summaryrefslogtreecommitdiff
path: root/chaos-at-home/ch-http-proxy.yml
blob: c742c2199bed078df05a7766d4a43bc0750b940e (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
---
- name: Basic Setup
  hosts: ch-http-proxy
  roles:
  - role: apt-repo/base
  - role: core/base
  - role: core/sshd/base
  - role: core/zsh
  - role: core/ntp

- name: Payload Setup
  hosts: ch-http-proxy
  roles:
  - role: apt-repo/spreadspace
  - role: monitoring/prometheus/exporter
  - role: x509/acmetool/base
  - role: whawty/auth/store
  - role: nginx/base
  - role: nginx/auth/whawty-sso/base
  - role: nginx/auth/whawty-sso/login
  - role: apps/publish/base
  post_tasks:
  #### web.chaos-at-home.org (default-server)
  - name: create directory for default server
    file:
      path: /var/www/default
      state: directory

  - name: copy chaos-at-home logo file
    copy:
      src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
      dest: /var/www/default/logo.jpg

  - name: install index.html for default server
    copy:
      dest: /var/www/default/index.html
      content: |
        <html>
          <head>
            <title>No Such Site</title>
          </head>
          <body style="font-family: Helvetica, Arial, Sans-Serif; color: white; background: black;">
            <div style="text-align: center; margin-top: 4em; margin-left:auto; margin-right:auto;">
              <img src="logo.jpg" alt="chaos@home Logo" />
              <h2 style="">You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.</h2>
            </div>
          </body>
        </html>

  - name: configure default vhost web.chaos-at-home.org
    vars:
      nginx_vhost:
        default: yes
        name: web
        template: generic
        tls:
          certificate_provider: acmetool
          certificate_config:
            request:
              challenge:
                http-self-test: false
        hostnames:
        - web.chaos-at-home.org
        locations:
          '/':
            root: /var/www/default
            index: index.html
    include_role:
      name: nginx/vhost


  #### webmail.chaos-at-home.org and webdav.chaos-at-home.org
  - name: create directory for prometheus-old ca cert
    file:
      path: /etc/ssl/prometheus-old-ca
      state: directory

  - name: install prometheus-old ca cert
    copy:
      dest: /etc/ssl/prometheus-old-ca/ca.pem
      content: |
        -----BEGIN CERTIFICATE-----
        MIIF6jCCA9KgAwIBAgIUXDQZo0d3tcTa4oilKki+E9md8GIwDQYJKoZIhvcNAQEN
        BQAwgYwxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
        YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFzAVBgNVBAsTDnByb21ldGhldXMt
        b2xkMSwwKgYDVQQDEyNjaGFvcy1hdC1ob21lIENBIGZvciBwcm9tZXRoZXVzLW9s
        ZDAeFw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBaMIGMMQswCQYDVQQGEwJB
        VDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFv
        cy1hdC1ob21lMRcwFQYDVQQLEw5wcm9tZXRoZXVzLW9sZDEsMCoGA1UEAxMjY2hh
        b3MtYXQtaG9tZSBDQSBmb3IgcHJvbWV0aGV1cy1vbGQwggIiMA0GCSqGSIb3DQEB
        AQUAA4ICDwAwggIKAoICAQDS1hSM5E7mhsv1c3S+cPmjxWAFz8N9xqSGk4JjRNxR
        wsM7o2aS18FZus+w/Ikp3sTfyNiK017lrnD1iwkTV+yHV9FFNq5FC7Jry3kZcjhH
        HirmRFJhXvsimsK6Ir/9ZuQ1EqhRv7HEnnG1W19UyQuk0VpTfcis4jNtMOuEcqG2
        arXah/8OOKpcsvIK03XWpLjw0UzNhemka66BC1W+Sg0iB3PmYOSUjJfxSulfZYN8
        YAP8QPhXCCrOw39EKiW4KcGnKhNQD8lulpk8kCZlr0Hd8bgxBzrQ+bDhMGEkbxnS
        7VaSSTLZIKUWT/4IzCMOrLFbL0k7e0DcOL0+D9lgGjqgDSKKxOi7U3BavilTRJvU
        9mq1B+7qrYrx3UfELNgYjUhF575iJmRRH+XKf4b/LGqyrAymRPpwnrubg7KUwGPa
        zScuGI4QakOVc5/zU6XML9msyz7p2IXmKqkAi/cxrH6VLK49r63Q8OPbLp17vaDp
        9TJaMyQ2QQDVaBulEfwIb1vSKiG+e+8frlXKBf7rtVbZxTda3VmUMFw56hbnT1vn
        zvnWwbTWj2in4BhCMbjyvA+HgPd5CAvXkQff4rX5+quLa6hqP/GbslDxtceDSrN0
        +GLRcFbBwxFSJhPmAyspUBDgKI6TaBwsaQIp54UF4wtmPOSmx7iRkYWELh7Jrfib
        YQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
        HQ4EFgQUTSq7rSadFGLpZQMEOpI9Mt6ViM0wDQYJKoZIhvcNAQENBQADggIBAKeZ
        FH+eabDb1JU41hIYrboPbL3N6G8IW9VxfAIQ/W3jYEHz+gLf7CAOZIqbZCrexajs
        +hqamNAZ+eXQ+9o9IcGXHx5ifDDWLDVl0i/7qQ1cl+oXQ4Ua6jSN/I1UghPkV+Pt
        X3Rptl+HLGtTjUcP8Sd78ugBnhM1T8oB9i/xkP9idP7H95C/JKnBER+uH8u67LVe
        gYRZS6R+tI3vX1CrjdI0zps0TDWU9sixsu2BF8HHc6AJ6t+1oAVtvpNQcwl1Kll5
        XtSUp+rdc5SHQ2Omq+S4WZ8nW88IrT+VG6WflYvg2F1Wzk9D1KYcAl1vox/nqKg5
        iqy0BlygrwTLJGS1uNSbIPTHFPgIX7VVQc+u3TLwqFaexXwG5382jD3n4uAr65SM
        zP2O8JWZMukdWSP2cAFkKCNUCpYNiA0cyCtdtNw+vWqXXFdc0uvnILROB/dQ6RJA
        MviUhGFMdtcoW/bMXDlpJTVFQhhFwJmMatvPIAq9Z+OkvV+T/y87NfE/KUDKB+Hy
        oFx9xgax8wsZUNEZMyDMVGcV1oLn1/dsKhHShYVQsDoJcc1egkL+Di8TtT7SwNxg
        zT1Rzi1tmVUMLM+CeyP1bbf4YPrH4ulk1Evj2ZHzF6hwKxavvm8hHidmd82FVcik
        ePVA2hh60RUIGEAKyJS23SWUdaFe5+hxxYFQ3qAB
        -----END CERTIFICATE-----

  - name: configure vhost for webmail.chaos-at-home.org
    vars:
      nginx_vhost:
        name: webmail
        template: generic
        tls:
          certificate_provider: acmetool
          certificate_config:
            request:
              challenge:
                http-self-test: false
        hostnames:
        - webmail.chaos-at-home.org
        locations:
          '/':
            proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
            proxy_ssl:
              verify: "on"
              trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
              protocols: TLSv1
              ciphers: "DEFAULT@SECLEVEL=0"
            extra_directives: |-
              client_max_body_size 200M;
    include_role:
      name: nginx/vhost

  - name: configure vhost for webdav.chaos-at-home.org
    vars:
      nginx_vhost:
        name: webdav
        template: generic
        tls:
          certificate_provider: acmetool
          certificate_config:
            request:
              challenge:
                http-self-test: false
        hostnames:
        - webdav.chaos-at-home.org
        locations:
          '/':
            proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
            proxy_ssl:
              verify: "on"
              trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
              protocols: TLSv1
              ciphers: "DEFAULT@SECLEVEL=0"
    include_role:
      name: nginx/vhost


  #### imap.chaos-at-home.org
  - name: configure vhost for imap.chaos-at-home.org
    vars:
      nginx_vhost:
        name: imap
        content: |
          server {
            listen 80;
            listen [::]:80;
            server_name imap.chaos-at-home.org;

            location /.well-known/acme-challenge/ {
              proxy_pass http://{{ network_services.imap.addr }};
            }

            location / {
              return 303 https://webmail.chaos-at-home.org;
            }
          }
    include_role:
      name: nginx/vhost


  ### Service IP
  - name: install systemd service unit for service-ip
    copy:
      dest: /etc/systemd/system/http-service-ip.service
      content: |
        [Unit]
        Description=Assign HTTP Sevice IP
        After=network.target

        [Service]
        Type=oneshot
        ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
        ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
        RemainAfterExit=yes

        [Install]
        WantedBy=multi-user.target
    register: service_ip_systemd_unit

  - name: make sure service-ip systemd unit is enabeld and started
    systemd:
      daemon_reload: yes
      name: http-service-ip.service
      state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
      enabled: yes