Various changes that I am not going to write a description for

group_vars/all.yaml

@@ -1,3 +1,14 @@
 ansible_user: root
 ansible_python_interpreter: auto_silent
 notify_email: bestuur@bitlair.nl
+acme_bootstrap_certs: no
+trusted_ranges:
+  - { v: ipv4, cidr: 127.0.0.1/8 }
+  - { v: ipv4, cidr: 10.0.0.0/8 }
+  - { v: ipv4, cidr: 192.168.0.0/16 }
+  - { v: ipv4, cidr: 100.64.0.0/10 }
+  - { v: ipv4, cidr: 172.16.0.0/21 }
+  - { v: ipv4, cidr: 185.205.52.194/32 }
+  - { v: ipv6, cidr: "::1" }
+  - { v: ipv6, cidr: "fe80::/10" }
+  - { v: ipv6, cidr: "2a02:166b:92::/64" }

mqtt-internal.yaml

@@ -3,5 +3,5 @@
   vars:
     mqtt_internal_public_host: bitlair.nl
   roles:
-    - polyfloyd.tweaks
+    - common
     - mqtt-internal

music.yaml

@@ -0,0 +1,11 @@
+---
+- hosts: music
+  vars:
+    music_domain: music.bitlair.nl
+    acme_san_domains:
+      - [ music.bitlair.nl ]
+  roles:
+    - common
+    - acme
+    - go
+    - music

roles/bank-terminal/handlers/main.yaml

@@ -1,7 +1,5 @@
 ---
-- name: daemon_reload
+- import_tasks: ../../common/handlers/main.yaml
-  systemd:
-    daemon_reload: yes
 
 - name: console_setup
   command: dpkg-reconfigure console-setup --frontend noninteractive

roles/mqtt-internal/handlers/main.yaml

@@ -1,5 +1,7 @@
 ---
-- name: restart_mosquitto
+- import_tasks: ../../common/handlers/main.yaml
+
+- name: restart mosquitto
   systemd:
     name: mosquitto
     state: restarted

roles/mqtt-internal/tasks/main.yaml

@@ -7,14 +7,17 @@
         name: mosquitto
         state: present
 
-    - name: Configure public bridge forwarding
+    - name: Configure Mosquitto
       template:
-        src: public-bridge.conf
+        src: "{{ item }}"
-        dest: /etc/mosquitto/conf.d/public-bridge.conf
+        dest: "/etc/mosquitto/conf.d/{{ item }}"
         owner: root
         group: root
         mode: 0644
-      notify: restart_mosquitto
+      notify: restart mosquitto
+      with_items:
+        - internal.conf
+        - public-bridge.conf
 
     - name: Start mosquitto
       systemd:

roles/mqtt-internal/templates/internal.conf

@@ -0,0 +1,6 @@
+# Managed by Ansible
+
+listener 1883 ::
+listener 1883 0.0.0.0
+
+allow_anonymous true

roles/mqtt-internal/templates/public-bridge.conf

@@ -1,18 +1,13 @@
 # Managed by Ansible
 
 connection public-bridge
-
 address {{ mqtt_internal_public_host }}
 
 topic bitlair/state out
 topic bitlair/state/djo out
-topic bitlair/cam/+ out
 topic bitlair/music/+/state out
 topic bitlair/music/+/volume out
 topic bitlair/wifi/+/online out
 topic bitlair/climate/# out
-topic bitlair/temperature/+/current out
-topic bitlair/temperature/+/target out
 topic bitlair/humidity/+ out
 topic bitlair/lasercutter/+ out
-topic bitlair/flash out

roles/music/handlers/main.yaml

@@ -1,14 +1,5 @@
 ---
-- name: reload nginx
+- import_tasks: ../../common/handlers/main.yaml
-  systemd:
-    name: nginx
-    state: reloaded
-
-- name: rebuild trollibox
-  command: ./build.sh
-  args:
-    chdir: /opt/trollibox
-  environment: { RELEASE: 1 }
 
 - name: restart trollibox
   systemd:

roles/music/tasks/main.yaml

@@ -7,3 +7,18 @@
 
 - tags: music_librespot
   import_tasks: librespot.yaml
+
+- tags: music
+  block:
+    - name: Install nginx
+      apt:
+        name: nginx
+
+    - name: Install nginx config
+      template:
+        src: nginx-site.conf
+        dest: /etc/nginx/sites-enabled/trollibox
+        owner: root
+        group: root
+        mode: 0644
+      notify: reload nginx

roles/music/tasks/trollibox.yaml

@@ -1,4 +1,13 @@
 ---
+- name: Install Trollibox config
+  template:
+    src: trollibox.yaml
+    dest: /etc/trollibox.yaml
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart trollibox
+
 - name: Get latest Trollibox version from Github API
   get_url:
     url: "https://api.github.com/repos/polyfloyd/trollibox/releases/latest"

roles/music/templates/nginx-site.conf

@@ -0,0 +1,68 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name {{ music_domain }};
+
+    {% if acme_bootstrap_certs %}
+    include "snippets/snakeoil.conf";
+    {% else %}
+    ssl_certificate     "/var/lib/dehydrated/certs/{{ music_domain }}/fullchain.pem";
+    ssl_certificate_key "/var/lib/dehydrated/certs/{{ music_domain }}/privkey.pem";
+    {% endif %}
+
+    {% for range in trusted_ranges %}
+    allow {{ range.cidr }};
+    {% endfor %}
+    deny all;
+
+    location / {
+        rewrite ^/(.*) https://{{ music_domain }}/trollibox/player/space?;
+    }
+
+    location /trollibox/ {
+        proxy_pass http://[::1]:3000/;
+        client_max_body_size 512M;
+        include proxy_params;
+    }
+
+    location ~ ^/trollibox/(.+/events)$ {
+        proxy_pass http://[::1]:3000/$1;
+        include proxy_params;
+        proxy_http_version 1.1;
+        chunked_transfer_encoding off;
+        add_header X-Test "123";
+        proxy_set_header Connection '';
+        proxy_buffering off;
+        proxy_read_timeout 7d;
+    }
+
+    location ~ ^/trollibox/(.+/listen)$ {
+        proxy_pass http://[::1]:3000/$1;
+        include proxy_params;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 7d;
+    }
+
+    location /bobdsp/ {
+        proxy_pass http://[::1]:8081/;
+        include proxy_params;
+    }
+
+    location /vis/ {
+        allow all;
+        proxy_pass http://[::1]:13378/;
+        include proxy_params;
+    }
+
+    location = /vis/ {
+        rewrite ^(.*)$ /vis/index.html;
+        include proxy_params;
+    }
+
+    include "snippets/acme.conf";
+}

roles/music/templates/trollibox.yaml

@@ -0,0 +1,53 @@
+# Managed by Ansible
+
+# The network address to listen on. Must be in the Go listen format.
+#
+# Example, listen on port 80 on all interfaces:
+#  :80
+bind: "[::1]:3000"
+
+# The base URL at which the webinterface will can be reached by clients.
+# Must end with '/'.
+url_root: https://{{ music_domain }}/trollibox/
+
+# The directory which Trollibox will use to store data which can not be
+# saved to configured players.
+storage_dir: ~/.config/trollibox
+
+# The CSS colors used in the interface.
+colors:
+  background: "#333"
+  background_elem: "#222"
+  text: "#eee"
+  text_inactive: "#aaa"
+  accent: "#f60"
+
+# Enable or disable random tracks being automatically queued when the
+# playlist ends.
+autoqueue: true
+
+# Sets the default player by name. Leave empty to let Trollibox select a
+# random player.
+default_player:
+
+# The sections below list options to configure the players that Trollibox
+# will control. Each player is identified by a unique "name" property.
+
+# MPD instances to control. Leave emtpy if you don't want to configure any
+# MPD instances.
+mpd:
+  - name: space
+    network: tcp
+    address: 127.0.0.1:6600
+    password:
+
+# Logitech SlimServer to control. Set to null if you don't want to configure a
+# SlimServer. The players along with their names are automatically detected.
+#slimserver:
+#  network: tcp
+#  address: 127.0.0.1:9090
+#  username:
+#  password:
+#
+#  # The root of the SlimServer's web interface. Used to query track art.
+#  weburl: http://127.0.0.1:9000/

roles/raspi/handlers/main.yaml

@@ -1,3 +1,2 @@
 ---
-- name: reboot
+- import_tasks: ../../common/handlers/main.yaml
-  reboot: