diff --git a/roles/sys-stk-front-base/README.md b/roles/sys-stk-front-base/README.md
new file mode 100644
index 00000000..eff12086
--- /dev/null
+++ b/roles/sys-stk-front-base/README.md
@@ -0,0 +1,21 @@
+# Front Base (HTTPS + Cloudflare + Handlers) πŸš€
+
+## Description
+**sys-stk-front-base** bootstraps the front layer that most web-facing apps need:
+- Ensures the HTTPS base via `sys-svc-webserver-https`
+- (Optional) Cloudflare bootstrap (zone lookup, dev mode, purge)
+- Wires OpenResty/Nginx handlers
+- Leaves per-domain certificate issuance to consumer roles (or pass-through vars to `sys-util-csp-cert` if needed)
+
+> This role is intentionally small and reusable. It prepares the ground so app roles can just render their vHost.
+
+## Responsibilities
+- Include `sys-svc-webserver-https` (once per host)
+- Include Cloudflare tasks when `DNS_PROVIDER == "cloudflare"`
+- Load handler utilities (e.g., `svc-prx-openresty`)
+- Stay domain-agnostic: expect `domain` to be provided by the consumer
+
+## Outputs
+- Handler wiring completed
+- HTTPS base ready (Nginx, ACME webroot)
+- Cloudflare prepared (optional)
diff --git a/roles/sys-stk-front-base/meta/main.yml b/roles/sys-stk-front-base/meta/main.yml
new file mode 100644
index 00000000..3b46eaca
--- /dev/null
+++ b/roles/sys-stk-front-base/meta/main.yml
@@ -0,0 +1,24 @@
+galaxy_info:
+ author: "Kevin Veen-Birkenbach"
+ description: "Front bootstrap for web apps: HTTPS base, optional Cloudflare setup, and handler wiring."
+ license: "Infinito.Nexus NonCommercial License"
+ license_url: "https://s.infinito.nexus/license"
+ company: |
+ Kevin Veen-Birkenbach
+ Consulting & Coaching Solutions
+ https://www.veen.world
+ min_ansible_version: "2.9"
+ platforms:
+ - name: Archlinux
+ versions:
+ - rolling
+ galaxy_tags:
+ - nginx
+ - https
+ - cloudflare
+ - automation
+ - web
+ repository: "https://s.infinito.nexus/code"
+ issue_tracker_url: "https://s.infinito.nexus/issues"
+ documentation: "https://docs.infinito.nexus/"
+dependencies: []
\ No newline at end of file
diff --git a/roles/sys-stk-front-proxy/tasks/02_cloudflare.yml b/roles/sys-stk-front-base/tasks/01_cloudflare.yml
similarity index 100%
rename from roles/sys-stk-front-proxy/tasks/02_cloudflare.yml
rename to roles/sys-stk-front-base/tasks/01_cloudflare.yml
diff --git a/roles/sys-stk-front-proxy/tasks/cloudflare/01_cleanup.yml b/roles/sys-stk-front-base/tasks/cloudflare/01_cleanup.yml
similarity index 100%
rename from roles/sys-stk-front-proxy/tasks/cloudflare/01_cleanup.yml
rename to roles/sys-stk-front-base/tasks/cloudflare/01_cleanup.yml
diff --git a/roles/sys-stk-front-proxy/tasks/cloudflare/02_enable_cf_dev_mode.yml b/roles/sys-stk-front-base/tasks/cloudflare/02_enable_cf_dev_mode.yml
similarity index 100%
rename from roles/sys-stk-front-proxy/tasks/cloudflare/02_enable_cf_dev_mode.yml
rename to roles/sys-stk-front-base/tasks/cloudflare/02_enable_cf_dev_mode.yml
diff --git a/roles/sys-stk-front-base/tasks/main.yml b/roles/sys-stk-front-base/tasks/main.yml
new file mode 100644
index 00000000..a92fd82a
--- /dev/null
+++ b/roles/sys-stk-front-base/tasks/main.yml
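Review bot: The file ends on `+dependencies: []` with `\ No newline at end of file` and has no `---` document start, whereas `roles/web-svc-coturn/meta/main.yml` in the same commit begins with `---`; the new `roles/sys-stk-semi-stateless/meta/main.yml` shares the missing `---` and additionally omits the `dependencies` key altogether. Add a trailing newline and a leading `---` to both new meta files, and either add `dependencies: []` to the semi-stateless meta or drop it here so the two new role skeletons read alike. `dependencies: []` itself is consistent with the visible tasks, since `sys-svc-webserver-https` is pulled in at run time via `include_role` rather than as a static dependency.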
@@ -0,0 +1,14 @@
+- block:
+ - name: Include dependency 'sys-svc-webserver-https'
+ include_role:
+ name: sys-svc-webserver-https
+ when: run_once_sys_svc_webserver_https is not defined
+ - include_tasks: utils/run_once.yml
+ when: run_once_sys_stk_front_base is not defined
+
+- include_tasks: "01_cloudflare.yml"
+ when: DNS_PROVIDER == "cloudflare"
+
+- include_tasks: "{{ [ playbook_dir, 'tasks/utils/load_handlers.yml' ] | path_join }}"
+ vars:
+ handler_role_name: "svc-prx-openresty"
diff --git a/roles/sys-stk-front-proxy/tasks/01_base.yml b/roles/sys-stk-front-proxy/tasks/01_base.yml
index fdf3e559..3d4e7375 100644
--- a/roles/sys-stk-front-proxy/tasks/01_base.yml
+++ b/roles/sys-stk-front-proxy/tasks/01_base.yml
@@ -1,17 +1,6 @@
-- block:
- - name: Include dependency 'sys-svc-webserver-https'
- include_role:
- name: sys-svc-webserver-https
- when: run_once_sys_svc_webserver_https is not defined
- - include_tasks: utils/run_once.yml
- when: run_once_sys_stk_front_proxy is not defined
-
-- include_tasks: "02_cloudflare.yml"
- when: DNS_PROVIDER == "cloudflare"
-
-- include_tasks: "{{ [ playbook_dir, 'tasks/utils/load_handlers.yml' ] | path_join }}"
- vars:
- handler_role_name: "svc-prx-openresty"
+- name: Front bootstrap
+ include_role:
+ name: sys-stk-front-base
 
 - name: "include role for '{{ domain }}' to receive certificates and do the modification routines"
 include_role:
diff --git a/roles/sys-stk-semi-stateless/README.md b/roles/sys-stk-semi-stateless/README.md
new file mode 100644
index 00000000..6c44b44c
--- /dev/null
+++ b/roles/sys-stk-semi-stateless/README.md
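Review bot: Only the `sys-svc-webserver-https` include and the `utils/run_once.yml` marker live inside the `block`; the `01_cloudflare.yml` include and the `load_handlers.yml` include run on every include of this role, and after this commit the role is included from `web-svc-cdn`, `web-svc-file`, `web-svc-html`, `sys-stk-front-proxy` and `sys-stk-semi-stateless`, so the Cloudflare tasks (zone lookup, dev mode, purge per the README) and the handler loading execute once per consuming role rather than once per host. Indentation is lost in this rendering, so whether `when: run_once_sys_stk_front_base is not defined` guards the whole block or only the marker task cannot be verified here. If re-running the Cloudflare step per consumer is deliberate because it is domain-scoped, say so above the include, e.g. `# Cloudflare + handler wiring run on every include (per domain); only the HTTPS base is run_once`. Note also that `when: DNS_PROVIDER == "cloudflare"` aborts the play with an undefined-variable error when `DNS_PROVIDER` is unset; if inventories without it are expected, `when: DNS_PROVIDER | default("") == "cloudflare"` keeps the role usable.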
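Review bot: The `run_once_sys_stk_front_proxy` marker is no longer set anywhere in this hunk after the block was replaced by the `sys-stk-front-base` include, which sets `run_once_sys_stk_front_base` instead; any other task gated on `run_once_sys_stk_front_proxy is not defined` would now run unconditionally, so that name should be searched for across the repository before merging. The include passes no `vars`, so `sys-stk-front-base` sees `domain` only through the caller's scope, which appears fine here because the following task already relies on `'{{ domain }}'`, but a one-line comment such as `# domain is inherited from the caller; front-base is domain-agnostic` would make that dependency explicit. The rest of this task file continues outside the hunk.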
@@ -0,0 +1,13 @@
+# Semi-Stateless Stack (Front + Back) ⚑
+
+## Description
+**sys-stk-semi-stateless** combines the front and back layer into a lightweight, mostly stateless web service stack:
+- Front bootstrap via `sys-stk-front-base` (HTTPS base, optional Cloudflare, handlers)
+- Backend via `sys-stk-back-stateless` (no persistent volumes/DB)
+
+Ideal for services that need TLS/front glue but no database (e.g., TURN/STUN, gateways, simple APIs).
+
+## Responsibilities
+- Prepare the front layer (HTTPS / handlers / optional Cloudflare)
+- Deploy the stateless backend (typically via Docker Compose)
+- Keep domain variables (`domain`) and app-scoped variables (`application_id`) clearly separated
diff --git a/roles/sys-stk-semi-stateless/meta/main.yml b/roles/sys-stk-semi-stateless/meta/main.yml
new file mode 100644
index 00000000..374ca9fa
--- /dev/null
+++ b/roles/sys-stk-semi-stateless/meta/main.yml
@@ -0,0 +1,24 @@
+galaxy_info:
+ author: "Kevin Veen-Birkenbach"
+ description: "Combined semi-stateless app stack: front bootstrap + stateless backend."
+ license: "Infinito.Nexus NonCommercial License"
+ license_url: "https://s.infinito.nexus/license"
+ company: |
+ Kevin Veen-Birkenbach
+ Consulting & Coaching Solutions
+ https://www.veen.world
+ min_ansible_version: "2.9"
+ platforms:
+ - name: Archlinux
+ versions:
+ - rolling
+ galaxy_tags:
+ - nginx
+ - https
+ - stateless
+ - backend
+ - cloudflare
+ - automation
+ repository: "https://s.infinito.nexus/code"
+ issue_tracker_url: "https://s.infinito.nexus/issues"
+ documentation: "https://docs.infinito.nexus/"
diff --git a/roles/sys-stk-semi-stateless/tasks/main.yml b/roles/sys-stk-semi-stateless/tasks/main.yml
new file mode 100644
index 00000000..b97f8e7c
--- /dev/null
+++ b/roles/sys-stk-semi-stateless/tasks/main.yml
@@ -0,0 +1,11 @@
+# run_once_sys_stk_full_stateless: deactivated
+
+- name: "sys-stk-front-base"
+ include_role:
+ name: sys-stk-front-base
+ vars:
+ domain: "{{ domains | get_domain(application_id) }}"
+
+- name: "For '{{ application_id }}': Load sys-stk-back-stateless"
+ include_role:
+ name: sys-stk-back-stateless
diff --git a/roles/sys-util-csp-cert/README.md b/roles/sys-util-csp-cert/README.md
index 4eaa38d0..d3b62f99 100644
--- a/roles/sys-util-csp-cert/README.md
+++ b/roles/sys-util-csp-cert/README.md
@@ -1,4 +1,4 @@
-# Role: sys-util-csp-cert
+# sys-util-csp-cert
 
 This Ansible role composes and orchestrates all necessary HTTPS-layer tasks and HTML-content injections for your webserver domains.
 It integrates two key sub-roles into a unified workflow:
diff --git a/roles/web-svc-cdn/tasks/01_core.yml b/roles/web-svc-cdn/tasks/01_core.yml
index 11346274..1cc01fff 100644
--- a/roles/web-svc-cdn/tasks/01_core.yml
+++ b/roles/web-svc-cdn/tasks/01_core.yml
@@ -2,7 +2,7 @@
 include_role:
 name: '{{ item }}'
 loop:
- - sys-svc-webserver-https
+ - sys-stk-front-base
 - dev-git
 
 - name: "include role for {{ application_id }} to receive certs & do modification routines"
diff --git a/roles/web-svc-coturn/README.md b/roles/web-svc-coturn/README.md
index b5aac4b6..f7397895 100644
--- a/roles/web-svc-coturn/README.md
+++ b/roles/web-svc-coturn/README.md
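Review bot: The leading comment `# run_once_sys_stk_full_stateless: deactivated` names a `full_stateless` marker while this role is `sys-stk-semi-stateless`, so it reads as copied from another role; either rename it to `# run_once_sys_stk_semi_stateless: deactivated` or state the reason, e.g. `# no run_once guard: this stack is included once per application_id and resolves its own domain`. The first task's `name: "sys-stk-front-base"` is less informative than the second task's pattern; `- name: "For '{{ application_id }}': Load sys-stk-front-base"` keeps the two consistent. Whether `domains | get_domain(application_id)` fails or yields an empty value when `application_id` has no entry in `domains` is not visible here; since the result is handed to the HTTPS/Cloudflare layer as `domain`, a hard failure on a miss is preferable to an empty string reaching the web server configuration, so confirm the filter's behaviour.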
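Review bot: Swapping `sys-svc-webserver-https` for `sys-stk-front-base` inside the `loop` changes what runs here: per `roles/sys-stk-front-base/tasks/main.yml` in this commit, the new role also includes `01_cloudflare.yml` when `DNS_PROVIDER == "cloudflare"` and loads the `svc-prx-openresty` handlers on every include, and only the HTTPS base is guarded by `run_once`. The same swap is made in `roles/web-svc-file/tasks/main.yml` and `roles/web-svc-html/tasks/main.yml`. The front-base README states that `domain` must be provided by the consumer, but this loop passes no `vars`, so whether the Cloudflare tasks see a `domain` depends on the caller's scope and should be checked for all three roles. If the Cloudflare step is intended for these roles, a comment such as `# front base = HTTPS + handlers + optional Cloudflare; domain comes from the play scope` documents the new coupling; if not, keep `sys-svc-webserver-https` here.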
@@ -1,9 +1,46 @@
-# Coturn Server (DRAFT)
-setup an coturn server based on https://hub.docker.com/r/coturn/coturn
+# Coturn
 
-## todo
+This folder contains the role to deploy and manage a [Coturn](https://github.com/coturn/coturn) service.
 
-Needs to be implemented so that Nextcloud Talk works
+## Description
 
-## author
-[Kevin Veen-Birkenbach](https://www.veen.world)
\ No newline at end of file
+[Coturn](https://github.com/coturn/coturn) is a free and open-source **TURN (Traversal Using Relays around NAT)** and **STUN (Session Traversal Utilities for NAT)** server.
+It enables real-time communication (RTC) applications such as **WebRTC** to work reliably across NATs and firewalls.
+
+Without TURN/STUN, video calls, conferencing, and peer-to-peer connections often fail due to NAT traversal issues.
+Coturn solves this by acting as a **relay server** and/or **discovery service** for public IP addresses.
+
+More background:
+* Wikipedia: [Traversal Using Relays around NAT](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT)
+* Wikipedia: [Session Traversal Utilities for NAT](https://en.wikipedia.org/wiki/STUN)
+* Official Coturn Docs: [https://github.com/coturn/coturn/wiki](https://github.com/coturn/coturn/wiki)
+
+## Overview
+
+This role deploys Coturn via Docker Compose using the `sys-stk-semi-stateless` stack.
+It automatically configures:
+- TURN and STUN listening ports
+- Relay port ranges
+- TLS certificates (via Let’s Encrypt integration)
+- Long-term credentials and/or REST API secrets
+
+Typical use cases:
+- Nextcloud Talk
+- Jitsi
+- BigBlueButton
+- Any WebRTC-based application
+
+## Features
+
+* Stateless container deployment (no database or persistent volume required)
+* Automatic TLS handling via `sys-stk-front-base`
+* TURN and STUN support over TCP and UDP
+* Configurable relay port ranges for scaling
+* Integration into Infinito.Nexus inventory/variable system
+
+## Further Resources
+
+* Coturn Project β€” [https://github.com/coturn/coturn](https://github.com/coturn/coturn)
+* Coturn Wiki β€” [https://github.com/coturn/coturn/wiki](https://github.com/coturn/coturn/wiki)
+* TURN on Wikipedia β€” [https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT)
+* STUN on Wikipedia β€” [https://en.wikipedia.org/wiki/STUN](https://en.wikipedia.org/wiki/STUN)
diff --git a/roles/web-svc-coturn/meta/main.yml b/roles/web-svc-coturn/meta/main.yml
index 27d8a73c..9ff43253 100644
--- a/roles/web-svc-coturn/meta/main.yml
+++ b/roles/web-svc-coturn/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 galaxy_info:
 author: "Kevin Veen-Birkenbach"
- description: "Deploys a Coturn TURN/STUN server via Docker Compose, with automatic domain and port configuration for Nextcloud Talk."
+ description: "Deploys Coturn, a free and open-source TURN/STUN server"
 license: "Infinito.Nexus NonCommercial License"
 license_url: "https://s.infinito.nexus/license"
 company: |
@@ -12,12 +12,13 @@ galaxy_info:
 - coturn
 - turn
 - stun
+ - webrtc
 - docker
+ - stateless
+ - realtime
 repository: "https://s.infinito.nexus/code"
 issue_tracker_url: "https://s.infinito.nexus/issues"
- documentation: "https://s.infinito.nexus/code/tree/main/roles/web-svc-coturn"
- min_ansible_version: "2.9"
- platforms:
- - name: Any
- versions:
- - all
+ documentation: "https://github.com/coturn/coturn/wiki"
+ logo:
+ class: "webrtc"
+ run_after: []
diff --git a/roles/web-svc-coturn/tasks/main.yml b/roles/web-svc-coturn/tasks/main.yml
index 2d9c3f2f..ad4af46a 100644
--- a/roles/web-svc-coturn/tasks/main.yml
+++ b/roles/web-svc-coturn/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
-- name: "For '{{ application_id }}': Load sys-stk-back-stateless"
+- name: "Load 'sys-stk-semi-stateless' for '{{ application_id }}'"
 include_role:
- name: sys-stk-back-stateless
+ name: sys-stk-semi-stateless
diff --git a/roles/web-svc-file/tasks/main.yml b/roles/web-svc-file/tasks/main.yml
index a4ccf075..b8625cea 100644
--- a/roles/web-svc-file/tasks/main.yml
+++ b/roles/web-svc-file/tasks/main.yml
@@ -3,7 +3,7 @@
 include_role:
 name: '{{ item }}'
 loop:
- - sys-svc-webserver-https
+ - sys-stk-front-base
 - dev-git
 - include_tasks: utils/run_once.yml
 when: run_once_web_svc_file is not defined
diff --git a/roles/web-svc-html/tasks/main.yml b/roles/web-svc-html/tasks/main.yml
index 70fdd84c..697dc76d 100644
--- a/roles/web-svc-html/tasks/main.yml
+++ b/roles/web-svc-html/tasks/main.yml
@@ -3,7 +3,7 @@
 include_role:
 name: '{{ item }}'
 loop:
- - sys-svc-webserver-https
+ - sys-stk-front-base
 - dev-git
 - include_tasks: utils/run_once.yml
 when: run_once_web_svc_html is not defined
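Review bot: `min_ansible_version: "2.9"` and the `platforms` list are dropped from `galaxy_info` while the two meta files added in this same commit (`roles/sys-stk-front-base/meta/main.yml`, `roles/sys-stk-semi-stateless/meta/main.yml`) keep both, so role metadata is no longer uniform; unless the project has decided to retire these keys, restoring `min_ansible_version: "2.9"` keeps galaxy/lint output consistent across roles. `documentation` now points at the upstream Coturn wiki instead of the role's own page, which is a different statement about where this role is documented; a comment such as `# upstream docs; role-specific notes live in README.md` makes that intent clear. `logo` and `run_after: []` are new keys whose consumer is not visible in this diff, so they are assumed to be read by project tooling.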
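Review bot: Switching the include to `sys-stk-semi-stateless` makes this role depend on `domains | get_domain(application_id)` (set in `roles/sys-stk-semi-stateless/tasks/main.yml`), so an entry in `domains` for this `application_id` becomes a hard requirement that the new README does not mention. The README in this commit also states that TLS certificates are handled via Let’s Encrypt and `sys-stk-front-base`, yet the front-base README says per-domain certificate issuance is left to consumer roles, and neither this task file nor the semi-stateless stack visible here contains the "receive certificates" include that `sys-stk-front-proxy/tasks/01_base.yml` and `web-svc-cdn/tasks/01_core.yml` keep after their front bootstrap. Unless `sys-stk-back-stateless` issues the certificate, either add that step or correct the README's TLS claim, and record the inventory requirement above the task, e.g. `# requires domains[application_id]; semi-stateless resolves domain from it`.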