misc: misc

This commit is contained in:
jeltz 2024-05-19 13:59:17 +02:00
parent 1e1783fd59
commit 0782695471
Signed by: jeltz
GPG key ID: 800882B66C0C3326
7 changed files with 154 additions and 90 deletions


@ -90,6 +90,10 @@ firewall__zones:
addrs:
- 2a09:6840:128::98
- 10.128.0.98
nextcloud.adm:
addrs:
- 2a09:6840:128::58
- 10.128.0.58
dns.int:
addrs:
- 2a09:6840:206::1:1
@ -265,6 +269,11 @@ firewall__forward:
tcp:
dport: 3000
verdict: accept
- src: proxy.pub
dst: nextcloud.adm
protocols:
tcp:
dport: 8080
- src: proxy.pub
dst: adm-legacy
protocols:
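Review bot: The new forward rule from proxy.pub to nextcloud.adm (tcp dport 8080) has no `verdict: accept`, while the preceding rule in the same hunk ends with `verdict: accept` after its `dport: 3000`; unless the firewall role defaults the verdict to accept, the rule only defines a match and the proxy-to-Nextcloud traffic introduced in the caddy routes would still be dropped. Adding `verdict: accept` after `dport: 8080` makes the intent explicit either way. The next printed line is the start of the adm-legacy rule, so the verdict is not simply on a following line of this hunk.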


@ -269,6 +269,7 @@ knotd__zones:
- rss
- codimd
- hedgedoc
- grist
- kanboard
- www
- pad
@ -278,13 +279,16 @@ knotd__zones:
target: proxy-ovh
- name:
- grafana
- nextcloud
- cloud
target: proxy.pub.infra
- name:
- netbox
- wiki
- matrix
- drone
- gitea
- re2o
- nextcloud
- vote
- office
target: proxy
@ -364,23 +368,23 @@ knotd__zones:
- ns-2.auro.re.
hosts:
services-1.ceph:
- 10.132.1.1
- "2a09:6840:132:1:1::"
- 10.214.1.1
- "2a09:6840:214::1:1"
services-2.ceph:
- 10.132.1.2
- "2a09:6840:132:1:2::"
- 10.214.1.2
- "2a09:6840:214::1:2"
services-3.ceph:
- 10.132.1.3
- "2a09:6840:132:1:3::"
- 10.214.1.3
- "2a09:6840:209::1:3"
services-1.pve:
- 10.134.1.1
- 2a09:6840:132:1:1::1
- 10.209.2.1
- 2a09:6840:209::2:1
services-2.pve:
- 10.134.1.2
- 2a09:6840:132:1:2::1
- 10.209.2.2
- 2a09:6840:209::2:2
services-3.pve:
- 10.134.1.3
- 2a09:6840:132:1:3::1
- 10.209.2.3
- 2a09:6840:209::2:3
ns-master.int:
- 10.128.0.110
- 2a09:6840:128:0::110
@ -402,6 +406,9 @@ knotd__zones:
dns-2.int:
- 2a09:6840:206::1:2
- 10.206.1.2
nis2.int:
- 2a09:6840:206::2:1
- 10.206.2.1
wg-1.vpn:
- 2a09:6840:213::1:3
- 10.213.1.3
@ -486,8 +493,8 @@ knotd__zones:
mx.test:
- 2a09:6840:211::1:5
- 10.211.1.5
collabora.pub:
- 2a09:6840:128::220
collabora.ext:
#- 2a09:6840:128::220
- 10.128.0.220
proxy.pub:
- 2a09:6840:214::1:1
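Review bot: In the services hosts hunk, services-3.ceph is given `"2a09:6840:209::1:3"` while services-1.ceph and services-2.ceph get `"2a09:6840:214::1:1"` and `"2a09:6840:214::1:2"` next to their 10.214.1.x addresses; the 209 prefix is the one used by the services-*.pve entries, so this looks like a transposed prefix and should presumably be `"2a09:6840:214::1:3"`, assuming that line is the new side as printed. A wrong AAAA record here would silently steer IPv6 clients for services-3.ceph at the pve subnet. Separately, the renamed collabora.ext entry keeps its IPv6 address as the commented-out line `#- 2a09:6840:128::220`; either restore the record or delete the line rather than leaving dead data in the zone definition.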


@ -33,9 +33,53 @@ caddy__routes_https:
reverse:
- "[2a09:6840:128::198]:3000"
- 10.128.0.198:3000
grafana.auro.re:
reverse:
- "[2a09:6840:128::98]:3000"
- 10.128.0.98:3000
nextcloud.auro.re:
headers:
location: "https://cloud.auro.re{http.request.uri}"
status: 301
cloud.auro.re:
- path: /.well-known/carddav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/caldav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/webfinger
headers:
location: /index.php/.well-known/webfinger
status: 301
- path: /.well-known/nodeinfo
headers:
location: /index.php/.well-known/nodeinfo
status: 301
- path: /remote/*
rewrite: /remote.php
- path: /ocm-provider/*
rewrite: /index.php
- path: "*.mjs"
headers:
content-type: text/javascript
- reverse:
- "[2a09:6840:128::58]:8080"
- 10.128.0.58:8080
headers:
x-robots-tag: noindex, nofollow
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: "1; mode=block"
caddy__contact_email: tech.aurore@lists.crans.org
caddy__errors:
- root: /var/www
- root: "{{ caddy__error_dir }}"
- rewrite: /error.html
- file_server: true
templates: true
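Review bot: The cloud.auro.re reverse entry sets `x-xss-protection: "1; mode=block"`; current browsers ignore this header and the usual recommendation is `x-xss-protection: "0"`, since the legacy filter it enables has itself been a source of issues, so keep the old value only if Nextcloud's setup check still demands it. The header set also has no `strict-transport-security`; if HSTS is not applied globally elsewhere in the Caddy configuration, it belongs alongside these. Since the headers sit only on the final reverse entry, the preceding redirect entries respond without them, which is acceptable for redirects but worth a one-line comment so the omission reads as intentional.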

3
hosts

@ -4,8 +4,9 @@
mx.test.infra.auro.re
[vm_services]
collabora.pub.infra.auro.re
collabora.ext.infra.auro.re
proxy.pub.infra.auro.re
nis2.int.infra.auro.re
[aruba]
eb-1.acs.sw.infra.auro.re

7
playbooks/collabora.yml Executable file

@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- collabora.pub.infra.auro.re
roles:
- collabora
...
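Review bot: The new playbook targets `collabora.pub.infra.auro.re`, but the hosts inventory hunk in this same commit replaces `collabora.pub.infra.auro.re` with `collabora.ext.infra.auro.re` under `[vm_services]` (and the knotd zone entry is renamed the same way), so ansible-playbook would match no host unless the old name still exists in another inventory group. The hosts line should read `- collabora.ext.infra.auro.re`.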


@ -8,12 +8,22 @@ from pydantic import (
Field,
IPvAnyAddress,
ValidationError,
Extra,
parse_obj_as,
)
T = TypeVar("T")
class Context:
def __init__(self):
self._group = 0
def next_group(self):
self._group += 1
return self._group
def flatten_list(iterable: Iterable[Iterable[T]]) -> list[T]:
return list(itertools.chain.from_iterable(iterable))
@ -31,65 +41,96 @@ class AutoList(list[T], Generic[T]):
return [parse_obj_as(T, value)]
class BaseHandler(BaseModel):
class BaseHandler(BaseModel, extra=Extra.forbid):
headers: dict[str, str] = {}
strip_prefix: bool = False
path: str | None = None
def to_caddy(self):
raise StopIteration
def to_caddy_handlers(self):
yield {
"handler": "headers",
"response": {
"set": {k: [v] for k, v in self.headers.items()},
"deferred": True,
},
}
def to_caddy(self, ctx: Context):
if self.path is None:
return {"handle": [*self.to_caddy_handlers()]}
strip = []
if self.strip_prefix:
strip.append(
{
"handler": "rewrite",
"strip_path_prefix": self.path,
})
handler = {
"handler": "subroute",
"routes": [
{"handle": strip + [*self.to_caddy_handlers()]},
],
}
return {
"group": f"group{ctx.next_group()}",
"match": [{"path": [self.path]}],
"handle": [handler],
}
class FilesHandler(BaseHandler):
root: str
def to_caddy(self):
handler = {"handler": "vars", "root": self.root}
yield {"handle": [handler]}
def to_caddy_handlers(self):
yield from super().to_caddy_handlers()
yield {"handler": "vars", "root": self.root}
class StaticHandler(BaseHandler):
status: int | None = None
status: int
body: str | None = None
def to_caddy(self):
handler = {"handler": "static_response"}
if self.status is not None:
handler["status_code"] = self.status
def to_caddy_handlers(self):
yield from super().to_caddy_handlers()
handler = {
"handler": "static_response",
"status_code": self.status,
}
if self.body is not None:
handler["body"] = self.body
yield {"handle": [handler]}
yield handler
class ReverseHandler(BaseHandler):
reverse: AutoList[str]
def to_caddy(self):
handler = {
def to_caddy_handlers(self):
yield from super().to_caddy_handlers()
yield {
"handler": "reverse_proxy",
"upstreams": [{"dial": s} for s in self.reverse],
}
yield {"handle": [handler]}
class RewriteHandler(BaseHandler):
rewrite: str
def to_caddy(self):
handler = {"handler": "rewrite", "uri": self.rewrite}
yield {"handle": [handler]}
def to_caddy_handlers(self):
yield from super().to_caddy_handlers()
yield {"handler": "rewrite", "uri": self.rewrite}
class FileServerHandler(BaseHandler):
file_server: Literal[True]
templates: bool = False
def to_caddy(self):
handlers = [
{"handler": "templates"},
]
def to_caddy_handlers(self):
yield from super().to_caddy_handlers()
yield {"handler": "templates"}
if self.templates:
handlers.append({"handler": "file_server"})
yield {"handle": handlers}
yield {"handler": "file_server"}
Handler = (
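Review bot: FileServerHandler.to_caddy_handlers keeps the inverted condition of the code it replaces: the `templates` handler is yielded unconditionally and `file_server` only when `self.templates` is true, so a route with `file_server: true` and the default `templates: False` emits no file_server handler at all (the caddy routes hunk only works because that entry sets both flags). The guard belongs on the templates handler, with file_server always emitted: `if self.templates:` / `    yield {"handler": "templates"}` / `yield {"handler": "file_server"}`. BaseHandler.to_caddy_handlers also yields a `headers` handler even when `self.headers` is empty, whereas the removed handler_to_caddy only did so under `if handler.headers:`; wrapping that yield in `if self.headers:` avoids an empty `set: {}` handler on every route. This file section continues past the hunk, and route_to_caddy at the end of the page is cut off.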
@ -98,11 +139,13 @@ Handler = (
| RewriteHandler
| FileServerHandler
| StaticHandler
| BaseHandler
)
Routes = dict[str, AutoList[Handler]]
class Server(BaseModel):
class Server(BaseModel, extra=Extra.forbid):
listen: AutoList[str]
routes: Routes = {}
errors: AutoList[Handler] = {}
@ -111,59 +154,12 @@ class Server(BaseModel):
Config = dict[str, Server]
class Context:
def __init__(self):
self._group = 0
def next_group(self):
self._group += 1
return self._group
def strip_path_prefix(prefix: str) -> Any:
return {
"handler": "rewrite",
"strip_path_prefix": prefix,
}
def handler_to_caddy(handler: Handler, ctx: Context) -> Any:
def to_caddy_inner():
if handler.headers:
handlers = [
{
"handler": "headers",
"response": {"set": {name: [value]}},
}
for name, value in handler.headers.items()
]
yield {"handle": handlers}
yield from handler.to_caddy()
if handler.path is None:
yield from to_caddy_inner()
else:
yield {
"group": f"group{ctx.next_group()}",
"match": [{"path": [handler.path]}],
"handle": [
{
"handler": "subroute",
"routes": [
{"handle": [strip_path_prefix(handler.path)]},
*to_caddy_inner(),
],
}
],
}
def route_to_caddy(
host: str | None, handlers: list[Handler], ctx: Context
) -> Any:
handler = {
"handler": "subroute",
"routes": flatten_list(handler_to_caddy(h, ctx) for h in handlers),
"routes": [h.to_caddy(ctx) for h in handlers],
}
route = {"handle": [handler], "terminal": True}
if host is not None: