Added debug mode with support for all roles

4 years ago · fcb1ed71b6
parent 027e5cec0b
commit fcb1ed71b6
17 changed files with 51 additions and 16 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -25,6 +25,16 @@ backup_scripts_directory: "/root/backup"
 backup_files_scripts_directory: "{{ backup_scripts_directory }}/files"
 backup_mysql_database_scripts_directory: "{{ backup_scripts_directory }}/mysql_databases"

+# Enabling "debug mode" allows deploying an debug / transitional instance besides another with the same base configuration
+# The debug instance is reachable by using the same domain but prefixed with global_dns_debug_prefix
+# Prevents overwriting of original's instance DNS config until debug mode is disabled
+# If debug mode is disabled, the compatibility to the "debug domain" will be lost and the original's instance DNS config will be overwritten
+# Other variables will need to be adjusted if both instances run on the same server
+is_debug_instance: no
+delete_debug_dns_entries: "{{ not is_debug_instance }}"
+debug_domain: "_transfer.{{ domain }}" # used if is_debug_instance / on "debug mode", should only prefix domain
+effective_domain: "{{ is_debug_instance | ternary(debug_domain, domain) }}"
+
 global_local_user: "{{ lookup('env', 'USER') }}"

 global_deployment_directory: "/ansible"
--- a/roles/acme/certificate/defaults/main.yml
+++ b/roles/acme/certificate/defaults/main.yml
@ -3,11 +3,12 @@
 # at least one of domain or domains is required
 domain: "{{ domains[0] }}"
 domains:
-  - "{{ domain }}"
+  - "{{ effective_domain }}"
+# effective_domain from all/vars.yml

 acme_must_staple: yes

-certificate_name: "{{ domain }}"
+certificate_name: "{{ effective_domain }}"

 # acme_validation_root_directory from nginx/application

--- a/roles/dns/entries/defaults/main.yml
+++ b/roles/dns/entries/defaults/main.yml
@ -1,6 +1,9 @@
 ---

 # domain (of service running)
+# debug_domain from all/vars.yml
+# effective_domain from all/vars.yml
+
 dns_zone_domain: "{{ lookup('pipe', global_public_key_directory|quote + '/dns_zone.py ' + domain|quote) }}" # domain of dns zone
 dns_system_domain: "{{ lookup('file', global_dns_list_directory + '/' + dns_zone_domain) }}" # domain of dns authority server

--- a/roles/dns/entries/tasks/main.yml
+++ b/roles/dns/entries/tasks/main.yml
@ -8,6 +8,27 @@
  tags:
    - dns_entries

+- name: Disable debug mode entries
+  nsupdate:
+    state: absent
+    server: "127.0.0.1" # delegated to correct system
+    key_algorithm: "{{ tsig_key.key_algorithm }}"
+    key_name: "{{ tsig_key.key_name }}"
+    key_secret: "{{ tsig_key.key_secret }}"
+    zone: "{{ dns_zone_domain }}"
+    record: "{{ item.domain | default('@') | domain_relative_to(debug_domain) }}"
+    ttl: "{{ item.ttl | default(ttl_default) }}"
+    type: "{{ item.type }}"
+    value: "{{ item.data }}"
+  loop: "{{ entries | dns_entries_interpreter }}"
+  loop_control:
+    label: "{{ item.domain | default('@') | domain_relative_to(debug_domain) }} {{ item.type }}"
+  delegate_to: "{{ dns_system_domain }}"
+  when:
+    - delete_debug_dns_entries
+  tags:
+    - dns_entries
+
 - name: Apply changes in DNS records
  nsupdate:
    server: "127.0.0.1" # delegated to correct system
--- a/roles/nginx/forward/templates/forward.conf
+++ b/roles/nginx/forward/templates/forward.conf
@ -1,7 +1,7 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  server_name {{ domain }};
+  server_name {{ effective_domain }};

  ssl on;
  ssl_certificate {{ acme_fullchain_location }};
--- a/roles/nginx/mail_proxy/templates/mail_proxy.conf
+++ b/roles/nginx/mail_proxy/templates/mail_proxy.conf
@ -3,7 +3,7 @@ server {
  protocol {{ protocol }};
  proxy_pass {{ backend }};

-  server_name {{ domain }};
+  server_name {{ effective_domain }};

  proxy_pass_error_message on;

--- a/roles/nginx/php/templates/server.conf
+++ b/roles/nginx/php/templates/server.conf
@ -1,7 +1,7 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  server_name {{ domain }};
+  server_name {{ effective_domain }};

  ssl on;
  ssl_certificate {{ acme_fullchain_location }};
--- a/roles/nginx/server/defaults/main.yml
+++ b/roles/nginx/server/defaults/main.yml
@ -8,7 +8,7 @@ listen_directives: |
  listen [::]:443 ssl http2;

 server_name_directives: |
-  server_name {{ domain }};
+  server_name {{ effective_domain }};

 certificates_directives: |
  ssl_certificate {{ acme_fullchain_location }};
--- a/roles/nginx/static/templates/static.conf
+++ b/roles/nginx/static/templates/static.conf
@ -1,7 +1,7 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  server_name {{ domain }};
+  server_name {{ effective_domain }};

  ssl on;
  ssl_certificate {{ acme_fullchain_location }};
--- a/roles/server/firefox-sync/templates/syncserver.ini
+++ b/roles/server/firefox-sync/templates/syncserver.ini
@ -9,7 +9,7 @@ use = egg:syncserver
 [syncserver]
 # This must be edited to point to the public URL of your server,
 # i.e. the URL as seen by Firefox.
-public_url = https://{{ domain }}/
+public_url = https://{{ effective_domain }}/

 # By default, syncserver will accept identity assertions issued by
 # any BrowserID issuer.  The line below restricts it to accept assertions
--- a/roles/server/gitea/templates/app.ini
+++ b/roles/server/gitea/templates/app.ini
@ -128,7 +128,7 @@ FILE_EXTENSIONS = {{ ( gitea_markdown_file_extensions + gitea_markdown_file_exte
 [server]
 ; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
 PROTOCOL = unix
-DOMAIN = {{ domain }}
+DOMAIN = {{ effective_domain }}
 ROOT_URL = https://%(DOMAIN)s/
 ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
 HTTP_ADDR = {{ gitea_socket_path }}
--- a/roles/server/linx/templates/config.ini
+++ b/roles/server/linx/templates/config.ini
@ -1,6 +1,6 @@
 bind = 127.0.0.1:{{ bind_port }}
 sitename = {{ site_name }}
-siteurl = https://{{ domain }}/
+siteurl = https://{{ effective_domain }}/
 selifpath = {{ selif_path }}
 maxsize = {{ max_size }}
 maxexpiry = {{ max_expiry }}
--- a/roles/server/linx/templates/upload.sh
+++ b/roles/server/linx/templates/upload.sh
@ -7,4 +7,4 @@ if [[ -z "${1:-}" ]]; then
  exit 2;
 fi

-curl -H "Linx-Api-Key: {{ auth_code }}" -H "Linx-Delete-Key: {{ auth_code }}" -T "$1" https://{{ domain }}/upload/;
+curl -H "Linx-Api-Key: {{ auth_code }}" -H "Linx-Delete-Key: {{ auth_code }}" -T "$1" https://{{ effective_domain }}/upload/;
--- a/roles/server/minecraft/meta/main.yml
+++ b/roles/server/minecraft/meta/main.yml
@ -8,7 +8,7 @@ dependencies:
    custom_entries:
      - domain: "_minecraft._tcp"
        type: SRV
-        data: "10 10 {{ minecraft_port }} {{ domain }}."
+        data: "10 10 {{ minecraft_port }} {{ effective_domain }}."
  - role: misc/system_user
    # system_user
    # user_directory
--- a/roles/server/nextcloud/defaults/main.yml
+++ b/roles/server/nextcloud/defaults/main.yml
@ -35,9 +35,9 @@ nextcloud_admin_pass: "{{ lookup('password', 'credentials/' + inventory_hostname
 import_config:
  system:
    # domain
-    "overwrite.cli.url": "{{ domain }}"
+    "overwrite.cli.url": "{{ effective_domain }}"
    trusted_domains:
-      - "{{ domain }}"
+      - "{{ effective_domain }}"
    # database
    dbtype: mysql
    dbhost: localhost
--- a/roles/server/node/templates/service.env
+++ b/roles/server/node/templates/service.env
@ -2,7 +2,7 @@ USER={{ system_user }}
 HOME={{ user_directory }}
 NODE_ENV=production
 PORT={{ bind_port }}
-DOMAIN={{ domain }}
+DOMAIN={{ effective_domain }}
 DATABASE_HOST=127.0.0.1
 DATABASE_PORT=3306
 DATABASE_USERNAME={{ database_user }}
--- a/roles/server/tt-rss/templates/config.php
+++ b/roles/server/tt-rss/templates/config.php
@ -18,7 +18,7 @@
 	// *** Basic settings (important!) ***
 	// ***********************************

-	define('SELF_URL_PATH', 'https://{{ domain }}/');
+	define('SELF_URL_PATH', 'https://{{ effective_domain }}/');
 	// This should be set to a fully qualified URL used to access
 	// your tt-rss instance over the net.
 	// The value should be a constant string literal. Please don't use