diff --git a/host_vars/bitwarden.yaml b/host_vars/bitwarden.yaml
index 6bc1aeb..e56755f 100644
--- a/host_vars/bitwarden.yaml
+++ b/host_vars/bitwarden.yaml
@@ -4,5 +4,5 @@ webserver:
 - domain: "bitwarden.tormakristof.eu"
 port: 8080
 bigrequests: false
- https: true
+ https: false
 ...
diff --git a/infra.yaml b/infra.yaml
index be1a71d..ae6ff03 100644
--- a/infra.yaml
+++ b/infra.yaml
@@ -66,4 +66,13 @@
 - internalsmtp
 - backupscript
 - backuphost
+
+- name: "Deploy OpenVPN server"
+ hosts: openvpn
+ roles:
+ - netplan
+ - common
+ - openvpn
+ - customfirewall
+ - internalsmtp
 ...
\ No newline at end of file
diff --git a/roles/openvpn/tasks/main.yaml b/roles/openvpn/tasks/main.yaml
index 5164a24..302e2fd 100644
--- a/roles/openvpn/tasks/main.yaml
+++ b/roles/openvpn/tasks/main.yaml
@@ -4,7 +4,7 @@
 update_cache: yes
 state: present
 name:
- - openvpn-server
+ - openvpn
 - name : "Enable ipv4 forwarding via sysctl"
 ansible.posix.sysctl:
@@ -16,7 +16,7 @@
 - name: Enable and restart openvpn daemon
 service:
- name: openvpn
+ name: openvpn-server@stargate
 state: restarted
 enabled: yes
@@ -41,6 +41,13 @@
 -A POSTROUTING -s 192.168.37.0/24 -o eth0 -j MASQUERADE
 -A POSTROUTING -s 192.168.37.0/24 -o eth2 -j MASQUERADE
 COMMIT
+ -A ufw-before-input -i tun+ -j ACCEPT
+ -A ufw-before-forward -i tun+ -j ACCEPT
+ -A ufw-before-forward -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ -A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+ -A ufw-before-forward -i tun+ -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+ -A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+ COMMIT
 # END OPENVPN RULES
 - name: Reload ufw
diff --git a/roles/webgateway/templates/nginx.conf b/roles/webgateway/templates/nginx.conf
index 89aced4..5065994 100644
--- a/roles/webgateway/templates/nginx.conf
+++ b/roles/webgateway/templates/nginx.conf
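Review bot: Flipping `https: false` here selects the plain-HTTP `proxy_pass` branch of the webserver role's per-server block (the `{% if server.https %}` test in roles/webserver/templates/nginx.conf, visible later in this diff), so nginx now forwards to Bitwarden on 127.0.0.1:8080 unencrypted. That is acceptable only while the Bitwarden listener is bound to loopback and not reachable from the LAN, which a host_vars file cannot show; a comment recording the assumption, `# backend speaks plain HTTP on loopback only; TLS is terminated by nginx`, keeps a later edit from exposing port 8080 as a cleartext service. The `webserver:` list this entry belongs to starts above the hunk.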
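Review bot: The new play runs `openvpn` before `customfirewall`, yet the openvpn role (changed later in this diff) writes its own ufw rules and reloads ufw; if customfirewall rewrites or resets the ufw rule set afterwards, the tun+ rules are lost on every run — whether that happens depends on the customfirewall role, which is not shown, so either confirm it preserves the openvpn block or move `openvpn` after `customfirewall`. The file also still ends without a trailing newline (`\ No newline at end of file` on the `...` line); since this hunk already touches the end of the file, it is the natural place to add one. Unlike the preceding play, the new one carries no `backupscript`/`backuphost` roles, which may well be intended for a VPN host but is worth a one-line comment.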
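Review bot: The instance name in `name: openvpn-server@stargate` is hard-coded in the task, while the `openvpn-server@` template unit resolves the instance to a config file named after it (on Debian-family packaging, `/etc/openvpn/server/<instance>.conf`), so a later rename of the templated config would leave the unit pointing at a file that no longer exists; a role variable, `name: "openvpn-server@{{ openvpn_instance }}"` with `openvpn_instance: stargate` in defaults, keeps the two in step. Separately, `state: restarted` restarts the daemon — and drops every connected client — on each playbook run; `state: started` plus a handler notified by the config-writing task would restart only when the configuration actually changes.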
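Review bot: The new `-A ufw-before-*` rules follow the `COMMIT` that closes the nat table (the `POSTROUTING`/`MASQUERADE` rules above them) but no `*filter` line precedes them, so when ufw feeds before.rules to iptables-restore there is no table in scope for the `ufw-before-input`/`ufw-before-forward` chains and the reload is likely to fail; insert `*filter` before the first `-A ufw-before-input` (assuming, as the hunk suggests, this block is a standalone nat section rather than a continuation of the file's own `*filter` section, which is outside the hunk). Beyond that, `-A ufw-before-forward -i tun+ -j ACCEPT` accepts every new connection from VPN clients towards any interface the host forwards to, which both shadows the two `-i tun+ -o eth0/eth2 ... RELATED,ESTABLISHED` rules and gives clients reach into every attached network; if eth0 and eth2 are the only intended destinations, replace the blanket rule with per-interface accepts and keep only the return-path state rules. `-A ufw-before-input -i tun+ -j ACCEPT` likewise opens every host service to VPN clients, so narrowing it to the ports they actually need is worth considering.
```yaml
# … unchanged: task header and the *nat/POSTROUTING section of the block scalar …
      COMMIT
      *filter
      -A ufw-before-input -i tun+ -j ACCEPT
      -A ufw-before-forward -i tun+ -o eth0 -j ACCEPT
      -A ufw-before-forward -i tun+ -o eth2 -j ACCEPT
      -A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
      COMMIT
```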
@@ -90,7 +90,7 @@ http {
 }
 }
- {% endfor %}
+ {%- endfor %}
 {%- for staticsite in static %}
 server {
@@ -105,7 +105,7 @@ http {
 }
 }
- {% endfor %}
+ {%- endfor %}
 {%- for redirectsite in redirect %}
 server {
@@ -117,7 +117,7 @@ http {
 return 301 {{ redirectsite.destination }};
 }
- {% endfor %}
+ {%- endfor %}
 server {
 listen 443 ssl http2;
diff --git a/roles/webgateway/vars/main.yaml b/roles/webgateway/vars/main.yaml
index 9a35905..9e17093 100644
--- a/roles/webgateway/vars/main.yaml
+++ b/roles/webgateway/vars/main.yaml
@@ -13,7 +13,6 @@ proxy:
 - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false}
 - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: true}
 - {domain: mastodon.tormakristof.eu, ip: mastodon.intra.tormakris.dev, bigrequests: true}
- - {domain: jitsi.tormakristof.eu, ip: jitsi.intra.tormakris.dev, bigrequests: false}
 - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true}
diff --git a/roles/webserver/templates/nginx.conf b/roles/webserver/templates/nginx.conf
index 10990b3..9f80180 100644
--- a/roles/webserver/templates/nginx.conf
+++ b/roles/webserver/templates/nginx.conf
@@ -69,9 +69,9 @@ http {
 server_name {{ server.domain }};
 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
- {%- if server.bigrequests %}
+ {% if server.bigrequests %}
 client_max_body_size 8G;
- {%- endif %}
+ {% endif %}
 location /{
 {% if server.https %}
 proxy_pass https://127.0.0.1:{{ server.port }};
@@ -88,8 +88,8 @@ http {
 allow 192.168.69.0/24;
 deny all;
 }
- {%- if server.additionallocations is defined %}
- {%- for location in server.additionallocations %}
+ {% if server.additionallocations is defined %}
+ {% for location in server.additionallocations %}
 location {{location.location}}{
 {% if location.https %}
 proxy_pass https://127.0.0.1:{{ location.port }};
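Review bot: The three `endfor` tags in this file gain the `{%-` whitespace-control marker, while the sibling template roles/webserver/templates/nginx.conf in the same commit strips `{%-` from its `if`/`endif`/`for`/inner `endfor` tags (hunks at -69, -88 and -97) and adds it only to the outer `endfor`, leaving the two templates with opposite conventions for the same construct. Since the rendered nginx.conf differs only in blank lines either way, pick one convention for both roles, or set the template module's `lstrip_blocks` option and drop the manual `-` markers entirely. The enclosing `http {` block starts and ends outside these hunks.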
@@ -97,11 +97,11 @@ http {
 proxy_pass http://127.0.0.1:{{ location.port }};
 {% endif %}
 }
- {%- endfor %}
- {%- endif %}
+ {% endfor %}
+ {% endif %}
 }
- {% endfor %}
+ {%- endfor %}
 server {
 listen 8888;