Store reverse proxy data in proxy host vars

2020-11-04 22:38:54 +01:00 · 2020-11-04 22:38:54 +01:00 · f9b7e052b9
commit f9b7e052b9
parent 61f78f5bd3
5 changed files with 102 additions and 43 deletions
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,4 +1,3 @@
---
 $ANSIBLE_VAULT;1.1;AES256
 61333538366635353537346231363235653162356330396434383631656465616330363136306563
 3861333166386536633437386335613461646466346239360a643139303037613937373631313661
--- a/host_vars/proxy-local.adm.auro.re.yml
+++ b/host_vars/proxy-local.adm.auro.re.yml
@ -0,0 +1,42 @@
+---
+certbot:
+  domains:
+    - bbb.auro.re
+    - drone.auro.re
+    - gitea.auro.re
+    - intranet.auro.re
+    - nextcloud.auro.re
+    - re2o.auro.re
+    - re2o-server.auro.re
+    - re2o-test.auro.re
+
+  dns_rfc2136_name: certbot_challenge.
+  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+  dns_masters_ipv4:
+    - "92.222.211.196"
+
+nginx:
+  ssl:
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  redirect_sites: {}
+
+  reverseproxy_sites:
+    - from: re2o.auro.re
+      to: 10.128.0.10
+    - from: intranet.auro.re
+      to: 10.128.0.10
+
+    - from: drone.auro.re
+      to: "10.128.0.64:8000"
+
+    - from: re2o-test.auro.re
+      to: 10.128.0.100
--- a/host_vars/proxy.adm.auro.re.yml
+++ b/host_vars/proxy.adm.auro.re.yml
@ -0,0 +1,58 @@
+---
+certbot:
+  domains:
+    - auro.re
+    - cas.auro.re
+    - codimd.auro.re
+    - grafana.auro.re
+    - pad.auro.re
+    - passbolt.auro.re
+    - phabricator.auro.re
+    - privatebin.auro.re
+    - riot.auro.re
+    - sharelatex.auro.re
+    - wiki.auro.re
+    - www.auro.re
+  dns_rfc2136_name: certbot_challenge.
+  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+  dns_masters_ipv4:
+    - "92.222.211.196"
+
+nginx:
+  ssl:
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+  redirect_dnames:
+    - aurores.net
+    - fede-aurore.net
+
+  redirect_sites:
+    - from: auro.re
+      to: www.auro.re
+
+  reverseproxy_sites:
+    - from: phabricator.auro.re
+      to: 10.128.0.50
+
+    - from: wiki.auro.re
+      to: 10.128.0.51
+
+    - from: www.auro.re
+      to: 10.128.0.52
+
+    - from: riot.auro.re
+      to: "10.128.0.150:8080"
+    - from: codimd.auro.re
+      to: "10.128.0.150:8081"
+    - from: grafana.auro.re
+      to: "10.128.0.150:8082"
+    - from: privatebin.auro.re
+      to: "10.128.0.150:8083"
+    - from: pad.auro.re
+      to: "10.128.0.150:8084"
+    - from: cas.auro.re
+      to: "10.128.0.150:8085"
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@ -1,7 +1,7 @@
 # {{ ansible_managed }}

 # Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config wildcard.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/aurore.ini certonly

 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@ -22,4 +22,4 @@ dns-rfc2136-propagation-seconds = 30

 # Wildcard the domain
 cert-name = {{ certbot.certname }}
-domains = {{ certbot.domains }}
+domains = {{ ", ".join(certbot.domains) }}
--- a/services_web.yml
+++ b/services_web.yml
@ -12,46 +12,6 @@

 # Deploy reverse proxy
 - hosts: proxy*.adm.auro.re
-  vars:
-    certbot:
-      dns_rfc2136_name: certbot_challenge.
-      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
-      mail: tech.aurore@lists.crans.org
-      certname: auro.re
-      domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
-      dns_masters_ipv4:
-        - "92.222.211.196"
-    nginx:
-      ssl:
-        cert: /etc/letsencrypt/live/auro.re/fullchain.pem
-        cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
-        trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
-      redirect_dnames:
-        - aurores.net
-        - fede-aurore.net
-
-      reverseproxy_sites:
-        - {from: re2o.auro.re, to: 10.128.0.10}
-        - {from: intranet.auro.re, to: 10.128.0.10}
-
-        - {from: phabricator.auro.re, to: 10.128.0.50}
-        - {from: wiki.auro.re, to: 10.128.0.51}
-        - {from: www.auro.re, to: 10.128.0.52}
-
-        - {from: drone.auro.re, to: "10.128.0.64:8000"}
-
-        - {from: re2o-test.auro.re, to: 10.128.0.100}
-
-        - {from: riot.auro.re, to: "10.128.0.150:8080"}
-        - {from: codimd.auro.re, to: "10.128.0.150:8081"}
-        - {from: grafana.auro.re, to: "10.128.0.150:8082"}
-        - {from: privatebin.auro.re, to: "10.128.0.150:8083"}
-        - {from: pad.auro.re, to: "10.128.0.150:8084"}
-        - {from: cas.auro.re, to: "10.128.0.150:8085"}
-
-      redirect_sites:
-        - {from: auro.re, to: www.auro.re}
  roles:
    - certbot
    - nginx_reverseproxy