Use systemd template files, fixes #3, #4

Add cleanup of legacy stuff

README.md

@@ -12,28 +12,28 @@
 
 This ansible role does download and install `cloudflared` on the host and optionally installs the [argo-tunnel] as a service. 
 
-The role is made in a way that you can install multiple services in parallel - simply run the role several times with different parameters `service_name`, `hostname` and `url`.
+The role is made in a way that you can install multiple services in parallel - simply run the role several times with different parameters `service`, `hostname` and `url`.
 
 The role performs the following steps:
 
 1. Download and install binary according to [downloads]
-2. Install/configure the daemon - see [Authenticate the daemon](#authenticate-the-daemon)
-3. Create a config file per `service_name` in `/etc/cloudflare`
+1. Install/configure the daemon - see [Authenticate the daemon](#authenticate-the-daemon)
+1. Create a config file per `service` in `/etc/cloudflare`
 
-    The file is named `cloudflared_{{ service_name }}.yml` and will contain the minimal configuration is as follows
+    The file is named `{{ tunnel }}.yml` and will contain the minimal configuration is as follows
 
     ```yaml
     hostname: {{ hostname }}
     url: {{ url }}
-    logfile: /var/log/cloudflared_{{ service_name }}.log
+    logfile: /var/log/cloudflared_{{ tunnel }}.log
     ```
 
     Additional parameters are configured via [Cloudflare parameters](#cloudflare-parameters)
 
-4. Create a systemd `service`-file and starts it
+1. Create a [systemd-unit-template] `cloudflared@{{ tunnel }}.service` and start an instance for each service in the list of `tunnels`
 
     ```bash
-    cloudflared tunnel --config cloudflared_{{ service_name }}.yml
+    cloudflared tunnel --config {{ tunnel }}.yml
     ```
 
 ## Authenticate the daemon
@@ -64,17 +64,25 @@ These are all variables
 
 |Parameter|Description|Default Value|
 |---------|-----------|-------------|
-|`service_name`|[Mandatory] Name of the service - used to create config file and systemd file|-|
 |`systemd_user`|User for systemd service|`backup`|
 |`systemd_group`|Group for systemd service|`backup`|
 |`download_baseurl`|Base url for `cloudflare` binaries|https://bin.equinox.io/c/VdrWdbjqyF/|
 |`cert_location`|Location of the certificate to be copied - see [Authenticate the daemon](#authenticate-the-daemon)|-|
 |`install_only`|Set to `true` if you only want to install the binary without any configuration or login|`false`|
 |`force_install`|Set to `true` if you want to re-install `cloudflared`. By default the assumption is that `cloudflared` is running as a service and automatically auto-updates.|`false`|
+|`tunnels`|[Mandatory] List of services, each one defining [Cloudflare parameters](#cloudflare-parameters)|-|
+|`do_legacy_cleanup`|Due to the changes of switching to [systemd-unit-template] you may need to cleanup the "legacy" stuff, if you used the role before.|`false`|
 
 ### Cloudflare parameters
 
-Parameters available for configuring `cloudflared` according to [cli-args]
+Tunnel-specific parameters available for configuring `cloudflared` according to [cli-args].
+
+```yaml
+tunnels:
+  ssh:
+    hostname: xxx
+    url: ssh.mycompany.com
+```
 
 |Parameter|Description|Default Value|
 |---------|-----------|-------------|
@@ -107,11 +115,12 @@ The following example installs an ssh-tunnel for each `server`
 - hosts: server
   vars:
     hostname: "{{ inventory_hostname }}.mycompany.com"
-    service_name: ssh
-    url: ssh://localhost:22
-    systemd_user: root
-    systemd_group: root
-    cert_location: /home/papanito/cert.pem
+    services:
+      ssh:
+        url: ssh://localhost:22
+        systemd_user: root
+        systemd_group: root
+        cert_location: /home/papanito/cert.pem
   roles:
     - papanito.cloudflared
 ```
@@ -140,4 +149,5 @@ Written by [Papanito](https://wyssmann.com) - [Gitlab](https://gitlab.com/papani
 [ssh-guide]: https://developers.cloudflare.com/access/ssh/ssh-guide/
 [config]: https://developers.cloudflare.com/argo-tunnel/reference/config/
 [cli-args]: https://developers.cloudflare.com/argo-tunnel/reference/arguments/
-[authenticate-the-cloudflare-daemon]: https://developers.cloudflare.com/access/ssh/ssh-guide/#2-authenticate-the-cloudflare-daemon
+[authenticate-the-cloudflare-daemon]: https://developers.cloudflare.com/access/ssh/ssh-guide/#2-authenticate-the-cloudflare-daemon
+[systemd-unit-template]: https://fedoramagazine.org/systemd-template-unit-files/

defaults/main.yml

@@ -6,4 +6,5 @@ systemd_group: root
 download_baseurl: https://bin.equinox.io/c/VdrWdbjqyF/
 download_folder: ./download
 install_only: False
-force_install: False
+force_install: False
+do_legacy_cleanup: False

tasks/cleanup.yml

@@ -0,0 +1,21 @@
+- name: Define required variables for cleanup
+  set_fact:
+    daemon_location: "{{ install_target_dir }}/cloudflared"
+    tunnel_name: "{{ item.key }}"
+    config_filename_legacy: "config.{{ item.key }}.yml"
+    systemd_filename_legacy: "cloudflared-{{ item.key }}.service"
+- name: Stop systemd service {{ systemd_filename_legacy }}
+  systemd:
+    name: "{{ systemd_filename_legacy }}"
+    state: stopped
+    enabled: no
+    daemon_reload: yes
+  ignore_errors: true
+- name: Remove legacy config files
+  file:
+    path: "{{ config_dir_tunnels }}/{{ config_filename_legacy }}"
+    state: absent
+- name: Remove legacy cloudflared service files
+  file:
+    path: "{{ systemd_target_dir }}/{{ systemd_filename_legacy }}"
+    state: absent

tasks/configure-tunnels.yml

@@ -0,0 +1,13 @@
+- name: Create config file for service '{{ item.key }}'
+  template:
+    src: config.yml.j2
+    dest: "{{ config_dir_tunnels }}/{{ item.key }}.yml"
+  with_dict: "{{ tunnels }}"
+- name: Start systemd service {{ item.key }}
+  systemd:
+    name: "{{ systemd_filename }}@{{ item.key }}"
+    state: started
+    enabled: yes
+    daemon_reload: yes
+    no_block: no
+  with_dict: "{{ tunnels }}"

tasks/configure.yml

@@ -1,19 +1,8 @@
 - name: Define required variables for configuration
   set_fact:
     daemon_location: "{{ install_target_dir }}/cloudflared"
-    config_filename: "config.{{ service_name }}.yml"
-    systemd_filename: "cloudflared-{{ service_name }}.service"
-- name: Create config file for service '{{ service_name }}'
-  template:
-    src: config.yml.j2
-    dest: "{{ config_dir_tunnels }}/{{ config_filename }}"
-- name: Install cloudflared service for service '{{ service_name }}''
+    systemd_filename: "cloudflared"
+- name: Install cloudflared service for service '{{ tunnel_name }}''
   template:
     src: cloudflared.service.j2
-    dest: "{{ systemd_target_dir }}/{{ systemd_filename }}"
-- name: Start systemd service {{ systemd_filename }}
-  systemd:
-    name: "{{ systemd_filename }}"
-    state: restarted
-    enabled: yes
-    daemon_reload: yes
+    dest: "{{ systemd_target_dir }}/{{ systemd_filename }}@.service"

tasks/main.yml

@@ -4,8 +4,15 @@
   set_fact:
     daemon_location: "{{ install_target_dir }}/cloudflared"
     cf_binary_filename: "{{ cf_binaries[ansible_machine].filename_tgz }}"
+- name: Cleanup legacy stuff
+  include_tasks: cleanup.yml
+  with_dict: "{{ tunnels }}"
+  when: do_legacy_cleanup
 - name: Download and install cloudflared
-  import_tasks: install.yml
+  include_tasks: install.yml
 - name: Install cloudflared
-  import_tasks: configure.yml
-  when: not install_only
+  include_tasks: configure.yml
+  when: not install_only
+- name: Configure tunnels
+  include_tasks: configure-tunnels.yml
+  when: not install_only

templates/cloudflared.service.j2

@@ -1,11 +1,12 @@
 [Unit]
-Description=cloudflared tunnel for {{ service_name }}
+Description=cloudflared tunnel for %I
+After=network.target
 
 [Service]
 Type=simple
-ExecStart=cloudflared tunnel --config {{ config_dir_tunnels }}/{{ config_filename }}
+ExecStart=cloudflared tunnel --config {{ config_dir_tunnels }}/%i.yml
 User={{ systemd_user }}
 Group={{ systemd_group }}
 
 [Install]
-After=NetworkManager.service
+WantedBy=multi-user.target

templates/config.yml.j2

@@ -1,43 +1,43 @@
-hostname: {{ hostname }}
-url: {{ url }}
-logfile: /var/log/cloudflared_{{ service_name }}.log
+hostname: {{ item.value.hostname }}
+url: {{ item.value.url }}
+logfile: /var/log/cloudflared_{{ item.key }}.log
 
-{% if lb_pool is defined %}
-lb-pool: {{ lb_pool }}
+{% if item.value.lb_pool is defined %}
+lb-pool: {{ item.value.lb_pool }}
 {% endif %}
-{% if autoupdate_freq is defined %}
-autoupdate-freq: {{ autoupdate_freq }}
+{% if item.value.autoupdate_freq is defined %}
+autoupdate-freq: {{ item.value.autoupdate_freq }}
 {% endif %}
-{% if no_autoupdate is defined %}
-no-autoupdate: {{ no_autoupdate }}
+{% if item.value.no_autoupdate is defined %}
+no-autoupdate: {{ item.value.no_autoupdate }}
 {% endif %}
-{% if no_tls_verify is defined %}
-no-tls-verify: {{ no_tls_verify }}
+{% if item.value.no_tls_verify is defined %}
+no-tls-verify: {{ item.value.no_tls_verify }}
 {% endif %}
-{% if origin_ca_pool is defined %}
-origin-ca-pool: {{ origin_ca_pool }}
+{% if item.value.origin_ca_pool is defined %}
+origin-ca-pool: {{ item.value.origin_ca_pool }}
 {% endif %}
-{% if origin_server_name is defined %}
-origin-server-name: {{ origin_server_name }}
+{% if item.value.origin_server_name is defined %}
+origin-server-name: {{ item.value.origin_server_name }}
 {% endif %}
-{% if metrics is defined %}
-metrics: {{ metrics }}
+{% if item.value.metrics is defined %}
+metrics: {{ item.value.metrics }}
 {% endif %}
-{% if metrics_update_freq is defined %}
-metrics-update-freq: {{ metrics_update_freq }}
+{% if item.value.metrics_update_freq is defined %}
+metrics-update-freq: {{ item.value.metrics_update_freq }}
 {% endif %}
-{% if tag is defined %}
-tag: {{ tag }}
+{% if item.value.tag is defined %}
+tag: {{ item.value.tag }}
 {% endif %}
-{% if loglevel is defined %}
-loglevel: {{ loglevel }}
+{% if item.value.loglevel is defined %}
+loglevel: {{ item.value.loglevel }}
 {% endif %}
-{% if proto_loglevel is defined %}
-proto-loglevel: {{ proto_loglevel }}
+{% if item.value.proto_loglevel is defined %}
+proto-loglevel: {{ item.value.proto_loglevel }}
 {% endif %}
-{% if retries is defined %}
-retries: {{ retries }}
+{% if item.value.retries is defined %}
+retries: {{ item.value.retries }}
 {% endif %}
-{% if no_chunked_encoding is defined %}
-no-chunked-encoding: {{ no_chunked_encoding }}
+{% if item.value.no_chunked_encoding is defined %}
+no-chunked-encoding: {{ item.value.no_chunked_encoding }}
 {% endif %}

tests/test.yml

@@ -2,8 +2,9 @@
 - hosts: localhost
   remote_user: root
   vars:
-    hostname: demo.mycompany.com
-    service_name: demo
-    url: https://localhost:8080
+    tunnels:
+      ssh:
+        hostname: demo.mycompany.com
+        url: https://localhost:8080
   roles:
     - ansible-role-cloudflared