Optimized cloudflare implementation

This commit is contained in:
2025-04-29 02:20:10 +02:00
parent d796158c61
commit e5e394d470
13 changed files with 249 additions and 117 deletions


@@ -12,7 +12,7 @@
name: "{{ item }}"
content: "{{ cloudflare_target_ip }}"
ttl: 1
proxied: "{{ cloudflare_target_ip }}"
proxied: "{{ cloudflare_proxied | int }}"
loop: "{{ cloudflare_domains }}"
loop_control:
label: "{{ item }}"
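Review bot: `proxied: "{{ cloudflare_proxied | int }}"` silently turns any value the `int` filter cannot parse into its default of 0, so a caller passing the string `"true"` would get a DNS-only record with no error at all. `proxied` is a boolean module parameter, so `proxied: "{{ cloudflare_proxied | bool }}"` states the intent directly instead of routing a flag through an integer. An unproxied record publishes `cloudflare_target_ip` in public DNS, which is the wrong direction to fail silently in; if the origin address is meant to stay hidden, the role default for `cloudflare_proxied` should be `true` and callers opt out explicitly. The task's `name`/module lines lie before the hunk.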


@@ -4,6 +4,14 @@
include_role:
name: docker-compose
- name: "Seed BigBlueButton Database for Backup"
include_tasks: "{{ playbook_dir }}/roles/backup-docker-to-local/tasks/seed-database-to-backup.yml"
vars:
database_instance: "{{ application_id }}"
database_password: "{{ applications[application_id].credentials.postgresql_secret }}"
database_username: "postgres"
database_name: "" # Multiple databases
- name: "include role nginx-domain-setup for {{application_id}}"
include_role:
name: nginx-domain-setup
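Review bot: `database_name: ""` is used as a sentinel meaning "all databases", but the only code that can interpret an empty name is the included `seed-database-to-backup.yml` from the backup-docker-to-local role, which is not in this hunk; if that task interpolates the name into a dump or connection command, an empty string yields a malformed command or a dump of the default database rather than all of them. Make the contract explicit at the call site, e.g. `database_name: ""  # empty string = all databases of this instance; seed-database-to-backup.yml must handle this case`, and have the included task assert on it rather than rely on the convention. The task also hands over the postgres superuser password; confirm the seed task stores it with `no_log: true`, since a verbose run would otherwise print it.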


@@ -1,7 +1,7 @@
ENABLE_COTURN=true
COTURN_TLS_CERT_PATH={{ certbot_cert_path }}/{{ ssl_cert_folder }}/fullchain.pem
COTURN_TLS_KEY_PATH={{ certbot_cert_path }}/{{ ssl_cert_folder }}/privkey.pem
ENABLE_GREENLIGHT={{applications.bigbluebutton.enable_greenlight}}
ENABLE_GREENLIGHT={{applications[application_id].enable_greenlight}}
# Enable Webhooks
# used by some integrations
@@ -27,11 +27,11 @@ RECORDING_MAX_AGE_DAYS=365
# SECRETS
# ====================================
# important! change these to any random values
SHARED_SECRET={{applications.bigbluebutton.credentials.shared_secret}}
ETHERPAD_API_KEY={{applications.bigbluebutton.credentials.etherpad_api_key}}
RAILS_SECRET={{applications.bigbluebutton.credentials.rails_secret}}
POSTGRESQL_SECRET={{applications.bigbluebutton.credentials.postgresql_secret}}
FSESL_PASSWORD={{applications.bigbluebutton.credentials.fsesl_password}}
SHARED_SECRET={{applications[application_id].credentials.shared_secret}}
ETHERPAD_API_KEY={{applications[application_id].credentials.etherpad_api_key}}
RAILS_SECRET={{applications[application_id].credentials.rails_secret}}
POSTGRESQL_SECRET={{applications[application_id].credentials.postgresql_secret}}
FSESL_PASSWORD={{applications[application_id].credentials.fsesl_password}}
# ====================================
# CONNECTION
@@ -51,7 +51,7 @@ STUN_PORT={{ ports.public.stun[application_id] }}
# TURN SERVER
# uncomment and adjust following two lines to add an external TURN server
TURN_SERVER=turns:{{domains[application_id]}}:{{ ports.public.turn[application_id] }}?transport=tcp
TURN_SECRET={{applications.bigbluebutton.credentials.turn_secret}}
TURN_SECRET={{applications[application_id].credentials.turn_secret}}
# Allowed SIP IPs
# due to high traffic caused by bots, by default the SIP port is blocked.
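Review bot: The comment `# important! change these to any random values` above the SECRETS block is now misleading: every value below is rendered from `applications[application_id].credentials`, and editing the generated .env would be overwritten on the next run. Replace it with `# Rendered from applications[application_id].credentials — rotate values in the inventory/vault, never in this file`. Whether the task that renders this template restricts the file mode is not visible here; six secrets land in one plaintext file, so that task should set `mode: "0600"` and avoid printing the diff. The expressions in this block also drop the spaces inside the braces (`{{applications[application_id]...}}`) while the COTURN_TLS_* and TURN_SERVER lines use `{{ ... }}`; worth normalising while the lines are being touched.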


@@ -1,52 +1,50 @@
---
- name: "Remove Nginx configuration for deprecated domains"
ansible.builtin.command:
cmd: >-
rm -fv /etc/nginx/conf.d/http/servers/*.{{ item }}.conf;
rm -fv /etc/nginx/conf.d/http/servers/{{ item }}.conf
- name: Include task to remove deprecated nginx configs
include_tasks: remove_deprecated_nginx_configs.yml
loop: "{{ deprecated_domains }}"
loop_control:
label: "{{ item }}"
notify: restart nginx
vars:
domain: "{{ item }}"
when:
- mode_cleanup | bool
- run_once_nginx_domains_cleanup is not defined
# The revoking just works for the base domain
- name: "Revoke Certbot certificate for {{ item }}"
ansible.builtin.command:
cmd: "certbot revoke -n --cert-name {{ item }}"
become: true
loop: "{{ deprecated_domains }}"
loop_control:
label: "{{ item }}"
when:
- mode_cleanup | bool
- run_once_nginx_domains_cleanup is not defined
register: certbot_revoke_result
failed_when: >
certbot_revoke_result.rc != 0 and
'No certificate found with name' not in certbot_revoke_result.stderr
changed_when: >
certbot_revoke_result.rc == 0
# The deleting just works for the base domain
- name: "Delete Certbot certificate for {{ item }}"
ansible.builtin.command:
cmd: "certbot delete -n --cert-name {{ item }}"
become: true
loop: "{{ deprecated_domains }}"
loop_control:
label: "{{ item }}"
when:
- mode_cleanup | bool
- run_once_nginx_domains_cleanup is not defined
register: certbot_delete_result
failed_when: >
certbot_delete_result.rc != 0 and
'No certificate found with name' not in certbot_delete_result.stderr
changed_when: >
certbot_delete_result.rc == 0
## The revoking just works for the base domain
#- name: "Revoke Certbot certificate for {{ item }}"
# ansible.builtin.command:
# cmd: "certbot revoke -n --cert-name {{ item }} --non-interactive"
# become: true
# loop: "{{ deprecated_domains }}"
# loop_control:
# label: "{{ item }}"
# when:
# - mode_cleanup | bool
# - run_once_nginx_domains_cleanup is not defined
# register: certbot_revoke_result
# failed_when: >
# certbot_revoke_result.rc != 0 and
# 'No certificate found with name' not in certbot_revoke_result.stderr
# changed_when: >
# certbot_revoke_result.rc == 0
#
## The deleting just works for the base domain
#- name: "Delete Certbot certificate for {{ item }}"
# ansible.builtin.command:
# cmd: "certbot delete -n --cert-name {{ item }} --non-interactive"
# become: true
# loop: "{{ deprecated_domains }}"
# loop_control:
# label: "{{ item }}"
# when:
# - mode_cleanup | bool
# - run_once_nginx_domains_cleanup is not defined
# register: certbot_delete_result
# failed_when: >
# certbot_delete_result.rc != 0 and
# 'No certificate found with name' not in certbot_delete_result.stderr
# changed_when: >
# certbot_delete_result.rc == 0
- name: run the nginx_domains_cleanup role once
set_fact:
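Review bot: Commenting out the certbot revoke/delete tasks (the `## The revoking just works for the base domain` block through the last `changed_when`) means a deprecated domain now loses its nginx vhost but keeps its certificate and private key on disk, and certbot's renewal timer keeps renewing a certificate for a name that is no longer served. If revocation is the unreliable part, keep at least `certbot delete -n --cert-name {{ item }}` so the key material is removed and renewals stop; the existing `failed_when` on 'No certificate found with name' already makes that safe to repeat. Dead code in a cleanup playbook is easily mistaken for active behaviour, so either delete the block or replace it with a single comment stating why it is disabled, e.g. `# certbot revoke/delete intentionally skipped here: <reason>`. The role continues past this hunk (the run-once `set_fact` is cut off).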


@@ -0,0 +1,20 @@
---
- name: Find matching nginx configs for {{ domain }}
ansible.builtin.find:
paths: /etc/nginx/conf.d/http/servers
patterns: "*.{{ domain }}.conf"
register: find_result
- name: Remove wildcard nginx configs for {{ domain }}
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
loop: "{{ find_result.files | default([]) }}"
when: item is defined
notify: restart nginx
- name: Remove exact nginx config for {{ domain }}
ansible.builtin.file:
path: "/etc/nginx/conf.d/http/servers/{{ domain }}.conf"
state: absent
notify: restart nginx
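Review bot: `when: item is defined` on the wildcard-removal task is a no-op — inside a `loop`, `item` is always defined — and `find_result.files | default([])` is likewise redundant because `find` always returns a `files` list; both can be dropped. The guard that is actually missing is on `domain`: if it is unset or empty, the exact-config task resolves to `/etc/nginx/conf.d/http/servers/.conf` and the pattern degrades to `*..conf`, so an `ansible.builtin.assert` with `that: domain is defined and domain | length > 0` at the top of the file turns a templating mistake into a clear failure instead of a silent no-op. As a new file it should also carry a header comment, e.g. `# Removes the nginx server config for {{ domain }} and for all its subdomains (*.{{ domain }}.conf); included per deprecated domain from main.yml`.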


@@ -1,3 +1,9 @@
- name: "Check if certificate already exists for {{ domain }}"
cert_check_exists:
domain: "{{ domain }}"
cert_base_path: "{{ certbot_cert_path }}"
register: cert_check
- name: "receive certificate for {{ domain }}"
command: >-
certbot certonly
@@ -21,3 +27,4 @@
{{ '--test-cert' if mode_test | bool else '' }}
register: certbot_result
changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
when: not cert_check.exists
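Review bot: `when: not cert_check.exists` skips `certbot certonly` whenever any certificate for the domain is on disk, which interacts badly with the `--test-cert` switch a few lines above: a staging certificate issued during a `mode_test` run satisfies the existence check, so the following production run never replaces it and nginx keeps serving an untrusted certificate. `cert_check_exists` is a custom module not shown here; for this short-circuit to be safe it needs to report whether the certificate came from the staging CA (and ideally whether it still covers `domain` and is not close to expiry), with the task gated as `when: not cert_check.exists or cert_check.staging | default(false)`. Note that certonly was already idempotent via the `changed_when` on 'Certificate not yet due for renewal', so the skip is purely an optimisation and should not trade away correctness. The certonly argument lines between the two hunks are not visible.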


@@ -1,24 +1,24 @@
- name: "Include flavor"
include_tasks: "{{ role_path }}/tasks/flavors/{{ certbot_flavor }}.yml"
- name: "Cleanup dedicated cert for {{ domain }}"
command: >-
certbot delete --cert-name {{ domain }} --non-interactive
when:
- mode_cleanup | bool
# Cleanup mode is enabled
- certbot_flavor != 'dedicated'
# Wildcard certificate is enabled
- domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
# AND: The domain is a direct first-level subdomain of the primary domain
- domain != primary_domain
# The domain is not the primary domain
register: certbot_result
failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
changed_when: certbot_result.rc == 0 and ("No certificate found with name" not in certbot_result.stderr)
#- name: "Cleanup dedicated cert for {{ domain }}"
# command: >-
# certbot delete --cert-name {{ domain }} --non-interactive
# when:
# - mode_cleanup | bool
# # Cleanup mode is enabled
# - certbot_flavor != 'dedicated'
# # Wildcard certificate is enabled
# - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
# # AND: The domain is a direct first-level subdomain of the primary domain
# - domain != primary_domain
# # The domain is not the primary domain
# register: certbot_result
# failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
# changed_when: certbot_result.rc == 0 and ("No certificate found with name" not in certbot_result.stderr)
- name: Find SSL cert folder for domain
find_cert_folder:
cert_folder_find:
domain: "{{ domain }}"
certbot_flavor: "{{ certbot_flavor }}"
cert_base_path: "{{ certbot_cert_path }}"
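Review bot: With the dedicated-cert cleanup commented out, a domain that moves from the dedicated to the wildcard flavor keeps its per-domain certificate directory alongside the wildcard one, and `cert_folder_find` (a custom module not visible here) now has to choose between two matching folders; which one wins is not documented, and certbot's timer keeps renewing the stale one. Either delete the commented block or leave one comment naming why it is disabled, and state the precedence rule above the task, e.g. `# cert_folder_find prefers the wildcard folder when both a wildcard and a dedicated cert exist — see library/cert_folder_find`. If the cleanup was dropped because deleting a certificate nginx still references breaks the reload, the fix is ordering (run it after nginx points at the wildcard cert), not removal.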


@@ -8,21 +8,17 @@
set_fact:
www_domains: "{{ all_domains | select('match', '^www\\.') | list }}"
- name: Build redirect mappings for www domains
set_fact:
domain_mappings: >-
{{ www_domains
| map('regex_replace', '^www\\.(.+)$', '{ source: \"www.\\1\", target: \"\\1\" }')
| map('from_yaml')
| list
}}
- name: Include nginx-redirect-domain role for www-to-bare redirects
include_role:
name: nginx-redirect-domain
vars:
domain_mappings: "{{ domain_mappings }}"
when: certbot_flavor == 'dedicated'
domain_mappings: "{{ www_domains
| map('regex_replace',
'^www\\.(.+)$',
'{ source: \"www.\\1\", target: \"\\1\" }')
| map('from_yaml')
| list
}}"
- name: Include DNS role to set redirects
include_role:
@@ -31,5 +27,5 @@
cloudflare_api_token: "{{ certbot_dns_api_token }}"
cloudflare_domains: "{{ www_domains }}"
cloudflare_target_ip: "{{ networks.internet.ip4 }}"
cloudflare_proxied_false: false
cloudflare_proxied: false
when: dns_provider == 'cloudflare'
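Review bot: `cloudflare_proxied: false` — which now actually reaches the role after the variable-name fix — creates the `www.*` records DNS-only with `networks.internet.ip4` as their content, so the origin address is published in public DNS; if the bare domains are proxied through Cloudflare to hide that origin, the www hosts become the easy way to find it and bypass the proxy's filtering. If the records are deliberately unproxied (for instance because the redirect is served by local nginx with a certbot certificate), say so in place: `cloudflare_proxied: false  # DNS-only on purpose: redirect is terminated by local nginx; this exposes networks.internet.ip4`; otherwise default it to `true`. Separately, the inlined `domain_mappings` expression builds YAML text from domain names and re-parses it with `from_yaml`; a `set_fact` loop appending `{'source': item, 'target': item | regex_replace('^www\\.', '')}` produces the same list without round-tripping through a string. The include_role task for the DNS role starts before the last hunk.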