ctucx.git: ansible-configs

My personal ansible roles and playbooks

commit 0a5babd692afa4e332357f90041542746a3be4ca
parent 8d2e009dab7b6a88ffd915b0090bca4fb388571f
Author: Leah (ctucx) <leah@ctu.cx>
Date: Mon, 16 Nov 2020 20:19:48 +0100

add frps
7 files changed, 72 insertions(+), 25 deletions(-)
diff --git a/config-files/awall/custom-services.json b/config-files/awall/custom-services.json
@@ -2,6 +2,9 @@
 	"service": {
 		"submissions": [
 			{ "proto": "tcp", "port": 465 }
+		],
+		"frps": [
+			{ "proto": "tcp", "port": 5050 }
 		]
 	}
 }
diff --git a/config-files/awall/frps.json b/config-files/awall/frps.json
@@ -0,0 +1,13 @@
+{
+  "description": "Allow FRPS on WAN",
+  "import": [ "base" ],
+
+  "filter": [
+    {
+      "in": "WAN",
+      "out": "_fw",
+      "service": "frps",
+      "action": "accept"
+    }
+  ]
+}
diff --git a/config-files/frps/confd b/config-files/frps/confd
@@ -1,3 +0,0 @@
-# Configuration for /etc/init.d/chartsrv
-
-frps_opts="--token=foobar123 --bind_port=9000 --subdomain_host=frp.ctu.cx --vhost_http_port=8088"
diff --git a/roles/frps/tasks/main.yml b/roles/frps/tasks/main.yml
@@ -6,9 +6,21 @@
    state: present
    update_cache: yes
 
-- copy:
-   src: config-files/frps/confd
+- name: Copy http(s) firewall-rule to destination host
+  copy:
+    src: config-files/awall/frps.json
+    dest: /etc/awall/optional/frps.json
+    validate: jq '.' %s
+
+- awall:
+   name: frps
+   state: enabled
+   activate: yes
+
+- template:
+   src: frps.confd
    dest: /etc/conf.d/frps
+   mode: 0644
 
 - service:
    name: frps

@@ -18,11 +30,17 @@
 - name: copy nginx-vhost for frps to destination host 
   template: 
     src: frps-vhost.conf.j2
-    dest: /etc/nginx/conf.d/oeffisearch.conf
+    dest: /etc/nginx/conf.d/frps.conf
     mode: 0644
     owner: nginx
     group: nginx
 
+- name: restart frps
+  service:
+    name: frps
+    state: restarted
+    enabled: yes
+
 - name: restart nginx
   service:
     name: nginx
diff --git a/roles/frps/templates/frps-vhost.conf.j2 b/roles/frps/templates/frps-vhost.conf.j2
@@ -0,0 +1,33 @@
+
+{% for vhost in frps.vhosts %}
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl;
+
+	ssl_certificate "{{frps.sslDir}}/{{vhost}}.{{frps.vhost_domain}}/{{frps.sslCertFile}}";
+	ssl_certificate_key "{{frps.sslDir}}/{{vhost}}.{{frps.vhost_domain}}/{{frps.sslPrivkeyFile}}";
+	include /etc/nginx/ssl.conf;
+	
+	server_name {{vhost}}.{{frps.vhost_domain}};
+
+	location / {
+		proxy_pass http://127.0.0.1:{{frps.vhost_port}}/;
+
+        proxy_http_version      1.1;
+        proxy_set_header        Upgrade $http_upgrade;
+        proxy_set_header        Connection "upgrade";
+
+        proxy_redirect          off;
+        proxy_connect_timeout   90;
+        proxy_send_timeout      90;
+        proxy_read_timeout      90;
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+        proxy_set_header        X-Forwarded-Host $host;
+        proxy_set_header        X-Forwarded-Server $host;
+	}
+}
+
+{% endfor %}
diff --git a/roles/frps/templates/frps.confd b/roles/frps/templates/frps.confd
@@ -0,0 +1,2 @@
+# Configuration for /etc/init.d/chartsrv
+frps_opts="--token={{frps.token}} --bind_port={{frps.port}} --subdomain_host={{frps.vhost_domain}} --vhost_http_port={{frps.vhost_port}}"
diff --git a/roles/frps/templates/oeffisearch-vhost.conf.j2 b/roles/frps/templates/oeffisearch-vhost.conf.j2
@@ -1,19 +0,0 @@
-server {
-	listen 443 ssl;
-	listen [::]:443 ssl;
-
-	ssl_certificate "{{oeffisearch.ssl_cert}}";
-	ssl_certificate_key "{{oeffisearch.ssl_privkey}}";
-	include /etc/nginx/ssl.conf;
-	
-	server_name {{oeffisearch.domain}};
-
-	location / {
-		try_files $uri $uri/ @api;
-		root /usr/share/oeffisearch;
-	}
-
-	location @api {
-		proxy_pass http://127.0.0.1:8081;
-	}
-}