Support ssh_pubkeys as list

caddy: Use firewalld
Add readmes
2025-10-12 19:26:12 +03:00 · 2025-09-14 03:02:59 +03:00 · 2025-09-14 03:02:48 +03:00 · 2025-09-14 03:02:09 +03:00 · 2025-09-14 03:01:52 +03:00 · 2025-09-14 02:58:39 +03:00
25 changed files with 166 additions and 20 deletions
--- a/roles/automatic_updates/README.md
+++ b/roles/automatic_updates/README.md
@@ -0,0 +1,2 @@
+This role enables automatic package updates.
+It currently supports Debian and Ubuntu.
--- a/roles/borgmatic/README.md
+++ b/roles/borgmatic/README.md
@@ -0,0 +1 @@
+Installs borgmatic
--- a/roles/borgmatic/tasks/target.yaml
+++ b/roles/borgmatic/tasks/target.yaml
@@ -2,6 +2,7 @@
 - name: Gather facts
  ansible.builtin.setup:
  delegate_facts: true
+  ignore_unreachable: true
  retries: 3

 - name: Add ssh key to authorized_keys
--- a/roles/borgmatic_config/README.md
+++ b/roles/borgmatic_config/README.md
@@ -0,0 +1 @@
+Creates a bormatic configuration in /etc/borgmatic.d/ and creates the repos
--- a/roles/borgmatic_config/handlers/main.yaml
+++ b/roles/borgmatic_config/handlers/main.yaml
@@ -1,4 +1,10 @@
 ---
+- name: Initialize borgmatic
+  ansible.builtin.command:
+    cmd: borgmatic init --encryption repokey
+  register: _borgmatic_init_out
+  changed_when: _borgmatic_init_out.stdout | length > 0
+
 - name: Restart borgmatic timer {{ borgmatic_config_name }}
  ansible.builtin.systemd_service:
    name: "borgmatic@{{ borgmatic_config_name }}.timer"
--- a/roles/borgmatic_config/tasks/main.yaml
+++ b/roles/borgmatic_config/tasks/main.yaml
@@ -18,6 +18,7 @@
    dest: /etc/borgmatic.d/{{ borgmatic_config_name }}.yaml
    mode: "0600"
  no_log: true
+  notify: Initialize borgmatic

 - name: Add systemd timer for borgmatic {{ borgmatic_config_name }}
  ansible.builtin.template:
--- a/roles/caddy/meta/main.yaml
+++ b/roles/caddy/meta/main.yaml
@@ -4,6 +4,7 @@ dependencies:
    vars:
      compatcheck_supported_distributions:
        - name: debian
-          version_min: 11
+          version_min: 12
        - name: ubuntu
          version_min: 22
+  - role: uumas.general.firewalld
--- a/roles/caddy/tasks/main.yaml
+++ b/roles/caddy/tasks/main.yaml
@@ -41,3 +41,14 @@
    validate: 'caddy validate --config %s --adapter caddyfile'
    backup: true
  notify: Reload caddy
+
+- name: Open ports for caddy
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop:
+    - http
+    - https
+    - http3
--- a/roles/compatcheck/meta/argument_specs.yaml
+++ b/roles/compatcheck/meta/argument_specs.yaml
@@ -22,6 +22,7 @@ argument_specs:
              - ubuntu
              - fedora
              - archlinux
+              - macosx
          version_min:
            description: Earliest supported major version. Allows any version if not specified.
            type: int
@@ -31,7 +32,9 @@ argument_specs:
            type: int
            required: false
          package_managers:
-            description: List of supported package managers. Defaults to apt for debian and ubuntu, dnf for fedora, pacman for archlinux
+            description: >-
+              List of supported package managers. Defaults to apt for debian and ubuntu,
+              dnf for fedora, pacman for archlinux, homebrew for macosx
            type: list
            required: false
            elements: str
@@ -40,3 +43,4 @@ argument_specs:
              - dnf
              - pacman
              - atomic_container
+              - homebrew
--- a/roles/compatcheck/vars/main.yaml
+++ b/roles/compatcheck/vars/main.yaml
@@ -5,4 +5,5 @@ _compatcheck_default_package_managers:
  ubuntu: apt
  fedora: dnf
  archlinux: pacman
+  macosx: homebrew
 _compatcheck_default_package_manager: "{{ _compatcheck_default_package_managers[ansible_distribution | lower] }}"
--- a/roles/firewalld/README.md
+++ b/roles/firewalld/README.md
@@ -0,0 +1 @@
+Installs firewalld
--- a/roles/firewalld/meta/argument_specs.yaml
+++ b/roles/firewalld/meta/argument_specs.yaml
@@ -0,0 +1,5 @@
+---
+argument_specs:
+  main:
+    description: Installs firewalld
+    options: {}
--- a/roles/firewalld/meta/main.yaml
+++ b/roles/firewalld/meta/main.yaml
@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 12
+        - name: ubuntu
+          version_min: 22
--- a/roles/firewalld/tasks/main.yaml
+++ b/roles/firewalld/tasks/main.yaml
@@ -0,0 +1,4 @@
+---
+- name: Install firewalld
+  ansible.builtin.apt:
+    name: firewalld
--- a/roles/prometheus_node_exporter/defaults/main.yaml
+++ b/roles/prometheus_node_exporter/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+prometheus_node_exporter_local_network: ""
--- a/roles/prometheus_node_exporter/handlers/main.yaml
+++ b/roles/prometheus_node_exporter/handlers/main.yaml
@@ -1,5 +1,5 @@
 ---
 - name: Restart prometheus-node-exporter
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: prometheus-node-exporter
    state: restarted
--- a/roles/prometheus_node_exporter/meta/argument_specs.yaml
+++ b/roles/prometheus_node_exporter/meta/argument_specs.yaml
@@ -3,7 +3,10 @@ argument_specs:
  main:
    description: Installs and configures prometheus node exporter to listen on local ipv4 address
    options:
-      local_network:
-        description: The local ipv4 network block, listen address is taken from this block
+      prometheus_node_exporter_local_network:
+        description: >-
+          The local ipv4 network block, listen address is taken from this block.
+          If empty, listens on 0.0.0.0
        type: str
-        required: true
+        required: false
+        default: ""
--- a/roles/prometheus_node_exporter/meta/main.yaml
+++ b/roles/prometheus_node_exporter/meta/main.yaml
@@ -1,9 +1,3 @@
 ---
 dependencies:
-  - role: uumas.general.compatcheck
-    vars:
-      compatcheck_supported_distributions:
-        - name: debian
-          version_min: 11
-        - name: ubuntu
-          version_min: 24
+  - role: uumas.general.firewalld
--- a/roles/prometheus_node_exporter/tasks/main.yaml
+++ b/roles/prometheus_node_exporter/tasks/main.yaml
@@ -1,7 +1,18 @@
 ---
+- name: Compatibility check
+  ansible.builtin.import_role:
+    name: uumas.general.compatcheck
+  vars:
+    compatcheck_supported_distributions:
+      - name: debian
+        version_min: 11
+      - name: ubuntu
+        version_min: 22
+
 - name: Install prometheus node exporter
  ansible.builtin.apt:
    name: prometheus-node-exporter
+    install_recommends: false

 - name: Set prometheus options in /etc/default/prometheus-node-exporter
  ansible.builtin.template:
--- a/roles/prometheus_node_exporter/templates/prometheus-node-exporter.j2
+++ b/roles/prometheus_node_exporter/templates/prometheus-node-exporter.j2
@@ -1 +1 @@
-ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(local_network))[0] }}:9100 --collector.logind --collector.systemd --collector.processes"
+ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(prometheus_node_exporter_local_network))[0] if prometheus_node_exporter_local_network | length > 0 else '0.0.0.0' }}:9100 --collector.logind --collector.systemd --collector.processes"
--- a/roles/users/tasks/main.yaml
+++ b/roles/users/tasks/main.yaml
@@ -26,7 +26,8 @@
 - name: Set ssh authorized keys for users
  ansible.posix.authorized_key:
    user: "{{ item.name }}"
-    key: "{{ item.ssh_pubkey }}"
+    key: "{{ item.ssh_pubkeys | default([item.ssh_pubkey]) | join('\n') }}"
+    exclusive: true
  when: item.state | default('present') == 'present'
  loop: "{{ users }}"

--- a/roles/vhost/defaults/main.yaml
+++ b/roles/vhost/defaults/main.yaml
@@ -17,6 +17,9 @@ vhost_proxy_target_host: localhost
 vhost_proxy_headers: {}
 vhost_proxy_delete_headers: []
 vhost_proxy_pass_host_header: true
+vhost_proxy_auth_socket: ""
+vhost_proxy_auth_uri: ""
+vhost_proxy_auth_unauthorized_redir: ""

 vhost_redirect_type: temporary
 vhost_redirect_preserve_path: false
--- a/roles/vhost/meta/argument_specs.yaml
+++ b/roles/vhost/meta/argument_specs.yaml
@@ -119,6 +119,27 @@ argument_specs:
        type: bool
        required: false
        default: true
+      vhost_proxy_auth_socket:
+        description: >-
+          Unix socket path to forward requests to for auhtentication, before
+          proxying them
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_uri:
+        description: >-
+          The authentication endpoint of the auth host. Required if
+          proxy_auth_socket is defined. Does nothing otherwise.
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_unauthorized_redir:
+        description: >-
+          Where to redirect requests if authentication service returns 401
+          unathorized. If not set, returns responses as is.
+        type: str
+        required: false
+        default: ""

      vhost_redirect_target:
        description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -282,6 +303,27 @@ argument_specs:
            type: bool
            required: false
            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"

          redirect_target:
            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -336,7 +378,9 @@ argument_specs:
        elements: dict
        options:
          path:
-            description: Path to match. Only supports full paths for now.
+            description: >-
+              Path to match.
+              If the value begins with ^ and end with $, the value is matched as regex.
            type: str
            required: true
          type:
@@ -422,6 +466,27 @@ argument_specs:
            type: bool
            required: false
            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"

          redirect_target:
            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -502,8 +567,7 @@ argument_specs:
              match_headers:
                description: >-
                  Headers to match against.
-                  The value is matched as regex.
-                  ^ and $ are implied, so don't add them yourself.
+                  If the value begins with ^ and end with $, the value is matched as regex.
                type: dict
                required: false
                default: {}
--- a/roles/vhost/templates/Caddyfile_block.j2
+++ b/roles/vhost/templates/Caddyfile_block.j2
@@ -1,7 +1,12 @@
 #jinja2: lstrip_blocks: True
 {{ vhost_domains | join(' ') }} {
  {% for location in _vhost_locations_complete %}
-    handle {{ location.path }} {
+   {% if location.path != '' %}
+    @{{ location.path }} path{{ '_regexp' if location.path.startswith('^') and location.path.endswith('$') else '' }} {{ location.path }}
+    handle @{{ location.path }} {
+   {% else %}
+    handle {
+   {% endif %}
      {% for matcher in location.matchers %}
      {% if matcher.name != '' %}
        @{{ matcher.name }} {
@@ -28,6 +33,18 @@
            }
          {% endif %}
          {% if matcher.type == 'reverse_proxy' %}
+           {% if matcher.proxy_auth_socket | length > 0 %}
+            forward_auth {
+                to unix//{{ matcher.proxy_auth_socket }}
+                uri {{ matcher.proxy_auth_uri }}
+              {% if matcher.proxy_auth_unauthorized_redir | length > 0 %}
+                @unauthorized status 401
+                handle_response @unauthorized {
+                    redir * {{ matcher.proxy_auth_unauthorized_redir }}
+                }
+              {% endif %}
+            }
+           {% endif %}
            reverse_proxy {
              {% if matcher.proxy_target_netproto == 'tcp' %}
                to tcp/{{ matcher.proxy_target_host }}:{{ matcher.proxy_target_port }}
--- a/roles/vhost/vars/main.yaml
+++ b/roles/vhost/vars/main.yaml
@@ -28,6 +28,9 @@ _vhost_location_defaults:
  proxy_headers: "{{ vhost_proxy_headers }}"
  proxy_delete_headers: "{{ vhost_proxy_delete_headers }}"
  proxy_pass_host_header: "{{ vhost_proxy_pass_host_header }}"
+  proxy_auth_socket: "{{ vhost_proxy_auth_socket }}"
+  proxy_auth_uri: "{{ vhost_proxy_auth_uri }}"
+  proxy_auth_unauthorized_redir: "{{ vhost_proxy_auth_unauthorized_redir }}"

  redirect_target: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
  redirect_preserve_path: "{{ vhost_redirect_preserve_path }}"
Author	SHA1	Message	Date
uumas	d8bd645a80	Support ssh_pubkeys as list	2025-10-12 19:26:12 +03:00
uumas	6d2d305fd0	caddy: Use firewalld	2025-09-14 03:02:59 +03:00
uumas	90ade1e766	Add readmes	2025-09-14 03:02:48 +03:00
uumas	f2840d79a7	prometheus_node_exporter: Allow listening on all	2025-09-14 03:02:09 +03:00
uumas	217b79b225	Add firewalld role	2025-09-14 03:01:52 +03:00
uumas	37066850a0	compatcheck: support macosx	2025-09-14 02:58:39 +03:00
uumas	7617edfdde	borgmatic_config: Initialize repos	2025-09-14 02:58:15 +03:00
uumas	e4c8a2343a	borgmatic: ignore unreachable backup target	2025-09-14 02:57:45 +03:00
uumas	9b40f06804	Revert "prometheus_node_exporter: Make listening on localhost possible" This reverts commit `273da948b5`.	2025-07-27 19:42:24 +03:00
uumas	273da948b5	prometheus_node_exporter: Make listening on localhost possible	2025-07-26 23:07:09 +03:00
uumas	7e0538ae20	prometheus_node_exporter: move compatcheck to tasks	2025-07-26 23:06:34 +03:00
uumas	1c9649e8d6	prometheus_node_exporter: rename variable	2025-07-26 23:05:26 +03:00
uumas	648da9266b	prometheus_node_exporter: Use systemd_service	2025-07-26 14:34:13 +03:00
uumas	8af49bcc3e	vhost: Support regex matching paths	2025-07-19 20:01:34 +03:00
uumas	cb0817fc54	caddy: indent email by 4 spaces	2025-07-19 20:01:09 +03:00
uumas	c0753aeaa2	vhost: Support proxy forward auth	2025-07-13 19:03:02 +03:00
				`@@ -0,0 +1 @@`
				`Creates a bormatic configuration in /etc/borgmatic.d/ and creates the repos`