vhost: support proxying to unix sockets

Meant to be used by other roles

roles/caddy/meta/argument_specs.yaml

@@ -0,0 +1,9 @@
+---
+argument_specs:
+  main:
+    short_description: Installs caddy
+    options:
+      caddy_admin_email:
+        description: Email address used for ssl certs
+        type: str
+        required: true

roles/caddy/tasks/main.yml

@@ -1,7 +1,16 @@
 ---
+- name: Ensure host distribution is supported
+  ansible.builtin.import_role:
+    name: compatcheck
+  vars:
+    compatcheck_supported_distributions:
+      - name: debian
+        version_min: 11
+      - name: ubuntu
+        version_min: 20
 
 - name: Add caddy apt repository
-  ansible.builtin.import_role:
+  ansible.builtin.include_role:
     name: apt_repository
   vars:
     repo_name: caddy-stable
@@ -10,6 +19,9 @@
     repo_suite: any-version
     repo_components:
       - main
+  when: >
+    (ansible_distribution == 'Debian' and ansible_distribution_major_version | int == 11) or
+    (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int < 24)
 
 - name: Install caddy
   ansible.builtin.apt:
@@ -31,7 +43,7 @@
     marker: "# {mark} ANSIBLE MANAGED BLOCK general"
     block: |
       {
-        email {{ admin_email }}
+        email {{ caddy_admin_email }}
       }
     validate: 'caddy validate --config %s --adapter caddyfile'
     backup: true

roles/compatcheck/meta/argument_specs.yaml

@@ -0,0 +1,32 @@
+---
+argument_specs:
+  main:
+    short_description: Checks that the host is running a supported os
+    description:
+      - Checks that the host is runing a supported os.
+      - Supported distros and versions are defined by the compatcheck_supported_distros variable.
+      - This role is used by other roles to check compatibility.
+    options:
+      compatcheck_supported_distributions:
+        description: A list of distros and versions supported by the role.
+        type: list
+        required: true
+        elements: dict
+        options:
+          name:
+            description: Name of the distro, in lowercase
+            type: str
+            required: true
+            choices:
+              - debian
+              - ubuntu
+              - fedora
+              - archlinux
+          version_min:
+            description: Earliest supported major version. Allows any version if not specified.
+            type: int
+            required: false
+          version_max:
+            description: Last supported major version. Allows any version if not specified.
+            type: int
+            required: false

roles/compatcheck/tasks/main.yaml

@@ -0,0 +1,15 @@
+---
+- name: Fail if distribution not supported
+  ansible.builtin.fail:
+    msg: "{{ lookup('ansible.builtin.template', 'distroerror.j2').strip() }}"
+  when: checkfailed
+  loop:
+    - "{{ compatcheck_distro | length == 0 }}"
+    - >
+      {{
+        ansible_distribution_major_version != 'n/a' and
+        compatcheck_distro[0].version_min | default(0) > ansible_distribution_major_version | int
+      }}
+    - "{{ compatcheck_distro[0].version_max is defined and compatcheck_distro[0].version_max < ansible_distribution_major_version | int }}"
+  loop_control:
+    loop_var: checkfailed

roles/compatcheck/templates/distroerror.j2

@@ -0,0 +1,15 @@
+{%- set distros = [] -%}
+{%- for distro in compatcheck_supported_distributions -%}
+  {%- if distro.version_min is defined -%}
+    {%- if distro.version_max is defined -%}
+      {{ distros.append(distro.name | capitalize + ' ' + distro.version_min | string + '-' + distro.version_max | string) }}
+    {%- else -%}
+      {{ distros.append(distro.name | capitalize + ' ' + distro.version_min | string + '+') }}
+    {%- endif -%}
+  {%- elif distro.version_max is defined -%}
+    {{ distros.append(distro.name | capitalize + ' <' + distro.version_max | string) }}
+  {%- else -%}
+    {{ distros.append(distro.name | capitalize) }}
+  {%- endif -%}
+{%- endfor -%}
+This role only supports {{ distros | join(', ') }} (You are running {{ ansible_distribution }} {{ ansible_distribution_major_version }})

roles/compatcheck/vars/main.yaml

@@ -0,0 +1,2 @@
+---
+compatcheck_distro: "{{ compatcheck_supported_distributions | selectattr('name', 'equalto', ansible_distribution | lower) }}"

roles/example/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+example_ping: false

roles/example/meta/argument_specs.yaml

@@ -0,0 +1,13 @@
+---
+argument_specs:
+  main:
+    short_description: Example role.
+    description:
+      - This role is just an example.
+      - It pings the host, if example_ping is set to true.
+    options:
+      example_ping:
+        description: This role does nothing, unless this is set to true
+        type: bool
+        required: false
+        default: false

roles/example/tasks/main.yaml

@@ -0,0 +1,17 @@
+---
+- name: Ensure host distribution is supported
+  ansible.builtin.import_role:
+    name: compatcheck
+  vars:
+    compatcheck_supported_distributions:
+      - name: debian
+        version_min: 8
+      - name: archlinux
+      - name: ubuntu
+        version_min: 16
+      - name: fedora
+        version_min: 29
+
+- name: Ping
+  ansible.builtin.ping:
+  when: example_ping

roles/locale/tasks/main.yml

@@ -12,6 +12,7 @@
   community.general.locale_gen:
     name: "{{ item }}"
   loop: "{{ gen_locales }}"
+  when: locale_gen | default('true')
 
 - name: Put default locale config in place
   ansible.builtin.template:

roles/locale/vars/RedHat.yml

@@ -1,3 +1,4 @@
 ---
 
 locale_config: /etc/locale.conf
+locale_gen: false

roles/reverse_proxy/README.md

@@ -1 +0,0 @@
-Deprecated

roles/reverse_proxy/defaults/main.yml

@@ -1,4 +0,0 @@
----
-
-reverse_proxy_type: caddy
-web_server: "{{ reverse_proxy_type }}"

roles/reverse_proxy/tasks/main.yml

@@ -1,30 +0,0 @@
----
-
-- name: Deprecation warning
-  ansible.builtin.debug:
-    msg: "uumas.general.reverse_proxy is deprecated. You should switch to uumas.general.vhost with vhost_type: reverse_proxy"
-
-- name: Legacy proxy_target handling
-  when: proxy_target is defined and proxy_target_port is not defined
-  block:
-    - name: Split legacy proxy_target to protocol and target
-      ansible.builtin.set_fact:
-        proxy_target_split_protocol: "{{ proxy_target.split('://') }}"
-    - name: Split target further to host and port
-      ansible.builtin.set_fact:
-        proxy_target_split_host: "{{ (proxy_target_split_protocol | last).split(':') }}"
-    - name: Set host and port variables
-      ansible.builtin.set_fact:
-        proxy_target_host: "{{ proxy_target_split_host[0] }}"
-        proxy_target_port: "{{ proxy_target_split_host[1] }}"
-
-    - name: Set proxy_target_protocol based on proxy_target
-      ansible.builtin.set_fact:
-        proxy_target_protocol: "{{ proxy_target_split_protocol[0] }}"
-      when: proxy_target_split_protocol | length == 2
-
-- name: Configure vhost for reverse proxy
-  ansible.builtin.include_role:
-    name: vhost
-  vars:
-    vhost_type: reverse_proxy

roles/vhost/README.md

@@ -1 +0,0 @@
-Sets up a vhost on web server defined by the `web_server` variable

roles/vhost/defaults/main.yaml

@@ -0,0 +1,23 @@
+---
+
+vhost_state: present
+vhost_type: "{{ vhost_state }}"
+vhost_domains: []
+vhost_web_server: caddy
+
+vhost_locations: []
+vhost_headers: {}
+vhost_delete_headers: []
+
+vhost_basicauth: false
+vhost_basicauth_users: {}
+
+vhost_proxy_target_netproto: tcp
+vhost_proxy_target_protocol: http
+vhost_proxy_target_host: localhost
+vhost_proxy_delete_headers: []
+
+vhost_redirect_type: temporary
+vhost_redirect_preserve_path: false
+
+vhost_respond_content_type: plain

roles/vhost/defaults/main.yml

@@ -1,22 +0,0 @@
----
-
-vhost_state: present
-vhost_type: "{{ vhost_state }}"
-vhost_domains: []
-web_server: caddy
-
-vhost_locations: []
-vhost_headers: {}
-vhost_delete_headers: []
-
-vhost_basicauth: false
-vhost_basicauth_users: {}
-
-proxy_target_protocol: http
-proxy_target_host: localhost
-proxy_delete_headers: []
-
-redirect_type: temporary
-redirect_preserve_path: false
-
-respond_content_type: plain

roles/vhost/meta/argument_specs.yaml

@@ -1,8 +1,11 @@
 ---
-
 argument_specs:
   main:
     short_description: Sets up a vhost
+    description:
+      - Sets up a vhost on a web server.
+      - Supports reverse proxies, redirects and simple resonses.
+      - Currently only supports caddy.
     options:
       vhost_id:
         description: A unique identifier for this vhost. Not visible to end users.
@@ -28,8 +31,8 @@ argument_specs:
         type: list
         required: "{{ vhost_state == 'present' }}"
         elements: str
-      web_server:
-        description: Defines which server software to use for vhost. This role does nothing if set to none
+      vhost_web_server:
+        description: Defines which server software to use for vhost. This role does nothing if set to none.
         type: str
         required: false
         default: caddy
@@ -59,35 +62,57 @@ argument_specs:
         required: false
         default: {}
 
-      proxy_target_port:
-        description: Port where to proxy requests to. Only applicable if vhost_type is reverse_proxy
-        type: int
-        required: "{{ vhost_state == 'present' and vhost_type == 'reverse_proxy' }}"
-      proxy_target_host:
-        description: Host where to proxy requests to. Only applicable if vhost_type is reverse_proxy
+      vhost_proxy_target_netproto:
+        description:
+          - Network protocol to use for proxy requests.
+          - Only applicable if vhost_type is reverse_proxy.
         type: str
         required: false
-        default: localhost
-      proxy_target_protocol:
-        description: Protocol to use for proxy requests. Only applicable if vhost_type is reverse_proxy
+        default: tcp
+        choices:
+          - tcp
+          - unix
+      vhost_proxy_target_protocol:
+        description:
+          - Transport protocol (scheme) to use for proxy requests.
+          - Only applicable if vhost_type is reverse_proxy.
         type: str
         required: false
         default: http
         choices:
           - http
           - https
-      proxy_delete_headers:
+      vhost_proxy_target_host:
+        description:
+          - Host where to proxy requests to.
+          - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is tcp.
+        type: str
+        required: false
+        default: localhost
+      vhost_proxy_target_port:
+        description:
+          - Port where to proxy requests to.
+          - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is tcp.
+        type: int
+        required: "{{ vhost_state == 'present' and vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' }}"
+      vhost_proxy_target_socket:
+        description:
+          - Unix socket path to proxy requests to.
+          - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is unix.
+        type: str
+        required: "{{ vhost_state == 'present' and vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' }}"
+      vhost_proxy_delete_headers:
         description: List of headers to delete from proxied requests
         type: list
         elements: str
         required: false
         default: []
 
-      redirect_target:
+      vhost_redirect_target:
         description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
         type: str
         required: "{{ vhost_state == 'present' and vhost_type == 'redirect' }}"
-      redirect_preserve_path:
+      vhost_redirect_preserve_path:
         description: Whether to keep the original request path
         type: bool
         required: false
@@ -101,11 +126,11 @@ argument_specs:
           - temporary
           - permanent
 
-      respond_content:
-        description: Content to respond with. Json content can be set as yaml as long as respond_content_type is set to json
+      vhost_respond_content:
+        description: Content to respond with. Json content can be set as yaml as long as vhost_respond_content_type is set to json
         type: str
         required: "{{ vhost_state == 'present' and vhost_type == 'respond' }}"
-      respond_content_type:
+      vhost_respond_content_type:
         description: Type of the respond content
         type: str
         required: false
@@ -155,46 +180,65 @@ argument_specs:
             type: dict
             default: "{{ vhost_basicauth_users }}"
 
-          proxy_target_port:
-            description: Port where to proxy requests to. Only applicable if type is reverse_proxy.
-            type: int
+          proxy_target_netproto:
+            description:
+              - Network protocol to use for proxy requests.
+              - Only applicable if type is reverse_proxy.
+            type: str
             required: false
-            default: "{{ proxy_target_port if vhost_type == 'reverse_proxy' else 0 }}"
+            default: "{{ vhost_proxy_target_netproto }}"
+            choices:
+              - tcp
+              - unix
+          proxy_target_protocol:
+            description:
+              - Transport protocol (scheme) to use for proxy requests.
+              - Only applicable if type is reverse_proxy.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_target_protocol }}"
+            choices:
+              - http
+              - https
           proxy_target_host:
             description: Host where to proxy requests to. Only applicable if type is reverse_proxy
             type: str
             required: false
-            default: "{{ proxy_target_host }}"
-          proxy_target_protocol:
-            description: Protocol to use for proxy requests. Only applicable if type is reverse_proxy
+            default: "{{ vhost_proxy_target_host }}"
+          proxy_target_port:
+            description: Port where to proxy requests to. Only applicable if type is reverse_proxy.
+            type: int
+            required: false
+            default: "{{ vhost_proxy_target_port if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' else 0 }}"
+          proxy_target_socket:
+            description:
+              - Unix socket path to proxy requests to.
+              - Only applicable if type is reverse_proxy and proxy_target_netproto is unix.
             type: str
             required: false
-            default: "{{ proxy_target_protocol }}"
-            choices:
-              - http
-              - https
+            default: "{{ vhost_proxy_target_socket if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else '' }}"
           proxy_delete_headers:
             description: List of request headers to delete from proxied requests
             type: list
             elements: str
             required: false
-            default: "{{ proxy_delete_headers }}"
+            default: "{{ vhost_proxy_delete_headers }}"
 
           redirect_target:
             description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
             type: str
             required: false
-            default: "{{ redirect_target if vhost_type == 'redirect' else '' }}"
+            default: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
           redirect_preserve_path:
             description: Whether to keep the original request path
             type: bool
             required: false
-            default: "{{ redirect_preserve_path }}"
-          redirect type:
+            default: "{{ vhost_redirect_preserve_path }}"
+          redirect_type:
             description: Only applicable if vhost_type is reverse_proxy
             type: str
             required: false
-            default: "{{ redirect_type }}"
+            default: "{{ vhost_redirect_type }}"
             choices:
               - temporary
               - permanent
@@ -203,12 +247,12 @@ argument_specs:
             description: Content to respond with. Json content can be set as yaml as long as respond_content_type is set to json
             type: str
             required: false
-            default: "{{ respond_content if vhost_type == 'respond' else '' }}"
+            default: "{{ vhost_respond_content if vhost_type == 'respond' else '' }}"
           respond_content_type:
             description: Type of the respond content
             type: str
             required: false
-            default: "{{ respond_content_type }}"
+            default: "{{ vhost_respond_content_type }}"
             choices:
               - plain
               - json

roles/vhost/meta/main.yaml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: caddy
+    when: vhost_web_server == 'caddy'

roles/vhost/meta/main.yml

@@ -1,5 +0,0 @@
----
-
-dependencies:
-  - role: caddy
-    when: web_server == 'caddy'

roles/vhost/tasks/caddy.yaml

@@ -22,10 +22,18 @@
           }
           {% endif %}
           {% if location.type == 'reverse_proxy' %}
-          reverse_proxy {{ location.proxy_target_protocol }}://{{ location.proxy_target_host }}:{{ location.proxy_target_port }} {
-            {% if location.proxy_target_protocol == 'https' and location.proxy_target_host == 'localhost' %}
+          reverse_proxy  {
+            {% if location.proxy_target_netproto == 'tcp' %}
+            to tcp/{{ location.proxy_target_host }}:{{ location.proxy_target_port }}
+            {% else %}
+            to unix/{{ location.proxy_target_socket }}
+            {% endif %}
+            {% if location.proxy_target_protocol == 'https' %}
             transport http {
+              tls
+              {% if location.proxy_target_host == 'localhost' %}
               tls_insecure_skip_verify
+              {% endif %}
             }
             {% endif %}
           }

roles/vhost/tasks/main.yaml

@@ -0,0 +1,53 @@
+---
+
+- name: Fail if vhost_redirect_target is a relative path and vhost_redirect_preserve_path is true
+  ansible.builtin.fail:
+    msg: vhost_redirect_target must be an absolute url or absolute path if vhost_redirect_preserve_path is true
+  when:
+    - vhost_redirect_preserve_path
+    - vhost_redirect_target.split('://') | length < 2
+    - not vhost_redirect_target.startswith('/')
+
+- name: Fail if vhost_redirect_target ends with / and vhost_redirect_preserve_path is true
+  ansible.builtin.fail:
+    msg: vhost_redirect_target must not end with / if vhost_redirect_preserve_path is true
+  when:
+    - vhost_redirect_preserve_path
+    - vhost_redirect_target.endswith('/')
+
+- name: Reset vhost_locations_all
+  ansible.builtin.set_fact:
+    vhost_locations_all: []
+- name: Set vhost_locations_all reverse proxies
+  ansible.builtin.set_fact:
+    vhost_locations_all: >
+      {{ vhost_locations_all + [{
+      'path': item.path,
+      'type': item.type | default(vhost_type),
+      'headers': item.headers | default(vhost_headers),
+      'delete_headers': item.delete_headers | default(vhost_delete_headers),
+
+      'basicauth': item.basicauth | default(vhost_basicauth),
+      'basicauth_users': item.basicauth_users | default(vhost_basicauth_users),
+
+      'proxy_target_netproto': item.proxy_target_netproto | default(vhost_proxy_target_netproto),
+      'proxy_target_protocol': item.proxy_target_protocol | default(vhost_proxy_target_protocol),
+      'proxy_target_host': item.proxy_target_host | default(vhost_proxy_target_host),
+      'proxy_target_port': item.proxy_target_port | default(vhost_proxy_target_port if
+        vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' else ''),
+      'proxy_target_socket': item.proxy_target_socket | default(vhost_proxy_target_socket if
+        vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else ''),
+      'proxy_delete_headers': item.proxy_delete_headers | default(vhost_proxy_delete_headers),
+
+      'redirect_target': item.redirect_target | default(vhost_redirect_target if vhost_type == 'redirect' else ''),
+      'redirect_preserve_path': item.redirect_preserve_path | default(vhost_redirect_preserve_path),
+      'redirect_type': item.redirect_type | default(vhost_redirect_type),
+
+      'respond_content': item.respond_content | default(vhost_respond_content if vhost_type == 'respond' else ''),
+      'respond_content_type': item.respond_content_type | default(vhost_respond_content_type)
+      }] }}
+  loop: "{{ vhost_locations + [{'path': ''}] }}"
+
+- name: "Setup {{ vhost_id + ' vhost on ' + vhost_web_server }}"
+  ansible.builtin.include_tasks: "{{ vhost_web_server }}.yaml"
+  when: vhost_web_server != 'none'

roles/vhost/tasks/main.yml

@@ -1,49 +0,0 @@
----
-
-- name: Fail if redirect_target is a relative path and redirect_preserve_path is true
-  ansible.builtin.fail:
-    msg: redirect_target must be an absolute url or absolute path if redirect_preserve_path is true
-  when:
-    - redirect_preserve_path
-    - redirect_target.split('://') | length < 2
-    - not redirect_target.startswith('/')
-
-- name: Fail if redirect_target ends with / and redirect_preserve_path is true
-  ansible.builtin.fail:
-    msg: redirect_target must not end with / if redirect_preserve_path is true
-  when:
-    - redirect_preserve_path
-    - redirect_target.endswith('/')
-
-- name: Reset vhost_locations_all
-  ansible.builtin.set_fact:
-    vhost_locations_all: []
-- name: Set vhost_locations_all reverse proxies
-  ansible.builtin.set_fact:
-    vhost_locations_all: >
-      {{ vhost_locations_all + [{
-      'path': item.path,
-      'type': item.type | default(vhost_type),
-      'headers': item.headers | default(vhost_headers),
-      'delete_headers': item.delete_headers | default(vhost_delete_headers),
-
-      'basicauth': item.basicauth | default(vhost_basicauth),
-      'basicauth_users': item.basicauth_users | default(vhost_basicauth_users),
-
-      'proxy_target_port': item.proxy_target_port | default(proxy_target_port if vhost_type == 'reverse_proxy' else ''),
-      'proxy_target_host': item.proxy_target_host | default(proxy_target_host),
-      'proxy_target_protocol': item.proxy_target_protocol | default(proxy_target_protocol),
-      'proxy_delete_headers': item.proxy_delete_headers | default(proxy_delete_headers),
-
-      'redirect_target': item.redirect_target | default(redirect_target if vhost_type == 'redirect' else ''),
-      'redirect_preserve_path': item.redirect_preserve_path | default(redirect_preserve_path),
-      'redirect_type': item.redirect_type | default(redirect_type),
-
-      'respond_content': item.respond_content | default(respond_content if vhost_type == 'respond' else ''),
-      'respond_content_type': item.respond_content_type | default(respond_content_type)
-      }] }}
-  loop: "{{ vhost_locations + [{'path': ''}] }}"
-
-- name: "Setup {{ vhost_id + ' vhost on ' + web_server }}"
-  ansible.builtin.include_tasks: "{{ web_server }}.yml"
-  when: web_server != 'none'