---
- name: Basic Setup
hosts: ch-http-proxy
roles:
- role: apt-repo/base
- role: core/base
- role: core/sshd/base
- role: core/zsh
- role: apt-repo/spreadspace
- role: acmetool/base
- role: nginx/base
post_tasks:
#### web.chaos-at-home.org (default-server)
- name: create directory for default server
file:
path: /var/www/default
state: directory
- name: copy chaos-at-home logo file
copy:
src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
dest: /var/www/default/logo.jpg
- name: install index.html for default server
copy:
dest: /var/www/default/index.html
content: |
No Such Site
You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.
- name: configure default vhost web.chaos-at-home.org
vars:
nginx_vhost:
default: yes
name: web
template: generic
acme: yes
hostnames:
- web.chaos-at-home.org
locations:
'/':
root: /var/www/default
index: index.html
acmetool_cert_config:
request:
challenge:
http-self-test: false
include_role:
name: nginx/vhost
#### passwd.chaos-at-home.org
- name: create directory for whawty auth ca cert
file:
path: /etc/ssl/whawty-auth-ca
state: directory
- name: install whawty auth ca cert
copy:
dest: /etc/ssl/whawty-auth-ca/ca.pem
content: |
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIUQLP44rt/4d91qIT8oOVKMb3+WVQwDQYJKoZIhvcNAQEN
BQAwgYYxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFDASBgNVBAsTC3doYXd0eS1hdXRo
MSkwJwYDVQQDEyBjaGFvcy1hdC1ob21lIENBIGZvciB3aGF3dHktYXV0aDAeFw0y
MDA4MjgxOTQzMDBaFw0yNTA4MjcxOTQzMDBaMIGGMQswCQYDVQQGEwJBVDEPMA0G
A1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFvcy1hdC1o
b21lMRQwEgYDVQQLEwt3aGF3dHktYXV0aDEpMCcGA1UEAxMgY2hhb3MtYXQtaG9t
ZSBDQSBmb3Igd2hhd3R5LWF1dGgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCyoleHLYcu2vBbwa3OuukNHKWKrdohAJPPOc5rRTNv2ENiTn1U3Mmuo2Sk
1DODyQCsuFS92wWNq7T+aFKoHt1VlUkT73ytVduCdu06j6N7I8CUqFBMKvs2e7iO
mjV8ur7F/0LpSvF812aqOEHqGKjjsaHGy8TMb9OnxtcvU4Icit7jnTDspIec8rQY
dfo4tHtYNvwmyiLk3nTorpFMREmyDRYNijtYy+RO+dN+8/Cg5GmiAVBPLHu0DyGA
VtRmZsKKWXCPloWNwdalKDfn8ZRP7zzurkAAtQMvYMJiTxucRfnvkeT1AK+mWVuJ
REpFOFNJtrdismIPaeQ0VwgJEOXmFCsOTJpksVbOoFK9HSDliNOVIIpbDxp7Pm5I
RIpw1f3RBEejrg7tqOM+tn7In1s783sPNqMFf7WDyl2wNaAoAQvmY+BL4jS/HTOj
KiAWEoU2ncPlL5VnWDkH2npSD3lGuSXUiIikL5MGPjwOjYICW5dKLtLzbC7ElODI
GWCzZRHFMewgBGsOfcLQjOYlwwtMWbkZ5OTXYAUDhW5k3WXav+7fHcV5Ydp+OLAH
mVkn3EiIWySuMdGp9eEFoxAQeJLnX1/gc30cWSh20VxUmE2HpgCW9UliCeUrRFFE
cI+cWdzmVNkOr6MyeGOA8dTThBrRW5kFBnrQTTd8fyGCds5uyQIDAQABo0IwQDAO
BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFFTxZcX0
E66DaRMRikHxfMfCf9AwDQYJKoZIhvcNAQENBQADggIBAJh4CyhxoQfWhyfpnbgh
yDjvtC9gHo3mGHUBjc4QOaAC0MQocEbk5+FCmV0cMzqJ7fWNCckXs+mV08GFqNxv
MzzyfLQuOc5WNnr7uLTQ/PCsjQ5ohzE40WKugfABiZhG49R1nWky5aM31LfhJ2Am
VqJhz8b50YC3aq1R2P0nJ7zLAZzfIpb3fgeLsENV9fxNDA5xLCTsqkdjTpZ79MZy
Ud3W02KZY0izd95gkvaWp8uCSTagYNBlMTIYLdEBnUIHlSGca5dXVACtuWBE3v3N
DcomliXUpHcCun9pzsgBjN1OpR9PN/FOXFHbiM734CHl6ddsWDFmpQC4mzA/QPNb
CZtfslr1WvWOTd8N+ksph68v7xFbIalYOfJf+f8VjunU7Kxgl6oQ/7m8GGnQ8Ah7
JUCeiEeOZuN6C4yRArYD55AG/5NcrwVJzJ2q/K3B8YlXIpuQVNEOUbyT97deD+cC
c+1HymHgT6RGVeU8W1M7JNv9Qwzo41Um1LVWk8c2mXuyq76E58XaC3aL/K6i5VfP
/04Dx9VVnGu2nUoCmryWgh+Pa3M20GWdG85cAb4b3srf7KoeaOeWzv5QqIj1tcJs
EdaZIyg65dC5dMuuQ0geCEoTaBjOWUiTzBGgvFXkdVHSfyBh+BRbTHMnIuPIwe+c
y8wejeuvOelX6YEzJpnebARk
-----END CERTIFICATE-----
- name: configure vhost for passwd.chaos-at-home.org
vars:
nginx_vhost:
name: passwd
template: generic
acme: yes
hostnames:
- passwd.chaos-at-home.org
locations:
'/':
proxy_pass: "https://{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-auth-legacy']) | ipaddr('address') }}/"
proxy_ssl:
verify: "on"
trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem
acmetool_cert_config:
request:
challenge:
http-self-test: false
include_role:
name: nginx/vhost
#### webmail.chaos-at-home.org and webdav.chaos-at-home.org
- name: create directory for prometheus-old ca cert
file:
path: /etc/ssl/prometheus-old-ca
state: directory
- name: install prometheus-old ca cert
copy:
dest: /etc/ssl/prometheus-old-ca/ca.pem
content: |
-----BEGIN CERTIFICATE-----
MIIF6jCCA9KgAwIBAgIUXDQZo0d3tcTa4oilKki+E9md8GIwDQYJKoZIhvcNAQEN
BQAwgYwxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFzAVBgNVBAsTDnByb21ldGhldXMt
b2xkMSwwKgYDVQQDEyNjaGFvcy1hdC1ob21lIENBIGZvciBwcm9tZXRoZXVzLW9s
ZDAeFw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBaMIGMMQswCQYDVQQGEwJB
VDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFv
cy1hdC1ob21lMRcwFQYDVQQLEw5wcm9tZXRoZXVzLW9sZDEsMCoGA1UEAxMjY2hh
b3MtYXQtaG9tZSBDQSBmb3IgcHJvbWV0aGV1cy1vbGQwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDS1hSM5E7mhsv1c3S+cPmjxWAFz8N9xqSGk4JjRNxR
wsM7o2aS18FZus+w/Ikp3sTfyNiK017lrnD1iwkTV+yHV9FFNq5FC7Jry3kZcjhH
HirmRFJhXvsimsK6Ir/9ZuQ1EqhRv7HEnnG1W19UyQuk0VpTfcis4jNtMOuEcqG2
arXah/8OOKpcsvIK03XWpLjw0UzNhemka66BC1W+Sg0iB3PmYOSUjJfxSulfZYN8
YAP8QPhXCCrOw39EKiW4KcGnKhNQD8lulpk8kCZlr0Hd8bgxBzrQ+bDhMGEkbxnS
7VaSSTLZIKUWT/4IzCMOrLFbL0k7e0DcOL0+D9lgGjqgDSKKxOi7U3BavilTRJvU
9mq1B+7qrYrx3UfELNgYjUhF575iJmRRH+XKf4b/LGqyrAymRPpwnrubg7KUwGPa
zScuGI4QakOVc5/zU6XML9msyz7p2IXmKqkAi/cxrH6VLK49r63Q8OPbLp17vaDp
9TJaMyQ2QQDVaBulEfwIb1vSKiG+e+8frlXKBf7rtVbZxTda3VmUMFw56hbnT1vn
zvnWwbTWj2in4BhCMbjyvA+HgPd5CAvXkQff4rX5+quLa6hqP/GbslDxtceDSrN0
+GLRcFbBwxFSJhPmAyspUBDgKI6TaBwsaQIp54UF4wtmPOSmx7iRkYWELh7Jrfib
YQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQUTSq7rSadFGLpZQMEOpI9Mt6ViM0wDQYJKoZIhvcNAQENBQADggIBAKeZ
FH+eabDb1JU41hIYrboPbL3N6G8IW9VxfAIQ/W3jYEHz+gLf7CAOZIqbZCrexajs
+hqamNAZ+eXQ+9o9IcGXHx5ifDDWLDVl0i/7qQ1cl+oXQ4Ua6jSN/I1UghPkV+Pt
X3Rptl+HLGtTjUcP8Sd78ugBnhM1T8oB9i/xkP9idP7H95C/JKnBER+uH8u67LVe
gYRZS6R+tI3vX1CrjdI0zps0TDWU9sixsu2BF8HHc6AJ6t+1oAVtvpNQcwl1Kll5
XtSUp+rdc5SHQ2Omq+S4WZ8nW88IrT+VG6WflYvg2F1Wzk9D1KYcAl1vox/nqKg5
iqy0BlygrwTLJGS1uNSbIPTHFPgIX7VVQc+u3TLwqFaexXwG5382jD3n4uAr65SM
zP2O8JWZMukdWSP2cAFkKCNUCpYNiA0cyCtdtNw+vWqXXFdc0uvnILROB/dQ6RJA
MviUhGFMdtcoW/bMXDlpJTVFQhhFwJmMatvPIAq9Z+OkvV+T/y87NfE/KUDKB+Hy
oFx9xgax8wsZUNEZMyDMVGcV1oLn1/dsKhHShYVQsDoJcc1egkL+Di8TtT7SwNxg
zT1Rzi1tmVUMLM+CeyP1bbf4YPrH4ulk1Evj2ZHzF6hwKxavvm8hHidmd82FVcik
ePVA2hh60RUIGEAKyJS23SWUdaFe5+hxxYFQ3qAB
-----END CERTIFICATE-----
- name: configure vhost for webmail.chaos-at-home.org
vars:
nginx_vhost:
name: webmail
template: generic
acme: yes
hostnames:
- webmail.chaos-at-home.org
locations:
'/':
proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}/"
proxy_ssl:
verify: "on"
trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
protocols: TLSv1
ciphers: "DEFAULT@SECLEVEL=1"
extra_directives: |-
client_max_body_size 200M;
acmetool_cert_config:
request:
challenge:
http-self-test: false
include_role:
name: nginx/vhost
- name: configure vhost for webdav.chaos-at-home.org
vars:
nginx_vhost:
name: webdav
template: generic
acme: yes
hostnames:
- webdav.chaos-at-home.org
locations:
'/':
proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ipaddr('address') }}/"
proxy_ssl:
verify: "on"
trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
protocols: TLSv1
ciphers: "DEFAULT@SECLEVEL=1"
acmetool_cert_config:
request:
challenge:
http-self-test: false
include_role:
name: nginx/vhost
#### imap.chaos-at-home.org
- name: configure vhost for imap.chaos-at-home.org
vars:
nginx_vhost:
name: imap
acme: no
content: |
server {
listen 80;
listen [::]:80;
server_name imap.chaos-at-home.org;
location /.well-known/acme-challenge/ {
proxy_pass http://{{ network_services.imap.addr }};
}
location / {
return 303 https://webmail.chaos-at-home.org;
}
}
include_role:
name: nginx/vhost
### Service IP
- name: install systemd service unit for service-ip
copy:
dest: /etc/systemd/system/http-service-ip.service
content: |
[Unit]
Description=Assign HTTP Sevice IP
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
register: service_ip_systemd_unit
- name: make sure service-ip systemd unit is enabeld and started
systemd:
daemon_reload: yes
name: http-service-ip.service
state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
enabled: yes