fix: various fixes

2 years ago · ac4de942ba
parent 5ca943312c
commit ac4de942ba
39 changed files with 427 additions and 360 deletions
--- a/all.yml
+++ b/all.yml
@ -35,7 +35,7 @@
        role_deps: "{{ (([{ 'stage': 6, 'role': host_primary_role }] if role_dependency is not defined else [role_dependency]) +
                        ([role_dependency_common] if (role_dependency_no_common | d(false) == false) else []) +
                        ([{ 'stage': 1, 'role': 'container' }] if 'containers' in group_names else []) +
-                        ([{ 'stage': 3, 'role': 'postgres', 'function': 'integrate' }] if role_dependency_use_db | d(false) == true else [])
+                        ([{ 'stage': 3, 'role': 'postgres', 'tasks_from': 'integrate.yml' }] if role_use_database | d(false) == true else [])
                       ) | flatten(levels=1) | sort(attribute='stage') }}"
        selected_stages: "{%- if stage is defined and ((stage | string) is search(',')) -%}{{ stage | string | split(',') | list | map('int') | list }}\
                          {%- elif (stage is not defined) or ((stage | int) == 0) -%}{{ [1,2,3,4,5,6,7,8,9] }}\
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -1,7 +1,6 @@
 ansible_user: root
 ansible_dir: /etc/ansible
 ansible_key_dir: keys
 alpine_version: "3.17"
 mac_prefix: 02:FF
@ -39,6 +38,16 @@ role_dependency_common:
  - {stage: 2, role: 'common'}
  - {stage: 4, role: 'ns'}
  - {stage: 5, role: 'mail-user'}
  - {stage: 8, role: 'rproxy'}
  - {stage: 8, role: 'iptables'}
  - {stage: 9, role: 'backup', function: 'setup'}
 reverse_proxy_type: caddy
 acme_default_config:
  endpoint_prod: https://acme-v02.api.letsencrypt.org/directory
  endpoint_staging: https://acme-staging-v02.api.letsencrypt.org/directory
  staging: no
  resolver: 1.1.1.1
  renew_at_days: 45
  preferred_chain: 'ISRG Root X1'
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,3 @@
 - name: restart systemd daemons
  systemd:
    daemon_reload: yes
--- a/roles/acme-dns/defaults/main.yml
+++ b/roles/acme-dns/defaults/main.yml
@ -8,7 +8,6 @@ acme_dns_admin: "{{ maintainer_email | d('admin@' ~ (acme_tld | d(tld))) }}"
 acme_dns_api_port: 8080
 acme_dns_default_config:
  general:
    listen: ":53"
@ -34,7 +33,7 @@ acme_dns_default_config:
    tls: none
    use_header: no
-    notification_email: "{{ letsencrypt_email | d(maintainer_email) }}"
+    notification_email: "{{ maintainer_email }}"
    corsorigins:
      - "*"
--- a/roles/acme-dns/tasks/info.yml
+++ b/roles/acme-dns/tasks/info.yml
@ -0,0 +1,12 @@
 - name: set role information
  set_fact:
    role_dependency_index: 0
    role_hardware:
      cores: 2
      memory: 128
      swap: 64
      disk: 0.3
    role_use_reverse_proxy: yes
    role_use_database: yes
--- a/roles/acme-dns/tasks/main.yml
+++ b/roles/acme-dns/tasks/main.yml
@ -1,6 +1,7 @@
 - name: set acme_dns_cfg
  set_fact:
-    acme_dns_cfg: "{{ acme_dns_default_config | d({}) | combine(acme_dns_config | d({}), recursive=true) }}"
+    acme_dns_cfg: "{{ acme_dns_default_config | d({}) |
      combine(acme_dns_config | d({}), recursive=true) }}"
 - name: install dependencies
@ -27,7 +28,7 @@
      location: github
      assets: yes
      asset_filter: 'Linux_amd64.tar.gz$'
-      file: "{{ acme_dns_dir }}/last_version"
+      file: "{{ (acme_dns_dir, 'last_version') | path_join }}"
      extract: "{{ acme_dns_dir }}"
      user: "{{ acme_dns_user }}"
      group: "{{ acme_dns_group }}"
@ -36,7 +37,7 @@
 - name: delete unnecessary files
  file:
-    path: "{{ acme_dns_dir }}/{{ item }}"
+    path: "{{ (acme_dns_dir, item) | path_join }}"
    state: absent
  loop:
    - CHANGELOG.md
@ -47,7 +48,7 @@
 - name: template acme-dns config
  template:
    src: config.j2
-    dest: "{{ acme_dns_dir }}/config.cfg"
+    dest: "{{ (acme_dns_dir, 'config.cfg') | path_join }}"
    force: yes
    mode: 0400
    owner: "{{ acme_dns_user }}"
@ -63,45 +64,47 @@
    force: yes
    mode: "+x"
  notify: restart acme-dns
  when: ansible_distribution == 'Alpine'
 - name: ensure acme-dns binary has executable bit set
  file:
-    path: "{{ acme_dns_dir }}/acme-dns"
+    path: "{{ (acme_dns_dir, 'acme-dns') | path_join }}"
    mode: "+x"
 - name: add cap_net_bind_service to acme-dns executable
  community.general.capabilities:
-    path: "{{ acme_dns_dir }}/acme-dns"
+    path: "{{ (acme_dns_dir, 'acme-dns') | path_join }}"
    capability: cap_net_bind_service+ep
  changed_when: no
- name: set acme server address
+- name: flush handlers
-  set_fact:
+  meta: flush_handlers
    acme_server: "http://127.0.0.1:{{ acme_dns_api_port }}"
- name: install and configure nginx
+- name: add reverse proxy config
  include_role:
-    name: nginx
+    name: rproxy
    tasks_from: add.yml
  vars:
-    nginx:
+    rproxy_config:
-      servers:
+      port: "{{ acme_dns_api_port }}"
-        - conf: nginx_server
+      acme:
-      certs: "{{ host_tls }}"
+        server: "http://127.0.0.1:{{ acme_dns_api_port }}"
-
+      nginx: rproxy_nginx.j2
-
+      caddy_reverse_proxy_handlers:
- name: flush handlers
+        - handler: reverse_proxy
-  meta: flush_handlers
+          upstreams:
            - dial: "127.0.0.1:{{ acme_dns_api_port }}"
 - name: add directories to backup plan
  include_role:
    name: backup
    tasks_from: add.yml
  vars:
    function: add
    backup_items:
      - "{{ acme_dns_dir }}"
--- a/roles/acme-dns/templates/init.j2
+++ b/roles/acme-dns/templates/init.j2
@ -1,9 +1,9 @@
 #!/sbin/openrc-run
 name="$SVCNAME"
-command="{{ acme_dns_dir }}/$SVCNAME"
+command="{{ (acme_dns_dir, '$SVCNAME') | path_join }}"
 directory="{{ acme_dns_dir }}"
-command_user="{{ acme_dns_user }}:{{ acme_dns_group }}"
+command_user="{{ acme_dns_user ~ ':' ~ acme_dns_group }}"
 pidfile="/var/run/$SVCNAME.pid"
 command_background=true
 start_stop_daemon_args="--stdout-logger logger --stderr-logger logger"
@ -14,5 +14,5 @@ depend() {
 }
 start_pre() {
-        setcap 'cap_net_bind_service=+ep' {{ acme_dns_dir }}/$SVCNAME
+        setcap 'cap_net_bind_service=+ep' {{ (acme_dns_dir, '$SVCNAME') | path_join | quote }}
 }
--- a/roles/acme-dns/templates/rproxy_nginx.j2
+++ b/roles/acme-dns/templates/rproxy_nginx.j2
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@ -1,8 +1,35 @@
- name: add to backup plan
+- fail:
-  include_tasks: add.yml
+  when: function is defined
  when: function is defined and function == 'add'
- name: setup backups
+- name: notify that backups are not supported
-  include_tasks: setup.yml
+  debug:
-  when: function is defined and function == 'setup'
+    msg: backup host is missing, will not set up backups
  when: services.backup is not mapping
 - name: install restic with custom configuration
  block:
    - include_role:
        name: restic
      vars:
        backup: "{{ backup_cfg }}"
  when: services.backup is mapping and backup_cfg is mapping
 - name: install restic with default configuration
  block:
    - include_role:
        name: restic
      vars:
        backup:
          dirs: "{{ collected_backup_dirs }}"
          password: "{{ backup_password }}"
          tags: automated
          filter:
            - "*.log"
            - "node_modules"
            - ".npm"
  when: services.backup is mapping and backup_cfg is not defined and backup_password is defined
--- a/roles/backup/tasks/setup.yml
+++ b/roles/backup/tasks/setup.yml
@ -1,31 +0,0 @@
 - name: notify that backups are not supported
  debug:
    msg: backup host is missing, will not set up backups
  when: services.backup is not mapping
 - name: install restic with custom configuration
  block:
    - include_role:
        name: restic
      vars:
        backup: "{{ backup_cfg }}"
  when: services.backup is mapping and backup_cfg is mapping
 - name: install restic with default configuration
  block:
    - include_role:
        name: restic
      vars:
        backup:
          dirs: "{{ collected_backup_dirs }}"
          password: "{{ backup_password }}"
          tags: automated
          filter:
            - "*.log"
            - "node_modules"
            - ".npm"
  when: services.backup is mapping and backup_cfg is not defined and backup_password is defined
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@ -4,27 +4,15 @@ caddy_group: caddy
 caddy_conf_dir: /etc/caddy
 caddy_asset_dir: /opt/caddy-assets
 caddy_bin_dir: /usr/sbin
 caddy_cert_dir: /etc/caddy/certs
 caddy_xcaddy_dir: /opt/xcaddy
 caddy_acmedns_client_bin_dir: /opt/acme-client
 caddy_conf_file: "{{ (caddy_conf_dir, 'caddy.json') | path_join }}"
-caddy_default_plugins:
+caddy_default_plugins: []
  - github.com/caddy-dns/acmedns
 # hardcoded in acmedns_client and cannot be changed
 caddy_acmedns_client_dir: /etc/acmedns
 caddy_acmedns_client_file: /etc/acmedns/clientstorage.json
 caddy_use_lego: no
 caddy_lego_dir: /opt/lego
 caddy_lego_lastrun_file: "{{ (caddy_lego_dir, 'lastrun') | path_join }}"
 caddy_domains:
  - "{{ host_fqdn }}"
 caddy_acme_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
 caddy_default_config:
  admin:
    disabled: yes
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@ -2,8 +2,3 @@
  service:
    name: caddy
    state: restarted
 - name: reload systemd daemons
  systemd:
    daemon_reload: yes
--- a/roles/caddy/tasks/build_caddy.yml
+++ b/roles/caddy/tasks/build_caddy.yml
@ -36,7 +36,9 @@
    - name: install xcaddy
      package:
-        name: xcaddy
+        name:
          - xcaddy
          - golang
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
@ -78,12 +80,12 @@
        remote_src: yes
        mode: "+x"
  when: ansible_distribution == 'Alpine'
- name: install golang
+    - name: install golang
      package:
-    name: golang
+        name: go
  when: ansible_distribution == 'Alpine'
 - name: get latest caddy version
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@ -1,32 +1,24 @@
 - name: determine if custom caddy build should be used
  set_fact:
    caddy_custom_build: "{{ (((caddy_default_plugins | d([])) + (caddy_custom_plugins | d([]))) | length > 0) or (caddy_use_xcaddy | d(false) == true) }}"
    caddy_has_reverse_proxy: "{{ reverse_proxy_port is number or reverse_proxy_port is string }}"
- name: import vars for automatic caddy tls
+- name: import vars for unmanaged tls
  include_vars:
-    file: tls_caddy.yml
+    file: tls.yml
  when: not caddy_use_lego
 - name: import vars for lego tls
  include_vars:
    file: tls_lego.yml
  when: caddy_use_lego
 - name: import reverse proxy vars
  include_vars:
    file: reverse_proxy.yml
-  when: caddy_has_reverse_proxy
+  when: caddy_reverse_proxy_handlers is defined
 - name: set caddy_cfg
  set_fact:
    caddy_cfg: "{{ caddy_default_config | d({}) |
      combine(caddy_tls_config | d({}), recursive=true) |
-      combine(caddy_reverse_proxy_config | d({}), recursive=true) |
+      combine(caddy_reverse_proxy_config | d({}), recursive=true, list_merge='replace') |
      combine(caddy_config | d({}), recursive=true) }}"
@ -49,6 +41,7 @@
  loop:
    - "{{ caddy_conf_dir }}"
    - "{{ caddy_asset_dir }}"
    - "{{ caddy_cert_dir }}"
 - name: create caddy bin dir
@ -67,16 +60,6 @@
  when: not caddy_custom_build
 - name: setup acme-dns-client for auto-tls
  include_tasks: setup_acme_client.yml
  when: not caddy_use_lego
 - name: setup lego for unmanaged tls
  include_tasks: setup_lego.yml
  when: caddy_use_lego
 - name: template caddy config
  template:
    src: caddy.j2
@ -120,6 +103,19 @@
  notify: restart caddy
 - name: deploy certificates
  include_role:
    name: certs
  vars:
    certs:
      cert: "{{ (caddy_cert_dir, 'ecc384.crt') | path_join }}"
      key: "{{ (caddy_cert_dir, 'ecc384.key') | path_join }}"
      ecc: yes
      post_hook: service caddy restart
      owner: "{{ caddy_user }}"
      group: "{{ caddy_group }}"
 - name: flush handlers
  meta: flush_handlers
@ -132,6 +128,7 @@
    backup_items:
      - "{{ caddy_asset_dir }}"
      - "{{ caddy_conf_dir }}"
      - "{{ caddy_cert_dir }}"
 - name: enable and start caddy
--- a/roles/caddy/tasks/setup_lego.yml
+++ b/roles/caddy/tasks/setup_lego.yml
@ -1,158 +0,0 @@
 - name: determine host architecture
  include_tasks: tasks/get_host_arch.yml
 - name: create lego working dir
  file:
    path: "{{ caddy_lego_dir }}"
    state: directory
    mode: 0700
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"
 - name: get and extract latest lego version
  include_tasks: tasks/get_lastversion.yml
  vars:
    package:
      name: go-acme/lego
      location: github
      assets: yes
      asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"
      file: "{{ caddy_lego_dir }}/last_version"
      extract: "{{ caddy_lego_dir }}"
      user: "{{ caddy_user }}"
      group: "{{ caddy_group }}"
 - block:
    - name: remove unnecessary files
      file:
        path: "{{ (caddy_lego_dir, item) | path_join }}"
        state: absent
      loop:
        - LICENSE
        - CHANGELOG.md
  rescue:
    - meta: noop
 - name: set lego parameters
  set_fact:
    lego_params: "{{
      [
        ([] | zip_longest(caddy_domains | d([]) | select() | map('quote'), fillvalue='--domains ') | map('join') | list),
        '--server ' ~ (acme_endpoint | quote),
        '--accept-tos',
        '--email ' ~ (acme_email | quote),
        '--key-type ec384',
        '--path ' ~ (caddy_lego_dir | quote),
        '--dns acme-dns',
        '--dns.resolvers 9.9.9.9',
        '--dns.disable-cp'
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_renewal_params: "{{
      [
        (('--days ' ~ (acme_renewal_days | quote)) if acme_renewal_days is defined else ''),
        ('--reuse-key' if acme_reuse_key | d(false) == true else ''),
        ('--no-random-sleep' if acme_no_random_sleep | d(true) == true else '')
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_preferred_chain: "{{ '--preferred-chain ' ~ (acme_preferred_chain | quote) if acme_preferred_chain is defined else '' }}"
 - name: check if lastrun file exists
  stat:
    path: "{{ caddy_lego_lastrun_file }}"
    get_checksum: no
    get_mime: no
  register: result
 - name: set initial reissue value
  set_fact:
    lego_must_reissue: yes
    lego_full_command: "{{ (caddy_lego_dir, 'lego') | path_join }} {{ lego_params }} run {{ lego_preferred_chain }}"
    lego_renew_command: "{{ (caddy_lego_dir, 'lego') | path_join }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"
 - block:
    - name: get lastrun file contents
      slurp:
        path: "{{ caddy_lego_lastrun_file }}"
      register: file_content
      no_log: yes
    - name: set acme-dns-client domain fact
      set_fact:
        lego_must_reissue: "{{ (file_content.content | b64decode) != lego_full_command }}"
  when: result.stat.exists
 - block:
    - name: issue cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ caddy_lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_dns_server }}"
        ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') | path_join }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ caddy_user }}"
  when: lego_must_reissue
  rescue:
    - pause:
    - name: retry issuing cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ caddy_lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_dns_server }}"
        ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') | path_join }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ caddy_user }}"
 - block:
    - name: save data to lastrun file
      copy:
        content: "{{ lego_full_command }}"
        dest: "{{ caddy_lego_lastrun_file }}"
        remote_src: yes
    - name: defer caddy restart
      debug:
        msg: deferring caddy restart
      changed_when: yes
      notify: restart caddy
  when: lego_must_reissue
 - name: template systemd files
  template:
    src: "{{ item.src }}.j2"
    dest: "/etc/systemd/system/{{ item.dst }}"
    force: yes
    lstrip_blocks: yes
  loop:
    - { src: 'lego_systemd', dst: 'lego.service' }
    - { src: 'lego_timer', dst: 'lego.timer' }
  notify: reload systemd daemons
 - name: enable lego timer
  systemd:
    name: lego.timer
    state: started
    enabled: yes
 # TODO: restart script
--- a/roles/caddy/templates/init.j2
+++ b/roles/caddy/templates/init.j2
@ -4,7 +4,7 @@
 name="$SVCNAME"
 directory="{{ caddy_conf_dir }}"
-command=/usr/sbin/caddy
+command="{{ (caddy_bin_dir, 'caddy') | path_join }}"
 command_args="run --environ $caddy_opts"
 command_user="{{ caddy_user ~ ':' ~ caddy_group }}"
 pidfile="/var/run/$SVCNAME.pid"
--- a/roles/caddy/vars/reverse_proxy.yml
+++ b/roles/caddy/vars/reverse_proxy.yml
@ -1,3 +1,7 @@
 caddy_reverse_proxy_default_handler:
  - handler: static_response
    status_code: 404
 caddy_reverse_proxy_config:
  apps:
    http:
@ -7,7 +11,7 @@ caddy_reverse_proxy_config:
            - "tcp4/:443"
            - "tcp6/:443"
          automatic_https:
-            disable: "{{ caddy_use_lego }}"
+            disable: yes
          tls_connection_policies:
            - match:
                sni:
@ -17,11 +21,5 @@ caddy_reverse_proxy_config:
            - match:
                - host:
                    - "{{ host_fqdn }}"
-              handle:
+              handle: "{{ (caddy_reverse_proxy_handlers | d([])) + caddy_reverse_proxy_default_handler }}"
                - handler: subroute
                  routes:
                    - handle:
                      - handler: reverse_proxy
                        upstreams:
                          - dial: "127.0.0.1:{{ reverse_proxy_port }}"
              terminal: true
--- a/roles/caddy/vars/tls_lego.yml
+++ b/roles/caddy/vars/tls_lego.yml
@ -1,8 +1,8 @@
-caddy_unmanaged_tls_config:
+caddy_tls_config:
  apps:
    tls:
      certificates:
        load_files:
-          - certificate: "{{ (caddy_lego_dir, 'certificates', caddy_domains[0] ~ '.crt') | path_join }}"
+          - certificate: "{{ (caddy_cert_dir, 'certificates', caddy_domains[0] ~ '.crt') | path_join }}"
-            key: "{{ (caddy_lego_dir, 'certificates', caddy_domains[0] ~ '.key') | path_join }}"
+            key: "{{ (caddy_cert_dir, 'certificates', caddy_domains[0] ~ '.key') | path_join }}"
            tags: "{{ caddy_domains }}"
--- a/roles/caddy/vars/tls_caddy.yml
+++ b/roles/caddy/vars/tls_caddy.yml
@ -1,33 +0,0 @@
 caddy_auto_tls_config:
  apps:
    tls:
      automation:
        policies:
          - subjects: "{{ caddy_domains }}"
            issuers:
              - module: acme
                ca: "{{ caddy_acme_endpoint }}"
                email: "{{ maintainer_email | d(None) }}"
                acme_timeout: 5m
                challenges:
                  http:
                    disabled: yes
                  tls-alpn:
                    disabled: yes
                  dns:
                    resolvers:
                      - 1.1.1.1
                      - 8.8.8.8
                    provider:
                      name: acmedns
                      config_file_path: "{{ caddy_acmedns_client_file }}"
                    propagation_delay: 15s
                    propagation_timeout: -1
                preferred_chains:
                  root_common_name:
                    - ISRG Root X1
            must_staple: yes
            key_type: p384
        renew_interval: 1h
      certificates:
        automate: "{{ caddy_domains }}"
--- a/roles/certs/tasks/acme_dns.yml
+++ b/roles/certs/tasks/acme_dns.yml
@ -22,3 +22,4 @@
    acme_tld: "{{ combined.tld | d(None) }}"
    acme_fqdn: "{{ combined.fqdn | d(None) }}"
    acme_hosts: "{{ combined.hosts | d(None) }}"
    acme_server: "{{ combined.acme_server | d(None) }}"
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@ -1 +1,2 @@
 dropbear_dir: /etc/dropbear
 alpine_version: "3.17"
--- a/roles/container/tasks/preconf.yml
+++ b/roles/container/tasks/preconf.yml
@ -13,20 +13,11 @@
        - pct_command: rc-update add dropbear
          chg_substr: added to runlevel
-    - name: install dropbear-scp if this is not an ansible controller
+    - name: install openssh-sftp-server
      include_tasks: tasks/pct_command.yml
      vars:
        pct_command: apk add dropbear-scp
        chg_substr: Installing
      when: (inventory_hostname != 'ansible') and ((primary_role is not defined) or (primary_role != 'ansible'))
          and alpine_version is version('3.15', '<=')
    - name: install openssh-sftp-server due to openssh 9 scp deprecation
      include_tasks: tasks/pct_command.yml
      vars:
        pct_command: apk add openssh-sftp-server
        chg_substr: Installing
      when: alpine_version is version('3.16', '>=')
    - name: start dropbear
      include_tasks: tasks/pct_command.yml
@ -57,7 +48,6 @@
      vars:
        pct_command: "sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config"
    - name: start sshd
      include_tasks: tasks/pct_command.yml
      vars:
--- a/roles/coredns/tasks/install.yml
+++ b/roles/coredns/tasks/install.yml
--- a/roles/iptables/tasks/add.yml
+++ b/roles/iptables/tasks/add.yml
@ -0,0 +1,5 @@
 - name: collect firewall config
  set_fact:
    firewall_collected_configs: "{{ firewall_collected_configs | d([]) |
      combine(firewall_config, recursive=true, list_merge='append') }}"
  when: firewall_config is mapping
--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
@ -4,6 +4,7 @@
        firewall_cfg: "{{ firewall_default_config | d({}) |
          combine(firewall_ssh_config if (firewall_use_ssh | d(true) == true) else {}, recursive=true, list_merge='append') |
          combine(role_firewall_config | d({}), recursive=true, list_merge='append') |
          combine(firewall_collected_configs | d({}), recursive=true, list_merge='append') |
          combine(firewall | d({}), recursive=true, list_merge='append') }}"
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@ -0,0 +1,11 @@
 lego_dir: /opt/lego
 lego_lastrun_file: "{{ (lego_dir, 'lastrun') | path_join }}"
 lego_user: root
 lego_group: root
 # hardcoded in acmedns_client and cannot be changed
 lego_acmedns_client_dir: /etc/acmedns
 lego_acmedns_client_file: /etc/acmedns/clientstorage.json
 lego_acmedns_client_bin_dir: /opt/acme-client
--- a/roles/caddy/tasks/setup_acme_client.yml
+++ b/roles/caddy/tasks/setup_acme_client.yml
--- a/roles/lego/tasks/main.yml
+++ b/roles/lego/tasks/main.yml
@ -0,0 +1,174 @@
 - name: set acme_cfg
  set_fact:
    acme_cfg: "{{ acme_default_config | d({}) |
      combine(acme_config | d({}), recursive=true) }}"
 - name: determine host architecture
  include_tasks: tasks/get_host_arch.yml
 - name: create user and group
  include_tasks: tasks/create_user.yml
  vars:
    user:
      name: "{{ lego_user }}"
      group: "{{ lego_group }}"
      create_home: no
 - name: create lego working dir
  file:
    path: "{{ lego_dir }}"
    state: directory
    mode: 0700
 - name: get and extract latest lego version
  include_tasks: tasks/get_lastversion.yml
  vars:
    package:
      name: go-acme/lego
      location: github
      assets: yes
      asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"
      file: "{{ lego_dir }}/last_version"
      extract: "{{ lego_dir }}"
 - block:
    - name: remove unnecessary files
      file:
        path: "{{ (lego_dir, item) | path_join }}"
        state: absent
      loop:
        - LICENSE
        - CHANGELOG.md
  rescue:
    - meta: noop
 - name: set lego parameters
  set_fact:
    lego_params: "{{
      [
        ([] | zip_longest(acme_domains | d([]) | select() | map('quote'), fillvalue='--domains ') | map('join') | list),
        '--server ' ~ ((acme_cfg.endpoint_staging if acme_cfg.staging else acme_cfg.endpoint_prod) | quote),
        '--accept-tos',
        '--email ' ~ (acme_cfg.email | d(maintainer_email) | quote),
        '--key-type ec384',
        '--path ' ~ (lego_dir | quote),
        '--dns acme-dns',
        '--dns.resolvers ' ~ (acme_cfg.resolver | d('1.1.1.1') | quote),
        '--dns.disable-cp'
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_renewal_params: "{{
      [
        (('--days ' ~ (acme_cfg.renew_at_days | quote)) if acme_cfg.renew_at_days is defined else ''),
        ('--reuse-key' if acme_cfg.reuse_key | d(false) == true else ''),
        ('--no-random-sleep' if acme_cfg.no_random_sleep | d(true) == true else '')
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_preferred_chain: "{{ '--preferred-chain ' ~ (acme_cfg.preferred_chain | quote) if acme_cfg.preferred_chain is defined else '' }}"
 - name: check if lastrun file exists
  stat:
    path: "{{ lego_lastrun_file }}"
    get_checksum: no
    get_mime: no
  register: result
 - name: set initial reissue value
  set_fact:
    lego_must_reissue: yes
    lego_full_command: "{{ (lego_dir, 'lego') | path_join }} {{ lego_params }} run {{ lego_preferred_chain }}"
    lego_renew_command: "{{ (lego_dir, 'lego') | path_join }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"
 - block:
    - name: get lastrun file contents
      slurp:
        path: "{{ lego_lastrun_file }}"
      register: file_content
      no_log: yes
    - name: determine if cert should be reissued
      set_fact:
        lego_must_reissue: "{{ (file_content.content | b64decode) != lego_full_command }}"
  when: result.stat.exists
 - block:
    - name: issue cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_cfg.server }}"
        ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file | d((lego_dir, 'accounts.conf') | path_join) }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ lego_user }}"
  when: lego_must_reissue
  rescue:
    - pause:
      when: interactive | d(false) == true
    - name: retry issuing cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_cfg.server }}"
        ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file | d((lego_dir, 'accounts.conf') | path_join) }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ lego_user }}"
 - block:
    - name: save data to lastrun file
      copy:
        content: "{{ lego_full_command }}"
        dest: "{{ lego_lastrun_file }}"
        remote_src: yes
    - name: defer service restart
      debug:
        msg: deferring service restart
      changed_when: yes
      notify: "{{ lego_notify }}"
      when: lego_notify is defined
  when: lego_must_reissue
 - block:
    - name: template systemd files
      template:
        src: "{{ item.src }}.j2"
        dest: "{{ ('/etc/systemd/system', item.dst) | path_join }}"
        force: yes
        lstrip_blocks: yes
      loop:
        - { src: 'lego_systemd', dst: 'lego.service' }
        - { src: 'lego_timer', dst: 'lego.timer' }
      notify: reload systemd daemons
    - name: enable lego timer
      systemd:
        name: lego.timer
        state: started
        enabled: yes
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 # TODO: restart script
--- a/roles/caddy/tasks/register_acme_domain.yml
+++ b/roles/caddy/tasks/register_acme_domain.yml
@ -1,6 +1,6 @@
 - name: call acme-dns-client
  expect:
-    command: "./acme-dns-client register -d {{ domain | quote }} -s {{ acme_dns_server | quote }}"
+    command: "./acme-dns-client register -d {{ domain | quote }} -s {{ acme_dns_server_url | quote }}"
    chdir: "{{ caddy_acmedns_client_bin_dir }}"
    echo: yes
    responses:
@ -16,4 +16,4 @@
 - name: pause if acme-dns-client registered a new record
  pause:
-  when: result.changed
+  when: result.changed and (interactive | d(true) == true)
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -148,6 +148,7 @@
          notify: restart nginx
          stapling: "{{ nginx_cfg.must_staple | d(nginx_cfg.enable_stapling) | d(false) }}"
          hosts: "{{ nginx_cfg.domains | d(None) }}"
          acme_server: "{{ nginx_cfg.acme_server | d(None) }}"
        certs:
          - id: "{{ host_name ~ '-nginx-ecc' }}"
            cert: "{{ nginx_cfg.conf_dir }}/tls/{{ nginx_cfg.cert_ecc_name }}.crt"
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@ -1,10 +1,9 @@
 postgresql_user: postgres
 postgresql_group: postgres
-postgresql_data_dir: /db
+postgresql_data_dir: /opt/postgresql
 postgresql_conf_dir: /etc/postgresql
-postgresql_tls_dir: "{{ postgresql_conf_dir }}/tls"
+postgresql_tls_dir: "{{ (postgresql_conf_dir, 'tls') | path_join }}"
 postgresql_dhparam_file: dhparam.pem
 postgresql_db: []
@ -50,9 +49,9 @@ postgresql_default_config:
  log_timezone: "{{ timezone }}"
  timezone: "{{ timezone }}"
-  shared_buffers: "{{ ((hardware.memory | d(512) | int) * (1024/2)) | int }}kB"
+  shared_buffers: "{{ ((host_hardware.memory | d(512) | int) * (1024/2)) | int }}kB"
-  work_mem: "{{ ((hardware.memory | d(512) | int) * (1024/35)) | round(1, 'ceil') | int }}kB"
+  work_mem: "{{ ((host_hardware.memory | d(512) | int) * (1024/35)) | round(1, 'ceil') | int }}kB"
-  max_wal_size: "{{ ((hardware.disk | d(2) | float) * (1024 / 2)) | int }}MB"
+  max_wal_size: "{{ ((host_hardware.disk | d(2) | float) * (1024 / 2)) | int }}MB"
 postgresql_tls_config:
@ -61,7 +60,7 @@ postgresql_tls_config:
  ssl_prefer_server_ciphers: yes
  ssl_min_protocol_version: TLSv1.2
  ssl_ecdh_curve: secp384r1
-  ssl_ca_file: "{{ postgresql_tls_dir }}/root.crt"
+  ssl_ca_file: "{{ (postgresql_tls_dir, 'root.crt') | path_join }}"
-  ssl_cert_file: "{{ postgresql_tls_dir }}/ecc384.crt"
+  ssl_cert_file: "{{ (postgresql_tls_dir, 'ecc384.crt') | path_join }}"
-  ssl_key_file: "{{ postgresql_tls_dir }}/ecc384.key"
+  ssl_key_file: "{{ (postgresql_tls_dir, 'ecc384.key') | path_join }}"
-  ssl_dh_params_file: "{{ postgresql_tls_dir ~ '/' ~ postgresql_dhparam_file }}"
+  ssl_dh_params_file: "{{ (postgresql_tls_dir, 'dhparam.pem') | path_join }}"
--- a/roles/postgres/tasks/add_database.yml
+++ b/roles/postgres/tasks/add_database.yml
@ -56,7 +56,7 @@
 - name: add line to postgres hba
  community.postgresql.postgresql_pg_hba:
-    dest: "{{ postgresql_conf_dir }}/pg_hba.conf"
+    dest: "{{ (postgresql_conf_dir, 'pg_hba.conf') | path_join }}"
    contype: "{{ 'host' if (database.ssl | d(false) == false) else 'hostssl' }}"
    databases: "{{ database.name }}"
    users: "{{ database.user }}"
--- a/roles/postgres/tasks/install.yml
+++ b/roles/postgres/tasks/install.yml
@ -1,6 +1,7 @@
 - name: set pg_cfg
  set_fact:
-    pg_cfg: "{{ postgresql_default_config | d({}) | combine(postgresql_config | d({}), recursive=true) }}"
+    pg_cfg: "{{ postgresql_default_config | d({}) |
      combine(postgresql_config | d({}), recursive=true) }}"
 - name: install dependencies
@ -29,6 +30,18 @@
    group: "{{ postgresql_group }}"
 - block:
    - name: create data directory
      file:
        path: "{{ postgresql_data_dir }}"
        state: directory
        mode: 0700
        owner: "{{ postgresql_user }}"
        group: "{{ postgresql_group }}"
  rescue:
    - meta: noop
 - name: include custom config in default postgres config
  lineinfile:
    path: "{{ postgresql_conf_dir }}/postgresql.conf"
--- a/roles/postgres/tasks/integrate.yml
+++ b/roles/postgres/tasks/integrate.yml
@ -1,19 +1,16 @@
 - name: install postgres for self-hosted deployment
-  include_role:
+  include_tasks: install.yml
    name: postgres
  vars:
    function: install
  when: database_self_hosted | d(false) == true
 - name: add database
-  include_role:
+  include_tasks:
-    name: postgres
+    file: add_database.yml
    apply:
      delegate_to: "{{ inventory_hostname if (database_self_hosted | d(false) == true) else services.db.hostname }}"
  vars:
    function: add_database
    database:
      name: "{{ database_name }}"
      user: "{{ database_user }}"
      pass: "{{ database_pass }}"
      self_hosted: "{{ database_self_hosted | d(false) }}"
--- a/roles/rproxy/tasks/add.yml
+++ b/roles/rproxy/tasks/add.yml
@ -0,0 +1,5 @@
 - name: collect rproxy config
  set_fact:
    rproxy_collected_configs: "{{ (rproxy_collected_configs | d([])) +
                                 ([rproxy_config] if rproxy_config is mapping else rproxy_config) }}"
  when: rproxy_config is defined and ((rproxy_config | type_debug == 'list') or rproxy_config is mapping)
--- a/roles/rproxy/tasks/main.yml
+++ b/roles/rproxy/tasks/main.yml
@ -0,0 +1,41 @@
 - block:
    - name: fail if more than one reverse proxy config was collected
      fail:
        msg: more than one reverse proxy config was collected, this is not supported yet
      when: rproxy_collected_configs | length > 1
    - name: install nginx
      include_role:
        name: nginx
      vars:
        nginx:
          servers:
            - conf: rproxy_collected_configs[0].nginx
          certs: "{{ host_tls }}"
          acme_server: "{{ (rproxy_collected_configs[0].acme | d({}))['server'] | d(None) }}"
      when: reverse_proxy_type == 'nginx'
    - name: install caddy
      include_role:
        name: caddy
      vars:
        caddy_config: "{{ rproxy_collected_configs[0].caddy | d({}) }}"
        caddy_reverse_proxy_handlers: "{{ rproxy_collected_configs[0].caddy_reverse_proxy_handlers | d([]) }}"
      when: reverse_proxy_type == 'caddy'
    - name: add firewall entries
      include_role:
        name: iptables
        tasks_from: add.yml
      vars:
        firewall_config:
          filter:
            input:
              - { protocol: tcp, dst_port: [80, 443], action: accept }
              - { protocol: udp, dst_port: [80, 443], action: accept }
  when: rproxy_collected_configs is defined and rproxy_collected_configs | length > 0
    and role_use_reverse_proxy | d(true) == true
--- a/roles/vault/tasks/info.yml
+++ b/roles/vault/tasks/info.yml
@ -0,0 +1,12 @@
 - name: set role information
  set_fact:
    role_dependency_index: 2
    role_hardware:
      cores: 4
      memory: 128
      swap: 64
      disk: 1.2
    role_use_reverse_proxy: yes
    role_use_database: yes
--- a/roles/vault/tasks/main.yml
+++ b/roles/vault/tasks/main.yml
@ -76,8 +76,8 @@
 - name: move vaultwarden to vault dir
  copy:
-    src: "{{ (vault_extract_dir, 'output', 'valutwarden') | path_join }}"
+    src: "{{ (vault_extract_dir, 'output', 'vaultwarden') | path_join }}"
-    dest: "{{ (vault_dir, 'valutwarden') | path_join }}"
+    dest: "{{ (vault_dir, 'vaultwarden') | path_join }}"
    force: yes
    remote_src: yes
    owner: "{{ vault_user }}"
@ -94,7 +94,7 @@
 - name: ensure vaultwarden has executable bit set
  file:
-    path: "{{ (vault_dir, 'valutwarden') | path_join }}"
+    path: "{{ (vault_dir, 'vaultwarden') | path_join }}"
    mode: "+x"
@ -106,7 +106,7 @@
      location: github
      assets: yes
      asset_filter: '.tar.gz$'
-      file: "{{ vault_dir }}/last_version"
+      file: "{{ (vault_dir, 'last_version') | path_join }}"
      extract: "{{ vault_dir }}"
      user: "{{ vault_user }}"
      group: "{{ vault_group }}"
@ -132,6 +132,7 @@
    force: yes
    mode: "+x"
  notify: restart vaultwarden
  when: ansible_distribution == 'Alpine'
 - name: ensure correct ownership in vault dir
@ -145,20 +146,24 @@
  notify: restart vaultwarden
 - name: install and configure nginx
  include_role:
    name: nginx
  vars:
    nginx:
      servers:
        - conf: nginx_server
      certs: "{{ host_tls }}"
 - name: flush handlers
  meta: flush_handlers
 - name: add reverse proxy config
  include_role:
    name: rproxy
    tasks_from: add.yml
  vars:
    rproxy_config:
      port: "{{ vault_port }}"
      nginx: rproxy_nginx.j2
      caddy_reverse_proxy_handlers:
        - handler: reverse_proxy
          upstreams:
            - dial: "127.0.0.1:{{ vault_port }}"
 - name: add directories to backup plan
  include_role:
    name: backup
--- a/roles/vault/templates/rproxy_nginx.j2
+++ b/roles/vault/templates/rproxy_nginx.j2
`@ -1 +1,2 @@`
	`dropbear_dir: /etc/dropbear`	`dropbear_dir: /etc/dropbear`
		`alpine_version: "3.17"`