summaryrefslogtreecommitdiff
path: root/chaos-at-home/ch-http-proxy.yml
blob: 2dc38364253aee5b975d288f6273da359a4d7070 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
---
- name: Basic Setup
  hosts: ch-http-proxy
  roles:
  - role: apt-repo/base
  - role: core/base
  - role: core/sshd
  - role: core/zsh
  - role: apt-repo/spreadspace
  - role: acmetool/base
  - role: nginx/base
  post_tasks:
  #### web.chaos-at-home.org (default-server)
  - name: create directory for default server
    file:
      path: /var/www/default
      state: directory

  - name: copy chaos-at-home logo file
    copy:
      src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
      dest: /var/www/default/logo.jpg

  - name: install index.html for default server
    copy:
      dest: /var/www/default/index.html
      content: |
        <html>
          <head>
            <title>No Such Site</title>
          </head>
          <body style="font-family: Helvetica, Arial, Sans-Serif; color: white; background: black;">
            <div style="text-align: center; margin-top: 4em; margin-left:auto; margin-right:auto;">
              <img src="logo.jpg" alt="chaos@home Logo" />
              <h2 style="">You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.</h2>
            </div>
          </body>
        </html>

  - name: configure default vhost web.chaos-at-home.org
    vars:
      nginx_vhost:
        default: yes
        name: web
        template: static-files-with-acme
        acme: yes
        hostnames:
        - web.chaos-at-home.org
        root: /var/www/default
        index: index.html
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false
    include_role:
      name: nginx/vhost


  #### passwd.chaos-at-home.org
  - name: create directory for whawty auth ca cert
    file:
      path: /etc/ssl/whawty-auth-ca
      state: directory

  - name: install whawty auth ca cert
    copy:
      dest: /etc/ssl/whawty-auth-ca/ca.pem
      content: |
        -----BEGIN CERTIFICATE-----
        MIIF3jCCA8agAwIBAgIUQLP44rt/4d91qIT8oOVKMb3+WVQwDQYJKoZIhvcNAQEN
        BQAwgYYxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
        YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFDASBgNVBAsTC3doYXd0eS1hdXRo
        MSkwJwYDVQQDEyBjaGFvcy1hdC1ob21lIENBIGZvciB3aGF3dHktYXV0aDAeFw0y
        MDA4MjgxOTQzMDBaFw0yNTA4MjcxOTQzMDBaMIGGMQswCQYDVQQGEwJBVDEPMA0G
        A1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFvcy1hdC1o
        b21lMRQwEgYDVQQLEwt3aGF3dHktYXV0aDEpMCcGA1UEAxMgY2hhb3MtYXQtaG9t
        ZSBDQSBmb3Igd2hhd3R5LWF1dGgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
        AoICAQCyoleHLYcu2vBbwa3OuukNHKWKrdohAJPPOc5rRTNv2ENiTn1U3Mmuo2Sk
        1DODyQCsuFS92wWNq7T+aFKoHt1VlUkT73ytVduCdu06j6N7I8CUqFBMKvs2e7iO
        mjV8ur7F/0LpSvF812aqOEHqGKjjsaHGy8TMb9OnxtcvU4Icit7jnTDspIec8rQY
        dfo4tHtYNvwmyiLk3nTorpFMREmyDRYNijtYy+RO+dN+8/Cg5GmiAVBPLHu0DyGA
        VtRmZsKKWXCPloWNwdalKDfn8ZRP7zzurkAAtQMvYMJiTxucRfnvkeT1AK+mWVuJ
        REpFOFNJtrdismIPaeQ0VwgJEOXmFCsOTJpksVbOoFK9HSDliNOVIIpbDxp7Pm5I
        RIpw1f3RBEejrg7tqOM+tn7In1s783sPNqMFf7WDyl2wNaAoAQvmY+BL4jS/HTOj
        KiAWEoU2ncPlL5VnWDkH2npSD3lGuSXUiIikL5MGPjwOjYICW5dKLtLzbC7ElODI
        GWCzZRHFMewgBGsOfcLQjOYlwwtMWbkZ5OTXYAUDhW5k3WXav+7fHcV5Ydp+OLAH
        mVkn3EiIWySuMdGp9eEFoxAQeJLnX1/gc30cWSh20VxUmE2HpgCW9UliCeUrRFFE
        cI+cWdzmVNkOr6MyeGOA8dTThBrRW5kFBnrQTTd8fyGCds5uyQIDAQABo0IwQDAO
        BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFFTxZcX0
        E66DaRMRikHxfMfCf9AwDQYJKoZIhvcNAQENBQADggIBAJh4CyhxoQfWhyfpnbgh
        yDjvtC9gHo3mGHUBjc4QOaAC0MQocEbk5+FCmV0cMzqJ7fWNCckXs+mV08GFqNxv
        MzzyfLQuOc5WNnr7uLTQ/PCsjQ5ohzE40WKugfABiZhG49R1nWky5aM31LfhJ2Am
        VqJhz8b50YC3aq1R2P0nJ7zLAZzfIpb3fgeLsENV9fxNDA5xLCTsqkdjTpZ79MZy
        Ud3W02KZY0izd95gkvaWp8uCSTagYNBlMTIYLdEBnUIHlSGca5dXVACtuWBE3v3N
        DcomliXUpHcCun9pzsgBjN1OpR9PN/FOXFHbiM734CHl6ddsWDFmpQC4mzA/QPNb
        CZtfslr1WvWOTd8N+ksph68v7xFbIalYOfJf+f8VjunU7Kxgl6oQ/7m8GGnQ8Ah7
        JUCeiEeOZuN6C4yRArYD55AG/5NcrwVJzJ2q/K3B8YlXIpuQVNEOUbyT97deD+cC
        c+1HymHgT6RGVeU8W1M7JNv9Qwzo41Um1LVWk8c2mXuyq76E58XaC3aL/K6i5VfP
        /04Dx9VVnGu2nUoCmryWgh+Pa3M20GWdG85cAb4b3srf7KoeaOeWzv5QqIj1tcJs
        EdaZIyg65dC5dMuuQ0geCEoTaBjOWUiTzBGgvFXkdVHSfyBh+BRbTHMnIuPIwe+c
        y8wejeuvOelX6YEzJpnebARk
        -----END CERTIFICATE-----

  - name: configure vhost for passwd.chaos-at-home.org
    vars:
      nginx_vhost:
        name: passwd
        template: generic-proxy-no-buffering-with-acme
        acme: yes
        hostnames:
        - passwd.chaos-at-home.org
        proxy_pass: "https://{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-auth-legacy']) | ipaddr('address') }}/"
        proxy_ssl:
          verify: "on"
          trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false
    include_role:
      name: nginx/vhost


  #### webmail.chaos-at-home.org and webdav.chaos-at-home.org
  - name: create directory for prometheus-old ca cert
    file:
      path: /etc/ssl/prometheus-old-ca
      state: directory

  - name: install prometheus-old ca cert
    copy:
      dest: /etc/ssl/prometheus-old-ca/ca.pem
      content: |
        -----BEGIN CERTIFICATE-----
        MIIF6jCCA9KgAwIBAgIUXDQZo0d3tcTa4oilKki+E9md8GIwDQYJKoZIhvcNAQEN
        BQAwgYwxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
        YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFzAVBgNVBAsTDnByb21ldGhldXMt
        b2xkMSwwKgYDVQQDEyNjaGFvcy1hdC1ob21lIENBIGZvciBwcm9tZXRoZXVzLW9s
        ZDAeFw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBaMIGMMQswCQYDVQQGEwJB
        VDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFv
        cy1hdC1ob21lMRcwFQYDVQQLEw5wcm9tZXRoZXVzLW9sZDEsMCoGA1UEAxMjY2hh
        b3MtYXQtaG9tZSBDQSBmb3IgcHJvbWV0aGV1cy1vbGQwggIiMA0GCSqGSIb3DQEB
        AQUAA4ICDwAwggIKAoICAQDS1hSM5E7mhsv1c3S+cPmjxWAFz8N9xqSGk4JjRNxR
        wsM7o2aS18FZus+w/Ikp3sTfyNiK017lrnD1iwkTV+yHV9FFNq5FC7Jry3kZcjhH
        HirmRFJhXvsimsK6Ir/9ZuQ1EqhRv7HEnnG1W19UyQuk0VpTfcis4jNtMOuEcqG2
        arXah/8OOKpcsvIK03XWpLjw0UzNhemka66BC1W+Sg0iB3PmYOSUjJfxSulfZYN8
        YAP8QPhXCCrOw39EKiW4KcGnKhNQD8lulpk8kCZlr0Hd8bgxBzrQ+bDhMGEkbxnS
        7VaSSTLZIKUWT/4IzCMOrLFbL0k7e0DcOL0+D9lgGjqgDSKKxOi7U3BavilTRJvU
        9mq1B+7qrYrx3UfELNgYjUhF575iJmRRH+XKf4b/LGqyrAymRPpwnrubg7KUwGPa
        zScuGI4QakOVc5/zU6XML9msyz7p2IXmKqkAi/cxrH6VLK49r63Q8OPbLp17vaDp
        9TJaMyQ2QQDVaBulEfwIb1vSKiG+e+8frlXKBf7rtVbZxTda3VmUMFw56hbnT1vn
        zvnWwbTWj2in4BhCMbjyvA+HgPd5CAvXkQff4rX5+quLa6hqP/GbslDxtceDSrN0
        +GLRcFbBwxFSJhPmAyspUBDgKI6TaBwsaQIp54UF4wtmPOSmx7iRkYWELh7Jrfib
        YQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
        HQ4EFgQUTSq7rSadFGLpZQMEOpI9Mt6ViM0wDQYJKoZIhvcNAQENBQADggIBAKeZ
        FH+eabDb1JU41hIYrboPbL3N6G8IW9VxfAIQ/W3jYEHz+gLf7CAOZIqbZCrexajs
        +hqamNAZ+eXQ+9o9IcGXHx5ifDDWLDVl0i/7qQ1cl+oXQ4Ua6jSN/I1UghPkV+Pt
        X3Rptl+HLGtTjUcP8Sd78ugBnhM1T8oB9i/xkP9idP7H95C/JKnBER+uH8u67LVe
        gYRZS6R+tI3vX1CrjdI0zps0TDWU9sixsu2BF8HHc6AJ6t+1oAVtvpNQcwl1Kll5
        XtSUp+rdc5SHQ2Omq+S4WZ8nW88IrT+VG6WflYvg2F1Wzk9D1KYcAl1vox/nqKg5
        iqy0BlygrwTLJGS1uNSbIPTHFPgIX7VVQc+u3TLwqFaexXwG5382jD3n4uAr65SM
        zP2O8JWZMukdWSP2cAFkKCNUCpYNiA0cyCtdtNw+vWqXXFdc0uvnILROB/dQ6RJA
        MviUhGFMdtcoW/bMXDlpJTVFQhhFwJmMatvPIAq9Z+OkvV+T/y87NfE/KUDKB+Hy
        oFx9xgax8wsZUNEZMyDMVGcV1oLn1/dsKhHShYVQsDoJcc1egkL+Di8TtT7SwNxg
        zT1Rzi1tmVUMLM+CeyP1bbf4YPrH4ulk1Evj2ZHzF6hwKxavvm8hHidmd82FVcik
        ePVA2hh60RUIGEAKyJS23SWUdaFe5+hxxYFQ3qAB
        -----END CERTIFICATE-----

  - name: configure vhost for webmail.chaos-at-home.org
    vars:
      nginx_vhost:
        name: webmail
        template: generic-proxy-no-buffering-with-acme
        acme: yes
        hostnames:
        - webmail.chaos-at-home.org
        client_max_body_size: "200M"
        proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
        proxy_ssl:
          verify: "on"
          trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
          protocols: TLSv1
          ciphers: "DEFAULT@SECLEVEL=1"
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false
    include_role:
      name: nginx/vhost

  - name: configure vhost for webdav.chaos-at-home.org
    vars:
      nginx_vhost:
        name: webdav
        template: generic-proxy-no-buffering-with-acme
        acme: yes
        hostnames:
        - webdav.chaos-at-home.org
        proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
        proxy_ssl:
          verify: "on"
          trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
          protocols: TLSv1
          ciphers: "DEFAULT@SECLEVEL=1"
      acmetool_cert_config:
        request:
          challenge:
            http-self-test: false
    include_role:
      name: nginx/vhost


  #### imap.chaos-at-home.org
  - name: configure vhost for imap.chaos-at-home.org
    vars:
      nginx_vhost:
        name: imap
        acme: no
        content: |
          server {
            listen 80;
            listen [::]:80;
            server_name imap.chaos-at-home.org;

            location /.well-known/acme-challenge/ {
              proxy_pass http://{{ network_services.imap.addr }};
            }

            location / {
              return 303 https://webmail.chaos-at-home.org;
            }
          }
    include_role:
      name: nginx/vhost


  ### Service IP
  - name: install systemd service unit for service-ip
    copy:
      dest: /etc/systemd/system/http-service-ip.service
      content: |
        [Unit]
        Description=Assign HTTP Sevice IP
        After=network.target

        [Service]
        Type=oneshot
        ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
        ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
        RemainAfterExit=yes

        [Install]
        WantedBy=multi-user.target
    register: service_ip_systemd_unit

  - name: make sure service-ip systemd unit is enabeld and started
    systemd:
      daemon_reload: yes
      name: http-service-ip.service
      state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
      enabled: yes