- ACME via DNS-01 against internal NS (172.16.9.169) with TCP-only + disableANSChecks so the DMZ traefik can issue LE certs without reaching public NS IPs. - Migrate single-domain vars to `*_domains` lists (authentik, nextcloud, collabora, garage_s3) so public + *.int.* SANs share one cert and server-to-server traffic stays in the LAN. - Wire `traefik_dmz_exposed_services` per backend host (application, storage) with explicit `backend_host` overrides pointing at internal FQDNs — DMZ traefik now validates upstream certs against SAN names. - Nextcloud notify_push setup on internal FQDN to avoid DMZ hairpin; collabora WOPI / authentik LDAP outpost wired to *.int.* equivalents.
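---
# Site playbook: applies the base role to every host, then configures the
# two reverse-proxy tiers, then deploys one service per play.
#
# Every play below sets `become: true`, so each role runs with privilege
# escalation on its target hosts. When adding a play for a service that
# does not need root, drop `become` for that play rather than inheriting
# it by copy-paste.
#
# The two traefik plays apply the same role (digitalboard.core.traefik) to
# different host groups (backend vs DMZ). The per-tier differences are
# presumably carried by group/host vars, not by this file — verify in the
# inventory before changing either play.
#
# Booleans are written as `true`/`false`: `yes` is a YAML 1.1 truthy value
# that generic parsers and ansible-lint (yaml[truthy]) flag.

- name: Apply base configuration to all servers
  hosts: all_servers
  become: true
  roles:
    - digitalboard.core.base

- name: Configure reverse proxy on application servers
  hosts: traefik_servers_backend
  become: true
  roles:
    - digitalboard.core.traefik

- name: Configure reverse proxy on DMZ servers
  hosts: traefik_servers_dmz
  become: true
  roles:
    - digitalboard.core.traefik

- name: Deploy httpbin service
  hosts: httpbin_servers
  become: true
  roles:
    - digitalboard.core.httpbin

- name: Deploy 389ds LDAP service
  hosts: ds389_servers
  become: true
  roles:
    - digitalboard.core.389ds

- name: Deploy keycloak service
  hosts: keycloak_servers
  become: true
  roles:
    - digitalboard.core.keycloak

- name: Deploy garage service
  hosts: garage_servers
  become: true
  roles:
    - digitalboard.core.garage

- name: Deploy collabora service
  hosts: collabora_servers
  become: true
  roles:
    - digitalboard.core.collabora

- name: Deploy authentik service
  hosts: authentik_servers
  become: true
  roles:
    - digitalboard.core.authentik

- name: Deploy authentik LDAP outpost
  hosts: authentik_outpost_ldap_servers
  become: true
  roles:
    - digitalboard.core.authentik_outpost_ldap

- name: Deploy nextcloud service
  hosts: nextcloud_servers
  become: true
  roles:
    - digitalboard.core.nextcloud

- name: Deploy drawio service
  hosts: drawio_servers
  become: true
  roles:
    - digitalboard.core.drawio

# Plays kept for reference but currently disabled; re-enable by
# uncommenting the whole play (the host groups must exist in the inventory).
#
# - name: Deploy send service
#   hosts: send_servers
#   become: true
#   roles:
#     - digitalboard.core.send
#
# - name: Deploy openforms service
#   hosts: openforms_servers
#   become: true
#   roles:
#     - digitalboard.core.openforms

- name: Deploy opencloud service
  hosts: opencloud_servers
  become: true
  roles:
    - digitalboard.core.opencloud

- name: Deploy homarr service
  hosts: homarr_servers
  become: true
  roles:
    - digitalboard.core.homarr

- name: Deploy opnform service
  hosts: opnform_servers
  become: true
  roles:
    - digitalboard.core.opnform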