotent Workflow** * **Idempotent Workflow**
Ensures each component runs only once per domain. Ensures each component runs only once per domain.
* **Simplified Playbooks** * **Simplified Playbooks**


@ -27,7 +27,7 @@ galaxy_info:
- orchestration - orchestration
repository: "https://github.com/kevinveenbirkenbach/cymais" repository: "https://github.com/kevinveenbirkenbach/cymais"
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues" issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-composer" documentation: "https://github.com/kevinveenbirkenbach/cymais/roles/srv-web-7-6-composer"
dependencies: dependencies:
- srv-web-injector-compose - srv-web-7-7-inj-compose
- srv-web-tls-core - srv-web-6-6-tls-core


@ -0,0 +1,7 @@
- name: "include role srv-web-7-7-inj-compose for {{domain}}"
include_role:
name: srv-web-7-7-inj-compose
- name: "include role srv-web-6-6-tls-core for {{domain}}"
include_role:
name: srv-web-6-6-tls-core


@ -1,21 +1,21 @@
# Webserver HTTPS Provisioning 🚀 # Webserver HTTPS Provisioning 🚀
## Description ## Description
The **srv-web-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS: The **srv-web-7-6-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
1. Ensures your Nginx server is configured for SSL/TLS. 1. Ensures your Nginx server is configured for SSL/TLS.
2. Pulls in Lets Encrypt ACME challenge handling. 2. Pulls in Lets Encrypt ACME challenge handling.
3. Applies global cleanup of unused domain configs. 3. Applies global cleanup of unused domain configs.
This role is built on top of your existing `srv-web-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites. This role is built on top of your existing `srv-web-7-4-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
--- ---
## Overview ## Overview
When you apply **srv-web-https**, it will: When you apply **srv-web-7-6-https**, it will:
1. **Include** the `srv-web-core` role to install and configure Nginx. 1. **Include** the `srv-web-7-4-core` role to install and configure Nginx.
2. **Clean up** any stale vHost files under `cln-domains`. 2. **Clean up** any stale vHost files under `cln-domains`.
3. **Deploy** the Lets Encrypt challenge-and-redirect snippet from `net-letsencrypt`. 3. **Deploy** the Lets Encrypt challenge-and-redirect snippet from `net-letsencrypt`.
4. **Reload** Nginx automatically when any template changes. 4. **Reload** Nginx automatically when any template changes.
@ -42,7 +42,7 @@ All tasks are idempotent—once your certificates are in place and your configur
## Requirements ## Requirements
- A working `srv-web-core` setup. - A working `srv-web-7-4-core` setup.
- DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow. - DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
- Variables: - Variables:
- `certbot_webroot_path` - `certbot_webroot_path`


@ -24,6 +24,6 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues" issue_tracker_url: "https://s.veen.world/cymaisissues"
dependencies: dependencies:
- srv-web-core - srv-web-7-4-core
- cln-domains - cln-domains
- net-letsencrypt - net-letsencrypt


@ -15,7 +15,7 @@ galaxy_info:
- theming - theming
repository: "https://github.com/kevinveenbirkenbach/cymais" repository: "https://github.com/kevinveenbirkenbach/cymais"
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues" issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-injector-compose" documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-7-7-inj-compose"
min_ansible_version: "2.9" min_ansible_version: "2.9"
platforms: platforms:
- name: Any - name: Any
@ -23,5 +23,5 @@ galaxy_info:
- all - all
dependencies: dependencies:
# The injections are called in the script. Keep the logic there. # The injections are called in the script. Keep the logic there.
- srv-web-core - srv-web-7-4-core


@ -1,19 +1,19 @@
- name: "Activate Global CSS for {{domain}}" - name: "Activate Global CSS for {{domain}}"
include_role: include_role:
name: srv-web-injector-css name: srv-web-7-7-inj-css
when: applications | is_feature_enabled('css',application_id) when: applications | is_feature_enabled('css',application_id)
- name: "Activate Global Matomo Tracking for {{domain}}" - name: "Activate Global Matomo Tracking for {{domain}}"
include_role: include_role:
name: srv-web-injector-matomo name: srv-web-7-7-inj-matomo
when: applications | is_feature_enabled('matomo',application_id) when: applications | is_feature_enabled('matomo',application_id)
- name: "Activate Portfolio iFrame Notifier for {{ domain }}" - name: "Activate Portfolio iFrame Notifier for {{ domain }}"
include_role: include_role:
name: srv-web-injector-iframe name: srv-web-7-7-inj-iframe
when: applications | is_feature_enabled('portfolio_iframe', application_id) when: applications | is_feature_enabled('portfolio_iframe', application_id)
- name: "Activate Javascript for {{ domain }}" - name: "Activate Javascript for {{ domain }}"
include_role: include_role:
name: srv-web-injector-javascript name: srv-web-7-7-inj-javascript
when: applications | is_feature_enabled('javascript', application_id) when: applications | is_feature_enabled('javascript', application_id)


@ -10,24 +10,24 @@ sub_filter_types text/html;
{% if modifier_iframe_enabled or modifier_css_enabled or modifier_matomo_enabled or modifier_javascript_enabled %} {% if modifier_iframe_enabled or modifier_css_enabled or modifier_matomo_enabled or modifier_javascript_enabled %}
sub_filter '</head>' ' sub_filter '</head>' '
{%- if modifier_css_enabled -%} {%- if modifier_css_enabled -%}
{%- include "roles/srv-web-injector-css/templates/head_sub.j2" -%} {%- include "roles/srv-web-7-7-inj-css/templates/head_sub.j2" -%}
{%- endif -%} {%- endif -%}
{%- if modifier_matomo_enabled -%} {%- if modifier_matomo_enabled -%}
{%- include "roles/srv-web-injector-matomo/templates/head_sub.j2" -%} {%- include "roles/srv-web-7-7-inj-matomo/templates/head_sub.j2" -%}
{%- endif -%} {%- endif -%}
{%- if modifier_iframe_enabled -%} {%- if modifier_iframe_enabled -%}
{%- include "roles/srv-web-injector-iframe/templates/head_sub.j2" -%} {%- include "roles/srv-web-7-7-inj-iframe/templates/head_sub.j2" -%}
{%- endif -%} {%- endif -%}
{%- if modifier_javascript_enabled -%} {%- if modifier_javascript_enabled -%}
{%- include "roles/srv-web-injector-javascript/templates/head_sub.j2" -%} {%- include "roles/srv-web-7-7-inj-javascript/templates/head_sub.j2" -%}
{%- endif -%} {%- endif -%}
</head>'; </head>';
{% endif %} {% endif %}
{% if modifier_css_enabled | bool %} {% if modifier_css_enabled | bool %}
{% include 'roles/srv-web-injector-css/templates/location.conf.j2' %} {% include 'roles/srv-web-7-7-inj-css/templates/location.conf.j2' %}
{% endif %} {% endif %}
{% if modifier_matomo_enabled %} {% if modifier_matomo_enabled %}
{% include 'roles/srv-web-injector-matomo/templates/matomo-tracking.conf.j2' %} {% include 'roles/srv-web-7-7-inj-matomo/templates/matomo-tracking.conf.j2' %}
{% endif %} {% endif %}


@ -26,4 +26,4 @@ galaxy_info:
issue_tracker_url: https://s.veen.world/cymaisissues issue_tracker_url: https://s.veen.world/cymaisissues
documentation: https://s.veen.world/cymais documentation: https://s.veen.world/cymais
dependencies: dependencies:
- srv-web-core - srv-web-7-4-core


@ -1,4 +1,4 @@
# Load this role via srv-web-injector-compose for consistency # Load this role via srv-web-7-7-inj-compose for consistency
- name: Generate color palette with colorscheme-generator - name: Generate color palette with colorscheme-generator
set_fact: set_fact:


@ -25,4 +25,4 @@ galaxy_info:
- security - security
- postMessage - postMessage
dependencies: dependencies:
- srv-web-core - srv-web-7-4-core


@ -25,4 +25,4 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues" issue_tracker_url: "https://s.veen.world/cymaisissues"
dependencies: dependencies:
- srv-web-core - srv-web-7-4-core


@ -14,11 +14,11 @@ galaxy_info:
- analytics - analytics
repository: "https://github.com/kevinveenbirkenbach/cymais" repository: "https://github.com/kevinveenbirkenbach/cymais"
issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues" issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-injector-matomo" documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-7-7-inj-matomo"
min_ansible_version: "2.9" min_ansible_version: "2.9"
platforms: platforms:
- name: Any - name: Any
versions: [ all ] versions: [ all ]
dependencies: dependencies:
- srv-web-core - srv-web-7-4-core


@ -1,4 +1,4 @@
# Load this role via srv-web-injector-compose for consistency # Load this role via srv-web-7-7-inj-compose for consistency
- name: "Relevant variables for role: {{ role_path | basename }}" - name: "Relevant variables for role: {{ role_path | basename }}"
debug: debug:


@ -1,7 +0,0 @@
- name: "include role srv-web-injector-compose for {{domain}}"
include_role:
name: srv-web-injector-compose
- name: "include role srv-web-tls-core for {{domain}}"
include_role:
name: srv-web-tls-core


@ -1,7 +0,0 @@
---
- name: "restart srv-web-proxy-tls-deploy.cymais.service"
systemd:
name: srv-web-proxy-tls-deploy.{{application_id}}.cymais.service
state: restarted
enabled: yes
daemon_reload: yes


@ -5,7 +5,7 @@
- name: "include role for {{application_id}} to receive certs & do modification routines" - name: "include role for {{application_id}} to receive certs & do modification routines"
include_role: include_role:
name: srv-web-composer name: srv-web-7-6-composer
vars: vars:
domain: "{{ item }}" domain: "{{ item }}"
http_port: "{{ ports.localhost.http[application_id] }}" http_port: "{{ ports.localhost.http[application_id] }}"
@ -15,7 +15,7 @@
- name: configure {{domains | get_domain(application_id)}}.conf - name: configure {{domains | get_domain(application_id)}}.conf
template: template:
src: roles/srv-web-proxy-core/templates/vhost/basic.conf.j2 src: roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2
dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf" dest: "{{nginx.directories.http.servers}}{{domains | get_domain(application_id)}}.conf"
notify: restart nginx notify: restart nginx


@ -35,7 +35,7 @@ By default, BigBlueButton is deployed with best-practice hardening, modular secr
## System Requirements ## System Requirements
- Arch Linux with Docker, Compose, and Nginx roles pre-installed - Arch Linux with Docker, Compose, and Nginx roles pre-installed
- DNS and reverse proxy configuration using `srv-web-proxy-core` - DNS and reverse proxy configuration using `srv-proxy-7-4-core`
- Functional email system for Greenlight SMTP - Functional email system for Greenlight SMTP
## Important Resources ## Important Resources


@ -17,9 +17,9 @@
database_username: "postgres" database_username: "postgres"
database_name: "" # Multiple databases database_name: "" # Multiple databases
- name: "include role srv-web-proxy-domain for {{application_id}}" - name: "include role srv-proxy-6-6-domain for {{application_id}}"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
- name: pull docker repository - name: pull docker repository
git: git:


@ -2,9 +2,9 @@
include_role: include_role:
name: docker-compose name: docker-compose
- name: "include role srv-web-proxy-domain for {{application_id}}" - name: "include role srv-proxy-6-6-domain for {{application_id}}"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
vars: vars:
domain: "{{ item.domain }}" domain: "{{ item.domain }}"
http_port: "{{ item.http_port }}" http_port: "{{ item.http_port }}"


@ -3,13 +3,13 @@ server {
{% include 'roles/net-letsencrypt/templates/ssl_header.j2' %} {% include 'roles/net-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2'%} {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
{% include 'roles/srv-web-proxy-core/templates/headers/content_security_policy.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
{% set location = '^~ /cool/' %} {% set location = '^~ /cool/' %}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
} }


@ -23,4 +23,4 @@ galaxy_info:
- all - all
dependencies: dependencies:
- docker-compose - docker-compose
- srv-web-proxy-domain - srv-proxy-6-6-domain


@ -1,8 +1,8 @@
--- ---
- name: "include role srv-web-proxy-domain for {{application_id}}" - name: "include role srv-proxy-6-6-domain for {{application_id}}"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
vars: vars:
domain: "{{ domains | get_domain(application_id) }}" domain: "{{ domains | get_domain(application_id) }}"
http_port: "{{ ports.localhost.http[application_id] }}" http_port: "{{ ports.localhost.http[application_id] }}"


@ -9,7 +9,7 @@ This Ansible role deploys and configures [FusionDirectory](https://www.fusiondir
- Loads and templating of FusionDirectory-specific variables - Loads and templating of FusionDirectory-specific variables
- Generates a `.env` file for the container environment - Generates a `.env` file for the container environment
- Deploys the FusionDirectory container via Docker Compose - Deploys the FusionDirectory container via Docker Compose
- Configures NGINX (via the `srv-web-proxy-domain` role) to expose the service - Configures NGINX (via the `srv-proxy-6-6-domain` role) to expose the service
- Integrates with your central LDAP server for authentication - Integrates with your central LDAP server for authentication
## Features ## Features


@ -4,9 +4,9 @@
name: cmp-db-docker-proxy name: cmp-db-docker-proxy
when: run_once_docker_mailu is not defined when: run_once_docker_mailu is not defined
- name: "Include the srv-web-proxy-tls-deploy role" - name: "Include the srv-proxy-6-6-tls-deploy role"
include_role: include_role:
name: srv-web-proxy-tls-deploy name: srv-proxy-6-6-tls-deploy
when: run_once_docker_mailu is not defined when: run_once_docker_mailu is not defined
- name: Flush docker service handlers - name: Flush docker service handlers


@ -5,7 +5,7 @@
- name: "Include setup for domain '{{ domain }}'" - name: "Include setup for domain '{{ domain }}'"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
loop: "{{ domains.mastodon }}" loop: "{{ domains.mastodon }}"
loop_control: loop_control:
loop_var: domain loop_var: domain


@ -24,4 +24,4 @@ galaxy_info:
logo: logo:
class: "fa-solid fa-satellite-dish" class: "fa-solid fa-satellite-dish"
dependencies: dependencies:
- srv-web-proxy-core - srv-proxy-7-4-core


@ -1,7 +1,7 @@
--- ---
- name: "include role srv-web-proxy-domain for {{application_id}}" - name: "include role srv-proxy-6-6-domain for {{application_id}}"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
loop: loop:
- "{{domains.matrix.element}}" - "{{domains.matrix.element}}"
- "{{domains.matrix.synapse}}" - "{{domains.matrix.synapse}}"


@ -14,7 +14,7 @@
- name: "include role for {{application_id}} to receive certs & do modification routines" - name: "include role for {{application_id}} to receive certs & do modification routines"
include_role: include_role:
name: srv-web-composer name: srv-web-7-6-composer
vars: vars:
domain: "{{domains.matrix.synapse}}" domain: "{{domains.matrix.synapse}}"
http_port: "{{ports.localhost.http.synapse}}" http_port: "{{ports.localhost.http.synapse}}"
@ -39,9 +39,9 @@
http_port: "{{ports.localhost.http.synapse}}" http_port: "{{ports.localhost.http.synapse}}"
notify: restart nginx notify: restart nginx
- name: "include role srv-web-proxy-domain for {{application_id}}" - name: "include role srv-proxy-6-6-domain for {{application_id}}"
include_role: include_role:
name: srv-web-proxy-domain name: srv-proxy-6-6-domain
vars: vars:
domain: "{{domains.matrix.element}}" domain: "{{domains.matrix.element}}"
http_port: "{{ports.localhost.http.element}}" http_port: "{{ports.localhost.http.element}}"


@ -11,6 +11,6 @@ server {
listen 8448 ssl default_server; listen 8448 ssl default_server;
listen [::]:8448 ssl default_server; listen [::]:8448 ssl default_server;
{% include 'roles/srv-web-injector-compose/templates/global.includes.conf.j2'%} {% include 'roles/srv-web-7-7-inj-compose/templates/global.includes.conf.j2'%}
{% include 'roles/srv-web-proxy-core/templates/location/proxy_basic.conf.j2' %} {% include 'roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2' %}
} }


@ -24,4 +24,4 @@ galaxy_info:
- web-app-keycloak - web-app-keycloak
- web-app-mailu - web-app-mailu
dependencies: dependencies:
- srv-web-proxy-core - srv-proxy-7-4-core
