✨: dynamic inventory with proxmox

2025-03-21 09:06:39 +01:00
parent 064c28f0a7
commit 609ee99d57
34 changed files with 169 additions and 239 deletions
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -120,7 +120,7 @@ config rule
 config rule
 	option name 'Allow-DMZ-Syslog'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['syslog.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['syslog']['ansible_default_ipv4']['address'] }}'
 	option dest_port '514'
 	list proto 'udp'
 	option target 'ACCEPT'
@@ -173,7 +173,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
 	option dest_port '80'
 	option target 'DNAT'

@@ -184,14 +184,14 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['haproxy.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['haproxy']['ansible_default_ipv4']['address'] }}'
 	option dest_port '443'
 	option target 'DNAT'

 # Allow Web traffic IN
-{% for host in groups['webservers'] %}
+{% for host in groups['webservers'] | sort %}
 config rule
-	option name 'Allow-INPUT-{{ host }}-Web'
+	option name 'Allow-INPUT-{{ hostvars[host]['ansible_host'] }}-Web'
 	option src 'wan'
 	list proto 'tcp'
 	list proto 'udp'
@@ -207,7 +207,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
-	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -217,7 +217,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-BT'
 	option src 'dmz'
-	option src_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option src_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -230,7 +230,7 @@ config rule
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['bt']['ansible_default_ipv6']['address'] }}'
 	option dest_port '10010'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -242,7 +242,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['bt.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['bt']['ansible_default_ipv4']['address'] }}'
 	option dest_port '10010'
 	option target 'DNAT'

@@ -275,7 +275,7 @@ config redirect
 config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
-	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address']}}'
+	option src_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address']}}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -286,7 +286,7 @@ config rule
 config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
 	option src 'dmz'
-	option src_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option src_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'wan'
@@ -301,7 +301,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
 	option dest_port '5222'
 	option target 'DNAT'

@@ -312,7 +312,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv4']['address'] }}'
 	option dest_port '5269'
 	option target 'DNAT'

@@ -322,7 +322,7 @@ config rule
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['jabber.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['jabber']['ansible_default_ipv6']['address'] }}'
 	option dest_port '5222 5269'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -334,7 +334,7 @@ config rule
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['voice1']['ansible_default_ipv6']['address'] }}'
 	option dest_port '64738'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -346,7 +346,7 @@ config redirect
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['voice1']['ansible_default_ipv4']['address'] }}'
 	option dest_port '64738'
 	option target 'DNAT'

@@ -354,7 +354,7 @@ config redirect
 config rule
 	option name 'Allow-OUTPUT-SMTP'
 	option src 'dmz'
-	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
 	list proto 'tcp'
 	option dest 'wan'
 	option dest_port '25'
@@ -366,7 +366,7 @@ config rule
 	option src 'wan'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
 	option dest_port '25 465 587'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -376,7 +376,7 @@ config rule
 	option src 'wan'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_ip '{{ hostvars['mail']['ansible_default_ipv6']['address'] }}'
 	option dest_port '143 993'
 	option target 'ACCEPT'
 	option family 'ipv6'
@@ -387,7 +387,7 @@ config redirect
 	option src_dport '25'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
 	option dest_port '25'
 	option target 'DNAT'

@@ -397,7 +397,7 @@ config redirect
 	option src_dport '465'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
 	option dest_port '465'
 	option target 'DNAT'

@@ -407,7 +407,7 @@ config redirect
 	option src_dport '587'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
 	option dest_port '587'
 	option target 'DNAT'

@@ -417,7 +417,7 @@ config redirect
 	option src_dport '143'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
 	option dest_port '143'
 	option target 'DNAT'

@@ -427,7 +427,7 @@ config redirect
 	option src_dport '993'
 	list proto 'tcp'
 	option dest 'lan'
-	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['mail']['ansible_default_ipv4']['address'] }}'
 	option dest_port '993'
 	option target 'DNAT'

@@ -435,7 +435,7 @@ config redirect
 config rule
 	option name 'Allow-INPUT-Munin'
 	option src 'dmz'
-	option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
 	list proto 'tcp'
 	option dest_port '4949'
 	option target 'ACCEPT'
@@ -444,7 +444,7 @@ config rule
 config rule
 	option name 'Allow-FORWARD-Munin-Mikrotik-Garregmach'
 	option src 'dmz'
-	option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'lan'
@@ -456,7 +456,7 @@ config rule
 config rule
 	option name 'Allow-FORWARD-Munin-Mikrotik-Derdriu'
 	option src 'dmz'
-	option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option src_ip '{{ hostvars['munin']['ansible_default_ipv4']['address'] }}'
 	list proto 'tcp'
 	list proto 'udp'
 	option dest 'lan'
@@ -530,7 +530,7 @@ config rule
 	option src 'iot'
 	list proto 'tcp'
 	option dest 'dmz'
-	option dest_ip '{{ hostvars['ftp.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_ip '{{ hostvars['ftp']['ansible_default_ipv4']['address'] }}'
 	option dest_port '21 10100-10110'
 	option target 'ACCEPT'

--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -45,7 +45,7 @@ frontend http
 {% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
 	## {{ hostname.host }} configuration
 	acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
-	use_backend http_{{ server }} if letsencrypt host_{{ hostname.host }}
+	use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname.host }}

 {% endfor %}
 {% endfor %}
@@ -64,21 +64,21 @@ frontend https
 	acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}

 {% endif %}
-	use_backend https_{{ server }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
+	use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}


 {% endfor %}
 {% endfor %}

 {% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
-## {{ server }} configuration
-backend http_{{ server }}
+## {{ hostvars[server].ansible_host }} configuration
+backend http_{{ hostvars[server].ansible_host }}
 	mode http
-	server host_{{ server.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:80
+	server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:80

-backend https_{{ server }}
+backend https_{{ hostvars[server].ansible_host }}
 	mode tcp
-	server host_{{ server.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:443
+	server host_{{ hostvars[server].ansible_host.split('.')|join('_') }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:443

 {% endfor %}

--- a/roles/munin_client/tasks/main.yml
+++ b/roles/munin_client/tasks/main.yml
@@ -41,7 +41,7 @@
    update_cache: true
  notify:
    - Restart munin-node
-  when: "'webservers' in group_names or 'loadbalancers' in group_names"
+  when: "'webservers' in group_names or 'lbservers' in group_names"

 # for HAProxy servers
 - name: Add haproxy backend module
@@ -51,7 +51,7 @@
    state: link
  notify:
    - Restart munin-node
-  when: "'loadbalancers' in group_names"
+  when: "'lbservers' in group_names"

 # For MariaDB servers
 - name: Install MariaDB servers
--- a/roles/munin_client/templates/munin-node.conf.j2
+++ b/roles/munin_client/templates/munin-node.conf.j2
@@ -34,14 +34,14 @@ ignore_file \.pod$
 # Set this if the client doesn't report the correct hostname when
 # telnetting to localhost, port 4949
 #
-host_name {{ inventory_hostname }}
+host_name {{ ansible_host }}

 # A list of addresses that are allowed to connect.  This must be a
 # regular expression, since Net::Server does not understand CIDR-style
 # network notation unless the perl module Net::CIDR is installed.  You
 # may repeat the allow line as many times as you'd like

-allow ^{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
+allow ^{{ hostvars['munin']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
 allow ^127\.0\.0\.1$
 allow ^::1$

--- a/roles/munin_server/templates/munin.conf.j2
+++ b/roles/munin_server/templates/munin.conf.j2
@@ -97,7 +97,7 @@ includedir /etc/munin/munin-conf.d
 # a simple host tree

 {% for host in groups['all'] | difference(groups['disabled_munin']) | sort %}
-[{{ host }}]
+[{{ hostvars[host].ansible_host }}]
 	address {{ hostvars[host]['ansible_default_ipv4']['address'] }}
 {% endfor %}

--- a/roles/nginx/templates/header.conf.j2
+++ b/roles/nginx/templates/header.conf.j2
@@ -9,7 +9,7 @@
 	error_log /var/log/nginx/{{ item.host }}.error.log;
 	error_log syslog:server=unix:/dev/log;
 {% if item.allowlistv4 is defined %}
-	allow {{ hostvars['haproxy.dmz.mateu.be'].ansible_default_ipv4.address }};
+	allow {{ hostvars['haproxy']['ansible_default_ipv4']['address'] }};
 {% endif %}
 {% if item.allowlistv6 is defined %}
 {% for addrv6 in item.allowlistv6 %}
--- a/roles/restic/vars/main.yml
+++ b/roles/restic/vars/main.yml
@@ -6,4 +6,4 @@ restic_architecture: "amd64"
 restic_system: "{{ ansible_facts['system'] | lower }}"
 restic_download_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_{{ restic_system }}_{{ restic_architecture }}.bz2"

-restic_repository: "{{ restic_s3_url }}/{{ inventory_hostname }}"
+restic_repository: "{{ restic_s3_url }}/{{ ansible_host }}"