vhost: support proxying to unix sockets

locale: Don't generate locales on RedHat based distros
Add example role to base other roles on
2024-07-28 17:45:50 +03:00 · 2024-07-28 16:22:05 +03:00 · 2024-07-28 16:21:39 +03:00 · 2024-07-28 16:21:25 +03:00 · 2024-07-28 16:21:06 +03:00 · 2024-07-28 01:05:41 +03:00
23 changed files with 292 additions and 152 deletions
--- a/roles/caddy/meta/argument_specs.yaml
+++ b/roles/caddy/meta/argument_specs.yaml
@@ -0,0 +1,9 @@
 ---
 argument_specs:
  main:
    short_description: Installs caddy
    options:
      caddy_admin_email:
        description: Email address used for ssl certs
        type: str
        required: true
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@@ -1,7 +1,16 @@
 ---
 - name: Ensure host distribution is supported
  ansible.builtin.import_role:
    name: compatcheck
  vars:
    compatcheck_supported_distributions:
      - name: debian
        version_min: 11
      - name: ubuntu
        version_min: 20
 - name: Add caddy apt repository
-  ansible.builtin.import_role:
+  ansible.builtin.include_role:
    name: apt_repository
  vars:
    repo_name: caddy-stable
@@ -10,6 +19,9 @@
    repo_suite: any-version
    repo_components:
      - main
  when: >
    (ansible_distribution == 'Debian' and ansible_distribution_major_version | int == 11) or
    (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int < 24)
 - name: Install caddy
  ansible.builtin.apt:
@@ -31,7 +43,7 @@
    marker: "# {mark} ANSIBLE MANAGED BLOCK general"
    block: |
      {
-        email {{ admin_email }}
+        email {{ caddy_admin_email }}
      }
    validate: 'caddy validate --config %s --adapter caddyfile'
    backup: true
--- a/roles/compatcheck/meta/argument_specs.yaml
+++ b/roles/compatcheck/meta/argument_specs.yaml
@@ -0,0 +1,32 @@
 ---
 argument_specs:
  main:
    short_description: Checks that the host is running a supported os
    description:
      - Checks that the host is runing a supported os.
      - Supported distros and versions are defined by the compatcheck_supported_distros variable.
      - This role is used by other roles to check compatibility.
    options:
      compatcheck_supported_distributions:
        description: A list of distros and versions supported by the role.
        type: list
        required: true
        elements: dict
        options:
          name:
            description: Name of the distro, in lowercase
            type: str
            required: true
            choices:
              - debian
              - ubuntu
              - fedora
              - archlinux
          version_min:
            description: Earliest supported major version. Allows any version if not specified.
            type: int
            required: false
          version_max:
            description: Last supported major version. Allows any version if not specified.
            type: int
            required: false
--- a/roles/compatcheck/tasks/main.yaml
+++ b/roles/compatcheck/tasks/main.yaml
@@ -0,0 +1,15 @@
 ---
 - name: Fail if distribution not supported
  ansible.builtin.fail:
    msg: "{{ lookup('ansible.builtin.template', 'distroerror.j2').strip() }}"
  when: checkfailed
  loop:
    - "{{ compatcheck_distro | length == 0 }}"
    - >
      {{
        ansible_distribution_major_version != 'n/a' and
        compatcheck_distro[0].version_min | default(0) > ansible_distribution_major_version | int
      }}
    - "{{ compatcheck_distro[0].version_max is defined and compatcheck_distro[0].version_max < ansible_distribution_major_version | int }}"
  loop_control:
    loop_var: checkfailed
--- a/roles/compatcheck/templates/distroerror.j2
+++ b/roles/compatcheck/templates/distroerror.j2
@@ -0,0 +1,15 @@
 {%- set distros = [] -%}
 {%- for distro in compatcheck_supported_distributions -%}
  {%- if distro.version_min is defined -%}
    {%- if distro.version_max is defined -%}
      {{ distros.append(distro.name | capitalize + ' ' + distro.version_min | string + '-' + distro.version_max | string) }}
    {%- else -%}
      {{ distros.append(distro.name | capitalize + ' ' + distro.version_min | string + '+') }}
    {%- endif -%}
  {%- elif distro.version_max is defined -%}
    {{ distros.append(distro.name | capitalize + ' <' + distro.version_max | string) }}
  {%- else -%}
    {{ distros.append(distro.name | capitalize) }}
  {%- endif -%}
 {%- endfor -%}
 This role only supports {{ distros | join(', ') }} (You are running {{ ansible_distribution }} {{ ansible_distribution_major_version }})
--- a/roles/compatcheck/vars/main.yaml
+++ b/roles/compatcheck/vars/main.yaml
@@ -0,0 +1,2 @@
 ---
 compatcheck_distro: "{{ compatcheck_supported_distributions | selectattr('name', 'equalto', ansible_distribution | lower) }}"
--- a/roles/example/defaults/main.yaml
+++ b/roles/example/defaults/main.yaml
@@ -0,0 +1,2 @@
 ---
 example_ping: false
--- a/roles/example/meta/argument_specs.yaml
+++ b/roles/example/meta/argument_specs.yaml
@@ -0,0 +1,13 @@
 ---
 argument_specs:
  main:
    short_description: Example role.
    description:
      - This role is just an example.
      - It pings the host, if example_ping is set to true.
    options:
      example_ping:
        description: This role does nothing, unless this is set to true
        type: bool
        required: false
        default: false
--- a/roles/example/tasks/main.yaml
+++ b/roles/example/tasks/main.yaml
@@ -0,0 +1,17 @@
 ---
 - name: Ensure host distribution is supported
  ansible.builtin.import_role:
    name: compatcheck
  vars:
    compatcheck_supported_distributions:
      - name: debian
        version_min: 8
      - name: archlinux
      - name: ubuntu
        version_min: 16
      - name: fedora
        version_min: 29
 - name: Ping
  ansible.builtin.ping:
  when: example_ping
--- a/roles/locale/tasks/main.yml
+++ b/roles/locale/tasks/main.yml
@@ -12,6 +12,7 @@
  community.general.locale_gen:
    name: "{{ item }}"
  loop: "{{ gen_locales }}"
  when: locale_gen | default('true')
 - name: Put default locale config in place
  ansible.builtin.template:
--- a/roles/locale/vars/RedHat.yml
+++ b/roles/locale/vars/RedHat.yml
@@ -1,3 +1,4 @@
 ---
 locale_config: /etc/locale.conf
 locale_gen: false
--- a/roles/reverse_proxy/README.md
+++ b/roles/reverse_proxy/README.md
@@ -1 +0,0 @@
 Deprecated
--- a/roles/reverse_proxy/defaults/main.yml
+++ b/roles/reverse_proxy/defaults/main.yml
@@ -1,4 +0,0 @@
 ---
 reverse_proxy_type: caddy
 web_server: "{{ reverse_proxy_type }}"
--- a/roles/reverse_proxy/tasks/main.yml
+++ b/roles/reverse_proxy/tasks/main.yml
@@ -1,30 +0,0 @@
 ---
 - name: Deprecation warning
  ansible.builtin.debug:
    msg: "uumas.general.reverse_proxy is deprecated. You should switch to uumas.general.vhost with vhost_type: reverse_proxy"
 - name: Legacy proxy_target handling
  when: proxy_target is defined and proxy_target_port is not defined
  block:
    - name: Split legacy proxy_target to protocol and target
      ansible.builtin.set_fact:
        proxy_target_split_protocol: "{{ proxy_target.split('://') }}"
    - name: Split target further to host and port
      ansible.builtin.set_fact:
        proxy_target_split_host: "{{ (proxy_target_split_protocol | last).split(':') }}"
    - name: Set host and port variables
      ansible.builtin.set_fact:
        proxy_target_host: "{{ proxy_target_split_host[0] }}"
        proxy_target_port: "{{ proxy_target_split_host[1] }}"
    - name: Set proxy_target_protocol based on proxy_target
      ansible.builtin.set_fact:
        proxy_target_protocol: "{{ proxy_target_split_protocol[0] }}"
      when: proxy_target_split_protocol | length == 2
 - name: Configure vhost for reverse proxy
  ansible.builtin.include_role:
    name: vhost
  vars:
    vhost_type: reverse_proxy
--- a/roles/vhost/README.md
+++ b/roles/vhost/README.md
@@ -1 +0,0 @@
 Sets up a vhost on web server defined by the `web_server` variable
--- a/roles/vhost/defaults/main.yaml
+++ b/roles/vhost/defaults/main.yaml
@@ -0,0 +1,23 @@
 ---
 vhost_state: present
 vhost_type: "{{ vhost_state }}"
 vhost_domains: []
 vhost_web_server: caddy
 vhost_locations: []
 vhost_headers: {}
 vhost_delete_headers: []
 vhost_basicauth: false
 vhost_basicauth_users: {}
 vhost_proxy_target_netproto: tcp
 vhost_proxy_target_protocol: http
 vhost_proxy_target_host: localhost
 vhost_proxy_delete_headers: []
 vhost_redirect_type: temporary
 vhost_redirect_preserve_path: false
 vhost_respond_content_type: plain
--- a/roles/vhost/defaults/main.yml
+++ b/roles/vhost/defaults/main.yml
@@ -1,22 +0,0 @@
 ---
 vhost_state: present
 vhost_type: "{{ vhost_state }}"
 vhost_domains: []
 web_server: caddy
 vhost_locations: []
 vhost_headers: {}
 vhost_delete_headers: []
 vhost_basicauth: false
 vhost_basicauth_users: {}
 proxy_target_protocol: http
 proxy_target_host: localhost
 proxy_delete_headers: []
 redirect_type: temporary
 redirect_preserve_path: false
 respond_content_type: plain
--- a/roles/vhost/meta/argument_specs.yaml
+++ b/roles/vhost/meta/argument_specs.yaml
@@ -1,8 +1,11 @@
 ---
 argument_specs:
  main:
    short_description: Sets up a vhost
    description:
      - Sets up a vhost on a web server.
      - Supports reverse proxies, redirects and simple resonses.
      - Currently only supports caddy.
    options:
      vhost_id:
        description: A unique identifier for this vhost. Not visible to end users.
@@ -28,8 +31,8 @@ argument_specs:
        type: list
        required: "{{ vhost_state == 'present' }}"
        elements: str
-      web_server:
+      vhost_web_server:
-        description: Defines which server software to use for vhost. This role does nothing if set to none
+        description: Defines which server software to use for vhost. This role does nothing if set to none.
        type: str
        required: false
        default: caddy
@@ -59,35 +62,57 @@ argument_specs:
        required: false
        default: {}
-      proxy_target_port:
+      vhost_proxy_target_netproto:
-        description: Port where to proxy requests to. Only applicable if vhost_type is reverse_proxy
+        description:
-        type: int
+          - Network protocol to use for proxy requests.
-        required: "{{ vhost_state == 'present' and vhost_type == 'reverse_proxy' }}"
+          - Only applicable if vhost_type is reverse_proxy.
      proxy_target_host:
        description: Host where to proxy requests to. Only applicable if vhost_type is reverse_proxy
        type: str
        required: false
-        default: localhost
+        default: tcp
-      proxy_target_protocol:
+        choices:
-        description: Protocol to use for proxy requests. Only applicable if vhost_type is reverse_proxy
+          - tcp
          - unix
      vhost_proxy_target_protocol:
        description:
          - Transport protocol (scheme) to use for proxy requests.
          - Only applicable if vhost_type is reverse_proxy.
        type: str
        required: false
        default: http
        choices:
          - http
          - https
-      proxy_delete_headers:
+      vhost_proxy_target_host:
        description:
          - Host where to proxy requests to.
          - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is tcp.
        type: str
        required: false
        default: localhost
      vhost_proxy_target_port:
        description:
          - Port where to proxy requests to.
          - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is tcp.
        type: int
        required: "{{ vhost_state == 'present' and vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' }}"
      vhost_proxy_target_socket:
        description:
          - Unix socket path to proxy requests to.
          - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is unix.
        type: str
        required: "{{ vhost_state == 'present' and vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' }}"
      vhost_proxy_delete_headers:
        description: List of headers to delete from proxied requests
        type: list
        elements: str
        required: false
        default: []
-      redirect_target:
+      vhost_redirect_target:
        description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
        type: str
        required: "{{ vhost_state == 'present' and vhost_type == 'redirect' }}"
-      redirect_preserve_path:
+      vhost_redirect_preserve_path:
        description: Whether to keep the original request path
        type: bool
        required: false
@@ -101,11 +126,11 @@ argument_specs:
          - temporary
          - permanent
-      respond_content:
+      vhost_respond_content:
-        description: Content to respond with. Json content can be set as yaml as long as respond_content_type is set to json
+        description: Content to respond with. Json content can be set as yaml as long as vhost_respond_content_type is set to json
        type: str
        required: "{{ vhost_state == 'present' and vhost_type == 'respond' }}"
-      respond_content_type:
+      vhost_respond_content_type:
        description: Type of the respond content
        type: str
        required: false
@@ -155,46 +180,65 @@ argument_specs:
            type: dict
            default: "{{ vhost_basicauth_users }}"
-          proxy_target_port:
+          proxy_target_netproto:
-            description: Port where to proxy requests to. Only applicable if type is reverse_proxy.
+            description:
-            type: int
+              - Network protocol to use for proxy requests.
              - Only applicable if type is reverse_proxy.
            type: str
            required: false
-            default: "{{ proxy_target_port if vhost_type == 'reverse_proxy' else 0 }}"
+            default: "{{ vhost_proxy_target_netproto }}"
            choices:
              - tcp
              - unix
          proxy_target_protocol:
            description:
              - Transport protocol (scheme) to use for proxy requests.
              - Only applicable if type is reverse_proxy.
            type: str
            required: false
            default: "{{ vhost_proxy_target_protocol }}"
            choices:
              - http
              - https
          proxy_target_host:
            description: Host where to proxy requests to. Only applicable if type is reverse_proxy
            type: str
            required: false
-            default: "{{ proxy_target_host }}"
+            default: "{{ vhost_proxy_target_host }}"
-          proxy_target_protocol:
+          proxy_target_port:
-            description: Protocol to use for proxy requests. Only applicable if type is reverse_proxy
+            description: Port where to proxy requests to. Only applicable if type is reverse_proxy.
            type: int
            required: false
            default: "{{ vhost_proxy_target_port if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' else 0 }}"
          proxy_target_socket:
            description:
              - Unix socket path to proxy requests to.
              - Only applicable if type is reverse_proxy and proxy_target_netproto is unix.
            type: str
            required: false
-            default: "{{ proxy_target_protocol }}"
+            default: "{{ vhost_proxy_target_socket if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else '' }}"
            choices:
              - http
              - https
          proxy_delete_headers:
            description: List of request headers to delete from proxied requests
            type: list
            elements: str
            required: false
-            default: "{{ proxy_delete_headers }}"
+            default: "{{ vhost_proxy_delete_headers }}"
          redirect_target:
            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
            type: str
            required: false
-            default: "{{ redirect_target if vhost_type == 'redirect' else '' }}"
+            default: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
          redirect_preserve_path:
            description: Whether to keep the original request path
            type: bool
            required: false
-            default: "{{ redirect_preserve_path }}"
+            default: "{{ vhost_redirect_preserve_path }}"
-          redirect type:
+          redirect_type:
            description: Only applicable if vhost_type is reverse_proxy
            type: str
            required: false
-            default: "{{ redirect_type }}"
+            default: "{{ vhost_redirect_type }}"
            choices:
              - temporary
              - permanent
@@ -203,12 +247,12 @@ argument_specs:
            description: Content to respond with. Json content can be set as yaml as long as respond_content_type is set to json
            type: str
            required: false
-            default: "{{ respond_content if vhost_type == 'respond' else '' }}"
+            default: "{{ vhost_respond_content if vhost_type == 'respond' else '' }}"
          respond_content_type:
            description: Type of the respond content
            type: str
            required: false
-            default: "{{ respond_content_type }}"
+            default: "{{ vhost_respond_content_type }}"
            choices:
              - plain
              - json
--- a/roles/vhost/meta/main.yaml
+++ b/roles/vhost/meta/main.yaml
@@ -0,0 +1,5 @@
 ---
 dependencies:
  - role: caddy
    when: vhost_web_server == 'caddy'
--- a/roles/vhost/meta/main.yml
+++ b/roles/vhost/meta/main.yml
@@ -1,5 +0,0 @@
 ---
 dependencies:
  - role: caddy
    when: web_server == 'caddy'
--- a/roles/vhost/tasks/caddy.yaml
+++ b/roles/vhost/tasks/caddy.yaml
@@ -22,10 +22,18 @@
          }
          {% endif %}
          {% if location.type == 'reverse_proxy' %}
-          reverse_proxy {{ location.proxy_target_protocol }}://{{ location.proxy_target_host }}:{{ location.proxy_target_port }} {
+          reverse_proxy  {
-            {% if location.proxy_target_protocol == 'https' and location.proxy_target_host == 'localhost' %}
+            {% if location.proxy_target_netproto == 'tcp' %}
            to tcp/{{ location.proxy_target_host }}:{{ location.proxy_target_port }}
            {% else %}
            to unix/{{ location.proxy_target_socket }}
            {% endif %}
            {% if location.proxy_target_protocol == 'https' %}
            transport http {
              tls
              {% if location.proxy_target_host == 'localhost' %}
              tls_insecure_skip_verify
              {% endif %}
            }
            {% endif %}
          }
--- a/roles/vhost/tasks/main.yaml
+++ b/roles/vhost/tasks/main.yaml
@@ -0,0 +1,53 @@
 ---
 - name: Fail if vhost_redirect_target is a relative path and vhost_redirect_preserve_path is true
  ansible.builtin.fail:
    msg: vhost_redirect_target must be an absolute url or absolute path if vhost_redirect_preserve_path is true
  when:
    - vhost_redirect_preserve_path
    - vhost_redirect_target.split('://') | length < 2
    - not vhost_redirect_target.startswith('/')
 - name: Fail if vhost_redirect_target ends with / and vhost_redirect_preserve_path is true
  ansible.builtin.fail:
    msg: vhost_redirect_target must not end with / if vhost_redirect_preserve_path is true
  when:
    - vhost_redirect_preserve_path
    - vhost_redirect_target.endswith('/')
 - name: Reset vhost_locations_all
  ansible.builtin.set_fact:
    vhost_locations_all: []
 - name: Set vhost_locations_all reverse proxies
  ansible.builtin.set_fact:
    vhost_locations_all: >
      {{ vhost_locations_all + [{
      'path': item.path,
      'type': item.type | default(vhost_type),
      'headers': item.headers | default(vhost_headers),
      'delete_headers': item.delete_headers | default(vhost_delete_headers),
      'basicauth': item.basicauth | default(vhost_basicauth),
      'basicauth_users': item.basicauth_users | default(vhost_basicauth_users),
      'proxy_target_netproto': item.proxy_target_netproto | default(vhost_proxy_target_netproto),
      'proxy_target_protocol': item.proxy_target_protocol | default(vhost_proxy_target_protocol),
      'proxy_target_host': item.proxy_target_host | default(vhost_proxy_target_host),
      'proxy_target_port': item.proxy_target_port | default(vhost_proxy_target_port if
        vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' else ''),
      'proxy_target_socket': item.proxy_target_socket | default(vhost_proxy_target_socket if
        vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else ''),
      'proxy_delete_headers': item.proxy_delete_headers | default(vhost_proxy_delete_headers),
      'redirect_target': item.redirect_target | default(vhost_redirect_target if vhost_type == 'redirect' else ''),
      'redirect_preserve_path': item.redirect_preserve_path | default(vhost_redirect_preserve_path),
      'redirect_type': item.redirect_type | default(vhost_redirect_type),
      'respond_content': item.respond_content | default(vhost_respond_content if vhost_type == 'respond' else ''),
      'respond_content_type': item.respond_content_type | default(vhost_respond_content_type)
      }] }}
  loop: "{{ vhost_locations + [{'path': ''}] }}"
 - name: "Setup {{ vhost_id + ' vhost on ' + vhost_web_server }}"
  ansible.builtin.include_tasks: "{{ vhost_web_server }}.yaml"
  when: vhost_web_server != 'none'
--- a/roles/vhost/tasks/main.yml
+++ b/roles/vhost/tasks/main.yml
@@ -1,49 +0,0 @@
 ---
 - name: Fail if redirect_target is a relative path and redirect_preserve_path is true
  ansible.builtin.fail:
    msg: redirect_target must be an absolute url or absolute path if redirect_preserve_path is true
  when:
    - redirect_preserve_path
    - redirect_target.split('://') | length < 2
    - not redirect_target.startswith('/')
 - name: Fail if redirect_target ends with / and redirect_preserve_path is true
  ansible.builtin.fail:
    msg: redirect_target must not end with / if redirect_preserve_path is true
  when:
    - redirect_preserve_path
    - redirect_target.endswith('/')
 - name: Reset vhost_locations_all
  ansible.builtin.set_fact:
    vhost_locations_all: []
 - name: Set vhost_locations_all reverse proxies
  ansible.builtin.set_fact:
    vhost_locations_all: >
      {{ vhost_locations_all + [{
      'path': item.path,
      'type': item.type | default(vhost_type),
      'headers': item.headers | default(vhost_headers),
      'delete_headers': item.delete_headers | default(vhost_delete_headers),
      'basicauth': item.basicauth | default(vhost_basicauth),
      'basicauth_users': item.basicauth_users | default(vhost_basicauth_users),
      'proxy_target_port': item.proxy_target_port | default(proxy_target_port if vhost_type == 'reverse_proxy' else ''),
      'proxy_target_host': item.proxy_target_host | default(proxy_target_host),
      'proxy_target_protocol': item.proxy_target_protocol | default(proxy_target_protocol),
      'proxy_delete_headers': item.proxy_delete_headers | default(proxy_delete_headers),
      'redirect_target': item.redirect_target | default(redirect_target if vhost_type == 'redirect' else ''),
      'redirect_preserve_path': item.redirect_preserve_path | default(redirect_preserve_path),
      'redirect_type': item.redirect_type | default(redirect_type),
      'respond_content': item.respond_content | default(respond_content if vhost_type == 'respond' else ''),
      'respond_content_type': item.respond_content_type | default(respond_content_type)
      }] }}
  loop: "{{ vhost_locations + [{'path': ''}] }}"
 - name: "Setup {{ vhost_id + ' vhost on ' + web_server }}"
  ansible.builtin.include_tasks: "{{ web_server }}.yml"
  when: web_server != 'none'
Author	SHA1	Message	Date
uumas	b892da1b89	vhost: support proxying to unix sockets	2024-07-28 17:45:50 +03:00
uumas	1dc6ea7f8e	locale: Don't generate locales on RedHat based distros	2024-07-28 16:22:05 +03:00
uumas	35c696e7d4	Add example role to base other roles on	2024-07-28 16:21:39 +03:00
uumas	92e297f15e	caddy: Lint and compatcheck	2024-07-28 16:21:25 +03:00
uumas	bad1da0783	Add compatcheck role Meant to be used by other roles	2024-07-28 16:21:06 +03:00
uumas	5d16b0a514	vhost: Rename yml -> yaml	2024-07-28 01:05:41 +03:00
uumas	d731d3c70e	vhost: Prefix variables with role name	2024-07-28 01:05:19 +03:00
		`@@ -0,0 +1,2 @@`
							`---`
							`compatcheck_distro: "{{ compatcheck_supported_distributions \| selectattr('name', 'equalto', ansible_distribution \| lower) }}"`
		`@@ -1 +0,0 @@`
			Sets up a vhost on web server defined by the `web_server` variable