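---
# Deploys one Node-RED instance (selected by `node_red_instance`, configured in
# `node_red_instances[node_red_instance]`): host directories, TLS material for
# MQTT and for publishing, an optional custom image, the pod and the nginx vhost
# on the zone's publisher host.
## TODO: add storage handling!
- name: set instance base path
  set_fact:
    node_red_instance_basepath: "/srv/node-red/{{ node_red_instance }}"

## TODO: custom user
# Both directories are private to uid 1000 (presumably the uid the container
# runs as — confirm against pod-spec.yml.j2); no other host user needs them.
- name: create instance directories
  loop:
    - data
    - tls
  file:
    path: "{{ node_red_instance_basepath }}/{{ item }}"
    state: directory
    owner: 1000
    # Quoted on purpose: an unquoted 0700 is parsed as a YAML 1.1 octal int.
    # Ansible maps it back correctly, but every other mode in this file is a
    # string, so keep the convention.
    mode: "0700"

# MQTT client certificate, only when the instance declares `mqtt_tls`.
# The private key is root-owned and readable by group 1000 only (0640); the
# container can read it but never write it. Certificate/CA files are world-
# readable, which is fine for public material.
- name: generate/install/fetch TLS certificates for mqtt
  when: "'mqtt_tls' in node_red_instances[node_red_instance]"
  vars:
    x509_certificate_name: "node-red-{{ node_red_instance }}_mqtt"
    x509_certificate_hostnames: []
    x509_certificate_config: "{{ node_red_instances[node_red_instance].mqtt_tls.certificate_config }}"
    x509_certificate_renewal:
      install:
        - dest: "{{ node_red_instance_basepath }}/tls/mqtt-crt.pem"
          src:
            - fullchain
          owner: root
          group: 1000
          mode: "0644"
        - dest: "{{ node_red_instance_basepath }}/tls/mqtt-key.pem"
          src:
            - key
          owner: root
          group: 1000
          mode: "0640"
        - dest: "{{ node_red_instance_basepath }}/tls/mqtt-ca-crt.pem"
          src:
            - ca_cert
          owner: root
          group: 1000
          mode: "0644"
  include_role:
    name: "x509/{{ node_red_instances[node_red_instance].mqtt_tls.certificate_provider }}/cert"

# Server certificate for the publishing hop (nginx on the publisher -> this
# instance). Issued by the zone's CA with serverAuth only; the CN is what the
# vhost below verifies via `proxy_ssl.name`. No SANs are requested
# (`x509_certificate_hostnames: []`), so name verification relies on the CN —
# NOTE(review): confirm the nginx build in use still honours CN-only certs.
- name: generate/install TLS certificates for publishment
  vars:
    x509_certificate_name: "node-red-{{ node_red_instance }}_publish"
    x509_certificate_hostnames: []
    x509_certificate_config:
      ca: "{{ node_red_instances[node_red_instance].publish.zone.certificate_ca_config }}"
      cert:
        common_name: "node-red-{{ node_red_instance }}"
        extended_key_usage:
          - serverAuth
        extended_key_usage_critical: true
        create_subject_key_identifier: true
        # ~2 years; renewal is handled by the x509 role's `renewal.install` hook.
        not_after: "+100w"
    x509_certificate_renewal:
      install:
        - dest: "{{ node_red_instance_basepath }}/tls/publish-crt.pem"
          src:
            - fullchain
          owner: root
          group: 1000
          mode: "0644"
        - dest: "{{ node_red_instance_basepath }}/tls/publish-key.pem"
          src:
            - key
          owner: root
          group: 1000
          mode: "0640"
        - dest: "{{ node_red_instance_basepath }}/tls/publish-ca-crt.pem"
          src:
            - ca_cert
          owner: root
          group: 1000
          mode: "0644"
  include_role:
    name: "x509/{{ node_red_instances[node_red_instance].publish.zone.certificate_provider }}/cert"

# Optional custom image. The Dockerfile body comes straight from inventory
# (`custom_image.dockerfile`), i.e. it is operator-trusted input; it is only
# rebuilt when the generated Dockerfile changed.
- name: build custom image
  when: "'custom_image' in node_red_instances[node_red_instance]"
  block:
    - name: create build directory for custom image
      file:
        path: "{{ node_red_instance_basepath }}/build"
        state: directory
    - name: generate Dockerfile for custom image
      copy:
        content: |
          FROM {{ node_red_instances[node_red_instance].custom_image.from | default('nodered/node-red:' + node_red_instances[node_red_instance].version + '-debian') }}
          {{ node_red_instances[node_red_instance].custom_image.dockerfile }}
        dest: "{{ node_red_instance_basepath }}/build/Dockerfile"
      register: node_red_custom_image_docker
    - name: build custom image
      docker_image:
        name: "nodered/node-red/{{ node_red_instance }}:{{ node_red_instances[node_red_instance].version }}-debian"
        state: present
        force_source: "{{ node_red_custom_image_docker is changed }}"
        source: build
        build:
          path: "{{ node_red_instance_basepath }}/build"
          # Build steps run on the host network, so RUN instructions in the
          # operator-supplied Dockerfile can reach host-local services. Keep
          # `custom_image.dockerfile` under the same trust as the playbook.
          network: host
          # Always refresh the base image. The default base is a mutable tag
          # (`<version>-debian`); pin `custom_image.from` to a digest if
          # reproducible builds are required.
          pull: true

## TODO: settings.js:
#
# module.exports = {
#   // credentialSecret encrypts flows_cred.json. The value below is only a
#   // placeholder: it must be generated per instance and sourced from the
#   // vault (with no_log), never committed as a literal.
#   credentialSecret: "geheim",
#   https: {
#     key: require("fs").readFileSync('/tls/publish-key.pem'),
#     cert: require("fs").readFileSync('/tls/publish-crt.pem'),
#     ca: require("fs").readFileSync('/tls/publish-ca-crt.pem'),
#     // requestCert + ca: clients must present a certificate issued by the
#     // zone CA (nginx's proxy_ssl.certificate below), i.e. mutual TLS.
#     requestCert: true,
#     minVersion: 'TLSv1.3'
#   },
#   // extra_settings is spliced into the JS verbatim — operator-trusted only.
#   {{ node_red_instances[node_red_instance].extra_settings }}
# }
#

- name: install pod manifest
  vars:
    kubernetes_standalone_pod:
      name: "node-red-{{ node_red_instance }}"
      spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
  include_role:
    name: kubernetes/standalone/pod

# The public vhost lives on the zone's publisher host. When that is this host,
# nginx proxies to loopback; otherwise it proxies to this host's default IPv4
# address, and that hop is protected by mutual TLS (proxy_ssl client cert +
# `verify: "on"` against the zone CA, TLSv1.3 only). The vhost definition is
# rendered as YAML text first and then parsed with from_yaml.
- name: configure nginx vhost for publishment
  vars:
    nginx_vhost__yaml: |
      {% if node_red_instances[node_red_instance].publish.zone.publisher == inventory_hostname %}
      name: "node-red-{{ node_red_instance }}"
      {% else %}
      name: "node-red-{{ node_red_instance }}-{{ inventory_hostname }}"
      {% endif %}
      template: generic
      {% if 'tls' in node_red_instances[node_red_instance].publish %}
      tls:
        {{ node_red_instances[node_red_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
      {% endif %}
      hostnames:
      {% for hostname in node_red_instances[node_red_instance].publish.hostnames %}
        - {{ hostname }}
      {% endfor %}
      locations:
        '/':
      {% if node_red_instances[node_red_instance].publish.zone.publisher == inventory_hostname %}
          proxy_pass: "https://127.0.0.1:{{ node_red_instances[node_red_instance].port }}"
      {% else %}
          proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ node_red_instances[node_red_instance].port }}"
      {% endif %}
          proxy_ssl:
            certificate: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-crt.pem"
            certificate_key: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-key.pem"
            trusted_certificate: "/etc/ssl/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}/apps-publish-{{ node_red_instances[node_red_instance].publish.zone.name }}-ca-crt.pem"
            verify: "on"
            name: "node-red-{{ node_red_instance }}"
            protocols: "TLSv1.3"
      {% if 'location_extra_directives' in node_red_instances[node_red_instance].publish %}
          extra_directives: |
            {{ node_red_instances[node_red_instance].publish.location_extra_directives | indent(6) }}
      {% endif %}
      {% if 'vhost_extra_directives' in node_red_instances[node_red_instance].publish %}
      extra_directives: |
        {{ node_red_instances[node_red_instance].publish.vhost_extra_directives | indent(2) }}
      {% endif %}
    nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
  include_role:
    name: nginx/vhost
    apply:
      delegate_to: "{{ node_red_instances[node_red_instance].publish.zone.publisher }}"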