lilik_playbook

967 KiB

Tree: 43291bb572

Author	SHA1	Message	Date
Zolfa	1b3f7b8592	roles/reverse_proxy: proxy_protocol and random fix	5 years ago
Zolfa	c99cb8a9d5	reverse_proxy: use PROXY PROTOCOL Original Client IP is correctly passed to upstream nginx instances (nginx role or gitlab). Affected roles: - reverse_proxy: Pass PROXY PROTOCOL by default to all upstream server. May cause problem with upstream server unable to understand PROXY PROTOCOL. We should put a nginx proxy in front in that case. - nginx: Expect PROXY PROTOCOL for all incoming TLS connection on nginx clients. Warning: now you can access local server only passing by the firewall reverse proxy, not directly. - gitlab: Built-in nginx instance configured to expect PROXY PROTOCOL for tls incoming connections.	5 years ago
Zolfa	5631ae6a15	style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. (ToDo: deployment of Certificate Revokation Lists) * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix Replaces: x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert Replaces: ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain \| default: `${domain}` - server_fqdn \| default: `${hostname}.dmz.${domain}` Replaces: fqdn_domain Removed: - fqdn_dmain - x509_suffix Replaced by: x509_ldap_suffix in common New defaults: - server_fqdn \| default: `${hostname}.${domain}` Replaces: fqdn - ldap_domain \| default: `${domain}` - ldap_server \| default: `ldap1.dmz.${domain}` - ldap_basedn \| default: `dn(${ldap_domain})` - enable_https \| default: `true` New defaults: - server_fqdn \| default: `${hostname}.${domain}`	5 years ago
Andrea Cimbalo	1a647f799b	role reverse_proxy: notify reload on all changes	6 years ago
Edoardo Putti	83a49ba79c	take public ip instead of hardcoded	7 years ago
Andrea Cimbalo	0d01033f9d	fix hosts	7 years ago
Andrea Cimbalo	b63bda9ba9	reverse_proxy: ensure nginx will read additional configuration, add handler to reload nginx configuration	8 years ago
Edoardo Putti	e8e25e89c9	change host from gandalf2 to reverse_proxy	8 years ago
Edoardo Putti	cf365e645d	draft for the reverse proxy role This role split the reverse proxy configuration in three files per host. Every file belong to a different directory that is created on the reverse proxy we use (nginx).	8 years ago
Edoardo Putti	eba153f8b1	draft for a role to provide reverse proxy with SNI	8 years ago

10 Commits (43291bb5725ca7ebe536b6d9e6deaec1aa491e2c)