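---
# Ansible playbook for the chaos-at-home HTTP reverse proxy (host group
# ch-http-proxy): base roles first, then one nginx vhost per public site
# via the nginx/vhost role, then a systemd unit for the floating service IP.
- name: Basic Setup
  hosts: ch-http-proxy
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd
    - role: core/zsh
    - role: apt-repo/spreadspace
    - role: acmetool/base
    - role: nginx/base

  post_tasks:
    #### web.chaos-at-home.org (default-server)
    # Catch-all vhost: a request whose Host header matches no other vhost
    # gets a static "No Such Site" page instead of some other site's content.
    - name: create directory for default server
      file:
        path: /var/www/default
        state: directory

    - name: copy chaos-at-home logo file
      copy:
        src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
        dest: /var/www/default/logo.jpg

    - name: install index.html for default server
      copy:
        dest: /var/www/default/index.html
        content: |
          <html>
          <head>
          <title>No Such Site</title>
          </head>
          <body style="font-family: Helvetica, Arial, Sans-Serif; color: white; background: black;">
          <div style="text-align: center; margin-top: 4em; margin-left:auto; margin-right:auto;">
          <img src="logo.jpg" alt="chaos@home Logo" />
          <h2 style="">You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.</h2>
          </div>
          </body>
          </html>

    - name: configure default vhost web.chaos-at-home.org
      vars:
        nginx_vhost:
          default: true
          name: web
          template: static-files-with-acme
          acme: true
          hostnames:
            - web.chaos-at-home.org
          root: /var/www/default
          index: index.html
        acmetool_cert_config:
          request:
            challenge:
              # acmetool's own check that the http-01 challenge file is
              # reachable is switched off for every acme vhost in this play;
              # the reason is not recorded here -- TODO confirm (service IP vs.
              # host address is the usual cause) before re-enabling.
              http-self-test: false
      include_role:
        name: nginx/vhost

    #### passwd.chaos-at-home.org
    - name: create directory for whawty auth ca cert
      file:
        path: /etc/ssl/whawty-auth-ca
        state: directory

    - name: install whawty auth ca cert
      copy:
        dest: /etc/ssl/whawty-auth-ca/ca.pem
        content: |
          -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

    - name: configure vhost for passwd.chaos-at-home.org
      vars:
        nginx_vhost:
          name: passwd
          template: generic-proxy-no-buffering-with-acme
          acme: true
          hostnames:
            - passwd.chaos-at-home.org
          proxy_pass: "https://{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-auth-legacy']) | ipaddr('address') }}/"
          # Upstream leg is HTTPS with the backend certificate verified against
          # the private whawty CA installed above. "on" is quoted so YAML keeps
          # the nginx on/off switch a string rather than a boolean.
          proxy_ssl:
            verify: "on"
            trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem
        acmetool_cert_config:
          request:
            challenge:
              http-self-test: false
      include_role:
        name: nginx/vhost

    #### webmail.chaos-at-home.org and webdav.chaos-at-home.org
    - name: create directory for prometheus-old ca cert
      file:
        path: /etc/ssl/prometheus-old-ca
        state: directory

    - name: install prometheus-old ca cert
      copy:
        dest: /etc/ssl/prometheus-old-ca/ca.pem
        # Private CA for the legacy ch-prometheus-old backend. Its validity
        # window is fixed in the certificate (decoding the UTCTime fields
        # suggests roughly 2020-08-28 .. 2025-08-27 -- verify with
        # `openssl x509 -noout -dates`); renew it before expiry or upstream
        # verification for webmail/webdav starts failing.
        content: |
          -----BEGIN CERTIFICATE-----
          MIIF6jCCA9KgAwIBAgIUXDQZo0d3tcTa4oilKki+E9md8GIwDQYJKoZIhvcNAQEN
          BQAwgYwxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
          YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFzAVBgNVBAsTDnByb21ldGhldXMt
          b2xkMSwwKgYDVQQDEyNjaGFvcy1hdC1ob21lIENBIGZvciBwcm9tZXRoZXVzLW9s
          ZDAeFw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBaMIGMMQswCQYDVQQGEwJB
          VDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFv
          cy1hdC1ob21lMRcwFQYDVQQLEw5wcm9tZXRoZXVzLW9sZDEsMCoGA1UEAxMjY2hh
          b3MtYXQtaG9tZSBDQSBmb3IgcHJvbWV0aGV1cy1vbGQwggIiMA0GCSqGSIb3DQEB
          AQUAA4ICDwAwggIKAoICAQDS1hSM5E7mhsv1c3S+cPmjxWAFz8N9xqSGk4JjRNxR
          wsM7o2aS18FZus+w/Ikp3sTfyNiK017lrnD1iwkTV+yHV9FFNq5FC7Jry3kZcjhH
          HirmRFJhXvsimsK6Ir/9ZuQ1EqhRv7HEnnG1W19UyQuk0VpTfcis4jNtMOuEcqG2
          arXah/8OOKpcsvIK03XWpLjw0UzNhemka66BC1W+Sg0iB3PmYOSUjJfxSulfZYN8
          YAP8QPhXCCrOw39EKiW4KcGnKhNQD8lulpk8kCZlr0Hd8bgxBzrQ+bDhMGEkbxnS
          7VaSSTLZIKUWT/4IzCMOrLFbL0k7e0DcOL0+D9lgGjqgDSKKxOi7U3BavilTRJvU
          9mq1B+7qrYrx3UfELNgYjUhF575iJmRRH+XKf4b/LGqyrAymRPpwnrubg7KUwGPa
          zScuGI4QakOVc5/zU6XML9msyz7p2IXmKqkAi/cxrH6VLK49r63Q8OPbLp17vaDp
          9TJaMyQ2QQDVaBulEfwIb1vSKiG+e+8frlXKBf7rtVbZxTda3VmUMFw56hbnT1vn
          zvnWwbTWj2in4BhCMbjyvA+HgPd5CAvXkQff4rX5+quLa6hqP/GbslDxtceDSrN0
          +GLRcFbBwxFSJhPmAyspUBDgKI6TaBwsaQIp54UF4wtmPOSmx7iRkYWELh7Jrfib
          YQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
          HQ4EFgQUTSq7rSadFGLpZQMEOpI9Mt6ViM0wDQYJKoZIhvcNAQENBQADggIBAKeZ
          FH+eabDb1JU41hIYrboPbL3N6G8IW9VxfAIQ/W3jYEHz+gLf7CAOZIqbZCrexajs
          +hqamNAZ+eXQ+9o9IcGXHx5ifDDWLDVl0i/7qQ1cl+oXQ4Ua6jSN/I1UghPkV+Pt
          X3Rptl+HLGtTjUcP8Sd78ugBnhM1T8oB9i/xkP9idP7H95C/JKnBER+uH8u67LVe
          gYRZS6R+tI3vX1CrjdI0zps0TDWU9sixsu2BF8HHc6AJ6t+1oAVtvpNQcwl1Kll5
          XtSUp+rdc5SHQ2Omq+S4WZ8nW88IrT+VG6WflYvg2F1Wzk9D1KYcAl1vox/nqKg5
          iqy0BlygrwTLJGS1uNSbIPTHFPgIX7VVQc+u3TLwqFaexXwG5382jD3n4uAr65SM
          zP2O8JWZMukdWSP2cAFkKCNUCpYNiA0cyCtdtNw+vWqXXFdc0uvnILROB/dQ6RJA
          MviUhGFMdtcoW/bMXDlpJTVFQhhFwJmMatvPIAq9Z+OkvV+T/y87NfE/KUDKB+Hy
          oFx9xgax8wsZUNEZMyDMVGcV1oLn1/dsKhHShYVQsDoJcc1egkL+Di8TtT7SwNxg
          zT1Rzi1tmVUMLM+CeyP1bbf4YPrH4ulk1Evj2ZHzF6hwKxavvm8hHidmd82FVcik
          ePVA2hh60RUIGEAKyJS23SWUdaFe5+hxxYFQ3qAB
          -----END CERTIFICATE-----

    - name: configure vhost for webmail.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webmail
          template: generic-proxy-no-buffering-with-acme
          acme: true
          hostnames:
            - webmail.chaos-at-home.org
          client_max_body_size: "200M"
          proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
          proxy_ssl:
            verify: "on"
            trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
            # Legacy settings for the proxy -> ch-prometheus-old leg only
            # (they do not affect the client-facing TLS the vhost template
            # terminates): TLS 1.0 with OpenSSL security level 1. Presumably
            # the old backend speaks nothing newer; drop both lines once it
            # is replaced.
            protocols: TLSv1
            ciphers: "DEFAULT@SECLEVEL=1"
        acmetool_cert_config:
          request:
            challenge:
              http-self-test: false
      include_role:
        name: nginx/vhost

    - name: configure vhost for webdav.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webdav
          template: generic-proxy-no-buffering-with-acme
          acme: true
          hostnames:
            - webdav.chaos-at-home.org
          proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/"
          proxy_ssl:
            verify: "on"
            trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
            # Same legacy upstream-only TLS settings as the webmail vhost;
            # remove together with it.
            protocols: TLSv1
            ciphers: "DEFAULT@SECLEVEL=1"
        acmetool_cert_config:
          request:
            challenge:
              http-self-test: false
      include_role:
        name: nginx/vhost

    #### imap.chaos-at-home.org
    # Plain-HTTP listener only (acme: false): forwards ACME http-01 challenges
    # to the imap host so it can obtain its own certificate, and redirects
    # everything else to webmail over HTTPS.
    - name: configure vhost for imap.chaos-at-home.org
      vars:
        nginx_vhost:
          name: imap
          acme: false
          content: |
            server {
              listen 80;
              listen [::]:80;
              server_name imap.chaos-at-home.org;
              location /.well-known/acme-challenge/ {
                proxy_pass http://{{ network_services.imap.addr }};
              }
              location / {
                return 303 https://webmail.chaos-at-home.org;
              }
            }
      include_role:
        name: nginx/vhost

    ### Service IP
    # Floating /32 HTTP service address on the primary interface: added on
    # start, removed on stop. RemainAfterExit keeps the oneshot unit "active"
    # after ExecStart so that ExecStop actually runs at shutdown/stop.
    - name: install systemd service unit for service-ip
      copy:
        dest: /etc/systemd/system/http-service-ip.service
        content: |
          [Unit]
          Description=Assign HTTP Service IP
          After=network.target
          [Service]
          Type=oneshot
          ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          RemainAfterExit=yes
          [Install]
          WantedBy=multi-user.target
      register: service_ip_systemd_unit

    - name: make sure service-ip systemd unit is enabled and started
      systemd:
        daemon_reload: true
        name: http-service-ip.service
        # Restart only when the unit file above actually changed.
        state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
        enabled: true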