Setting `reverse_proxy_proxy_protocol: true` and
`nginx_proxy_protocol: true` in nginx roles enable the forwarding of
the original connection address from the reverse_proxy to the target
nginx instance, using the established TCP PROXY PROTOCOL (adding a TCP
header, so working also for TLS connections that are not terminated at
the reverse proxy).
**Warning**
The `reverse_proxy_proxy_protocol` settings acts globally on the
reverse proxy nodes, so every virtual server on the reverse proxy must
accept and correctly handle proxy protocol headers.
This settings must be the same for every host sharing the same reverse
proxy, otherwise the setting will be changed globally at every run.
commont task to create lxc vm in separete file `prepare_lxc_host`,
avoid redundancy of statements in each vm-specific playbook file.
Playbooks updated to import `prepare_lxc_host`:
- ldap
- matrix
- nextcloud
- projects
- status
- Coherent quotation style
Single quotes for text variable (even if implicit), no quotes for
variable and conditional statements, if not required.
- Some useful tags added:
* ssh_certs
renewal of server SSH certificates and configuration of authorized
CA.
* tls_pub
renewal of public TLS certificates (let's encrypt) and certbot
configuration.
* tls_int
renewal of internal TLS certificates (service authorizations) and
configuration of authorized internal CA.
*(ToDo: deployment of Certificate Revokation Lists)*
* lxc
deployment of new containers (deployment of configuration file
excluded, for instance change in ip address are always applied and
trigger a container restart even if you skip this tag.
* packages
installation and upgrade of software packages (apt, opkg or
tarballs)
* service_password
create new random password for services-only password, for routine
rotation. Not meant to be skipped (some roles need to know the
service password, so they do a rotation).
- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab
- x509_subject_prefix
- x509_ldap_suffix
*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
Used in roles/certbot and roles/gitlab
- root_ca_cert
*Replaces:* ssl_ca_cert and files/lilik_x1.crt
New defaults:
- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
*Replaces:* fqdn_domain
Removed:
- fqdn_dmain
- x509_suffix
*Replaced by:* x509_ldap_suffix in common
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
*Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
Now which *host* is hosting a specific container is not defined in the
playbook yaml file but centrally in the invetory under the
`ansible_lxc_host` variable.
The `lxc_guest` role is runned directly against the guest, even if it
doesn't exist yet, and lxc tasks are delegated to the lxc-running
physical host.
In this way it should be easier to scale-up and configure multiple
istance of a service on different containers without changing the
playbook.
Look at `/ldap.yaml` for a commented example.
`lxc-ssh.py` removed.
All Playbbooks now user `ssh_lxc` connection.
`ansible_ssh_lxc_name` variable used to specify container name.
Tested and worked correctly with `python==3.8.2` and `ansible==2.9.6` on the
controller and `python==2.7` on the target.