
Merge branch 'drybjed-no-domain-from-hostname'

drybjed committed Aug 10, 2019
2 parents 600cbd4 + f4b6025 commit ccf991dec7dff3c279de394c6e1ea73427348e30
Showing with 106 additions and 63 deletions.
  1. +11 −0 CHANGELOG.rst
  2. +3 −0 ansible/playbooks/service/lxc.yml
  3. +1 −1 ansible/roles/debops-contrib.foodsoft/defaults/main.yml
  4. +1 −1 ansible/roles/debops-contrib.homeassistant/defaults/main.yml
  5. +1 −1 ansible/roles/debops-contrib.volkszaehler/defaults/main.yml
  6. +1 −1 ansible/roles/debops.apache/defaults/main.yml
  7. +1 −1 ansible/roles/debops.core/defaults/main.yml
  8. +1 −1 ansible/roles/debops.dhcp_probe/defaults/main.yml
  9. +22 −2 ansible/roles/debops.dnsmasq/defaults/main.yml
  10. +1 −1 ansible/roles/debops.docker_registry/defaults/main.yml
  11. +1 −1 ansible/roles/debops.elasticsearch/defaults/main.yml
  12. +1 −1 ansible/roles/debops.etc_aliases/defaults/main.yml
  13. +1 −1 ansible/roles/debops.gitlab/defaults/main.yml
  14. +1 −1 ansible/roles/debops.gitlab_runner/defaults/main.yml
  15. +1 −1 ansible/roles/debops.icinga/defaults/main.yml
  16. +1 −1 ansible/roles/debops.icinga_web/defaults/main.yml
  17. +2 −1 ansible/roles/debops.keyring/tasks/main.yml
  18. +1 −1 ansible/roles/debops.kibana/defaults/main.yml
  19. +1 −1 ansible/roles/debops.ldap/defaults/main.yml
  20. +1 −1 ansible/roles/debops.librenms/defaults/main.yml
  21. +19 −19 ansible/roles/debops.lxc/defaults/main.yml
  22. +1 −1 ansible/roles/debops.lxc/templates/etc/default/lxc-net.j2
  23. +5 −5 ansible/roles/debops.lxc/templates/etc/lxc/lxc-net-dnsmasq.conf.j2
  24. +1 −1 ansible/roles/debops.mailman/defaults/main.yml
  25. +1 −1 ansible/roles/debops.monit/defaults/main.yml
  26. +1 −1 ansible/roles/debops.mosquitto/defaults/main.yml
  27. +1 −1 ansible/roles/debops.netbox/defaults/main.yml
  28. +1 −1 ansible/roles/debops.nginx/defaults/main.yml
  29. +1 −1 ansible/roles/debops.nullmailer/defaults/main.yml
  30. +1 −1 ansible/roles/debops.opendkim/defaults/main.yml
  31. +1 −1 ansible/roles/debops.owncloud/defaults/main.yml
  32. +1 −1 ansible/roles/debops.postfix/defaults/main.yml
  33. +1 −1 ansible/roles/debops.prosody/defaults/main.yml
  34. +1 −1 ansible/roles/debops.rabbitmq_management/defaults/main.yml
  35. +1 −1 ansible/roles/debops.redis_sentinel/defaults/main.yml
  36. +1 −1 ansible/roles/debops.redis_server/defaults/main.yml
  37. +1 −1 ansible/roles/debops.rstudio_server/defaults/main.yml
  38. +1 −1 ansible/roles/debops.rsyslog/defaults/main.yml
  39. +1 −1 ansible/roles/debops.secret/defaults/main.yml
  40. +1 −1 ansible/roles/debops.slapd/defaults/main.yml
  41. +2 −2 ansible/roles/debops.sshd/defaults/main.yml
  42. +8 −0 docs/news/upgrades.rst
@@ -199,6 +199,12 @@ General
- The DebOps documentation generator now supports Ansible roles with multiple
:file:`defaults/main/*.yml` files.

- Various DebOps roles will no longer use the hostname as a stand-in for an
empty DNS domain when no DNS domain is detected - this resulted in the
"standalone" hosts without a DNS domain to be misconfigured. Existing setups
with a DNS domain shouldn't be affected, but configuration of standalone
hosts that deploy webservices might require modifications.

User management
'''''''''''''''

@@ -308,6 +314,11 @@ User management
override to Debian Stretch and Ubuntu Xenial only. The containers correctly
shut down using ``SIGRTMIN+3`` signal on Debian Buster and beyond.

- The :envvar:`lxc__net_fqdn` variable will now define both the DNS domain for
the LXC containers as well as the DNS name of the ``lxcbr0`` interface. This
should ensure that both the LXC host and the containers see the same DNS
name for the same resource.

:ref:`debops.mariadb_server` role
'''''''''''''''''''''''''''''''''

@@ -10,6 +10,9 @@

roles:

- role: debops.root_account
tags: [ 'role::root_account', 'skip::root_account' ]

- role: debops.apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
@@ -80,7 +80,7 @@ foodsoft__fqdn: 'foodsoft.{{ foodsoft__domain }}'
foodsoft__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Database configuration [[[
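Review bot: With `foodsoft__domain` now resolving to an empty string on a host that has no DNS domain, the `foodsoft__fqdn` default visible in the hunk header (`'foodsoft.{{ foodsoft__domain }}'`) degrades to `foodsoft.`, a name with a trailing dot that then flows into the webserver and certificate configuration of a standalone host. Guarding the join the way this commit already does for `lxc__net_fqdn`, e.g. `foodsoft__fqdn: '{{ "foodsoft" + ("." + foodsoft__domain if foodsoft__domain|d() else "") }}'`, keeps such hosts usable instead of relying on the changelog's warning that they "might require modifications". The same pattern applies to the `homeassistant`, `volkszaehler`, `docker_registry`, `gitlab`, `icinga_web`, `kibana`, `librenms`, `mosquitto` and `netbox` defaults hunks, whose `*_fqdn` values are built identically; `nginx__hostname_domains` likewise becomes a list holding one empty string, which consumers of that list presumably do not expect.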
@@ -113,7 +113,7 @@ homeassistant__fqdn: 'ha.{{ homeassistant__domain }}'
homeassistant__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Reverse proxy configuration [[[
@@ -73,7 +73,7 @@ volkszaehler__fqdn: 'vz.{{ volkszaehler__domain }}'
volkszaehler__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Database configuration [[[
@@ -89,7 +89,7 @@ apache__fqdn: '{{ ansible_local.core.fqdn
apache__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: apache__config_path [[[
@@ -211,7 +211,7 @@ core__distribution_release: '{{ ansible_lsb.codename
#
# The default host domain which can be used by the other roles to configure
# network services.
core__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
core__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: core__fqdn [[[
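Review bot: The comment above `core__domain` still describes the value as "the default host domain which can be used by the other roles", but after this change it is an empty string whenever `ansible_domain` is empty, and that is presumably the value other roles read back through the `ansible_local.core.domain` fact. Add a sentence such as `# On hosts without a DNS domain this variable is empty; roles that derive FQDNs or DNS names from it must handle that case.` so the new contract is visible where the variable is defined. The `gitlab_runner__domain` and `mailman__domain` hunks make the same change with their comments likewise untouched and would benefit from the same sentence.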
@@ -123,7 +123,7 @@ dhcp_probe__options: ''
dhcp_probe__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: dhcp_probe__mail_from [[[
@@ -93,7 +93,7 @@ dnsmasq__hostname: '{{ ansible_hostname }}'
dnsmasq__base_domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: dnsmasq__base_domain_rebind_ok [[[
@@ -352,7 +352,10 @@ dnsmasq__default_configuration:
maintaining the leases.
option: 'rebind-domain-ok'
value: '{{ dnsmasq__base_domain }}'
state: '{{ "present" if dnsmasq__base_domain_rebind_ok|bool else "init" }}'
state: '{{ "present"
if (dnsmasq__base_domain_rebind_ok|bool and
dnsmasq__base_domain|d())
else "absent" }}'

- name: 'rebind-parent-domain-ok'
comment: |
@@ -363,6 +366,7 @@ dnsmasq__default_configuration:
value: '{{ dnsmasq__base_domain.split(".")[1:] | join(".") }}'
state: '{{ "present"
if (dnsmasq__base_domain_rebind_ok|bool and
dnsmasq__base_domain|d() and
(dnsmasq__base_domain.split(".") | length >= 4))
else "absent" }}'

@@ -408,6 +412,22 @@ dnsmasq__default_configuration:
ansible_local.lxc.net_address|d())
else "") }}'

# Create a separate 'lxc' host record that points to the 'lxcbr0'
# interface from the outside, if there's no external domain set.
- name: 'host-record'
value: '{{ (ansible_local.lxc.net_domain
if (ansible_local|d() and ansible_local.lxc|d() and
ansible_local.lxc.net_domain|d())
else "")
+ "," + (ansible_local.lxc.net_address
if (ansible_local|d() and ansible_local.lxc|d() and
ansible_local.lxc.net_address|d())
else "") }}'
state: '{{ "present"
if (ansible_local|d() and ansible_local.lxc|d() and
"." not in ansible_local.lxc.net_domain|d())
else "absent" }}'

- name: 'rev-server'
value: '{{ (ansible_local.lxc.net_subnet
if (ansible_local|d() and ansible_local.lxc|d() and
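Review bot: The `state` expression of the new `host-record` entry only checks that `ansible_local.lxc.net_domain|d()` contains no dot, so an LXC fact whose `net_domain` is empty or missing also evaluates to `present` and renders `host-record=,<address>` (or `host-record=,` when `net_address` is empty as well), a line dnsmasq is unlikely to accept. Require both facts to be non-empty in the same condition: `if (ansible_local|d() and ansible_local.lxc|d() and ansible_local.lxc.net_domain|d() and ansible_local.lxc.net_address|d() and "." not in ansible_local.lxc.net_domain)`. Whether an empty `net_domain` fact can actually occur depends on how debops.lxc writes that fact, which is not visible in this commit, so the guard is cheap insurance rather than a confirmed failure.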
@@ -178,7 +178,7 @@ docker_registry__fqdn: 'registry.{{ docker_registry__domain }}'
docker_registry__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: docker_registry__backend_port [[[
@@ -161,7 +161,7 @@ elasticsearch__transport_tcp_port: '9300'
elasticsearch__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: elasticsearch__cluster_name [[[
@@ -38,7 +38,7 @@ etc_aliases__admin_private_email: '{{ ansible_local.core.admin_private_email
etc_aliases__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Local mail aliases and their recipients [[[
@@ -126,7 +126,7 @@ gitlab__fqdn: 'code.{{ gitlab_domain }}'
gitlab_domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# APT packages [[[
@@ -123,7 +123,7 @@ gitlab_runner__concurrent: '{{ ansible_processor_vcpus
# .. envvar:: gitlab_runner__domain [[[
#
# The default domain used in different places of the role.
gitlab_runner__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
gitlab_runner__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: gitlab_runner__fqdn [[[
@@ -128,7 +128,7 @@ icinga__fqdn: '{{ ansible_local.core.fqdn
icinga__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: icinga__master_nodes [[[
@@ -70,7 +70,7 @@ icinga_web__fqdn: 'icinga.{{ icinga_web__domain }}'
icinga_web__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: icinga_web__node_fqdn [[[
@@ -93,6 +93,7 @@
- name: Gather information about existing UNIX accounts
getent:
database: 'passwd'
check_mode: False

# In some cases 'apt-key' command refuses to work complaining that it has to
# be run by root. This task should handle these cases gracefully.
@@ -128,7 +129,7 @@
become_user: '{{ item.user | d(keyring__dependent_gpg_user if keyring__dependent_gpg_user|d() else "root") }}'
loop: '{{ q("flattened", (keyring__dependent_gpg_keys)) }}'
register: keyring__register_gpg_key
until: keyring__register_gpg_key.rc == 0
until: keyring__register_gpg_key.rc|d(0) == 0
when: (keyring__enabled|bool and (item.id|d() or item is string) and
(item.user | d(keyring__dependent_gpg_user if keyring__dependent_gpg_user|d() else "root")) in getent_passwd.keys())
changed_when: '("Adding key..." in keyring__register_gpg_key.stdout_lines) or
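Review bot: `until: keyring__register_gpg_key.rc|d(0) == 0` treats any result without an `rc` key as success; that is presumably meant for items the extended `when` condition now skips, but it also ends the retry loop on a module error that reports no return code, so such failures get no further attempt. If the skipped case is the intent, expressing it directly preserves retries for real failures: `until: keyring__register_gpg_key is skipped or keyring__register_gpg_key.rc == 0`. The task's `name`, its module call and the rest of `changed_when` lie outside the hunk, so this reads only the loop and retry clauses.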
@@ -71,7 +71,7 @@ kibana__fqdn: 'kibana.{{ kibana__domain }}'
kibana__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: kibana__webserver_access_policy [[[
@@ -79,7 +79,7 @@ ldap__packages: []
ldap__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: ldap__servers_srv_rr [[[
@@ -61,7 +61,7 @@ librenms__fqdn: 'nms.{{ librenms__domain }}'
librenms__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: librenms__base_url [[[
@@ -147,30 +147,30 @@ lxc__net_dhcp_end: '-2'
# ]]]
# .. envvar:: lxc__net_domain [[[
#
# The DNS domain used for the internal LXC network. By default it is based on
# the LXC host domain.
# The DNS domain used as a base for the internal LXC network. By default it is
# based on the LXC host domain.
lxc__net_domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else ansible_domain }}'

# ]]]
# .. envvar:: lxc__net_fqdn [[[
#
# The FQDN of the internal LXC bridge / internal LXC gateway registered in the
# :command:`dnsmasq` service, as well as the DNS domain advertised to the LXC
# containers via DHCP. It can be seen for example in traceroutes.
#
# The :command:`resolvconf` service will be used to add or remove the LXC
# domain in the :file:`/etc/resolv.conf`; with local DNS resolver, for example
# :command:`dnsmasq`, configured on the LXC host the containers can then be
# accessed by their hostnames instead of the IP addresses.
lxc__net_domain: '{{ ansible_local.lxc.net_domain
if (ansible_local|d() and ansible_local.lxc|d() and
ansible_local.lxc.net_domain|d())
else ("lxc." + (ansible_local.core.domain
if (ansible_local|d() and
ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain
if ansible_domain
else ansible_hostname))) }}'

# ]]]
# .. envvar:: lxc__net_interface_fqdn [[[
#
# The DNS name of the internal LXC bridge / internal LXC gateway registered in
# the :command:`dnsmasq` service; it can be seen for example in traceroutes.
lxc__net_interface_fqdn: '{{ ansible_hostname }}.{{ lxc__net_domain }}'
lxc__net_fqdn: '{{ ansible_local.lxc.net_domain
if (ansible_local|d() and ansible_local.lxc|d() and
ansible_local.lxc.net_domain|d())
else ("lxc" + (("." + lxc__net_domain)
if lxc__net_domain|d()
else "")) }}'

# ]]]
# .. envvar:: lxc__net_dnsmasq_conf [[[
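Review bot: `lxc__net_interface_fqdn` disappears from the defaults (the old side of this hunk defines it) while `lxc__net_fqdn` takes over its job, but nothing keeps the old name resolvable, so an inventory override of `lxc__net_interface_fqdn` is now silently ignored rather than flagged. A one-release compatibility alias, `lxc__net_interface_fqdn: '{{ lxc__net_fqdn }}'` with a comment marking it deprecated, would make the migration visible, unless the upgrade notes added by this commit (not shown here) already name the removed variable. Separately, `lxc__net_fqdn` prefers the saved `ansible_local.lxc.net_domain` fact over the freshly computed `"lxc" + "." + lxc__net_domain`, so an existing host keeps its previously registered name until that fact is refreshed; if that is intended, the comment above the variable should say so, since the new `lxc__net_domain` no longer falls back to the hostname and the two values can now diverge on upgraded hosts.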
@@ -13,5 +13,5 @@ LXC_NETWORK="{{ lxc__net_address | ipaddr('subnet') }}"
LXC_DHCP_RANGE="{{ lxc__net_address | ipaddr(lxc__net_dhcp_start|int) | ipaddr('address') + ',' + lxc__net_address | ipaddr(lxc__net_dhcp_end|int) | ipaddr('address') }}"
LXC_DHCP_MAX="{{ (lxc__net_address | ipaddr('size'))|int - ((lxc__net_dhcp_start|int|abs) + (lxc__net_dhcp_end|int|abs)) }}"
LXC_DHCP_CONFILE="{{ lxc__net_dnsmasq_conf }}"
LXC_DOMAIN="{{ lxc__net_domain }}"
LXC_DOMAIN="{{ lxc__net_fqdn }}"
{% endif %}
@@ -7,15 +7,15 @@
dns-loop-detect

# Mark the LXC domain as local and generate PTR resource records automatically
domain = {{ lxc__net_domain + ',' + (lxc__net_address | ipaddr('subnet')) + (',local' if (lxc__net_address | ipaddr('prefix') in [ 8, 16, 24 ]) else '') }}
domain = {{ lxc__net_fqdn + ',' + (lxc__net_address | ipaddr('subnet')) + (',local' if (lxc__net_address | ipaddr('prefix') in [ 8, 16, 24 ]) else '') }}

# Set the FQDN name of the bridge interface in the DNS
interface-name = {{ lxc__net_interface_fqdn }},{{ lxc__net_bridge }}
{% if (lxc__net_domain.split('.') | length >= 3 and lxc__net_domain.split('.')[1:] | length >= 2) %}
interface-name = {{ lxc__net_fqdn }},{{ lxc__net_bridge }}
{% if (lxc__net_fqdn.split('.') | length >= 3 and lxc__net_fqdn.split('.')[1:] | length >= 2) %}

# Include the parent domain as searchable via resolvconf
dhcp-option = tag:{{ lxc__net_bridge }},option:domain-search,{{ lxc__net_domain }},{{ lxc__net_domain.split('.')[1:] | join('.') }}
dhcp-option = tag:{{ lxc__net_bridge }},option6:domain-search,{{ lxc__net_domain }},{{ lxc__net_domain.split('.')[1:] | join('.') }}
dhcp-option = tag:{{ lxc__net_bridge }},option:domain-search,{{ lxc__net_fqdn }},{{ lxc__net_fqdn.split('.')[1:] | join('.') }}
dhcp-option = tag:{{ lxc__net_bridge }},option6:domain-search,{{ lxc__net_fqdn }},{{ lxc__net_fqdn.split('.')[1:] | join('.') }}
{% endif %}
{% if not lxc__net_router|bool %}

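Review bot: The rewritten guard `{% if (lxc__net_fqdn.split('.') | length >= 3 and lxc__net_fqdn.split('.')[1:] | length >= 2) %}` carries a redundant second clause: a list of at least three labels always has at least two left after dropping the first, so `{% if lxc__net_fqdn.split('.') | length >= 3 %}` says the same thing and is easier to verify. The `domain-search` options inside the block only make sense when `lxc__net_fqdn` has the shape `lxc.<parent>` with a parent of at least two labels, which is exactly what the remaining clause expresses; a short comment stating that intent, `# Offer the parent domain as a search domain only when the LXC name sits below a real DNS domain`, would spare the next reader the arithmetic. The `{% if not lxc__net_router|bool %}` block that begins on the last context line continues outside the hunk.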
@@ -54,7 +54,7 @@ mailman__fqdn: '{{ ansible_fqdn }}'
# .. envvar:: mailman__domain [[[
#
# A DNS domain name of the host that manages the default mailing lists.
mailman__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
mailman__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: mailman__site_domain [[[
@@ -44,7 +44,7 @@ monit__fqdn: '{{ ansible_local.core.fqdn
monit__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: monit__check_interval [[[
@@ -176,7 +176,7 @@ mosquitto__fqdn: 'mqtt.{{ mosquitto__domain }}'
mosquitto__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: mosquitto__http_dir_path [[[
@@ -27,7 +27,7 @@ netbox__fqdn: [ 'dcim.{{ netbox__domain }}', 'ipam.{{ netbox__domain }}' ]
netbox__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# ]]]
@@ -707,7 +707,7 @@ nginx_acme_domain: 'acme.{{ ansible_domain }}'
nginx__hostname_domains: [ '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}' ]
else ansible_domain }}' ]

# ]]]
# .. envvar:: nginx_status [[[
