add unbound

.drone.yml

@@ -0,0 +1,22 @@
+---
+kind: pipeline
+type: docker
+name: ansible
+
+steps:
+- name: ansible nightly run
+  image: alpinelinux/ansible
+  environment:
+    ANSIBLE_HOST_KEY_CHECKING: "False"
+    ANSIBLE_PRIVATE_KEY_FILE: "/drone/src/id_rsa"
+    ANSIBLE_CONFIG: "/drone/src/ansible.cfg"
+    CLOUDFLARE_TOKEN:
+      from_secret: CLOUDFLARE_TOKEN
+    SSH_KEY:
+      from_secret: SSH_KEY
+  commands:
+    - echo "$SSH_KEY" > $PWD/id_rsa
+    - chmod 0600 $PWD/id_rsa
+    - ansible-galaxy collection install -r requirements.yaml
+    - ansible-playbook -i inventory.yaml nightly.yaml
+...

.gitignore

@@ -1,2 +1,3 @@
 .vault_password_file
 venv/
+.DS_Store

ansible.cfg

@@ -0,0 +1,6 @@
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+[defaults]
+forks=10
+pipelining = True
+strategy = free

docker-host.yaml

@@ -1,8 +0,0 @@
----
-- name: "Deploy basic webhost with Docker"
-  hosts: keycloak
-  roles:
-    - netplan
-    - common
-    - docker
-    - webserver

group_vars/all.yaml

@@ -0,0 +1,8 @@
+---
+ansible_become: true
+ansible_user: ansible@intra.tormakris.dev
+#ansible_user: ansible
+allowedranges:
+  - 192.168.69.0/24
+  - 192.168.1.0/24
+...

group_vars/mckay.yaml

@@ -1,2 +1,4 @@
 ---
-default_gateway: "192.168.69.254"
+netplan:
+  default_gateway: "192.168.69.253"
+...

group_vars/woolsey.yaml

@@ -1,2 +1,4 @@
 ---
-default_gateway: "192.168.69.1"
+netplan:
+  default_gateway: "192.168.69.253"
+...

host_vars/backup.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: backup.intra.tormakris.dev
+servicename: mckay
+backup:
+  host: oniel.tormakristof.eu
+  internal: false
+  basedir: /mnt/backupstore
+...

host_vars/bitwarden.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: bitwarden.intra.tormakris.dev
+webserver:
+  - domain: "bitwarden.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/cloudlog.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: cloudlog.intra.tormakris.dev
+webserver:
+  - domain: "cloudlog.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/drone-runner.yaml

@@ -0,0 +1,3 @@
+---
+ansible_host: drone-runner.intra.tormakris.dev
+...

host_vars/drone.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: drone.intra.tormakris.dev
+webserver:
+  - domain: "drone.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/git.yaml

@@ -0,0 +1,20 @@
+---
+ansible_host: git.intra.tormakris.dev
+servicename: git
+backup:
+  folder: "/home/service-user"
+  tarfolder: "gitea docker-compose.yml"
+  host: backup.intra.tormakris.dev
+  internal: true
+  prearecommand: ""
+  basedir: /mnt/backupstore
+firewall:
+  - port: "2222"
+    proto: tcp
+    interface: "eth0"
+webserver:
+  - domain: "git.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/guacamole.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: guacamole.intra.tormakris.dev
+webserver:
+  - domain: "guacamole.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/librespeed.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: librespeed.intra.tormakris.dev
+webserver:
+  - domain: "speedtest.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+...

host_vars/matrix.yaml

@@ -0,0 +1,16 @@
+---
+ansible_host: matrix.intra.tormakris.dev
+webserver:
+  - domain: "matrix.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+  - domain: "chat.tormakristof.eu"
+    port: 8181
+    bigrequests: true
+    https: false
+firewall:
+  - port: "9000"
+    proto: tcp
+    interface: "eth0"
+...

host_vars/monitoring.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: monitoring.intra.tormakris.dev
+webserver:
+  - domain: "grafana.tormakristof.eu"
+    port: 8181
+    bigrequests: false
+    https: false
+...

host_vars/neko.yaml

@@ -0,0 +1,28 @@
+---
+ansible_host: zelenka.intra.tormakris.dev
+firewall:
+  - port: "ssh"
+    proto: tcp
+    interface: "eth0"
+  - port: "http"
+    proto: tcp
+    interface: "eth0"
+  - port: "https"
+    proto: tcp
+    interface: "eth0"
+  - port: "59000:59009"
+    proto: udp
+    interface: "eth0"
+  - port: "3478"
+    proto: tcp
+    interface: "eth0"
+  - port: "3478"
+    proto: any
+    interface: "eth0"
+  - port: "5349"
+    proto: any
+    interface: "eth0"
+  - port: "9101"
+    proto: tcp
+    interface: "eth0"
+...

host_vars/nextcloud.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: nextcloud.intra.tormakris.dev
+webserver:
+  - domain: "nextcloud.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+...

host_vars/nexus.yaml

@@ -0,0 +1,12 @@
+---
+ansible_host: nexus.intra.tormakris.dev
+webserver:
+  - domain: "nexus.kmlabz.com"
+    port: 8080
+    bigrequests: true
+    https: false
+  - domain: "registry.kmlabz.com"
+    port: 4269
+    bigrequests: true
+    https: false
+...

host_vars/openvpn.yaml

@@ -0,0 +1,24 @@
+---
+ansible_host: openvpn.intra.tormakris.dev
+firewall:
+  - port: "1194"
+    proto: udp
+    interface: "eth0"
+  - port: "1194"
+    proto: udp
+    interface: "eth1"
+netplan:
+  default_gateway: ""
+  additionalinterfaces:
+    - name: "eth1"
+      dhcp4: false
+      dhcp6: false
+      addresses:
+      - "2001:738:2001:207f:0:211:211:23/64"
+      gateway6: "fe80::"
+      denydns: true
+    - name: "eth2"
+      dhcp4: true
+      dhcp6: false
+      denydns: true
+...

host_vars/plex.yaml

@@ -0,0 +1,18 @@
+---
+ansible_host: plex.intra.tormakris.dev
+webserver:
+  - domain: "plex.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+netplan:
+  default_gateway: "192.168.69.254"
+  additionalinterfaces:
+    - name: "eth1"
+      dhcp4: false
+      dhcp6: false
+      denydns: true
+      addresses:
+        - '2001:738:2001:207f:0:211:211:31/64'
+      gateway6: 'fe80::'
+...

host_vars/postgres.yaml

@@ -0,0 +1,18 @@
+---
+ansible_host: postgres.intra.tormakris.dev
+servicename: postgres
+firewall:
+  - port: "5432"
+    proto: tcp
+    interface: "eth0"
+  - port: "9187"
+    proto: tcp
+    interface: "eth0"
+backup:
+  folder: "/var/lib/postgresql/backup"
+  tarfolder: "backup"
+  host: backup.intra.tormakris.dev
+  internal: true
+  prearecommand: "time ( sudo -u postgres pg_dumpall > /var/lib/postgresql/backup/postgres.sql )"
+  basedir: /mnt/backupstore
+...

host_vars/smtp.yaml

@@ -0,0 +1,3 @@
+---
+ansible_host: smtp.intra.tormakris.dev
+...

host_vars/testhost.yaml

@@ -1,2 +0,0 @@
----
-backupscript_name: "test-backupscript.sh"

host_vars/unbound.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: unbound.intra.tormakris.dev
+webserver:
+  - domain: "dns.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: true
+...

host_vars/vikunja.yaml

@@ -0,0 +1,12 @@
+---
+ansible_host: vikunja.intra.tormakris.dev
+webserver:
+  - domain: "vikunja.tormakristof.eu"
+    port: 8081
+    bigrequests: false
+    https: false
+    additionallocations:
+      - https: false
+        port: 8080
+        location: '~* ^/(api|dav|\.well-known)/'
+...

host_vars/webgateway.yaml

@@ -0,0 +1,3 @@
+---
+ansible_host: apache.intra.tormakris.dev
+...

host_vars/ytmirror.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: ytmirror.intra.tormakris.dev
+webserver:
+  - domain: "yt.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

infra.yaml

@@ -0,0 +1,84 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: dockerwebhosts
+  roles:
+    - netplan
+    - common
+    - docker
+    - webserver
+    - internalsmtp
+
+- name: "Deploy database server base"
+  hosts: postgres
+  roles:
+    - netplan
+    - common
+    - backupscript
+    - customfirewall
+
+- name: "Deploy basic Docker host to drone-runner"
+  hosts: drone-runner
+  roles:
+    - netplan
+    - common
+    - docker
+    - internalsmtp
+
+- name: "Deploy gitea in Docker"
+  hosts: git
+  roles:
+    - netplan
+    - common
+    - docker
+    - webserver
+    - internalsmtp
+    - backupscript
+    - customfirewall
+
+- name: "Setup neko"
+  hosts: neko
+  roles:
+    - common
+    - docker
+    - customfirewall
+    - internalsmtp
+
+- name: "Deploy smtpgateway to smtp.intra.tormakris.dev"
+  hosts: smtp
+  roles:
+    - netplan
+    - common
+    - smtpgateway
+
+- name: "Deploy managed web gateway"
+  hosts: webgateway
+  roles:
+    - common
+    - webgateway
+    - internalsmtp
+
+- name: "Deploy backup server"
+  hosts: backup
+  roles:
+    - netplan
+    - common
+    - internalsmtp
+    - backupscript
+    - backuphost
+
+- name: "Deploy OpenVPN server"
+  hosts: openvpn
+  roles:
+    - netplan
+    - common
+    - openvpn
+    - customfirewall
+    - internalsmtp
+
+- name: "Deploy Game server"
+  hosts: gameservers
+  roles:
+    - netplan
+    - common
+    - internalsmtp
+...

inventory.yaml

@@ -1,20 +1,55 @@
 ---
 all:
-  vars:
-    ansible_become: true
-    ansible_user: tormakris
   children:
     woolsey:
       hosts:
         neko:
-          ansible_host: zelenka.stargate.internal
         drone:
-          ansible_host: drone.stargate.internal
+        matrix:
-        keycloak:
-          ansible_host: keycloak.stargate.internal
-        sonar:
-          ansible_host: sonar.stargate.internal
-        swagger:
-          ansible_host: swagger.stargate.internal
         drone-runner:
-          ansible_host: drone-runner.stargate.internal
+        smtp:
+        webgateway:
+        openvpn:
+        nexus:
+        git:
+        postgres:
+        monitoring:
+        ytmirror:
+        cloudlog:
+        unbound:
+    mckay:
+      hosts:
+        guacamole:
+        bitwarden:
+        nextcloud:
+        backup:
+        librespeed:
+        plex:
+    dockerwebhosts:
+      hosts:
+        matrix:
+        drone:
+        guacamole:
+        bitwarden:
+        nexus:
+        nextcloud:
+        monitoring:
+        ytmirror:
+        librespeed:
+        plex:
+        cloudlog:
+    nightlydocker:
+      hosts:
+        matrix:
+        guacamole:
+        bitwarden:
+        nexus:
+        nextcloud:
+        monitoring:
+        ytmirror:
+        librespeed:
+        plex:
+        cloudlog:
+    gameservers:
+      hosts:
+...

neko.yaml

@@ -1,7 +0,0 @@
----
-- name: "Setup neko"
-  hosts: neko
-  roles:
-    - common
-    - docker
-    - neko

nightly.yaml

@@ -0,0 +1,22 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: nightlydocker
+  roles:
+    - common
+    - webserver
+    - internalsmtp
+
+- name: "Deploy smtpgateway to smtp.intra.tormakris.dev"
+  hosts: smtp
+  roles:
+    - common
+    - smtpgateway
+
+- name: "Deploy backup server"
+  hosts: backup
+  roles:
+    - common
+    - internalsmtp
+    - backupscript
+    - backuphost
+...

realmd.yaml

@@ -0,0 +1,6 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: all
+  roles:
+    - realmd
+...

requirements.yaml

@@ -2,3 +2,4 @@
 collections:
 - ansible.posix
 - community.general
+...

roles/backuphost/files/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqSr3e/u2WtarrtKFhcj2E4MM/NpfREVxKnBO66HRoAUmjtNNMqS4O0OKlTLAKTFiftKeBfuvxtvdFXROXBAHekL0ff2DOuWz7k0IQjJd51x31FdVFUJZB2zk+UJENiJxwyqlQudJc7LYkztJyULfb0CYIkunTFO+fjZOUNrflrqe0JcLIgcuQqsi0gLwiQ+giWlZstdCGOq2ziqi5ZVi2Rhsgi1Lb4UsiO2B8dkxFiJMBkG+YvLl1EwZ6m9j8O92FsCsqbfoPIdcgR3XCzogSdjvKM72yKBEKs1hgGR6ajVkagWEOWXs8PC9toBcyZYt2GLncvyO1TnFDnPbecOdloifVDI23Osi+cFuOzLyi5CLs+sXaJNz1EOwlXwKhanqvCf+h11UKV7GuCjtlf6f8qOPtpTGgtOQnFie/jyNYBlcj2abNNPK5JaWtT4voY3GzpeYMV9c+bKgeS4r/7OqDn8Wpf8swWdwlGn0fBjwrVjEgAzwOH8XhHhQFGrNZbq0= root@backup-target

roles/backuphost/files/ssh_config

@@ -0,0 +1,4 @@
+Host oniel.tormakristof.eu
+        HostName oniel.tormakristof.eu
+        User backup
+        IdentityFile ~/.ssh/id_rsa

roles/backuphost/tasks/main.yaml

@@ -0,0 +1,29 @@
+# TODO: Make backup user part of AD
+---
+- name: "Add backup user"
+  user:
+    name: backup
+    comment: Backup user
+    shell: /bin/bash
+
+- name: Create .ssh directory of backup user
+  file:
+    path: /home/backup/.ssh
+    state: directory
+
+- name: Copy authorized_keys
+  copy:
+    src: authorized_keys
+    dest: /home/backup/.ssh/authorized_keys
+    mode: 0600
+    owner: backup
+    group: backup
+
+- name: Copy ssh config
+  copy:
+    src: ssh_config
+    dest: /home/backup/.ssh/config
+    mode: 0600
+    owner: backup
+    group: backup
+...

roles/backupscript/defaults/main.yaml

@@ -0,0 +1,7 @@
+---
+backup:
+  host: backup.intra.tormakris.dev
+  internal: true
+  prearecommand: ""
+  basedir: /mnt/backupstore
+...

roles/backupscript/files/backup-script.service

@@ -1,9 +0,0 @@
-[Unit]
-Description=Backup application data
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/bash /opt/backupscript.sh
-
-[Install]
-WantedBy=backup.target

roles/backupscript/files/backup.target

@@ -1,5 +0,0 @@
-[Unit]
-Description=Script based backup for VMs
-
-[Install]
-WantedBy=default.target

roles/backupscript/files/backup.timer

@@ -1,10 +0,0 @@
-[Unit]
-Description=Backup VMs
-
-[Timer]
-OnBootSec=10min
-OnCalendar=Sun *-*-* 00:00:00
-Unit=backup.target
-
-[Install]
-WantedBy=multi-user.target

roles/backupscript/files/ssh_config

@@ -0,0 +1,4 @@
+Host backup backup.intra.tormakris.dev
+        HostName backup.intra.tormakris.dev
+        User backup
+        IdentityFile ~/.ssh/id_rsa

roles/backupscript/files/test-backupscript.sh

@@ -1 +0,0 @@
-echo "true"

roles/backupscript/tasks/main.yaml

@@ -1,47 +1,22 @@
 ---
-- name: Copy backupscript to target
+- name: "Generate backupscript"
+  template:
+    src: backupscript.sh
+    dest: /etc/cron.weekly/backupscript
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: Create .ssh directory of root user
+  file:
+    path: /root/.ssh
+    state: directory
+
+- name: Copy ssh config
   copy:
-    src: "{{ backupscript_name }}"
+    src: ssh_config
-    dest: /opt/backupscript.sh
+    dest: /root/.ssh/config
-    mode: 700
+    mode: 0600
-    owner: service-user
+    owner: root
-
+    group: root
-- name: Copy backup-script.service to target
+...
-  copy:
-    src: backup-script.service
-    dest: /usr/lib/systemd/system/backup-script.service
-    mode: 644
-    owner: service-user
-
-- name: Copy backup.target to target
-  copy:
-    src: backup.target
-    dest: /usr/lib/systemd/system/backup.target
-    mode: 644
-    owner: service-user
-
-- name: Copy backup.timer to target
-  copy:
-    src: backup.timer
-    dest: /usr/lib/systemd/system/backup.timer
-    mode: 644
-    owner: service-user
-
-- name: Enable backup-script.service and reload systemd daemon
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    daemon_reload: yes
-    name: backup-script.service
-
-- name: Enable backup.target
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: backup.target
-
-- name: Enable backup.timer
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: backup.timer

roles/backupscript/templates/backupscript.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# {{ansible_managed}}
+
+{% if backup.prearecommand is defined and backup.prearecommand|length > 0 %}
+{{backup.prearecommand}}
+{% endif %}
+
+{% if backup.internal %}
+
+time ( rsync -azP --delete {{backup.folder}} backup@{{backup.host}}:{{backup.basedir}}/{{servicename}}/staging )
+
+time ( ssh backup@{{backup.host}} 'tar -zcvf {{backup.basedir}}/{{servicename}}/{{servicename}}-$(date +"%Y-%m-%d").tar.gz -C {{backup.basedir}}/{{servicename}}/staging {{backup.tarfolder}}' )
+
+{% else %}
+
+time ( rsync -azPr --delete --prune-empty-dirs --include "*/" --include="*.tar.gz" --include="*.sql" --include="*.zip" --exclude="*" {{backup.basedir}}/ backup@{{backup.host}}:/mnt/backup/{{servicename}} )
+
+{% endif %}

roles/common/defaults/main.yaml

@@ -1,7 +1,8 @@
 ---
 # defaults file for timedatectl
-timedatectl_timeservers: ['noc-a.sch.bme.hu', 'noc-b.sch.bme.hu']
+timedatectl_timeservers: ['time.intra.tormakris.dev']
 
-timedatectl_timeservers_fallback: ['time.bme.hu']
+timedatectl_timeservers_fallback: ['time.kfki.hu']
 
 timedatectl_timezone: 'Europe/Budapest'
+...

roles/common/files/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFkYMmPYQ8hs6D5tuTt+sEofoMd2GTXyS97mh8maXmets3eS8iMm2W4Pppaqj9lMIsYdDX0BZvbmuQa+iNKchj6HJPtvdx2Rhus1UGn74iy/NtgogWFHL9YEYILzc5lBqotV5o3z/wRMfSwqnVwYBZ7OI+LJenwf76bIUm6lVqyh2Qh9/wWOyGpUVitDpUVi/h2J3xZf8Z2r1vHFdMHJygrrKn3C4vsZobHJ48iq8QWj1vwfMavq6dgJtiS4/WUTvHuzjfHdyyO7akBM66Ul41UlGG5iqkIKTIzLECXPPWWe/vCIcumkeMxtoY0pxpsgKu1kgqhNs8Q+hgF/H+lIlXtzsZ5gKUwhS7sUNejNywaMjcOUVvnRVXh3FaH9t8HK7mGouaN7q+ghNbMKLlxueP5mpgzK+APaRcNjA/4JyXN750l22xM6YQkxqOeuK5FS/TVmn2H6otaxGrfGz1sfYyynvWSMqpNStuCjCYfEHBLqPKX5tpG8z/gGNa/51CQvM= tormakris@woolsey.tormakris.dev

roles/common/handlers/main.yaml

@@ -1,3 +1,4 @@
 ---
 - name: run Timedatectl
   command: timedatectl set-ntp true
+...

roles/common/tasks/apt.yaml

@@ -1,4 +1,11 @@
 ---
+- name: "Use custom Ubuntu mirror"
+  replace:
+    path: /etc/apt/sources.list
+    regexp: 'http://hu.archive.ubuntu.com'
+    replace: 'https://mirrors.sth.sze.hu'
+    backup: yes
+
 - name: "Remove Ubuntu bloatware"
   apt: 
     state: absent
@@ -35,3 +42,6 @@
      - tcpdump
      - xxd
      - git
+     - ncdu
+     - cron
+...

roles/common/tasks/clean-motd.yaml

@@ -2,7 +2,8 @@
 - name: clean motd
   file:
     state: touch
-    owner: tormakris
+    owner: tormakris@intra.tormakris.dev
-    group: tormakris
+    group: domain users@intra.tormakris.dev
     mode: "0644"
-    path: /home/tormakris/.hushlogin
+    path: /home/tormakris@intra.tormakris.dev/.hushlogin
+...

roles/common/tasks/disable-cloudinit.yaml

@@ -10,4 +10,4 @@
     content: "network: {config: disabled}"
     dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
     force: no
-
+...

roles/common/tasks/main.yaml

@@ -7,3 +7,5 @@
 - include_tasks: user-ops.yaml
 - include_tasks: ssh-security-settings.yaml
 - include_tasks: timesync.yaml
+- include_tasks: node-exporter.yaml
+...

roles/common/tasks/node-exporter.yaml

@@ -0,0 +1,21 @@
+---
+- name: "Install node exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-node-exporter
+
+- name: Allow node-exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: 9100
+    proto: tcp
+    src: 192.168.69.0/24
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-node-exporter
+    state: restarted
+    enabled: yes
+...

roles/common/tasks/remove-snap.yaml

@@ -16,3 +16,4 @@
     - /var/lib/snapd
     - "/home/{{ ansible_user }}/snap"
   when: ansible_distribution == "Ubuntu"
+...

roles/common/tasks/ssh-security-settings.yaml

@@ -1,10 +1,4 @@
 ---
-- name: Disable password authentication
-  replace:
-    path: /etc/ssh/sshd_config
-    regexp: 'PasswordAuthentication yes'
-    replace: 'PasswordAuthentication no'
-
 - name: Disable root authentication
   replace:
     path: /etc/ssh/sshd_config
@@ -23,18 +17,8 @@
     regexp: '#AddressFamily any'
     replace: 'AddressFamily inet'
 
-- name: Check if AllowUsers is defined
+- name: "Restart sshd"
-  lineinfile:
+  service:
-    state: absent
+    name: sshd
-    path: /etc/ssh/sshd_config
+    state: restarted
-    regexp: "^AllowUsers"
+...
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible service-user"
-  when: checkallowusers.found == 0

roles/common/tasks/timesync.yaml

@@ -12,7 +12,8 @@
 
 - name: Reastart timesyncd to apply changes
   when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
+  systemd:
     state: restarted
     daemon_reload: yes
     name: systemd-timesyncd
+...

roles/common/tasks/ufw.yaml

@@ -18,3 +18,6 @@
   community.general.ufw:
     rule: allow
     port: ssh
+    src: "{{ item }}"
+  with_items: "{{ allowedranges }}"
+...

roles/common/tasks/user-ops.yaml

@@ -1,11 +1,38 @@
 ---
-- name: "Add service user"
+- name: Create .ssh directory of ansible user
-  ansible.builtin.user:
+  file:
-    name: service-user
+    path: /home/ansible@intra.tormakris.dev/.ssh
-    comment: Service user
+    state: directory
+    owner: ansible@intra.tormakris.dev
+    group: domain users@intra.tormakris.dev
+
+- name: Copy authorized_keys
+  copy:
+    src: authorized_keys
+    dest: /home/ansible@intra.tormakris.dev/.ssh/authorized_keys
+    mode: 0600
+    owner: ansible@intra.tormakris.dev
+    group: domain users@intra.tormakris.dev
+
+- name: Check if group is present in sudoers
+  lineinfile:
+    state: absent
+    path: /etc/sudoers
+    regexp: "^%linuxadmins"
+  check_mode: true
+  changed_when: false
+  register: checksudoers
+
+- name: Define group in sudoers
+  lineinfile:
+    state: present
+    path: /etc/sudoers
+    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
+  when: checksudoers.found == 0
 
 - name: "Update authorized_keys of tormakris"
   ansible.posix.authorized_key:
-    user: tormakris
+    user: tormakris@intra.tormakris.dev
     state: present
     key: https://static.tormakristof.eu/ssh.keys
+...

roles/common/templates/jfrog.conf.template

@@ -0,0 +1,3 @@
+machine tormakris.jfrog.io
+login apt
+password {{ artifactory_password }}

roles/customfirewall/tasks/main.yaml

@@ -0,0 +1,10 @@
+---
+- name: Apply custom ufw rules
+  community.general.ufw:
+    rule: allow
+    direction: "in"
+    port: "{{item.port}}"
+    proto: "{{item.proto}}"
+    interface: "{{item.interface}}"
+  with_items: "{{ firewall }}"
+...

roles/docker/files/daemon.json

@@ -1,3 +1,7 @@
 {
-    "userland-proxy": false
+    "userland-proxy": false,
+    "dns": [
+      "192.168.69.3",
+      "192.168.69.18"
+    ]
 }

roles/docker/tasks/main.yaml

@@ -13,6 +13,7 @@
     dest: /etc/docker/daemon.json
     mode: 644
     owner: root
+    group: backup
 
 - name: Enable and restart Docker daemon
   service:
@@ -21,8 +22,15 @@
     enabled: yes
 
 - name: "Add service user to docker group"
-  ansible.builtin.user:
+  user:
-    name: service-user
+    name: service-user@intra.tormakris.dev
-    comment: Service user
     groups: docker
     append: yes
+
+- name: Allow docker exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "4194"
+    proto: tcp
+    src: 192.168.69.0/24
+...

roles/internalsmtp/defaults/main.yaml

@@ -1,4 +1,5 @@
 ---
-postfix_relayhost: 'smtp.stargate.internal'
+postfix_relayhost: 'smtp.intra.tormakris.dev'
 
-external_domain: 'kmlabz.com'
+external_domain: 'tormakris.dev'
+...

roles/internalsmtp/files/prometheus-postfix-exporter

@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/log/mail.log
+
+# Extra arguments for the daemon.
+ARGS=''
+
+# Prometheus-postfix-exporter supports the following options:
+#  --postfix.showq_path string
+#        Path at which Postfix places its showq socket.
+#        (default "/var/spool/postfix/public/showq")
+#  --web.listen-address string
+#        Address to listen on for web interface and telemetry. (default ":9154")
+#  --web.telemetry-path string
+#        Path under which to expose metrics. (default "/metrics")

roles/internalsmtp/tasks/main.yaml

@@ -16,3 +16,38 @@
     name: postfix
     state: restarted
     enabled: yes
+
+- name: "Install postfix exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-postfix-exporter
+
+- name: Copy postfix exporter config
+  copy:
+    src: prometheus-postfix-exporter
+    dest: /etc/default/prometheus-postfix-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add the prometheus user to postdrop group
+  user:
+    name: prometheus
+    groups: postdrop
+    append: yes
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-postfix-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow postfix exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "9154"
+    proto: tcp
+    src: 192.168.69.0/24
+...

roles/mariadb/tasks/main.yaml

@@ -1,19 +0,0 @@
----
-- name: "Install MariaDB via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - mariadb-server
-
-- name: Enable and restart MariaDB daemon
-  service:
-    name: mariadb
-    state: restarted
-    enabled: yes
-
-- name: Allow mysql port via ufw
-  community.general.ufw:
-    rule: allow
-    port: "3306"
-    proto: tcp

roles/mountpoint/tasks/main.yaml

@@ -1,8 +0,0 @@
----
-- name: Mount up device by UUID
-  ansible.posix.mount:
-    path: "{{ mountpoint_path }}"
-    src: "UUID={{ mountpoint_uuid }}"
-    fstype: "{{ mountpoint_fstype }}"
-    opts: "{{ mountpoint_opts }}"
-    state: mounted

roles/neko/tasks/main.yaml

@@ -1,65 +0,0 @@
----
-- name: "Install haproxy via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - haproxy
-
-- name: Enable haproxy
-  service:
-    name: haproxy
-    state: started
-    enabled: yes
-
-- name: "Install certbot via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - python3-certbot
-
-- name: Reset ufw rules to default
-  community.general.ufw:
-    state: reset
-
-- name: Enable ufw
-  community.general.ufw:
-    state: enabled
-
-- name: Allow ssh via ufw from localnet
-  community.general.ufw:
-    rule: allow
-    direction: in
-    port: ssh
-    from_ip: "192.168.69.0/24"
-    interface: eth0
-
-- name: Allow http via ufw from internet
-  community.general.ufw:
-    rule: allow
-    direction: in
-    port: http
-    interface: eth1
-
-- name: Allow https via ufw from internet
-  community.general.ufw:
-    rule: allow
-    direction: in
-    port: https
-    interface: eth1
-
-- name: Allow http via ufw from internet
-  community.general.ufw:
-    rule: allow
-    direction: in
-    port: http
-    interface: eth1
-
-- name: Allow neko ports via ufw from internet
-  community.general.ufw:
-    rule: allow
-    direction: in
-    port: 52000:52100
-    proto: udp
-    interface: eth1

roles/netplan/defaults/main.yaml

@@ -0,0 +1,4 @@
+---
+netplan:
+  additionalinterfaces: []
+...

roles/netplan/handlers/main.yaml

@@ -3,3 +3,4 @@
   command: netplan apply
   async: 45
   poll: 0
+...

roles/netplan/tasks/main.yaml

@@ -14,3 +14,4 @@
     src: templates/netplan.yaml
     dest: /etc/netplan/00-static.yaml
   notify: netplanapply
+...

roles/netplan/templates/netplan.yaml

@@ -6,6 +6,36 @@ network:
     {{ ansible_default_ipv4.interface }}:
       dhcp4: true
       dhcp-identifier: mac
+{% if netplan.default_gateway is defined and netplan.default_gateway|length > 0 %}
       dhcp4-overrides:
         use-routes: false
-      gateway4: {{default_gateway}}
+      gateway4: {{netplan.default_gateway}}
+{% endif %}
+{% if netplan.additionalinterfaces is defined and netplan.additionalinterfaces|length > 0 %}
+{% for interface in netplan.additionalinterfaces %}
+    {{ interface.name }}:
+      dhcp4: {{ interface.dhcp4 }}
+      dhcp6: {{ interface.dhcp6 }}
+      dhcp-identifier: mac
+      dhcp4-overrides:
+        use-routes: false
+{% if interface.addresses is defined and interface.addresses|length > 0 %}
+      addresses:
+{% for address in interface.addresses %}
+        - {{address}}
+{% endfor %}
+{% endif %}
+{% if interface.gateway4 is defined and interface.gateway4|length > 0 %}
+      gateway4: {{interface.gateway4}}
+{% endif %}
+{% if interface.gateway6 is defined and interface.gateway6|length > 0  %}
+      gateway6: '{{interface.gateway6}}'
+{% endif %}
+{% if interface.denydns %}
+      nameservers:
+        addresses: []
+        search: []
+{% endif %}
+{% endfor %}
+{% endif %}
+...

roles/openvpn/tasks/main.yaml

@@ -0,0 +1,64 @@
+---
+- name: "Install openvpn-server via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - openvpn
+
+- name : "Enable ipv4 forwarding via sysctl"
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: Enable and restart openvpn daemon
+  service:
+    name: openvpn-server@stargate
+    state: restarted
+    enabled: yes
+
+- name: Check if AllowUsers is defined
+  lineinfile:
+    state: absent
+    path: /etc/ufw/before.rules
+    regexp: "^# START OPENVPN"
+  check_mode: true
+  changed_when: false
+  register: checkufwrules
+
+- name: Insert openvpn iptables rules
+  blockinfile:
+    path: /etc/ufw/before.rules
+    block: |
+      # START OPENVPN RULES
+      # NAT table rules
+      *nat
+      -F
+      :POSTROUTING ACCEPT [0:0]
+      # Allow traffic from OpenVPN client to everywhere
+      -A POSTROUTING -s 192.168.37.0/24 -o eth0 -j MASQUERADE
+      -A POSTROUTING -s 192.168.37.0/24 -o eth2 -j MASQUERADE
+      COMMIT
+      *filter
+      -A ufw-before-input -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      COMMIT
+      # END OPENVPN RULES
+
+- name: Reload ufw
+  community.general.ufw:
+    state: reloaded
+
+- name: Apply custom ufw rules
+  community.general.ufw:
+    rule: allow
+    direction: "in"
+    interface: tun0
+...

roles/postgresql/tasks/main.yaml

@@ -1,19 +0,0 @@
----
-- name: "Install PostgreSQL via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - postgresql
-
-- name: Enable and restart PostgreSQL daemon
-  service:
-    name: postgresql
-    state: restarted
-    enabled: yes
-
-- name: Allow postgresql port via ufw
-  community.general.ufw:
-    rule: allow
-    port: "5432"
-    proto: tcp

roles/realmd/tasks/main.yaml

@@ -0,0 +1,94 @@
+---
+- name: "Install realmd and dependencies"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - realmd
+     - sssd
+     - sssd-tools
+     - libnss-sss
+     - libpam-sss
+     - adcli
+     - samba-common-bin
+     - oddjob
+     - oddjob-mkhomedir
+     - packagekit
+
+- name: Check if computer is joined to domain
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    line: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkjoined
+
+- name: "Get join password from local environment variable"
+  set_fact:
+    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
+  delegate_to: localhost
+  when: checkjoined.found == 0
+
+- name: Join to AD with realmd
+  shell:
+    cmd: echo {{ join_passw }} | realm join -v -U tormakris_admin intra.tormakris.dev
+  when: checkjoined.found == 0
+
+- name: Enable pam homedir create on first logon
+  command:
+    cmd: pam-auth-update --enable mkhomedir
+
+- name: Check if ad_gpo_access_control is disabled
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_gpo_access_control"
+  check_mode: true
+  changed_when: false
+  register: checkadgpoac
+
+- name: Set ad_gpo_access_control to disabled
+  lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_gpo_access_control = disabled"
+  when: checkadgpoac.found == 0
+
+- name: Check if ad_access_filter is set
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkadaf
+
+- name: Set ad_gpo_access_control to disabled
+  lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
+  when: checkadaf.found == 0
+
+- name: "Restart sssd"
+  service:
+    name: sssd
+    state: restarted
+
+- name: Check if group is presend in sudoers
+  lineinfile:
+    state: absent
+    path: /etc/sudoers
+    regexp: "^%linuxadmins"
+  check_mode: true
+  changed_when: false
+  register: checksudoers
+
+- name: Define group in sudoers
+  lineinfile:
+    state: present
+    path: /etc/sudoers
+    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
+  when: checksudoers.found == 0
+...

roles/smtpgateway/defaults/main.yaml

@@ -1,5 +1,4 @@
 ---
-postfix_relayhost: 'smtp.sendgrid.net'
+postfix_relayhost: 'tormakris-dev.mail.protection.outlook.com'
-external_domain: 'kmlabz.com'
+external_domain: 'tormakris.dev'
-username: lofasz
+...
-password: lofasz

roles/smtpgateway/files/prometheus-postfix-exporter

@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/log/mail.log
+
+# Extra arguments for the daemon.
+ARGS=''
+
+# Prometheus-postfix-exporter supports the following options:
+#  --postfix.showq_path string
+#        Path at which Postfix places its showq socket.
+#        (default "/var/spool/postfix/public/showq")
+#  --web.listen-address string
+#        Address to listen on for web interface and telemetry. (default ":9154")
+#  --web.telemetry-path string
+#        Path under which to expose metrics. (default "/metrics")

roles/smtpgateway/tasks/main.yaml

@@ -6,22 +6,14 @@
     name:
      - postfix
 
-- name: Install Postfix SASL credentials
-  template:
-    src: templates/sasl_passwd
-    mode: 600
-    dest: /etc/postfix/sasl_passwd
-
 - name: Install Postfix mail gateway config
   template:
     src: templates/main.cf
     dest: /etc/postfix/main.cf
 
 - name: Build /etc/mailname
-  shell: hostname --fqdn > /etc/mailname
+  shell:
-
+    cmd: "hostname --fqdn > /etc/mailname"
-- name: Build hashtable of SASL creds
-  command: postmap /etc/postfix/sasl_passwd
 
 - name: Restart Postfix
   service:
@@ -33,3 +25,39 @@
   community.general.ufw:
     rule: allow
     port: smtp
+    src: 192.168.69.0/24
+
+- name: "Install postfix exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-postfix-exporter
+
+- name: Copy exporter config
+  copy:
+    src: prometheus-postfix-exporter
+    dest: /etc/default/prometheus-postfix-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add the prometheus user to postdrop group
+  user:
+    name: prometheus
+    groups: postdrop
+    append: yes
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-postfix-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow postfix exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "9154"
+    proto: tcp
+    src: 192.168.69.0/24
+...

roles/smtpgateway/templates/main.cf

@@ -14,10 +14,6 @@ smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
-smtp_sasl_security_options = noanonymous
-smtp_sasl_tls_security_options = noanonymous
 smtp_tls_security_level = encrypt
 header_size_limit = 4096000
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
@@ -29,8 +25,8 @@ alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = {{ansible_hostname}}.{{external_domain}}, $myhostname, {{ansible_hostname}}, localhost.localdomain, localhost
-relayhost = {{postfix_relayhost}}
+relayhost = [{{postfix_relayhost}}]
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ansible_default_ipv4.network}}/24
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all

roles/smtpgateway/templates/sasl_passwd

@@ -1 +0,0 @@
-[{{postfix_relayhost}}:587 {{username}}:{{password}}

roles/webgateway/files/nginx.conf

@@ -0,0 +1,63 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}

roles/webgateway/files/prometheus-nginx-exporter

@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8080/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+#  -nginx.plus
+#        Start the exporter for NGINX Plus. By default, the exporter is started
+#        for NGINX.
+#  -nginx.scrape-uri string
+#        A URI for scraping NGINX or NGINX Plus metrics.
+#        For NGINX, the stub_status page must be available through the URI.
+#        For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+#  -web.listen-address string
+#        An address to listen on for web interface and telemetry. (default ":9113")
+#  -web.telemetry-path string
+#        A path under which to expose metrics. (default "/metrics"

roles/webgateway/tasks/main.yaml

@@ -1,18 +1,12 @@
 ---
-- name: "Install Apache via apt"
+- name: "Install nginx via apt"
   apt:
     update_cache: yes
     state: present
     name:
-     - apache2
+     - nginx
-
+     - python3-certbot
-# TODO: Felmasolni a templatelt konfigokat es bekapcsolni oket
+     - python3-certbot-nginx
-
-- name: Enable and restart Apache2 daemon
-  service:
-    name: apache2
-    state: restarted
-    enabled: yes
 
 - name: Allow http port via ufw
   community.general.ufw:
@@ -23,3 +17,104 @@
   community.general.ufw:
     rule: allow
     port: https
+
+- name: Copy default nginx config
+  copy:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart nginx daemon
+  service:
+    name: nginx
+    state: restarted
+    enabled: yes
+
+- name: Generate certificate for all proxied domains
+  command:
+    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
+  with_items: "{{ proxy }}"
+
+- name: Generate certificate for all static sites
+  command:
+    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
+  with_items: "{{ static }}"
+
+- name: Generate certificate for all redirect sites
+  command:
+    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
+  with_items: "{{ redirect }}"
+
+- name: "Generate certbot script"
+  template:
+    src: certbot.sh
+    dest: /etc/cron.weekly/certbot
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: "Generate nginx configuration"
+  template:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Validate nginx configuration
+  command:
+    cmd: nginx -t
+
+- name: Reload nginx after configuration change
+  service:
+    name: nginx
+    state: reloaded
+
+- name: "Remove any existing static file directories"
+  file:
+    path: "{{ item.directory }}"
+    state: absent
+  with_items: "{{ static }}"
+
+- name: "Checkout static websites from git"
+  git:
+    repo: "{{ item.repo }}"
+    dest: "{{ item.directory }}"
+  with_items: "{{ static }}"
+
+- name: "Remove .git directory from static websites"
+  file:
+    path: "{{ item.directory }}/.git"
+    state: absent
+  with_items: "{{ static }}"
+
+- name: "Install nginx exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-nginx-exporter
+
+- name: Copy nginx exporter config
+  copy:
+    src: prometheus-nginx-exporter
+    dest: /etc/default/prometheus-nginx-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-nginx-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow nginx exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: 9113
+    proto: tcp
+    src: 192.168.69.0/24
+...

roles/webgateway/templates/certbot.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# {{ansible_managed}}
+certbot renew --nginx --cert-name tormakristof.eu
+{% for proxysite in proxy %}
+certbot renew --nginx --cert-name {{ proxysite.domain }}
+{% endfor %}
+{% for staticsite in static %}
+certbot renew --nginx --cert-name {{ staticsite.domain }}
+{% endfor %}
+{% for redirectsite in redirect %}
+certbot renew --nginx --cert-name {{ redirectsite.domain }}
+{% endfor %}

roles/webgateway/templates/nginx.conf

@@ -0,0 +1,152 @@
+# {{ ansible_managed }}
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        multi_accept on;
+}
+
+http {
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+
+        server_names_hash_bucket_size 64;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        gzip on;
+
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_buffers 16 8k;
+        gzip_http_version 1.1;
+        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        proxy_redirect  off;
+        proxy_set_header    Host    $host;
+        proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_set_header    X-MS-Proxy  webgateway.intra.tormakris.dev;
+        proxy_set_header    X-MS-Forwarded-Client-IP    $remote_addr;
+        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header    Upgrade $http_upgrade;
+		proxy_set_header    Connection $http_connection;
+        proxy_set_header    X-Forwarded-Proto https;
+        proxy_ssl_server_name on;
+        client_body_buffer_size 128k;
+        proxy_connect_timeout   90;
+        proxy_send_timeout 120;
+        proxy_read_timeout 300;
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+        proxy_buffering    off;
+        proxy_request_buffering off;
+        server_tokens off;
+
+        server {
+
+            listen 80 default_server;
+            listen [::]:80 default_server;
+            server_name _;
+            return 301 https://$host$request_uri;
+        }
+
+        {%- for proxysite in proxy -%}
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name {{ proxysite.domain }};
+            proxy_ssl_name {{ proxysite.domain }};
+            ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem;
+            ssl_stapling on;
+            ssl_stapling_verify on;
+            {%- if proxysite.bigrequests %}
+            client_max_body_size    8G;
+            {%- endif %}
+            location /{
+                proxy_pass  https://{{ proxysite.ip }};
+                {%- if proxysite.ignorecert %}
+                proxy_ssl_verify    off;
+                {%- endif %}
+            }
+            location /metrics{
+                proxy_pass  https://{{ proxysite.ip }};
+                allow 192.168.69.0/24;
+                deny all;
+            }
+        }
+
+        {%- endfor -%}
+
+        {%- for staticsite in static -%}
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name {{ staticsite.domain }};
+            ssl_certificate /etc/letsencrypt/live/{{ staticsite.domain }}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{ staticsite.domain }}/privkey.pem;
+            root    {{ staticsite.directory }};
+            location /{
+                try_files $uri $uri/ =404;
+            }
+        }
+
+        {%- endfor -%}
+
+        {%- for redirectsite in redirect -%}
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name {{ redirectsite.domain }};
+            ssl_certificate /etc/letsencrypt/live/{{ redirectsite.domain }}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{ redirectsite.domain }}/privkey.pem;
+            return 301 {{ redirectsite.destination }};
+        }
+
+        {%- endfor -%}
+
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name tormakristof.eu;
+            ssl_certificate /etc/letsencrypt/live/tormakristof.eu/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/tormakristof.eu/privkey.pem;
+            root /var/www/tormakristof.eu;
+            location /{
+                return 301 https://www.tormakristof.eu;
+            }
+            location /.well-known{
+                try_files $uri $uri/ =404;
+            }
+
+            location /.well-known/webfinger {
+                 return 301 https://mastodon.tormakristof.eu$request_uri;
+            }
+        }
+
+        server {
+            listen 8080;
+            
+            location /stub_status {
+                stub_status;
+ 	            allow 127.0.0.1;
+ 	            deny all;		
+            }
+        }
+}

roles/webgateway/vars/main.yaml

@@ -0,0 +1,26 @@
+proxy:
+  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false, ignorecert: true}
+  - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false, ignorecert: true}
+  - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: plex.tormakristof.eu, ip: plex.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: neko.tormakristof.eu, ip: vzelenka.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: cloudlog.tormakristof.eu, ip: cloudlog.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: dns.tormakristof.eu, ip: unbound.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+
+static:
+  []
+
+redirect:
+  []
+...

roles/webserver/defaults/main.yaml

@@ -0,0 +1,6 @@
+webserver:
+  - domain: "_"
+    port: 8080
+    bigrequests: false
+    https: false
+...

roles/webserver/files/apache-site.conf

@@ -1,17 +0,0 @@
-<IfModule mod_ssl.c>
-        <VirtualHost _default_:443>
-                ServerAdmin webmaster@kmlabz.com
-
-                DocumentRoot /var/www/html
-
-                ErrorLog ${APACHE_LOG_DIR}/error.log
-                CustomLog ${APACHE_LOG_DIR}/access.log combined
-
-                SSLEngine on
-                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
-                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
-                ProxyPass "/" "http://127.0.0.1:8080/" retry=1 acquire=3000 timeout=600 Keepalive=On
-                ProxyPassReverse "/" "http://127.0.0.1:8080/"
-        </VirtualHost>
-</IfModule>

roles/webserver/files/nginx.conf

@@ -0,0 +1,72 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        server {
+            root /var/www/html;
+            server_name _;
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+            location /{
+                try_files $uri $uri/ =404;
+            }
+        }
+}

roles/webserver/files/prometheus-nginx-exporter

@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+#  -nginx.plus
+#        Start the exporter for NGINX Plus. By default, the exporter is started
+#        for NGINX.
+#  -nginx.scrape-uri string
+#        A URI for scraping NGINX or NGINX Plus metrics.
+#        For NGINX, the stub_status page must be available through the URI.
+#        For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+#  -web.listen-address string
+#        An address to listen on for web interface and telemetry. (default ":9113")
+#  -web.telemetry-path string
+#        A path under which to expose metrics. (default "/metrics"

roles/webserver/tasks/main.yaml

@@ -1,28 +1,98 @@
 ---
-- name: "Install Apache via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - apache2
-
-- name: Upload site config to destination
-  copy:
-    src: apache-site.conf
-    dest: /etc/apache2/sites-available/site.conf
-    mode: 644
-    owner: root
-
-- name: Enable site
-  command: a2ensite site.conf
-
-- name: Enable and restart Apache2 daemon
-  service:
-    name: apache2
-    state: restarted
-    enabled: yes
-
 - name: Allow https port via ufw
   community.general.ufw:
     rule: allow
     port: https
+    src: "{{ item }}"
+  with_items: "{{ allowedranges }}"
+
+- name: "Install Nginx via apt"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - nginx
+     - python3-certbot
+     - python3-certbot-dns-cloudflare
+
+- name: Copy default nginx config
+  copy:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart nginx daemon
+  service:
+    name: nginx
+    state: restarted
+    enabled: yes
+
+- name: "Get Cloudflare token from local environment variable"
+  set_fact:
+    cloudflare_token: "{{ lookup('env', 'CLOUDFLARE_TOKEN') }}"
+  delegate_to: localhost
+
+- name: "Render Cloudflare Certbot plugin configuration"
+  template:
+    src: cf-creds.ini
+    dest: /root/cf-creds.ini
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Generate certificate for all server instances
+  shell:
+    cmd: certbot certonly --non-interactive --agree-tos -m iam@tormakristof.eu --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini -d {{item.domain}}
+  with_items: "{{ webserver }}"
+
+- name: "Generate certbot script"
+  template:
+    src: certbot.sh
+    dest: /etc/cron.weekly/certbot
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: "Generate nginx configuration"
+  template:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Reload nginx daemon
+  service:
+    name: nginx
+    state: reloaded
+
+- name: "Install nginx exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-nginx-exporter
+
+- name: Allow nginx exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: 9113
+    proto: tcp
+    src: 192.168.69.0/24
+
+- name: Copy nginx exporter config
+  copy:
+    src: prometheus-nginx-exporter
+    dest: /etc/default/prometheus-nginx-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-nginx-exporter
+    state: restarted
+    enabled: yes
+...

roles/webserver/templates/certbot.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for server in webserver %}
+certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini 10 --cert-name {{ server.domain }}
+{% endfor %}

roles/webserver/templates/cf-creds.ini

@@ -0,0 +1,4 @@
+# Cloudflare API token used by Certbot
+# {{ ansible_managed }}
+dns_cloudflare_email = tormakristof@outlook.com
+dns_cloudflare_api_key = {{ cloudflare_token }}

roles/webserver/templates/nginx.conf

@@ -0,0 +1,118 @@
+# {{ansible_managed}}
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+        worker_connections 768;
+        multi_accept on;
+}
+
+http {
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+
+        server_names_hash_bucket_size 64;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
+        gzip on;
+
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_buffers 16 8k;
+        gzip_http_version 1.1;
+        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        proxy_redirect  off;
+        proxy_set_header    Host    $host;
+        proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_set_header    X-MS-Proxy  webgateway.intra.tormakris.dev;
+        proxy_set_header    X-MS-Forwarded-Client-IP    $remote_addr;
+        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header    Upgrade $http_upgrade;
+        proxy_set_header    Connection $http_connection;
+        proxy_set_header    X-Forwarded-Proto https;
+        client_body_buffer_size 128k;
+        proxy_connect_timeout   90;
+        proxy_send_timeout 120;
+        proxy_read_timeout 300;
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+        proxy_buffering    off;
+        proxy_request_buffering off;
+        server_tokens off;
+
+        server {
+
+            listen 80 default_server;
+            listen [::]:80 default_server;
+            server_name _;
+            return 301 https://$host$request_uri;
+        }
+
+        {% for server in webserver %}
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name {{ server.domain }};
+            ssl_certificate /etc/letsencrypt/live/{{ server.domain }}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{ server.domain }}/privkey.pem;
+            {% if server.bigrequests %}
+            client_max_body_size    8G;
+            {% endif %}
+            location /{
+                {% if server.https %}
+                proxy_pass  https://127.0.0.1:{{ server.port }};
+                {% else %}
+                proxy_pass  http://127.0.0.1:{{ server.port }};
+                {% endif %}
+            }
+            location /metrics{
+                {%- if server.https %}
+                proxy_pass  https://127.0.0.1:{{ server.port }};
+                {% else %}
+                proxy_pass  http://127.0.0.1:{{ server.port }};
+                {% endif %}
+ 	            allow 192.168.69.0/24;
+ 	            deny all;
+            }
+            {% if server.additionallocations is defined %}
+            {% for location in server.additionallocations %}
+            location {{location.location}}{
+                {% if location.https %}
+                proxy_pass  https://127.0.0.1:{{ location.port }};
+                {% else %}
+                proxy_pass  http://127.0.0.1:{{ location.port }};
+                {% endif %}
+            }
+            {% endfor %}
+            {% endif %}
+        }
+
+        {%- endfor -%}
+
+        server {
+            listen 8888;
+            
+            location /stub_status {
+                stub_status;
+ 	            allow 127.0.0.1;
+ 	            deny all;		
+            }
+        }
+}

run.sh

@@ -1,4 +1,7 @@
 #!/bin/bash
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 ansible-galaxy collection install -r requirements.yaml
-ansible-playbook --ask-become-pass -i inventory.yaml test.yaml
+#ansible-playbook --ask-become-pass --ask-pass -i inventory.yaml $1
+ANSIBLE_CONFIG="$SCRIPT_DIR/ansible.cfg" ansible-playbook -i inventory.yaml $1

webserver-refresh.yaml

@@ -0,0 +1,8 @@
+---
+- name: "Deploy managed web gateway"
+  hosts: webgateway
+  roles:
+    - common
+    - webgateway
+    - internalsmtp
+...