Support ssh_pubkeys as list

This reverts commit 273da948b5.

roles/automatic_updates/README.md

@@ -0,0 +1,2 @@
+This role enables automatic package updates.
+It currently supports Debian and Ubuntu.

roles/borgmatic/README.md

@@ -0,0 +1 @@
+Installs borgmatic

roles/borgmatic/tasks/target.yaml

@@ -2,6 +2,7 @@
 - name: Gather facts
   ansible.builtin.setup:
   delegate_facts: true
+  ignore_unreachable: true
   retries: 3
 
 - name: Add ssh key to authorized_keys

roles/borgmatic_config/README.md

@@ -0,0 +1 @@
+Creates a bormatic configuration in /etc/borgmatic.d/ and creates the repos

roles/borgmatic_config/handlers/main.yaml

@@ -1,4 +1,10 @@
 ---
+- name: Initialize borgmatic
+  ansible.builtin.command:
+    cmd: borgmatic init --encryption repokey
+  register: _borgmatic_init_out
+  changed_when: _borgmatic_init_out.stdout | length > 0
+
 - name: Restart borgmatic timer {{ borgmatic_config_name }}
   ansible.builtin.systemd_service:
     name: "borgmatic@{{ borgmatic_config_name }}.timer"

roles/borgmatic_config/tasks/main.yaml

@@ -18,6 +18,7 @@
     dest: /etc/borgmatic.d/{{ borgmatic_config_name }}.yaml
     mode: "0600"
   no_log: true
+  notify: Initialize borgmatic
 
 - name: Add systemd timer for borgmatic {{ borgmatic_config_name }}
   ansible.builtin.template:

roles/caddy/meta/main.yaml

@@ -4,6 +4,7 @@ dependencies:
     vars:
       compatcheck_supported_distributions:
         - name: debian
-          version_min: 11
+          version_min: 12
         - name: ubuntu
           version_min: 22
+  - role: uumas.general.firewalld

roles/caddy/tasks/main.yaml

@@ -36,8 +36,19 @@
     marker: "# {mark} ANSIBLE MANAGED BLOCK general"
     block: |
       {
-        email {{ caddy_admin_email }}
+          email {{ caddy_admin_email }}
       }
     validate: 'caddy validate --config %s --adapter caddyfile'
     backup: true
   notify: Reload caddy
+
+- name: Open ports for caddy
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    state: enabled
+    permanent: true
+    immediate: true
+  loop:
+    - http
+    - https
+    - http3

roles/compatcheck/meta/argument_specs.yaml

@@ -22,6 +22,7 @@ argument_specs:
               - ubuntu
               - fedora
               - archlinux
+              - macosx
           version_min:
             description: Earliest supported major version. Allows any version if not specified.
             type: int
@@ -31,7 +32,9 @@ argument_specs:
             type: int
             required: false
           package_managers:
-            description: List of supported package managers. Defaults to apt for debian and ubuntu, dnf for fedora, pacman for archlinux
+            description: >-
+              List of supported package managers. Defaults to apt for debian and ubuntu,
+              dnf for fedora, pacman for archlinux, homebrew for macosx
             type: list
             required: false
             elements: str
@@ -40,3 +43,4 @@ argument_specs:
               - dnf
               - pacman
               - atomic_container
+              - homebrew

roles/compatcheck/vars/main.yaml

@@ -5,4 +5,5 @@ _compatcheck_default_package_managers:
   ubuntu: apt
   fedora: dnf
   archlinux: pacman
+  macosx: homebrew
 _compatcheck_default_package_manager: "{{ _compatcheck_default_package_managers[ansible_distribution | lower] }}"

roles/firewalld/README.md

@@ -0,0 +1 @@
+Installs firewalld

roles/firewalld/meta/argument_specs.yaml

@@ -0,0 +1,5 @@
+---
+argument_specs:
+  main:
+    description: Installs firewalld
+    options: {}

roles/firewalld/meta/main.yaml

@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: uumas.general.compatcheck
+    vars:
+      compatcheck_supported_distributions:
+        - name: debian
+          version_min: 12
+        - name: ubuntu
+          version_min: 22

roles/firewalld/tasks/main.yaml

@@ -0,0 +1,4 @@
+---
+- name: Install firewalld
+  ansible.builtin.apt:
+    name: firewalld

roles/prometheus_node_exporter/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+prometheus_node_exporter_local_network: ""

roles/prometheus_node_exporter/handlers/main.yaml

@@ -1,5 +1,5 @@
 ---
 - name: Restart prometheus-node-exporter
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: prometheus-node-exporter
     state: restarted

roles/prometheus_node_exporter/meta/argument_specs.yaml

@@ -3,7 +3,10 @@ argument_specs:
   main:
     description: Installs and configures prometheus node exporter to listen on local ipv4 address
     options:
-      local_network:
+      prometheus_node_exporter_local_network:
-        description: The local ipv4 network block, listen address is taken from this block
+        description: >-
+          The local ipv4 network block, listen address is taken from this block.
+          If empty, listens on 0.0.0.0
         type: str
-        required: true
+        required: false
+        default: ""

roles/prometheus_node_exporter/meta/main.yaml

@@ -1,9 +1,3 @@
 ---
 dependencies:
-  - role: uumas.general.compatcheck
+  - role: uumas.general.firewalld
-    vars:
-      compatcheck_supported_distributions:
-        - name: debian
-          version_min: 11
-        - name: ubuntu
-          version_min: 24

roles/prometheus_node_exporter/tasks/main.yaml

@@ -1,7 +1,18 @@
 ---
+- name: Compatibility check
+  ansible.builtin.import_role:
+    name: uumas.general.compatcheck
+  vars:
+    compatcheck_supported_distributions:
+      - name: debian
+        version_min: 11
+      - name: ubuntu
+        version_min: 22
+
 - name: Install prometheus node exporter
   ansible.builtin.apt:
     name: prometheus-node-exporter
+    install_recommends: false
 
 - name: Set prometheus options in /etc/default/prometheus-node-exporter
   ansible.builtin.template:

roles/prometheus_node_exporter/templates/prometheus-node-exporter.j2

@@ -1 +1 @@
-ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(local_network))[0] }}:9100 --collector.logind --collector.systemd --collector.processes"
+ARGS="--web.listen-address {{ (ansible_all_ipv4_addresses | ansible.utils.ipaddr(prometheus_node_exporter_local_network))[0] if prometheus_node_exporter_local_network | length > 0 else '0.0.0.0' }}:9100 --collector.logind --collector.systemd --collector.processes"

roles/users/tasks/main.yaml

@@ -26,7 +26,8 @@
 - name: Set ssh authorized keys for users
   ansible.posix.authorized_key:
     user: "{{ item.name }}"
-    key: "{{ item.ssh_pubkey }}"
+    key: "{{ item.ssh_pubkeys | default([item.ssh_pubkey]) | join('\n') }}"
+    exclusive: true
   when: item.state | default('present') == 'present'
   loop: "{{ users }}"
 

roles/vhost/meta/argument_specs.yaml

@@ -378,7 +378,9 @@ argument_specs:
         elements: dict
         options:
           path:
-            description: Path to match. Only supports full paths for now.
+            description: >-
+              Path to match.
+              If the value begins with ^ and end with $, the value is matched as regex.
             type: str
             required: true
           type:
@@ -565,8 +567,7 @@ argument_specs:
               match_headers:
                 description: >-
                   Headers to match against.
-                  The value is matched as regex.
+                  If the value begins with ^ and end with $, the value is matched as regex.
-                  ^ and $ are implied, so don't add them yourself.
                 type: dict
                 required: false
                 default: {}

roles/vhost/templates/Caddyfile_block.j2

@@ -1,7 +1,12 @@
 #jinja2: lstrip_blocks: True
 {{ vhost_domains | join(' ') }} {
   {% for location in _vhost_locations_complete %}
-    handle {{ location.path }} {
+   {% if location.path != '' %}
+    @{{ location.path }} path{{ '_regexp' if location.path.startswith('^') and location.path.endswith('$') else '' }} {{ location.path }}
+    handle @{{ location.path }} {
+   {% else %}
+    handle {
+   {% endif %}
       {% for matcher in location.matchers %}
       {% if matcher.name != '' %}
         @{{ matcher.name }} {