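---
# Playbook for the ch-http-proxy host: first the common base system, then the
# nginx reverse proxy (TLS via acmetool / static CA, whawty SSO, vhosts) and the
# floating HTTP service IP.
- name: Basic Setup
  hosts: ch-http-proxy
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/ntp

- name: Payload Setup
  hosts: ch-http-proxy
  roles:
    - role: apt-repo/spreadspace
    - role: monitoring/prometheus/exporter
    - role: x509/static-ca/base
    - role: x509/acmetool/base
    - role: whawty/auth/store
    - role: nginx/base
    - role: nginx/auth/whawty-sso/base
    - role: nginx/auth/whawty-sso/login
    - role: apps/publish/base
  post_tasks:
    #### web.chaos-at-home.org (default-server)
    - name: create directory for default server
      file:
        path: /var/www/default
        state: directory

    - name: copy chaos-at-home logo file
      copy:
        src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
        dest: /var/www/default/logo.jpg

    - name: install index.html for default server
      copy:
        dest: /var/www/default/index.html
        content: |
          No Such Site
          You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.

    - name: configure default vhost web.chaos-at-home.org
      vars:
        nginx_vhost:
          # presumably makes this the nginx default_server, i.e. the vhost that
          # answers requests whose Host header matches none of the others
          # (confirm against the nginx/vhost role)
          default: true
          name: web
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  # acmetool's own HTTP-01 reachability self-test is skipped here
                  http-self-test: false
          hostnames:
            - web.chaos-at-home.org
          locations:
            '/':
              root: /var/www/default
              index: index.html
      include_role:
        name: nginx/vhost

    #### webmail.chaos-at-home.org and webdav.chaos-at-home.org
    - name: create directory for prometheus-old ca cert
      file:
        path: /etc/ssl/prometheus-old-ca
        state: directory

    # Private CA that signed the certificate of the legacy upstream; it is only
    # used as proxy_ssl trusted_certificate for the two vhosts below.
    - name: install prometheus-old ca cert
      copy:
        dest: /etc/ssl/prometheus-old-ca/ca.pem
        content: |
          -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

    - name: configure vhost for webmail.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webmail
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - webmail.chaos-at-home.org
          locations:
            '/':
              # upstream address = LAN prefix + the offset of ch-prometheus-legacy
              proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
              proxy_ssl:
                # the upstream certificate is verified against the private CA
                # installed above, so the weak settings below do not give up
                # authentication of the backend
                verify: "on"
                trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
                # The legacy backend apparently only speaks TLS 1.0 (deprecated by
                # RFC 8996) and SECLEVEL=0 removes OpenSSL's minimum key/cipher
                # strength floor. This weakening is confined to the proxy -> upstream
                # hop on the LAN; it should be removed together with
                # ch-prometheus-legacy.
                protocols: TLSv1
                ciphers: "DEFAULT@SECLEVEL=0"
              extra_directives: |-
                client_max_body_size 200M;
      include_role:
        name: nginx/vhost

    - name: configure vhost for webdav.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webdav
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - webdav.chaos-at-home.org
          locations:
            '/':
              # same legacy upstream and the same TLS 1.0 / SECLEVEL=0 caveat as the
              # webmail vhost above
              proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
              proxy_ssl:
                verify: "on"
                trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
                protocols: TLSv1
                ciphers: "DEFAULT@SECLEVEL=0"
      include_role:
        name: nginx/vhost

    #### imap.chaos-at-home.org
    - name: configure vhost for imap.chaos-at-home.org
      vars:
        nginx_vhost:
          name: imap
          template: generic
          # no tls: section -- this vhost only forwards ACME HTTP-01 challenges to
          # the imap host and redirects everything else to webmail
          hostnames:
            - imap.chaos-at-home.org
          locations:
            '/.well-known/acme-challenge/':
              proxy_pass: "http://{{ network_services.imap.addr }}"
            '/':
              return: "303 https://webmail.chaos-at-home.org"
      include_role:
        name: nginx/vhost

    ### Service IP
    # Adds the shared HTTP service address as a /32 on the primary interface;
    # the address is removed again when the unit is stopped.
    - name: install systemd service unit for service-ip
      copy:
        dest: /etc/systemd/system/http-service-ip.service
        content: |
          [Unit]
          Description=Assign HTTP Service IP
          After=network.target
          [Service]
          Type=oneshot
          ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          RemainAfterExit=yes
          [Install]
          WantedBy=multi-user.target
      register: service_ip_systemd_unit

    - name: make sure service-ip systemd unit is enabled and started
      systemd:
        daemon_reload: true
        name: http-service-ip.service
        # restart only when the unit file was actually rewritten by the task above
        state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
        enabled: true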