misc: misc

This commit is contained in:
jeltz 2024-05-19 13:59:17 +02:00
parent 1e1783fd59
commit 0782695471
Signed by: jeltz
GPG key ID: 800882B66C0C3326
7 changed files with 154 additions and 90 deletions


@ -90,6 +90,10 @@ firewall__zones:
addrs: addrs:
- 2a09:6840:128::98 - 2a09:6840:128::98
- 10.128.0.98 - 10.128.0.98
nextcloud.adm:
addrs:
- 2a09:6840:128::58
- 10.128.0.58
dns.int: dns.int:
addrs: addrs:
- 2a09:6840:206::1:1 - 2a09:6840:206::1:1
@ -265,6 +269,11 @@ firewall__forward:
tcp: tcp:
dport: 3000 dport: 3000
verdict: accept verdict: accept
- src: proxy.pub
dst: nextcloud.adm
protocols:
tcp:
dport: 8080
- src: proxy.pub - src: proxy.pub
dst: adm-legacy dst: adm-legacy
protocols: protocols:
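Review bot: The new forward rule from proxy.pub to nextcloud.adm on tcp 8080 has no `verdict:` line, while the sibling rule just above it ends with `verdict: accept`; unless the firewall role defaults to accept, the rule as written will not actually open the port. Adding `verdict: accept` after `dport: 8080` keeps it consistent with the neighbouring entries and makes the intent explicit. The enclosing firewall__forward list continues past the end of this hunk, so the following rule's protocols block is not visible here.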


@ -269,6 +269,7 @@ knotd__zones:
- rss - rss
- codimd - codimd
- hedgedoc - hedgedoc
- grist
- kanboard - kanboard
- www - www
- pad - pad
@ -278,13 +279,16 @@ knotd__zones:
target: proxy-ovh target: proxy-ovh
- name: - name:
- grafana - grafana
- nextcloud
- cloud
target: proxy.pub.infra
- name:
- netbox - netbox
- wiki - wiki
- matrix - matrix
- drone - drone
- gitea - gitea
- re2o - re2o
- nextcloud
- vote - vote
- office - office
target: proxy target: proxy
@ -364,23 +368,23 @@ knotd__zones:
- ns-2.auro.re. - ns-2.auro.re.
hosts: hosts:
services-1.ceph: services-1.ceph:
- 10.132.1.1 - 10.214.1.1
- "2a09:6840:132:1:1::" - "2a09:6840:214::1:1"
services-2.ceph: services-2.ceph:
- 10.132.1.2 - 10.214.1.2
- "2a09:6840:132:1:2::" - "2a09:6840:214::1:2"
services-3.ceph: services-3.ceph:
- 10.132.1.3 - 10.214.1.3
- "2a09:6840:132:1:3::" - "2a09:6840:209::1:3"
services-1.pve: services-1.pve:
- 10.134.1.1 - 10.209.2.1
- 2a09:6840:132:1:1::1 - 2a09:6840:209::2:1
services-2.pve: services-2.pve:
- 10.134.1.2 - 10.209.2.2
- 2a09:6840:132:1:2::1 - 2a09:6840:209::2:2
services-3.pve: services-3.pve:
- 10.134.1.3 - 10.209.2.3
- 2a09:6840:132:1:3::1 - 2a09:6840:209::2:3
ns-master.int: ns-master.int:
- 10.128.0.110 - 10.128.0.110
- 2a09:6840:128:0::110 - 2a09:6840:128:0::110
@ -402,6 +406,9 @@ knotd__zones:
dns-2.int: dns-2.int:
- 2a09:6840:206::1:2 - 2a09:6840:206::1:2
- 10.206.1.2 - 10.206.1.2
nis2.int:
- 2a09:6840:206::2:1
- 10.206.2.1
wg-1.vpn: wg-1.vpn:
- 2a09:6840:213::1:3 - 2a09:6840:213::1:3
- 10.213.1.3 - 10.213.1.3
@ -486,8 +493,8 @@ knotd__zones:
mx.test: mx.test:
- 2a09:6840:211::1:5 - 2a09:6840:211::1:5
- 10.211.1.5 - 10.211.1.5
collabora.pub: collabora.ext:
- 2a09:6840:128::220 #- 2a09:6840:128::220
- 10.128.0.220 - 10.128.0.220
proxy.pub: proxy.pub:
- 2a09:6840:214::1:1 - 2a09:6840:214::1:1
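Review bot: The IPv6 address for services-3.ceph, `2a09:6840:209::1:3`, does not match the `2a09:6840:214::1:x` prefix used by services-1.ceph and services-2.ceph, nor its own IPv4 `10.214.1.3`; it looks like a copy of the pve prefix and is probably meant to be `"2a09:6840:214::1:3"`. If that is a typo, the AAAA record for that ceph node would resolve into the pve range while its A record points into the ceph range. The commented-out AAAA for collabora.ext would also benefit from a one-line reason (e.g. `# IPv6 disabled until the host is renumbered`) so it is neither silently re-enabled nor left behind indefinitely. The hosts map continues past the end of this section.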


@ -33,9 +33,53 @@ caddy__routes_https:
reverse: reverse:
- "[2a09:6840:128::198]:3000" - "[2a09:6840:128::198]:3000"
- 10.128.0.198:3000 - 10.128.0.198:3000
grafana.auro.re:
reverse:
- "[2a09:6840:128::98]:3000"
- 10.128.0.98:3000
nextcloud.auro.re:
headers:
location: "https://cloud.auro.re{http.request.uri}"
status: 301
cloud.auro.re:
- path: /.well-known/carddav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/caldav
headers:
location: /remote.php/dav/
status: 301
- path: /.well-known/webfinger
headers:
location: /index.php/.well-known/webfinger
status: 301
- path: /.well-known/nodeinfo
headers:
location: /index.php/.well-known/nodeinfo
status: 301
- path: /remote/*
rewrite: /remote.php
- path: /ocm-provider/*
rewrite: /index.php
- path: "*.mjs"
headers:
content-type: text/javascript
- reverse:
- "[2a09:6840:128::58]:8080"
- 10.128.0.58:8080
headers:
x-robots-tag: noindex, nofollow
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: "1; mode=block"
caddy__contact_email: tech.aurore@lists.crans.org
caddy__errors: caddy__errors:
- root: /var/www - root: "{{ caddy__error_dir }}"
- rewrite: /error.html - rewrite: /error.html
- file_server: true - file_server: true
templates: true templates: true
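Review bot: The `x-xss-protection: "1; mode=block"` header on the cloud.auro.re reverse proxy enables a legacy browser XSS auditor that current guidance (OWASP, MDN) recommends disabling, because the auditor itself has been used to leak or block page content; `x-xss-protection: "0"` or dropping the header is the safer choice. The rest of the set (nosniff, SAMEORIGIN, no-referrer, noindex) is reasonable for a Nextcloud front end, though as far as the generator in this commit shows they are emitted as deferred response headers and therefore overwrite whatever the upstream sends. If `strict-transport-security` is not already set globally for this listener, it belongs in the same map.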

hosts

@ -4,8 +4,9 @@
mx.test.infra.auro.re mx.test.infra.auro.re
[vm_services] [vm_services]
collabora.pub.infra.auro.re collabora.ext.infra.auro.re
proxy.pub.infra.auro.re proxy.pub.infra.auro.re
nis2.int.infra.auro.re
[aruba] [aruba]
eb-1.acs.sw.infra.auro.re eb-1.acs.sw.infra.auro.re

playbooks/collabora.yml Executable file

@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
- hosts:
- collabora.pub.infra.auro.re
roles:
- collabora
...
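Review bot: The new playbook targets `collabora.pub.infra.auro.re`, but the hosts inventory in this same commit renames that entry to `collabora.ext.infra.auro.re`, so the play will match no host and silently do nothing. Change the entry to `- collabora.ext.infra.auro.re` (or target the inventory group and use a limit) so the playbook follows the rename.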


@ -8,12 +8,22 @@ from pydantic import (
Field, Field,
IPvAnyAddress, IPvAnyAddress,
ValidationError, ValidationError,
Extra,
parse_obj_as, parse_obj_as,
) )
T = TypeVar("T") T = TypeVar("T")
class Context:
def __init__(self):
self._group = 0
def next_group(self):
self._group += 1
return self._group
def flatten_list(iterable: Iterable[Iterable[T]]) -> list[T]: def flatten_list(iterable: Iterable[Iterable[T]]) -> list[T]:
return list(itertools.chain.from_iterable(iterable)) return list(itertools.chain.from_iterable(iterable))
@ -31,65 +41,96 @@ class AutoList(list[T], Generic[T]):
return [parse_obj_as(T, value)] return [parse_obj_as(T, value)]
class BaseHandler(BaseModel): class BaseHandler(BaseModel, extra=Extra.forbid):
headers: dict[str, str] = {} headers: dict[str, str] = {}
strip_prefix: bool = False
path: str | None = None path: str | None = None
def to_caddy(self): def to_caddy_handlers(self):
raise StopIteration yield {
"handler": "headers",
"response": {
"set": {k: [v] for k, v in self.headers.items()},
"deferred": True,
},
}
def to_caddy(self, ctx: Context):
if self.path is None:
return {"handle": [*self.to_caddy_handlers()]}
strip = []
if self.strip_prefix:
strip.append(
{
"handler": "rewrite",
"strip_path_prefix": self.path,
})
handler = {
"handler": "subroute",
"routes": [
{"handle": strip + [*self.to_caddy_handlers()]},
],
}
return {
"group": f"group{ctx.next_group()}",
"match": [{"path": [self.path]}],
"handle": [handler],
}
class FilesHandler(BaseHandler): class FilesHandler(BaseHandler):
root: str root: str
def to_caddy(self): def to_caddy_handlers(self):
handler = {"handler": "vars", "root": self.root} yield from super().to_caddy_handlers()
yield {"handle": [handler]} yield {"handler": "vars", "root": self.root}
class StaticHandler(BaseHandler): class StaticHandler(BaseHandler):
status: int | None = None status: int
body: str | None = None body: str | None = None
def to_caddy(self): def to_caddy_handlers(self):
handler = {"handler": "static_response"} yield from super().to_caddy_handlers()
if self.status is not None: handler = {
handler["status_code"] = self.status "handler": "static_response",
"status_code": self.status,
}
if self.body is not None: if self.body is not None:
handler["body"] = self.body handler["body"] = self.body
yield {"handle": [handler]} yield handler
class ReverseHandler(BaseHandler): class ReverseHandler(BaseHandler):
reverse: AutoList[str] reverse: AutoList[str]
def to_caddy(self): def to_caddy_handlers(self):
handler = { yield from super().to_caddy_handlers()
yield {
"handler": "reverse_proxy", "handler": "reverse_proxy",
"upstreams": [{"dial": s} for s in self.reverse], "upstreams": [{"dial": s} for s in self.reverse],
} }
yield {"handle": [handler]}
class RewriteHandler(BaseHandler): class RewriteHandler(BaseHandler):
rewrite: str rewrite: str
def to_caddy(self): def to_caddy_handlers(self):
handler = {"handler": "rewrite", "uri": self.rewrite} yield from super().to_caddy_handlers()
yield {"handle": [handler]} yield {"handler": "rewrite", "uri": self.rewrite}
class FileServerHandler(BaseHandler): class FileServerHandler(BaseHandler):
file_server: Literal[True] file_server: Literal[True]
templates: bool = False templates: bool = False
def to_caddy(self): def to_caddy_handlers(self):
handlers = [ yield from super().to_caddy_handlers()
{"handler": "templates"}, yield {"handler": "templates"}
]
if self.templates: if self.templates:
handlers.append({"handler": "file_server"}) yield {"handler": "file_server"}
yield {"handle": handlers}
Handler = ( Handler = (
@ -98,11 +139,13 @@ Handler = (
| RewriteHandler | RewriteHandler
| FileServerHandler | FileServerHandler
| StaticHandler | StaticHandler
| BaseHandler
) )
Routes = dict[str, AutoList[Handler]] Routes = dict[str, AutoList[Handler]]
class Server(BaseModel): class Server(BaseModel, extra=Extra.forbid):
listen: AutoList[str] listen: AutoList[str]
routes: Routes = {} routes: Routes = {}
errors: AutoList[Handler] = {} errors: AutoList[Handler] = {}
@ -111,59 +154,12 @@ class Server(BaseModel):
Config = dict[str, Server] Config = dict[str, Server]
class Context:
def __init__(self):
self._group = 0
def next_group(self):
self._group += 1
return self._group
def strip_path_prefix(prefix: str) -> Any:
return {
"handler": "rewrite",
"strip_path_prefix": prefix,
}
def handler_to_caddy(handler: Handler, ctx: Context) -> Any:
def to_caddy_inner():
if handler.headers:
handlers = [
{
"handler": "headers",
"response": {"set": {name: [value]}},
}
for name, value in handler.headers.items()
]
yield {"handle": handlers}
yield from handler.to_caddy()
if handler.path is None:
yield from to_caddy_inner()
else:
yield {
"group": f"group{ctx.next_group()}",
"match": [{"path": [handler.path]}],
"handle": [
{
"handler": "subroute",
"routes": [
{"handle": [strip_path_prefix(handler.path)]},
*to_caddy_inner(),
],
}
],
}
def route_to_caddy( def route_to_caddy(
host: str | None, handlers: list[Handler], ctx: Context host: str | None, handlers: list[Handler], ctx: Context
) -> Any: ) -> Any:
handler = { handler = {
"handler": "subroute", "handler": "subroute",
"routes": flatten_list(handler_to_caddy(h, ctx) for h in handlers), "routes": [h.to_caddy(ctx) for h in handlers],
} }
route = {"handle": [handler], "terminal": True} route = {"handle": [handler], "terminal": True}
if host is not None: if host is not None:
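Review bot: In FileServerHandler.to_caddy_handlers the condition looks inverted: the `templates` handler is emitted unconditionally while `file_server`, the field that selects this handler type (`file_server: Literal[True]`), is only emitted when `self.templates` is set, so a route with `file_server: true` and `templates` left at its default produces a templates middleware with nothing behind it to serve. The old code had the same shape, so the commit carries the bug over rather than introducing it. I would write `if self.templates:` / `    yield {"handler": "templates"}` / `yield {"handler": "file_server"}`, keeping templates ahead of file_server since Caddy applies it to the response of the handler that follows. Separately, BaseHandler.to_caddy_handlers now yields a `headers` handler even when `self.headers` is empty; an `if self.headers:` guard would keep the generated JSON minimal. route_to_caddy continues past the end of this section.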