Support ssh_pubkeys as list

This reverts commit 273da948b5.

roles/automatic_updates/README.md

@@ -0,0 +1,2 @@
+This role enables automatic package updates.
+It currently supports Debian and Ubuntu.

roles/automatic_updates/meta/main.yaml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 11
+        - name: ubuntu
+          version_min: 22

roles/automatic_updates/tasks/main.yaml

@@ -1,14 +1,4 @@
 ---
-- name: Ensure host distribution is supported
-  ansible.builtin.import_role:
-    name: compatcheck
-  vars:
-    compatcheck_supported_distributions:
-      - name: debian
-        version_min: 11
-      - name: ubuntu
-        version_min: 22
-
 - name: Install unatteded-upgrades
   ansible.builtin.apt:
     name: unattended-upgrades

roles/borgmatic/README.md

@@ -0,0 +1 @@
+Installs borgmatic

roles/borgmatic/meta/main.yaml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 11
+        - name: ubuntu
+          version_min: 22

roles/borgmatic/tasks/main.yaml

@@ -1,14 +1,4 @@
 ---
-- name: Ensure host distribution is supported
-  ansible.builtin.import_role:
-    name: compatcheck
-  vars:
-    compatcheck_supported_distributions:
-      - name: debian
-        version_min: 11
-      - name: ubuntu
-        version_min: 22
-
 - name: Install borgmatic
   ansible.builtin.apt:
     name: borgmatic

roles/borgmatic/tasks/target.yaml

@@ -2,6 +2,7 @@
 - name: Gather facts
   ansible.builtin.setup:
   delegate_facts: true
+  ignore_unreachable: true
   retries: 3
 
 - name: Add ssh key to authorized_keys

roles/borgmatic_config/README.md

@@ -0,0 +1 @@
+Creates a bormatic configuration in /etc/borgmatic.d/ and creates the repos

roles/borgmatic_config/handlers/main.yaml

@@ -1,4 +1,10 @@
 ---
+- name: Initialize borgmatic
+  ansible.builtin.command:
+    cmd: borgmatic init --encryption repokey
+  register: _borgmatic_init_out
+  changed_when: _borgmatic_init_out.stdout | length > 0
+
 - name: Restart borgmatic timer {{ borgmatic_config_name }}
   ansible.builtin.systemd_service:
     name: "borgmatic@{{ borgmatic_config_name }}.timer"

roles/borgmatic_config/tasks/main.yaml

@@ -18,6 +18,7 @@
     dest: /etc/borgmatic.d/{{ borgmatic_config_name }}.yaml
     mode: "0600"
   no_log: true
+  notify: Initialize borgmatic
 
 - name: Add systemd timer for borgmatic {{ borgmatic_config_name }}
   ansible.builtin.template:

roles/caddy/meta/main.yaml

@@ -0,0 +1,10 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 12
+        - name: ubuntu
+          version_min: 22
+  - role: uumas.general.firewalld

roles/caddy/tasks/main.yaml

@@ -1,14 +1,4 @@
 ---
-- name: Ensure host distribution is supported
-  ansible.builtin.import_role:
-    name: compatcheck
-  vars:
-    compatcheck_supported_distributions:
-      - name: debian
-        version_min: 11
-      - name: ubuntu
-        version_min: 22
-
 - name: Ensure legacy caddy apt repository not present
   ansible.builtin.file:
     path: /etc/apt/sources.list.d/caddy-stable.list
@@ -46,8 +36,19 @@
     marker: "# {mark} ANSIBLE MANAGED BLOCK general"
     block: |
       {
-        email {{ caddy_admin_email }}
+          email {{ caddy_admin_email }}
       }
     validate: 'caddy validate --config %s --adapter caddyfile'
     backup: true
   notify: Reload caddy
+
+- name: Open ports for caddy
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop:
+    - http
+    - https
+    - http3

roles/compatcheck/meta/argument_specs.yaml

@@ -22,6 +22,7 @@ argument_specs:
               - ubuntu
               - fedora
               - archlinux
+              - macosx
           version_min:
             description: Earliest supported major version. Allows any version if not specified.
             type: int
@@ -31,7 +32,9 @@ argument_specs:
             type: int
             required: false
           package_managers:
-            description: List of supported package managers. Defaults to apt for debian and ubuntu, dnf for fedora, pacman for archlinux
+            description: >-
+              List of supported package managers. Defaults to apt for debian and ubuntu,
+              dnf for fedora, pacman for archlinux, homebrew for macosx
             type: list
             required: false
             elements: str
@@ -40,3 +43,4 @@ argument_specs:
               - dnf
               - pacman
               - atomic_container
+              - homebrew

roles/compatcheck/vars/main.yaml

@@ -5,4 +5,5 @@ _compatcheck_default_package_managers:
   ubuntu: apt
   fedora: dnf
   archlinux: pacman
+  macosx: homebrew
 _compatcheck_default_package_manager: "{{ _compatcheck_default_package_managers[ansible_distribution | lower] }}"

roles/example/meta/main.yaml

@@ -0,0 +1,12 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 8
+        - name: archlinux
+        - name: ubuntu
+          version_min: 16
+        - name: fedora
+          version_min: 29

roles/example/tasks/main.yaml

@@ -1,17 +1,4 @@
 ---
-- name: Ensure host distribution is supported
-  ansible.builtin.import_role:
-    name: compatcheck
-  vars:
-    compatcheck_supported_distributions:
-      - name: debian
-        version_min: 8
-      - name: archlinux
-      - name: ubuntu
-        version_min: 16
-      - name: fedora
-        version_min: 29
-
 - name: Ping
   ansible.builtin.ping:
   when: example_ping

roles/firewalld/README.md

@@ -0,0 +1 @@
+Installs firewalld

roles/firewalld/meta/argument_specs.yaml

@@ -0,0 +1,5 @@
+---
+argument_specs:
+  main:
+    description: Installs firewalld
+    options: {}

roles/firewalld/meta/main.yaml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 12
+        - name: ubuntu
+          version_min: 22

roles/firewalld/tasks/main.yaml

@@ -0,0 +1,4 @@
+---
+- name: Install firewalld
+  ansible.builtin.apt:
+    name: firewalld

roles/locale/meta/main.yaml

@@ -0,0 +1,11 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 10
+        - name: ubuntu
+          version_min: 24
+        - name: fedora
+          version_min: 39

roles/locale/tasks/main.yaml

@@ -1,16 +1,4 @@
 ---
-- name: Ensure host distribution is supported
-  ansible.builtin.import_role:
-    name: compatcheck
-  vars:
-    compatcheck_supported_distributions:
-      - name: debian
-        version_min: 10
-      - name: ubuntu
-        version_min: 24
-      - name: fedora
-        version_min: 39
-
 - name: Include variables for os family {{ ansible_os_family }}
   ansible.builtin.include_vars: "{{ ansible_os_family }}.yaml"
 

roles/prometheus_node_exporter/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+prometheus_node_exporter_local_network: ""

roles/prometheus_node_exporter/handlers/main.yaml

@@ -1,5 +1,5 @@
 ---
 - name: Restart prometheus-node-exporter
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: prometheus-node-exporter
     state: restarted

roles/prometheus_node_exporter/meta/argument_specs.yaml

@@ -3,7 +3,10 @@ argument_specs:
   main:
     description: Installs and configures prometheus node exporter to listen on local ipv4 address
     options:
-      local_network:
+      prometheus_node_exporter_local_network:
-        description: The local ipv4 network block, listen address is taken from this block
+        description: >-
+          The local ipv4 network block, listen address is taken from this block.
+          If empty, listens on 0.0.0.0
         type: str
-        required: true
+        required: false
+        default: ""

roles/prometheus_node_exporter/meta/main.yaml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: uumas.general.firewalld

roles/prometheus_node_exporter/tasks/main.yaml

@@ -1,17 +1,18 @@
 ---
-- name: Ensure host distribution is supported
+- name: Compatibility check
   ansible.builtin.import_role:
-    name: compatcheck
+    name: uumas.general.compatcheck
   vars:
     compatcheck_supported_distributions:
       - name: debian
         version_min: 11
       - name: ubuntu
-        version_min: 24
+        version_min: 22
 
 - name: Install prometheus node exporter
   ansible.builtin.apt:
     name: prometheus-node-exporter
+    install_recommends: false
 
 - name: Set prometheus options in /etc/default/prometheus-node-exporter
   ansible.builtin.template:

roles/prometheus_node_exporter/templates/prometheus-node-exporter.j2

@@ -1 +1 @@
-ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(local_network))[0] }}:9100 --collector.logind --collector.systemd --collector.processes"
+ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(prometheus_node_exporter_local_network))[0] if prometheus_node_exporter_local_network | length > 0 else '0.0.0.0' }}:9100 --collector.logind --collector.systemd --collector.processes"

roles/users/meta/main.yaml

@@ -0,0 +1,11 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 11
+        - name: ubuntu
+          version_min: 22
+        - name: fedora
+          version_min: 39

roles/users/tasks/main.yaml

@@ -1,16 +1,4 @@
 ---
-- name: Ensure host distribution is supported
-  ansible.builtin.import_role:
-    name: compatcheck
-  vars:
-    compatcheck_supported_distributions:
-      - name: debian
-        version_min: 11
-      - name: ubuntu
-        version_min: 22
-      - name: fedora
-        version_min: 39
-
 - name: Ensure sudo is installed
   ansible.builtin.package:
     name: sudo
@@ -38,7 +26,8 @@
 - name: Set ssh authorized keys for users
   ansible.posix.authorized_key:
     user: "{{ item.name }}"
-    key: "{{ item.ssh_pubkey }}"
+    key: "{{ item.ssh_pubkeys | default([item.ssh_pubkey]) | join('\n') }}"
+    exclusive: true
   when: item.state | default('present') == 'present'
   loop: "{{ users }}"
 

roles/vhost/defaults/main.yaml

@@ -14,10 +14,18 @@ vhost_basicauth_users: {}
 vhost_proxy_target_netproto: tcp
 vhost_proxy_target_protocol: http
 vhost_proxy_target_host: localhost
+vhost_proxy_headers: {}
 vhost_proxy_delete_headers: []
+vhost_proxy_pass_host_header: true
+vhost_proxy_auth_socket: ""
+vhost_proxy_auth_uri: ""
+vhost_proxy_auth_unauthorized_redir: ""
 
 vhost_redirect_type: temporary
 vhost_redirect_preserve_path: false
 vhost_redirect_preserve_query: "{{ vhost_redirect_preserve_path }}"
 
 vhost_respond_content_type: plain
+vhost_respond_status: 200
+
+vhost_matchers: []

roles/vhost/meta/argument_specs.yaml

@@ -103,12 +103,43 @@ argument_specs:
           - Only applicable if vhost_type is reverse_proxy and vhost_proxy_target_netproto is unix.
         type: str
         required: false
+      vhost_proxy_headers:
+        description: Dict of request headers and their values to set for proxied requests
+        type: dict
+        required: false
+        default: {}
       vhost_proxy_delete_headers:
         description: List of headers to delete from proxied requests
         type: list
         elements: str
         required: false
         default: []
+      vhost_proxy_pass_host_header:
+        description: Whether to pass the host header unchanged (true) or change it to the proxy target host (false)
+        type: bool
+        required: false
+        default: true
+      vhost_proxy_auth_socket:
+        description: >-
+          Unix socket path to forward requests to for auhtentication, before
+          proxying them
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_uri:
+        description: >-
+          The authentication endpoint of the auth host. Required if
+          proxy_auth_socket is defined. Does nothing otherwise.
+        type: str
+        required: false
+        default: ""
+      vhost_proxy_auth_unauthorized_redir:
+        description: >-
+          Where to redirect requests if authentication service returns 401
+          unathorized. If not set, returns responses as is.
+        type: str
+        required: false
+        default: ""
 
       vhost_redirect_target:
         description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -145,6 +176,199 @@ argument_specs:
         choices:
           - plain
           - json
+      vhost_respond_status:
+        description: Status code of response
+        type: int
+        required: false
+        default: 200
+
+      vhost_matchers:
+        description: >
+          List of matchers to handle differently from the default for vhost.
+          A matcher matches if all of its conditions match
+        type: list
+        elements: dict
+        required: false
+        default: []
+        options:
+          name:
+            description: Name of the matcher used to reference it
+            type: str
+            required: true
+
+          match_methods:
+            description: HTTP methods to match against. Matching one method is enough.
+            type: list
+            elements: str
+            choices:
+              - GET
+              - HEAD
+              - OPTIONS
+              - TRACE
+              - PUT
+              - DELETE
+              - POST
+              - PATCH
+              - CONNECT
+            required: false
+            default: []
+          match_headers:
+            description: >-
+              Headers to match against.
+              If the value begins with ^ and end with $, the value is matched as regex.
+            type: dict
+            required: false
+            default: {}
+
+          type:
+            type: str
+            required: false
+            default: "{{ vhost_type }}"
+            choices:
+              - reverse_proxy
+              - redirect
+              - respond
+          headers:
+            description: Dict of response headers and their values
+            type: dict
+            required: false
+            default: "{{ vhost_headers }}"
+          delete_headers:
+            description: List of response headers to delete
+            type: list
+            elements: str
+            required: false
+            default: "{{ vhost_delete_headers }}"
+
+          basicauth:
+            description: Whether to require basic auth for the location
+            type: bool
+            required: false
+            default: "{{ vhost_basicauth }}"
+          basicauth_users:
+            description: A dict of basic auth users and their password hashes. Required if basicauth is true
+            type: dict
+            default: "{{ vhost_basicauth_users }}"
+
+          proxy_target_netproto:
+            description:
+              - Network protocol to use for proxy requests.
+              - Only applicable if type is reverse_proxy.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_target_netproto }}"
+            choices:
+              - tcp
+              - unix
+          proxy_target_protocol:
+            description:
+              - Transport protocol (scheme) to use for proxy requests.
+              - Only applicable if type is reverse_proxy.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_target_protocol }}"
+            choices:
+              - http
+              - https
+          proxy_target_host:
+            description: Host where to proxy requests to. Only applicable if type is reverse_proxy
+            type: str
+            required: false
+            default: "{{ vhost_proxy_target_host }}"
+          proxy_target_port:
+            description: Port where to proxy requests to. Only applicable if type is reverse_proxy.
+            type: int
+            required: false
+            default: "{{ vhost_proxy_target_port if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' else 0 }}"
+          proxy_target_socket:
+            description:
+              - Unix socket path to proxy requests to.
+              - Only applicable if type is reverse_proxy and proxy_target_netproto is unix.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_target_socket if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else '' }}"
+          proxy_headers:
+            description: Dict of request headers and their values to set for proxied requests
+            type: dict
+            required: false
+            default: "{{ vhost_proxy_headers }}"
+          proxy_delete_headers:
+            description: List of request headers to delete from proxied requests
+            type: list
+            elements: str
+            required: false
+            default: "{{ vhost_proxy_delete_headers }}"
+          proxy_pass_host_header:
+            description: Whether to pass the host header unchanged (true) or change it to the proxy target host (false)
+            type: bool
+            required: false
+            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"
+
+          redirect_target:
+            description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
+            type: str
+            required: false
+            default: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
+          redirect_preserve_path:
+            description: Whether to keep the original request path
+            type: bool
+            required: false
+            default: "{{ vhost_redirect_preserve_path }}"
+          redirect_preserve_query:
+            description: Whether to keep the original request query string
+            type: bool
+            required: false
+            default: "{{ vhost_redirect_preserve_query }}"
+          redirect_type:
+            description: Only applicable if vhost_type is redirect
+            type: str
+            required: false
+            default: "{{ vhost_redirect_type }}"
+            choices:
+              - temporary
+              - permanent
+
+          respond_content:
+            description: >-
+              Content to respond with.
+              Json content can be set as yaml as long as respond_content_type is set to json.
+            type: str
+            required: false
+            default: "{{ vhost_respond_content if vhost_type == 'respond' else '' }}"
+          respond_content_type:
+            description: Type of the respond content
+            type: str
+            required: false
+            default: "{{ vhost_respond_content_type }}"
+            choices:
+              - plain
+              - json
+          respond_status:
+            description: Status code of response
+            type: int
+            required: false
+            default: "{{ vhost_respond_status }}"
 
       vhost_locations:
         description: List of locations to handle differently from the default for vhost
@@ -154,7 +378,9 @@ argument_specs:
         elements: dict
         options:
           path:
-            description: Path to match. Only supports full paths for now.
+            description: >-
+              Path to match.
+              If the value begins with ^ and end with $, the value is matched as regex.
             type: str
             required: true
           type:
@@ -224,12 +450,43 @@ argument_specs:
             type: str
             required: false
             default: "{{ vhost_proxy_target_socket if vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else '' }}"
+          proxy_headers:
+            description: Dict of request headers and their values to set for proxied requests
+            type: dict
+            required: false
+            default: "{{ vhost_proxy_headers }}"
           proxy_delete_headers:
             description: List of request headers to delete from proxied requests
             type: list
             elements: str
             required: false
             default: "{{ vhost_proxy_delete_headers }}"
+          proxy_pass_host_header:
+            description: Whether to pass the host header unchanged (true) or change it to the proxy target host (false)
+            type: bool
+            required: false
+            default: "{{ vhost_proxy_pass_host_header }}"
+          proxy_auth_socket:
+            description: >-
+              Unix socket path to forward requests to for auhtentication, before
+              proxying them
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_socket }}"
+          proxy_auth_uri:
+            description: >-
+              The authentication endpoint of the auth host. Required if
+              proxy_auth_socket is defined. Does nothing otherwise.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_uri }}"
+          proxy_auth_unauthorized_redir:
+            description: >-
+              Where to redirect requests if authentication service returns 401
+              unathorized. If not set, returns responses as is.
+            type: str
+            required: false
+            default: "{{ vhost_proxy_auth_unauthorized_redir }}"
 
           redirect_target:
             description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
@@ -256,7 +513,9 @@ argument_specs:
               - permanent
 
           respond_content:
-            description: Content to respond with. Json content can be set as yaml as long as respond_content_type is set to json
+            description: >-
+              Content to respond with.
+              Json content can be set as yaml as long as respond_content_type is set to json.
             type: str
             required: false
             default: "{{ vhost_respond_content if vhost_type == 'respond' else '' }}"
@@ -268,3 +527,156 @@ argument_specs:
             choices:
               - plain
               - json
+          respond_status:
+            description: Status code of response
+            type: int
+            required: false
+            default: "{{ vhost_respond_status }}"
+
+          matchers:
+            description: >
+              List of matchers to handle differently from the default for vhost.
+              A matcher matches if all of its conditions match.
+              Options without a specified default will default to location's corresponding option.
+            type: list
+            elements: dict
+            required: false
+            default: "{{ vhost_matchers }}"
+            options:
+              name:
+                description: Name of the matcher used to reference it
+                type: str
+                required: true
+
+              match_methods:
+                description: HTTP methods to match against. Matching one method is enough.
+                type: list
+                elements: str
+                choices:
+                  - GET
+                  - HEAD
+                  - OPTIONS
+                  - TRACE
+                  - PUT
+                  - DELETE
+                  - POST
+                  - PATCH
+                  - CONNECT
+                required: false
+                default: []
+              match_headers:
+                description: >-
+                  Headers to match against.
+                  If the value begins with ^ and end with $, the value is matched as regex.
+                type: dict
+                required: false
+                default: {}
+
+              type:
+                type: str
+                required: false
+                choices:
+                  - reverse_proxy
+                  - redirect
+                  - respond
+              headers:
+                description: Dict of response headers and their values
+                type: dict
+                required: false
+              delete_headers:
+                description: List of response headers to delete
+                type: list
+                elements: str
+                required: false
+
+              basicauth:
+                description: Whether to require basic auth for the location
+                type: bool
+                required: false
+              basicauth_users:
+                description: A dict of basic auth users and their password hashes. Required if basicauth is true
+                type: dict
+
+              proxy_target_netproto:
+                description:
+                  - Network protocol to use for proxy requests.
+                  - Only applicable if type is reverse_proxy.
+                type: str
+                required: false
+                choices:
+                  - tcp
+                  - unix
+              proxy_target_protocol:
+                description:
+                  - Transport protocol (scheme) to use for proxy requests.
+                  - Only applicable if type is reverse_proxy.
+                type: str
+                required: false
+                choices:
+                  - http
+                  - https
+              proxy_target_host:
+                description: Host where to proxy requests to. Only applicable if type is reverse_proxy
+                type: str
+                required: false
+              proxy_target_port:
+                description: Port where to proxy requests to. Only applicable if type is reverse_proxy.
+                type: int
+                required: false
+              proxy_target_socket:
+                description:
+                  - Unix socket path to proxy requests to.
+                  - Only applicable if type is reverse_proxy and proxy_target_netproto is unix.
+                type: str
+                required: false
+              proxy_headers:
+                description: Dict of request headers and their values to set for proxied requests
+                type: dict
+                required: false
+              proxy_delete_headers:
+                description: List of request headers to delete from proxied requests
+                type: list
+                elements: str
+                required: false
+              proxy_pass_host_header:
+                description: Whether to pass the host header unchanged (true) or change it to the proxy target host (false)
+                type: bool
+                required: false
+
+              redirect_target:
+                description: "Only applicable if vhost_type is redirect. Example: https://www.domain.tld/location"
+                type: str
+                required: false
+              redirect_preserve_path:
+                description: Whether to keep the original request path
+                type: bool
+                required: false
+              redirect_preserve_query:
+                description: Whether to keep the original request query string
+                type: bool
+                required: false
+              redirect_type:
+                description: Only applicable if vhost_type is redirect
+                type: str
+                required: false
+                choices:
+                  - temporary
+                  - permanent
+
+              respond_content:
+                description: >-
+                  Content to respond with.
+                  Json content can be set as yaml as long as respond_content_type is set to json.
+                type: str
+                required: false
+              respond_content_type:
+                description: Type of the respond content
+                type: str
+                required: false
+                choices:
+                  - plain
+                  - json
+              respond_status:
+                description: Status code of response
+                type: int
+                required: false

roles/vhost/tasks/caddy.yaml

@@ -3,56 +3,7 @@
   ansible.builtin.blockinfile:
     path: /etc/caddy/Caddyfile
     marker: "# {mark} ANSIBLE MANAGED BLOCK {{ vhost_id }}"
-    # yamllint disable rule:line-length
+    block: "{{ lookup('ansible.builtin.template', 'Caddyfile_block.j2') }}"
-    block: |
-      {{ vhost_domains | join(' ') }} {
-        {% for location in _vhost_locations_complete %}
-        handle {{ location.path }} {
-          {% for header in location.delete_headers %}
-          header -{{ header }}
-          {% endfor %}
-          {% for header in location.headers | dict2items %}
-          header {{ header.key }} `{{ header.value }}`
-          {% endfor %}
-          {% if location.basicauth %}
-          basicauth {
-            {% for user in location.basicauth_users | dict2items %}
-            {{ user.key }} {{ user.value }}
-            {% endfor %}
-          }
-          {% endif %}
-          {% if location.type == 'reverse_proxy' %}
-          reverse_proxy  {
-            {% if location.proxy_target_netproto == 'tcp' %}
-            to tcp/{{ location.proxy_target_host }}:{{ location.proxy_target_port }}
-            {% else %}
-            to unix/{{ location.proxy_target_socket }}
-            {% endif %}
-            {% if location.proxy_target_protocol == 'https' %}
-            transport http {
-              tls
-              {% if location.proxy_target_host == 'localhost' %}
-              tls_insecure_skip_verify
-              {% endif %}
-            }
-            {% endif %}
-          }
-          {% for header in location.proxy_delete_headers %}
-          request_header -{{ header }}
-          {% endfor %}
-          {% elif location.type == 'redirect' %}
-          redir * {{ location.redirect_target }}{{ '{path}' if location.redirect_preserve_path }}{{ '?{query}' if location.redirect_preserve_query }} {{ location.redirect_type }}
-          {% elif location.type == 'respond' %}
-            {% if location.respond_content_type == 'json' %}
-            respond `{{ location.respond_content | to_json }}`
-            {% else %}
-            respond `{{ location.respond_content }}`
-            {% endif %}
-          {% endif %}
-        }
-        {% endfor %}
-      }
-    # yamllint enable rule:line-length
     validate: 'caddy validate --config %s --adapter caddyfile'
     backup: true
     state: "{{ vhost_state }}"

roles/vhost/templates/Caddyfile_block.j2

@@ -0,0 +1,85 @@
+#jinja2: lstrip_blocks: True
+{{ vhost_domains | join(' ') }} {
+  {% for location in _vhost_locations_complete %}
+   {% if location.path != '' %}
+    @{{ location.path }} path{{ '_regexp' if location.path.startswith('^') and location.path.endswith('$') else '' }} {{ location.path }}
+    handle @{{ location.path }} {
+   {% else %}
+    handle {
+   {% endif %}
+      {% for matcher in location.matchers %}
+      {% if matcher.name != '' %}
+        @{{ matcher.name }} {
+          {% if matcher.match_methods | length > 0 %}
+            method {{ matcher.match_methods | join(' ') }}
+          {% endif %}
+          {% for header in matcher.match_headers | dict2items %}
+            header{{ '_regexp' if header.value.startswith('^') and header.value.endswith('$') else '' }} {{ header.key }} {{ header.value }}
+          {% endfor %}
+        }
+      {% endif %}
+        handle{{ ' @' ~ matcher.name if matcher.name != '' else '' }} {
+          {% for header in matcher.delete_headers %}
+            header -{{ header }}
+          {% endfor %}
+          {% for header in matcher.headers | dict2items %}
+            header {{ header.key }} `{{ header.value }}`
+          {% endfor %}
+          {% if matcher.basicauth %}
+            basicauth {
+              {% for user in matcher.basicauth_users | dict2items %}
+                {{ user.key }} {{ user.value }}
+              {% endfor %}
+            }
+          {% endif %}
+          {% if matcher.type == 'reverse_proxy' %}
+           {% if matcher.proxy_auth_socket | length > 0 %}
+            forward_auth {
+                to unix//{{ matcher.proxy_auth_socket }}
+                uri {{ matcher.proxy_auth_uri }}
+              {% if matcher.proxy_auth_unauthorized_redir | length > 0 %}
+                @unauthorized status 401
+                handle_response @unauthorized {
+                    redir * {{ matcher.proxy_auth_unauthorized_redir }}
+                }
+              {% endif %}
+            }
+           {% endif %}
+            reverse_proxy {
+              {% if matcher.proxy_target_netproto == 'tcp' %}
+                to tcp/{{ matcher.proxy_target_host }}:{{ matcher.proxy_target_port }}
+              {% else %}
+                to unix/{{ matcher.proxy_target_socket }}
+              {% endif %}
+              {% if matcher.proxy_target_protocol == 'https' %}
+                transport http {
+                    tls
+                  {% if matcher.proxy_target_host == 'localhost' %}
+                    tls_insecure_skip_verify
+                  {% endif %}
+                }
+              {% endif %}
+              {% for header in matcher.proxy_delete_headers %}
+                header_up -{{ header }}
+              {% endfor %}
+              {% for header in matcher.proxy_headers | dict2items %}
+                header_up {{ header.key }} `{{ header.value }}`
+              {% endfor %}
+              {% if (not matcher.proxy_pass_host_header) and ('host' not in matcher.proxy_headers | map('lower')) %}
+                header_up Host {upstream_hostport}
+              {% endif %}
+            }
+          {% elif matcher.type == 'redirect' %}
+            redir * {{ matcher.redirect_target }}{{ '{path}' if matcher.redirect_preserve_path }}{{ '?{query}' if matcher.redirect_preserve_query }} {{ matcher.redirect_type }}
+          {% elif matcher.type == 'respond' %}
+           {% if matcher.respond_content_type == 'json' %}
+            respond `{{ matcher.respond_content | to_json }}`
+           {% else %}
+            respond `{{ matcher.respond_content }}` {{ matcher.respond_status }}
+           {% endif %}
+          {% endif %}
+        }
+      {% endfor %}
+    }
+  {% endfor %}
+}

roles/vhost/vars/main.yaml

@@ -1,4 +1,15 @@
 ---
+_vhost_matcher_defaults:
+  match_headers: {}
+  match_method: []
+_vhost_matchers: >-
+  {{
+    vhost_matchers
+    | map('combine', _vhost_matcher_defaults)
+    | zip(vhost_matchers)
+    | map('combine')
+  }}
+
 _vhost_location_defaults:
   type: "{{ vhost_type }}"
   headers: "{{ vhost_headers }}"
@@ -14,7 +25,12 @@ _vhost_location_defaults:
     vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'tcp' else '' }}"
   proxy_target_socket: "{{ vhost_proxy_target_socket if
     vhost_type == 'reverse_proxy' and vhost_proxy_target_netproto == 'unix' else '' }}"
+  proxy_headers: "{{ vhost_proxy_headers }}"
   proxy_delete_headers: "{{ vhost_proxy_delete_headers }}"
+  proxy_pass_host_header: "{{ vhost_proxy_pass_host_header }}"
+  proxy_auth_socket: "{{ vhost_proxy_auth_socket }}"
+  proxy_auth_uri: "{{ vhost_proxy_auth_uri }}"
+  proxy_auth_unauthorized_redir: "{{ vhost_proxy_auth_unauthorized_redir }}"
 
   redirect_target: "{{ vhost_redirect_target if vhost_type == 'redirect' else '' }}"
   redirect_preserve_path: "{{ vhost_redirect_preserve_path }}"
@@ -23,12 +39,36 @@ _vhost_location_defaults:
 
   respond_content: "{{ vhost_respond_content if vhost_type == 'respond' else '' }}"
   respond_content_type: "{{ vhost_respond_content_type }}"
+  respond_status: "{{ vhost_respond_status }}"
+
+  matchers: "{{ _vhost_matchers }}"
 
 _vhost_locations: "{{ vhost_locations + [{'path': ''}] }}"
 
-_vhost_locations_complete: "{{
+_vhost_locations_withdefaults: >-
-  _vhost_locations
+  {{
-  | map('combine', _vhost_location_defaults)
+    _vhost_locations
-  | zip(_vhost_locations)
+    | map('combine', _vhost_location_defaults)
-  | map('combine')
+    | zip(
-}}"
+        _vhost_locations
+      )
+    | map('combine')
+    | map('combine', {'matchers': [{'name': ''}]}, list_merge='append')
+  }}
+
+_vhost_locations_complete: >-
+  {{
+    _vhost_locations_withdefaults |
+      sort(attribute='path') |
+      zip(
+        _vhost_locations_withdefaults |
+          subelements('matchers') |
+          map('combine') |
+          groupby('path') |
+          map('last') |
+          map('community.general.remove_keys', ['matchers', 'path']) |
+          map('community.general.dict_kv', 'matchers')
+      ) |
+        map('combine') |
+        reverse
+  }}