diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 5b6d714..114990b 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -25,6 +25,16 @@ backup_scripts_directory: "/root/backup"
backup_files_scripts_directory: "{{ backup_scripts_directory }}/files"
backup_mysql_database_scripts_directory: "{{ backup_scripts_directory }}/mysql_databases"
+# Enabling "debug mode" allows deploying an debug / transitional instance besides another with the same base configuration
+# The debug instance is reachable by using the same domain but prefixed with global_dns_debug_prefix
+# Prevents overwriting of original's instance DNS config until debug mode is disabled
+# If debug mode is disabled, the compatibility to the "debug domain" will be lost and the original's instance DNS config will be overwritten
+# Other variables will need to be adjusted if both instances run on the same server
+is_debug_instance: no
+delete_debug_dns_entries: "{{ not is_debug_instance }}"
+debug_domain: "_transfer.{{ domain }}" # used if is_debug_instance / on "debug mode", should only prefix domain
+effective_domain: "{{ is_debug_instance | ternary(debug_domain, domain) }}"
+
global_local_user: "{{ lookup('env', 'USER') }}"
global_deployment_directory: "/ansible"
diff --git a/roles/acme/certificate/defaults/main.yml b/roles/acme/certificate/defaults/main.yml
index 979c6c6..d440cf5 100644
--- a/roles/acme/certificate/defaults/main.yml
+++ b/roles/acme/certificate/defaults/main.yml
@@ -3,11 +3,12 @@
# at least one of domain or domains is required
domain: "{{ domains[0] }}"
domains:
- "{{ domain }}"
+ - "{{ effective_domain }}"
+# effective_domain from all/vars.yml
acme_must_staple: yes
-certificate_name: "{{ domain }}"
+certificate_name: "{{ effective_domain }}"
# acme_validation_root_directory from nginx/application
diff --git a/roles/dns/entries/defaults/main.yml b/roles/dns/entries/defaults/main.yml
index e76a04e..3228943 100644
--- a/roles/dns/entries/defaults/main.yml
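Review bot: The hard-coded `_transfer.` label in `debug_domain` yields a name containing an underscore, which public CAs following the CA/B Forum Baseline Requirements (Let's Encrypt included) refuse to place in a certificate SAN, so ACME issuance for `effective_domain` in debug mode is likely to fail; underscores are also not permitted in hostnames by RFC 1123, and the same value is fed to nginx `server_name` and the Minecraft SRV target elsewhere in this commit. The comment above says the prefix comes from `global_dns_debug_prefix`, but no such variable is defined here, so either define it with an underscore-free label, e.g. `global_dns_debug_prefix: transfer` and `debug_domain: "{{ global_dns_debug_prefix }}.{{ domain }}"`, or drop the reference from the comment. Separately, `is_debug_instance` is consumed by `ternary` and `not`, which test plain truthiness; an override passed as `-e is_debug_instance=false` arrives as a non-empty string and would switch debug mode on, so cast first, `effective_domain: "{{ (is_debug_instance | bool) | ternary(debug_domain, domain) }}"` (likewise for `delete_debug_dns_entries`), and write the default as `false` rather than the YAML 1.1 `no`.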
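Review bot: `domains` now defaults to `[effective_domain]` while `domain` still defaults to `domains[0]`, so a caller that passes only `domains` (allowed by the comment two lines up) never gets the debug prefix applied to its SANs, yet `certificate_name` is `effective_domain` and the nginx `server_name` templates in this commit also use `effective_domain`; in debug mode that produces a certificate named and served as `_transfer.<domain>` whose SANs are the unprefixed names, i.e. a TLS name mismatch. Either apply the prefix across the whole list, or state the constraint on the default, e.g. `# in debug mode only 'domain' may be set; 'domains' must stay at this default so every SAN carries the debug prefix`. I cannot see the callers, so whether any of them passes `domains` directly is inferred.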
+++ b/roles/dns/entries/defaults/main.yml
@@ -1,6 +1,9 @@
---
# domain (of service running)
+# debug_domain from all/vars.yml
+# effective_domain from all/vars.yml
+
dns_zone_domain: "{{ lookup('pipe', global_public_key_directory|quote + '/dns_zone.py ' + domain|quote) }}" # domain of dns zone
dns_system_domain: "{{ lookup('file', global_dns_list_directory + '/' + dns_zone_domain) }}" # domain of dns authority server
diff --git a/roles/dns/entries/tasks/main.yml b/roles/dns/entries/tasks/main.yml
index 1da5ea9..f0a0a99 100644
--- a/roles/dns/entries/tasks/main.yml
+++ b/roles/dns/entries/tasks/main.yml
@@ -8,6 +8,27 @@
tags:
- dns_entries
+- name: Disable debug mode entries
+ nsupdate:
+ state: absent
+ server: "127.0.0.1" # delegated to correct system
+ key_algorithm: "{{ tsig_key.key_algorithm }}"
+ key_name: "{{ tsig_key.key_name }}"
+ key_secret: "{{ tsig_key.key_secret }}"
+ zone: "{{ dns_zone_domain }}"
+ record: "{{ item.domain | default('@') | domain_relative_to(debug_domain) }}"
+ ttl: "{{ item.ttl | default(ttl_default) }}"
+ type: "{{ item.type }}"
+ value: "{{ item.data }}"
+ loop: "{{ entries | dns_entries_interpreter }}"
+ loop_control:
+ label: "{{ item.domain | default('@') | domain_relative_to(debug_domain) }} {{ item.type }}"
+ delegate_to: "{{ dns_system_domain }}"
+ when:
+ - delete_debug_dns_entries
+ tags:
+ - dns_entries
+
- name: Apply changes in DNS records
nsupdate:
server: "127.0.0.1" # delegated to correct system
diff --git a/roles/nginx/forward/templates/forward.conf b/roles/nginx/forward/templates/forward.conf
index 465c173..5bc928b 100644
--- a/roles/nginx/forward/templates/forward.conf
+++ b/roles/nginx/forward/templates/forward.conf
@@ -1,7 +1,7 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name {{ domain }};
+ server_name {{ effective_domain }};
ssl on;
ssl_certificate {{ acme_fullchain_location }};
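Review bot: The teardown task passes `value: "{{ item.data }}"` and `ttl` although its state is `absent`, so what gets deleted depends on whether the nsupdate module honours `value` on removal; if it does, the data rendered here is the non-debug rendering (the task only runs when `delete_debug_dns_entries` is true, i.e. `is_debug_instance` is false), and any record whose data embedded `effective_domain` — the Minecraft SRV target later in this commit is one — was published ending in `_transfer.<domain>.` but is looked up as `<domain>.`, leaving the stale record pointing at the transitional host. Dropping `value` and `ttl` from this task removes the whole RRset for `record`/`type` and makes the intent explicit regardless of module version. Since it runs on every non-debug deploy and issues TSIG-signed deletes against the live zone, the task deserves a comment, e.g. `# runs on every non-debug deploy: removes any leftover records under debug_domain from the production zone`.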
diff --git a/roles/nginx/mail_proxy/templates/mail_proxy.conf b/roles/nginx/mail_proxy/templates/mail_proxy.conf
index 6aa6f25..fcb18e3 100644
--- a/roles/nginx/mail_proxy/templates/mail_proxy.conf
+++ b/roles/nginx/mail_proxy/templates/mail_proxy.conf
@@ -3,7 +3,7 @@ server {
protocol {{ protocol }};
proxy_pass {{ backend }};
- server_name {{ domain }};
+ server_name {{ effective_domain }};
proxy_pass_error_message on;
diff --git a/roles/nginx/php/templates/server.conf b/roles/nginx/php/templates/server.conf
index 6af95b9..79baedc 100644
--- a/roles/nginx/php/templates/server.conf
+++ b/roles/nginx/php/templates/server.conf
@@ -1,7 +1,7 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name {{ domain }};
+ server_name {{ effective_domain }};
ssl on;
ssl_certificate {{ acme_fullchain_location }};
diff --git a/roles/nginx/server/defaults/main.yml b/roles/nginx/server/defaults/main.yml
index 27ef33e..c3f06f6 100644
--- a/roles/nginx/server/defaults/main.yml
+++ b/roles/nginx/server/defaults/main.yml
@@ -8,7 +8,7 @@ listen_directives: |
listen [::]:443 ssl http2;
server_name_directives: |
- server_name {{ domain }};
+ server_name {{ effective_domain }};
certificates_directives: |
ssl_certificate {{ acme_fullchain_location }};
diff --git a/roles/nginx/static/templates/static.conf b/roles/nginx/static/templates/static.conf
index ec89685..d5c2ac4 100644
--- a/roles/nginx/static/templates/static.conf
+++ b/roles/nginx/static/templates/static.conf
@@ -1,7 +1,7 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
- server_name {{ domain }};
+ server_name {{ effective_domain }};
ssl on;
ssl_certificate {{ acme_fullchain_location }};
diff --git a/roles/server/firefox-sync/templates/syncserver.ini b/roles/server/firefox-sync/templates/syncserver.ini
index 74530d7..a9bf290 100644
--- a/roles/server/firefox-sync/templates/syncserver.ini
+++ b/roles/server/firefox-sync/templates/syncserver.ini
@@ -9,7 +9,7 @@ use = egg:syncserver
[syncserver]
# This must be edited to point to the public URL of your server,
# i.e. the URL as seen by Firefox.
-public_url = https://{{ domain }}/
+public_url = https://{{ effective_domain }}/
# By default, syncserver will accept identity assertions issued by
# any BrowserID issuer. The line below restricts it to accept assertions
diff --git a/roles/server/gitea/templates/app.ini b/roles/server/gitea/templates/app.ini
index eed1d17..f4c6ce7 100644
--- a/roles/server/gitea/templates/app.ini
+++ b/roles/server/gitea/templates/app.ini
@@ -128,7 +128,7 @@ FILE_EXTENSIONS = {{ ( gitea_markdown_file_extensions + gitea_markdown_file_exte
[server]
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
PROTOCOL = unix
-DOMAIN = {{ domain }}
+DOMAIN = {{ effective_domain }}
ROOT_URL = https://%(DOMAIN)s/
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = {{ gitea_socket_path }}
diff --git a/roles/server/linx/templates/config.ini b/roles/server/linx/templates/config.ini
index 5893384..e00eb17 100644
--- a/roles/server/linx/templates/config.ini
+++ b/roles/server/linx/templates/config.ini
@@ -1,6 +1,6 @@
bind = 127.0.0.1:{{ bind_port }}
sitename = {{ site_name }}
-siteurl = https://{{ domain }}/
+siteurl = https://{{ effective_domain }}/
selifpath = {{ selif_path }}
maxsize = {{ max_size }}
maxexpiry = {{ max_expiry }}
diff --git a/roles/server/linx/templates/upload.sh b/roles/server/linx/templates/upload.sh
index ec16f79..cd73e06 100644
--- a/roles/server/linx/templates/upload.sh
+++ b/roles/server/linx/templates/upload.sh
@@ -7,4 +7,4 @@ if [[ -z "${1:-}" ]]; then
exit 2;
fi
-curl -H "Linx-Api-Key: {{ auth_code }}" -H "Linx-Delete-Key: {{ auth_code }}" -T "$1" https://{{ domain }}/upload/;
+curl -H "Linx-Api-Key: {{ auth_code }}" -H "Linx-Delete-Key: {{ auth_code }}" -T "$1" https://{{ effective_domain }}/upload/;
diff --git a/roles/server/minecraft/meta/main.yml b/roles/server/minecraft/meta/main.yml
index 193ac0d..b46f5da 100644
--- a/roles/server/minecraft/meta/main.yml
+++ b/roles/server/minecraft/meta/main.yml
@@ -8,7 +8,7 @@ dependencies:
custom_entries:
- domain: "_minecraft._tcp"
type: SRV
- data: "10 10 {{ minecraft_port }} {{ domain }}."
+ data: "10 10 {{ minecraft_port }} {{ effective_domain }}."
- role: misc/system_user
# system_user
# user_directory
diff --git a/roles/server/nextcloud/defaults/main.yml b/roles/server/nextcloud/defaults/main.yml
index 7df9c77..e754372 100644
--- a/roles/server/nextcloud/defaults/main.yml
+++ b/roles/server/nextcloud/defaults/main.yml
@@ -35,9 +35,9 @@ nextcloud_admin_pass: "{{ lookup('password', 'credentials/' + inventory_hostname
import_config:
system:
# domain
- "overwrite.cli.url": "{{ domain }}"
+ "overwrite.cli.url": "{{ effective_domain }}"
trusted_domains:
- - "{{ domain }}"
+ - "{{ effective_domain }}"
# database
dbtype: mysql
dbhost: localhost
diff --git a/roles/server/node/templates/service.env b/roles/server/node/templates/service.env
index 6e01d95..e51e512 100644
--- a/roles/server/node/templates/service.env
+++ b/roles/server/node/templates/service.env
@@ -2,7 +2,7 @@ USER={{ system_user }}
HOME={{ user_directory }}
NODE_ENV=production
PORT={{ bind_port }}
-DOMAIN={{ domain }}
+DOMAIN={{ effective_domain }}
DATABASE_HOST=127.0.0.1
DATABASE_PORT=3306
DATABASE_USERNAME={{ database_user }}
diff --git a/roles/server/tt-rss/templates/config.php b/roles/server/tt-rss/templates/config.php
index f1ceba2..f969c8e 100755
--- a/roles/server/tt-rss/templates/config.php
+++ b/roles/server/tt-rss/templates/config.php
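Review bot: `overwrite.cli.url` is rendered as a bare hostname, but Nextcloud documents that setting as a full URL with scheme and trailing slash; the other URL-typed settings touched in this commit (`siteurl`, `public_url`, `SELF_URL_PATH`) all render `https://{{ effective_domain }}/`, so this line should follow suit: `"overwrite.cli.url": "https://{{ effective_domain }}/"`. The defect predates the change, but the line is rewritten here and, if I read the Nextcloud docs right, the value is used verbatim as the base for links generated from occ, so a scheme-less value produces malformed links. `trusted_domains` correctly stays a bare hostname.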
@@ -18,7 +18,7 @@
// *** Basic settings (important!) ***
// ***********************************
- define('SELF_URL_PATH', 'https://{{ domain }}/');
+ define('SELF_URL_PATH', 'https://{{ effective_domain }}/');
// This should be set to a fully qualified URL used to access
// your tt-rss instance over the net.
// The value should be a constant string literal. Please don't use