update to latest state

host_vars/bitwarden.yaml

@@ -4,5 +4,5 @@ webserver:
   - domain: "bitwarden.tormakristof.eu"
     port: 8080
     bigrequests: false
-    https: true
+    https: false
 ...

infra.yaml

@@ -66,4 +66,13 @@
     - internalsmtp
     - backupscript
     - backuphost
+
+- name: "Deploy OpenVPN server"
+  hosts: openvpn
+  roles:
+    - netplan
+    - common
+    - openvpn
+    - customfirewall
+    - internalsmtp
 ...

roles/openvpn/tasks/main.yaml

@@ -4,7 +4,7 @@
     update_cache: yes
     state: present
     name:
-     - openvpn-server
+     - openvpn
 
 - name : "Enable ipv4 forwarding via sysctl"
   ansible.posix.sysctl:
@@ -16,7 +16,7 @@
 
 - name: Enable and restart openvpn daemon
   service:
-    name: openvpn
+    name: openvpn-server@stargate
     state: restarted
     enabled: yes
 
@@ -41,6 +41,13 @@
       -A POSTROUTING -s 192.168.37.0/24 -o eth0 -j MASQUERADE
       -A POSTROUTING -s 192.168.37.0/24 -o eth2 -j MASQUERADE
       COMMIT
+      -A ufw-before-input -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      COMMIT
       # END OPENVPN RULES
 
 - name: Reload ufw

roles/webgateway/templates/nginx.conf

@@ -90,7 +90,7 @@ http {
             }
         }
 
-        {% endfor %}
+        {%- endfor %}
 
         {%- for staticsite in static %}
         server {
@@ -105,7 +105,7 @@ http {
             }
         }
 
-        {% endfor %}
+        {%- endfor %}
 
         {%- for redirectsite in redirect %}
         server {
@@ -117,7 +117,7 @@ http {
             return 301 {{ redirectsite.destination }};
         }
 
-        {% endfor %}
+        {%- endfor %}
 
         server {
             listen 443 ssl http2;

roles/webgateway/vars/main.yaml

@@ -13,7 +13,6 @@ proxy:
   - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false}
   - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: true}
   - {domain: mastodon.tormakristof.eu, ip: mastodon.intra.tormakris.dev, bigrequests: true}
-  - {domain: jitsi.tormakristof.eu, ip: jitsi.intra.tormakris.dev, bigrequests: false}
   - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true}
 
 

roles/webserver/templates/nginx.conf

@@ -69,9 +69,9 @@ http {
             server_name {{ server.domain }};
             ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
             ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-            {%- if server.bigrequests %}
+            {% if server.bigrequests %}
             client_max_body_size    8G;
-            {%- endif %}
+            {% endif %}
             location /{
                 {% if server.https %}
                 proxy_pass  https://127.0.0.1:{{ server.port }};
@@ -88,8 +88,8 @@ http {
  	            allow 192.168.69.0/24;
  	            deny all;
             }
-            {%- if server.additionallocations is defined %}
+            {% if server.additionallocations is defined %}
-            {%- for location in server.additionallocations %}
+            {% for location in server.additionallocations %}
             location {{location.location}}{
                 {% if location.https %}
                 proxy_pass  https://127.0.0.1:{{ location.port }};
@@ -97,11 +97,11 @@ http {
                 proxy_pass  http://127.0.0.1:{{ location.port }};
                 {% endif %}
             }
-            {%- endfor %}
+            {% endfor %}
-            {%- endif %}
+            {% endif %}
         }
 
-        {% endfor %}
+        {%- endfor %}
 
         server {
             listen 8888;