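---
# Playbook for the chaos-at-home HTTP reverse proxy (host group ch-http-proxy).
# After the base roles it defines one nginx vhost per public hostname: most of
# them terminate TLS on this host (acmetool) and proxy to backends on the LAN.
- name: Basic Setup
  hosts: ch-http-proxy
  roles:
  - role: apt-repo/base
  - role: core/base
  - role: core/sshd
  - role: core/zsh
  - role: apt-repo/spreadspace
  - role: acmetool/base
  - role: nginx/base
  post_tasks:
  #### web.chaos-at-home.org (default-server)
  # Catch-all vhost: requests for hostnames that no other vhost claims end up
  # here and get a static "No Such Site" page rather than some backend.
  - name: create directory for default server
    file:
      path: /var/www/default
      state: directory

  - name: copy chaos-at-home logo file
    copy:
      src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
      dest: /var/www/default/logo.jpg

  - name: install index.html for default server
    copy:
      dest: /var/www/default/index.html
      content: |
        <html>
          <head>
            <title>No Such Site</title>
          </head>
          <body style="font-family: Helvetica, Arial, Sans-Serif; color: white; background: black;">
            <div style="text-align: center; margin-top: 4em; margin-left:auto; margin-right:auto;">
              <img src="logo.jpg" alt="chaos@home Logo" />
              <h2 style="">You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.</h2>
            </div>
          </body>
        </html>


  - name: configure default vhost web.chaos-at-home.org
    vars:
      nginx_vhost:
        default: true
        name: web
        template: static-files-with-acme
        acme: true
        hostnames:
        - web.chaos-at-home.org
        root: /var/www/default
        index: index.html
      acmetool_cert_config:
        request:
          challenge:
            # acmetool's own pre-flight check of the HTTP challenge path is
            # skipped; failed renewals then only show up in acmetool's logs.
            http-self-test: false
    include_role:
      name: nginx/vhost


  #### passwd.chaos-at-home.org
  # The whawty-auth backend presents a certificate from a private CA; that CA
  # is installed here so nginx can verify the proxy -> backend TLS leg.
  - name: create directory for whawty auth ca cert
    file:
      path: /etc/ssl/whawty-auth-ca
      state: directory

  - name: install whawty auth ca cert
    copy:
      dest: /etc/ssl/whawty-auth-ca/ca.pem
      # NOTE(review): this CA has a fixed validity period baked in (it appears
      # to expire in 2025 -- confirm with `openssl x509 -noout -dates`); it has
      # to be replaced here before the backend is reissued under a new CA, or
      # the passwd vhost below will start failing upstream verification.
      content: |
        -----BEGIN CERTIFICATE-----
        MIIF3jCCA8agAwIBAgIUQLP44rt/4d91qIT8oOVKMb3+WVQwDQYJKoZIhvcNAQEN
        BQAwgYYxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
        YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFDASBgNVBAsTC3doYXd0eS1hdXRo
        MSkwJwYDVQQDEyBjaGFvcy1hdC1ob21lIENBIGZvciB3aGF3dHktYXV0aDAeFw0y
        MDA4MjgxOTQzMDBaFw0yNTA4MjcxOTQzMDBaMIGGMQswCQYDVQQGEwJBVDEPMA0G
        A1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFvcy1hdC1o
        b21lMRQwEgYDVQQLEwt3aGF3dHktYXV0aDEpMCcGA1UEAxMgY2hhb3MtYXQtaG9t
        ZSBDQSBmb3Igd2hhd3R5LWF1dGgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
        AoICAQCyoleHLYcu2vBbwa3OuukNHKWKrdohAJPPOc5rRTNv2ENiTn1U3Mmuo2Sk
        1DODyQCsuFS92wWNq7T+aFKoHt1VlUkT73ytVduCdu06j6N7I8CUqFBMKvs2e7iO
        mjV8ur7F/0LpSvF812aqOEHqGKjjsaHGy8TMb9OnxtcvU4Icit7jnTDspIec8rQY
        dfo4tHtYNvwmyiLk3nTorpFMREmyDRYNijtYy+RO+dN+8/Cg5GmiAVBPLHu0DyGA
        VtRmZsKKWXCPloWNwdalKDfn8ZRP7zzurkAAtQMvYMJiTxucRfnvkeT1AK+mWVuJ
        REpFOFNJtrdismIPaeQ0VwgJEOXmFCsOTJpksVbOoFK9HSDliNOVIIpbDxp7Pm5I
        RIpw1f3RBEejrg7tqOM+tn7In1s783sPNqMFf7WDyl2wNaAoAQvmY+BL4jS/HTOj
        KiAWEoU2ncPlL5VnWDkH2npSD3lGuSXUiIikL5MGPjwOjYICW5dKLtLzbC7ElODI
        GWCzZRHFMewgBGsOfcLQjOYlwwtMWbkZ5OTXYAUDhW5k3WXav+7fHcV5Ydp+OLAH
        mVkn3EiIWySuMdGp9eEFoxAQeJLnX1/gc30cWSh20VxUmE2HpgCW9UliCeUrRFFE
        cI+cWdzmVNkOr6MyeGOA8dTThBrRW5kFBnrQTTd8fyGCds5uyQIDAQABo0IwQDAO
        BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFFTxZcX0
        E66DaRMRikHxfMfCf9AwDQYJKoZIhvcNAQENBQADggIBAJh4CyhxoQfWhyfpnbgh
        yDjvtC9gHo3mGHUBjc4QOaAC0MQocEbk5+FCmV0cMzqJ7fWNCckXs+mV08GFqNxv
        MzzyfLQuOc5WNnr7uLTQ/PCsjQ5ohzE40WKugfABiZhG49R1nWky5aM31LfhJ2Am
        VqJhz8b50YC3aq1R2P0nJ7zLAZzfIpb3fgeLsENV9fxNDA5xLCTsqkdjTpZ79MZy
        Ud3W02KZY0izd95gkvaWp8uCSTagYNBlMTIYLdEBnUIHlSGca5dXVACtuWBE3v3N
        DcomliXUpHcCun9pzsgBjN1OpR9PN/FOXFHbiM734CHl6ddsWDFmpQC4mzA/QPNb
        CZtfslr1WvWOTd8N+ksph68v7xFbIalYOfJf+f8VjunU7Kxgl6oQ/7m8GGnQ8Ah7
        JUCeiEeOZuN6C4yRArYD55AG/5NcrwVJzJ2q/K3B8YlXIpuQVNEOUbyT97deD+cC
        c+1HymHgT6RGVeU8W1M7JNv9Qwzo41Um1LVWk8c2mXuyq76E58XaC3aL/K6i5VfP
        /04Dx9VVnGu2nUoCmryWgh+Pa3M20GWdG85cAb4b3srf7KoeaOeWzv5QqIj1tcJs
        EdaZIyg65dC5dMuuQ0geCEoTaBjOWUiTzBGgvFXkdVHSfyBh+BRbTHMnIuPIwe+c
        y8wejeuvOelX6YEzJpnebARk
        -----END CERTIFICATE-----

  - name: configure vhost for passwd.chaos-at-home.org
    vars:
      nginx_vhost:
        name: passwd
        template: generic-proxy-no-buffering-with-acme
        acme: true
        hostnames:
        - passwd.chaos-at-home.org
        # Previous backend address in the svc zone, kept for reference:
        # proxy_pass: "https://{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-auth-legacy']) | ipaddr('address') }}/"
        proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-auth-legacy']) | ipaddr('address') }}:843/"
        # The upstream certificate is verified against the private CA installed
        # above; this is the only proxied vhost in this play that verifies its
        # backend.
        proxy_ssl:
          verify: "on"
          trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false
    include_role:
      name: nginx/vhost


  #### webmail.chaos-at-home.org
  - name: configure vhost for webmail.chaos-at-home.org
    vars:
      nginx_vhost:
        name: webmail
        template: generic-proxy-no-buffering-with-acme
        acme: true
        hostnames:
        - webmail.chaos-at-home.org
        # Large request bodies (mail attachments) are passed through to the backend.
        client_max_body_size: "200M"
        proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
        # NOTE(review): the proxy -> backend leg is pinned to TLSv1 with the
        # OpenSSL security level lowered to 1, presumably because the
        # ch-prometheus-old backend offers nothing newer. Unlike the passwd
        # vhost, no verify / trusted_certificate is configured here (whether
        # the nginx/vhost template verifies upstreams by default is not visible
        # in this file). This leg is therefore only as trustworthy as the LAN
        # segment it crosses; upgrading the backend and dropping these two
        # lines (here and in the webdav vhost) is the cleaner fix.
        proxy_ssl:
          protocols: TLSv1
          ciphers: "DEFAULT@SECLEVEL=1"
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false
    include_role:
      name: nginx/vhost


  #### webdav.chaos-at-home.org
  - name: configure vhost for webdav.chaos-at-home.org
    vars:
      nginx_vhost:
        name: webdav
        template: generic-proxy-no-buffering-with-acme
        acme: true
        hostnames:
        - webdav.chaos-at-home.org
        proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
        # Same weakened backend TLS profile as the webmail vhost (same backend
        # host); see the note there.
        proxy_ssl:
          protocols: TLSv1
          ciphers: "DEFAULT@SECLEVEL=1"
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false
    include_role:
      name: nginx/vhost


  #### imap.chaos-at-home.org
  # Plain-HTTP vhost without a certificate of its own: ACME challenge requests
  # are forwarded to the imap host (presumably so it can obtain its own cert),
  # everything else is redirected to webmail.
  - name: configure vhost for imap.chaos-at-home.org
    vars:
      nginx_vhost:
        name: imap
        acme: false
        content: |
          server {
            listen 80;
            listen [::]:80;
            server_name imap.chaos-at-home.org;

            location /.well-known/acme-challenge/ {
              proxy_pass http://{{ network_services.imap.addr }};
            }

            location / {
              return 303 https://webmail.chaos-at-home.org;
            }
          }
    include_role:
      name: nginx/vhost


  ### Service IP
  # Kept commented out: a oneshot unit that would bind the shared HTTP service
  # address to the primary interface on this host.
  # - name: install systemd service unit for service-ip
  #   copy:
  #     dest: /etc/systemd/system/http-service-ip.service
  #     content: |
  #       [Unit]
  #       Description=Assign HTTP Service IP
  #       After=network.target

  #       [Service]
  #       Type=oneshot
  #       ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
  #       ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
  #       RemainAfterExit=yes

  #       [Install]
  #       WantedBy=multi-user.target
  #   register: service_ip_systemd_unit

  # - name: make sure service-ip systemd unit is enabled and started
  #   systemd:
  #     daemon_reload: true
  #     name: http-service-ip.service
  #     state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
  #     enabled: true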