add unbound

.drone.yml

@@ -0,0 +1,22 @@
+---
+kind: pipeline
+type: docker
+name: ansible
+
+steps:
+- name: ansible nightly run
+  image: alpinelinux/ansible
+  environment:
+    ANSIBLE_HOST_KEY_CHECKING: "False"
+    ANSIBLE_PRIVATE_KEY_FILE: "/drone/src/id_rsa"
+    ANSIBLE_CONFIG: "/drone/src/ansible.cfg"
+    CLOUDFLARE_TOKEN:
+      from_secret: CLOUDFLARE_TOKEN
+    SSH_KEY:
+      from_secret: SSH_KEY
+  commands:
+    - echo "$SSH_KEY" > $PWD/id_rsa
+    - chmod 0600 $PWD/id_rsa
+    - ansible-galaxy collection install -r requirements.yaml
+    - ansible-playbook -i inventory.yaml nightly.yaml
+...

.gitignore

@@ -1,2 +1,3 @@
 .vault_password_file
 venv/
+.DS_Store

ansible.cfg

@@ -0,0 +1,6 @@
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+[defaults]
+forks=10
+pipelining = True
+strategy = free

group_vars/all.yaml

@@ -1,4 +1,8 @@
 ---
 ansible_become: true
-ansible_user: ansible
+ansible_user: ansible@intra.tormakris.dev
+#ansible_user: ansible
+allowedranges:
+  - 192.168.69.0/24
+  - 192.168.1.0/24
 ...

group_vars/mckay.yaml

@@ -1,4 +1,4 @@
 ---
 netplan:
-  default_gateway: "192.168.69.254"
+  default_gateway: "192.168.69.253"
 ...

group_vars/woolsey.yaml

@@ -1,4 +1,4 @@
 ---
 netplan:
-  default_gateway: "192.168.69.1"
+  default_gateway: "192.168.69.253"
 ...

host_vars/bitwarden.yaml

@@ -1,3 +1,8 @@
 ---
 ansible_host: bitwarden.intra.tormakris.dev
+webserver:
+  - domain: "bitwarden.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/cloudlog.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: cloudlog.intra.tormakris.dev
+webserver:
+  - domain: "cloudlog.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/drone.yaml

@@ -1,3 +1,8 @@
 ---
 ansible_host: drone.intra.tormakris.dev
+webserver:
+  - domain: "drone.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/git.yaml

@@ -12,4 +12,9 @@ firewall:
   - port: "2222"
     proto: tcp
     interface: "eth0"
+webserver:
+  - domain: "git.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/guacamole.yaml

@@ -1,3 +1,8 @@
 ---
 ansible_host: guacamole.intra.tormakris.dev
+webserver:
+  - domain: "guacamole.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/keycloak.yaml

@@ -1,3 +0,0 @@
----
-ansible_host: keycloak.intra.tormakris.dev
-...

host_vars/librespeed.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: librespeed.intra.tormakris.dev
+webserver:
+  - domain: "speedtest.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+...

host_vars/matrix.yaml

@@ -0,0 +1,16 @@
+---
+ansible_host: matrix.intra.tormakris.dev
+webserver:
+  - domain: "matrix.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+  - domain: "chat.tormakristof.eu"
+    port: 8181
+    bigrequests: true
+    https: false
+firewall:
+  - port: "9000"
+    proto: tcp
+    interface: "eth0"
+...

host_vars/monitoring.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: monitoring.intra.tormakris.dev
+webserver:
+  - domain: "grafana.tormakristof.eu"
+    port: 8181
+    bigrequests: false
+    https: false
+...

host_vars/neko.yaml

@@ -6,21 +6,23 @@ firewall:
     interface: "eth0"
   - port: "http"
     proto: tcp
-    interface: "eth1"
+    interface: "eth0"
   - port: "https"
     proto: tcp
-    interface: "eth1"
+    interface: "eth0"
-  - port: "ssh"
+  - port: "59000:59009"
-    proto: tcp
-    interface: "eth1"
-  - port: "59000:59049"
     proto: udp
-    interface: "eth1"
+    interface: "eth0"
-netplan:
+  - port: "3478"
-  default_gateway: ""
+    proto: tcp
-  additionalinterfaces:
+    interface: "eth0"
-    - name: "eth1"
+  - port: "3478"
-      dhcp4: true
+    proto: any
-      dhcp6: true
+    interface: "eth0"
-      denydns: true
+  - port: "5349"
+    proto: any
+    interface: "eth0"
+  - port: "9101"
+    proto: tcp
+    interface: "eth0"
 ...

host_vars/nextcloud.yaml

@@ -1,3 +1,8 @@
 ---
 ansible_host: nextcloud.intra.tormakris.dev
+webserver:
+  - domain: "nextcloud.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
 ...

host_vars/nexus.yaml

@@ -3,6 +3,10 @@ ansible_host: nexus.intra.tormakris.dev
 webserver:
   - domain: "nexus.kmlabz.com"
     port: 8080
+    bigrequests: true
+    https: false
   - domain: "registry.kmlabz.com"
     port: 4269
+    bigrequests: true
+    https: false
 ...

host_vars/plex.yaml

@@ -0,0 +1,18 @@
+---
+ansible_host: plex.intra.tormakris.dev
+webserver:
+  - domain: "plex.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+netplan:
+  default_gateway: "192.168.69.254"
+  additionalinterfaces:
+    - name: "eth1"
+      dhcp4: false
+      dhcp6: false
+      denydns: true
+      addresses:
+        - '2001:738:2001:207f:0:211:211:31/64'
+      gateway6: 'fe80::'
+...

host_vars/postgres.yaml

@@ -5,6 +5,9 @@ firewall:
   - port: "5432"
     proto: tcp
     interface: "eth0"
+  - port: "9187"
+    proto: tcp
+    interface: "eth0"
 backup:
   folder: "/var/lib/postgresql/backup"
   tarfolder: "backup"

host_vars/sonar.yaml

@@ -1,3 +0,0 @@
----
-ansible_host: sonar.intra.tormakris.dev
-...

host_vars/swagger.yaml

@@ -1,3 +0,0 @@
----
-ansible_host: swagger.intra.tormakris.dev
-...

host_vars/unbound.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: unbound.intra.tormakris.dev
+webserver:
+  - domain: "dns.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: true
+...

host_vars/vikunja.yaml

@@ -0,0 +1,12 @@
+---
+ansible_host: vikunja.intra.tormakris.dev
+webserver:
+  - domain: "vikunja.tormakristof.eu"
+    port: 8081
+    bigrequests: false
+    https: false
+    additionallocations:
+      - https: false
+        port: 8080
+        location: '~* ^/(api|dav|\.well-known)/'
+...

host_vars/ytmirror.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: ytmirror.intra.tormakris.dev
+webserver:
+  - domain: "yt.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

infra.yaml

@@ -13,7 +13,6 @@
   roles:
     - netplan
     - common
-    - customfirewall
     - backupscript
     - customfirewall
 
@@ -41,7 +40,6 @@
   roles:
     - common
     - docker
-    - neko
     - customfirewall
     - internalsmtp
 
@@ -67,4 +65,20 @@
     - internalsmtp
     - backupscript
     - backuphost
+
+- name: "Deploy OpenVPN server"
+  hosts: openvpn
+  roles:
+    - netplan
+    - common
+    - openvpn
+    - customfirewall
+    - internalsmtp
+
+- name: "Deploy Game server"
+  hosts: gameservers
+  roles:
+    - netplan
+    - common
+    - internalsmtp
 ...

inventory.yaml

@@ -5,8 +5,7 @@ all:
       hosts:
         neko:
         drone:
-        keycloak:
+        matrix:
-        swagger:
         drone-runner:
         smtp:
         webgateway:
@@ -14,19 +13,43 @@ all:
         nexus:
         git:
         postgres:
+        monitoring:
+        ytmirror:
+        cloudlog:
+        unbound:
     mckay:
       hosts:
         guacamole:
         bitwarden:
         nextcloud:
         backup:
+        librespeed:
+        plex:
     dockerwebhosts:
-        keycloak:
+      hosts:
+        matrix:
         drone:
-        swagger:
         guacamole:
         bitwarden:
         nexus:
         nextcloud:
-        neko:
+        monitoring:
+        ytmirror:
+        librespeed:
+        plex:
+        cloudlog:
+    nightlydocker:
+      hosts:
+        matrix:
+        guacamole:
+        bitwarden:
+        nexus:
+        nextcloud:
+        monitoring:
+        ytmirror:
+        librespeed:
+        plex:
+        cloudlog:
+    gameservers:
+      hosts:
 ...

nightly.yaml

@@ -0,0 +1,22 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: nightlydocker
+  roles:
+    - common
+    - webserver
+    - internalsmtp
+
+- name: "Deploy smtpgateway to smtp.intra.tormakris.dev"
+  hosts: smtp
+  roles:
+    - common
+    - smtpgateway
+
+- name: "Deploy backup server"
+  hosts: backup
+  roles:
+    - common
+    - internalsmtp
+    - backupscript
+    - backuphost
+...

realmd.yaml

@@ -0,0 +1,6 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: all
+  roles:
+    - realmd
+...

roles/backuphost/tasks/main.yaml

@@ -1,44 +1,11 @@
+# TODO: Make backup user part of AD
 ---
 - name: "Add backup user"
-  ansible.builtin.user:
+  user:
     name: backup
     comment: Backup user
     shell: /bin/bash
 
-- name: "Dsiable service user"
-  ansible.builtin.user:
-    name: service-user
-    state: present
-    password_lock: true
-    shell: "/sbin/nologin"
-
-- name: Undefine AllowUsers
-  lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible service-user"
-
-- name: Check if AllowUsers is defined
-  lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "^AllowUsers"
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible backup"
-  when: checkallowusers.found == 0
-
-- name: "Restart sshd"
-  service:
-    name: sshd
-    state: restarted
-
 - name: Create .ssh directory of backup user
   file:
     path: /home/backup/.ssh

roles/backupscript/files/backup-script.service

@@ -1,9 +0,0 @@
-[Unit]
-Description=Backup application data
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/bash /opt/backupscript.sh
-
-[Install]
-WantedBy=backup.target

roles/backupscript/files/backup.target

@@ -1,5 +0,0 @@
-[Unit]
-Description=Script based backup for VMs
-
-[Install]
-WantedBy=default.target

roles/backupscript/files/backup.timer

@@ -1,10 +0,0 @@
-[Unit]
-Description=Backup VMs
-
-[Timer]
-OnBootSec=10min
-OnCalendar=Sun *-*-* 00:00:00
-Unit=backup.target
-
-[Install]
-WantedBy=multi-user.target

roles/backupscript/tasks/main.yaml

@@ -1,55 +1,12 @@
 ---
 - name: "Generate backupscript"
-  ansible.builtin.template:
+  template:
     src: backupscript.sh
-    dest: /opt/backupscript.sh
+    dest: /etc/cron.weekly/backupscript
     owner: root
     group: root
     mode: '0700'
 
-- name: Copy backup-script.service to target
-  copy:
-    src: backup-script.service
-    dest: /usr/lib/systemd/system/backup-script.service
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Copy backup.target to target
-  copy:
-    src: backup.target
-    dest: /usr/lib/systemd/system/backup.target
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Copy backup.timer to target
-  copy:
-    src: backup.timer
-    dest: /usr/lib/systemd/system/backup.timer
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Enable backup-script.service and reload systemd daemon
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    daemon_reload: yes
-    name: backup-script.service
-
-- name: Enable backup.target
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: backup.target
-
-- name: Enable backup.timer
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: backup.timer
-
 - name: Create .ssh directory of root user
   file:
     path: /root/.ssh

roles/common/defaults/main.yaml

@@ -1,8 +1,8 @@
 ---
 # defaults file for timedatectl
-timedatectl_timeservers: ['noc-a.sch.bme.hu', 'noc-b.sch.bme.hu']
+timedatectl_timeservers: ['time.intra.tormakris.dev']
 
-timedatectl_timeservers_fallback: ['time.bme.hu']
+timedatectl_timeservers_fallback: ['time.kfki.hu']
 
 timedatectl_timezone: 'Europe/Budapest'
 ...

roles/common/tasks/apt.yaml

@@ -1,4 +1,11 @@
 ---
+- name: "Use custom Ubuntu mirror"
+  replace:
+    path: /etc/apt/sources.list
+    regexp: 'http://hu.archive.ubuntu.com'
+    replace: 'https://mirrors.sth.sze.hu'
+    backup: yes
+
 - name: "Remove Ubuntu bloatware"
   apt: 
     state: absent
@@ -35,4 +42,6 @@
      - tcpdump
      - xxd
      - git
+     - ncdu
+     - cron
 ...

roles/common/tasks/clean-motd.yaml

@@ -2,8 +2,8 @@
 - name: clean motd
   file:
     state: touch
-    owner: tormakris
+    owner: tormakris@intra.tormakris.dev
-    group: tormakris
+    group: domain users@intra.tormakris.dev
     mode: "0644"
-    path: /home/tormakris/.hushlogin
+    path: /home/tormakris@intra.tormakris.dev/.hushlogin
 ...

roles/common/tasks/main.yaml

@@ -7,4 +7,5 @@
 - include_tasks: user-ops.yaml
 - include_tasks: ssh-security-settings.yaml
 - include_tasks: timesync.yaml
+- include_tasks: node-exporter.yaml
 ...

roles/common/tasks/node-exporter.yaml

@@ -0,0 +1,21 @@
+---
+- name: "Install node exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-node-exporter
+
+- name: Allow node-exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: 9100
+    proto: tcp
+    src: 192.168.69.0/24
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-node-exporter
+    state: restarted
+    enabled: yes
+...

roles/common/tasks/ssh-security-settings.yaml

@@ -1,10 +1,4 @@
 ---
-- name: Disable password authentication
-  replace:
-    path: /etc/ssh/sshd_config
-    regexp: 'PasswordAuthentication yes'
-    replace: 'PasswordAuthentication no'
-
 - name: Disable root authentication
   replace:
     path: /etc/ssh/sshd_config
@@ -23,22 +17,6 @@
     regexp: '#AddressFamily any'
     replace: 'AddressFamily inet'
 
-- name: Check if AllowUsers is defined
-  lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "^AllowUsers"
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible service-user"
-  when: checkallowusers.found == 0
-
 - name: "Restart sshd"
   service:
     name: sshd

roles/common/tasks/timesync.yaml

@@ -12,7 +12,7 @@
 
 - name: Reastart timesyncd to apply changes
   when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
+  systemd:
     state: restarted
     daemon_reload: yes
     name: systemd-timesyncd

roles/common/tasks/ufw.yaml

@@ -18,4 +18,6 @@
   community.general.ufw:
     rule: allow
     port: ssh
+    src: "{{ item }}"
+  with_items: "{{ allowedranges }}"
 ...

roles/common/tasks/user-ops.yaml

@@ -1,57 +1,38 @@
 ---
-- name: "Add service user"
+- name: Create .ssh directory of ansible user
-  ansible.builtin.user:
-    name: service-user
-    comment: Service user
-    shell: /bin/bash
-
-- name: "Add ansible user"
-  ansible.builtin.user:
-    name: ansible
-    comment: Ansible
-    shell: /bin/bash
-
-- name: "Add ansible user to sudo group"
-  ansible.builtin.user:
-    name: ansible
-    comment: Ansible
-    groups: sudo
-    append: yes
-
-- name: Create .ssh directory of root user
   file:
-    path: /home/ansible/.ssh
+    path: /home/ansible@intra.tormakris.dev/.ssh
     state: directory
-    owner: ansible
+    owner: ansible@intra.tormakris.dev
-    group: ansible
+    group: domain users@intra.tormakris.dev
 
 - name: Copy authorized_keys
   copy:
     src: authorized_keys
-    dest: /home/ansible/.ssh/authorized_keys
+    dest: /home/ansible@intra.tormakris.dev/.ssh/authorized_keys
     mode: 0600
-    owner: ansible
+    owner: ansible@intra.tormakris.dev
-    group: ansible
+    group: domain users@intra.tormakris.dev
 
-- name: Check if ansible is already nopasswd in sudoers
+- name: Check if group is present in sudoers
   lineinfile:
     state: absent
     path: /etc/sudoers
-    regexp: "^ansible"
+    regexp: "^%linuxadmins"
   check_mode: true
   changed_when: false
-  register: checkallowusers
+  register: checksudoers
 
-- name: Define ansible nopasswd in sudoers
+- name: Define group in sudoers
   lineinfile:
     state: present
     path: /etc/sudoers
-    line: "ansible ALL=(ALL:ALL) NOPASSWD:ALL"
+    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
-  when: checkallowusers.found == 0
+  when: checksudoers.found == 0
 
 - name: "Update authorized_keys of tormakris"
   ansible.posix.authorized_key:
-    user: tormakris
+    user: tormakris@intra.tormakris.dev
     state: present
     key: https://static.tormakristof.eu/ssh.keys
 ...

roles/common/templates/jfrog.conf.template

@@ -0,0 +1,3 @@
+machine tormakris.jfrog.io
+login apt
+password {{ artifactory_password }}

roles/docker/files/daemon.json

@@ -1,3 +1,7 @@
 {
-    "userland-proxy": false
+    "userland-proxy": false,
+    "dns": [
+      "192.168.69.3",
+      "192.168.69.18"
+    ]
 }

roles/docker/tasks/main.yaml

@@ -22,9 +22,15 @@
     enabled: yes
 
 - name: "Add service user to docker group"
-  ansible.builtin.user:
+  user:
-    name: service-user
+    name: service-user@intra.tormakris.dev
-    comment: Service user
     groups: docker
     append: yes
+
+- name: Allow docker exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "4194"
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/internalsmtp/files/prometheus-postfix-exporter

@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/log/mail.log
+
+# Extra arguments for the daemon.
+ARGS=''
+
+# Prometheus-postfix-exporter supports the following options:
+#  --postfix.showq_path string
+#        Path at which Postfix places its showq socket.
+#        (default "/var/spool/postfix/public/showq")
+#  --web.listen-address string
+#        Address to listen on for web interface and telemetry. (default ":9154")
+#  --web.telemetry-path string
+#        Path under which to expose metrics. (default "/metrics")

roles/internalsmtp/tasks/main.yaml

@@ -16,4 +16,38 @@
     name: postfix
     state: restarted
     enabled: yes
+
+- name: "Install postfix exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-postfix-exporter
+
+- name: Copy postfix exporter config
+  copy:
+    src: prometheus-postfix-exporter
+    dest: /etc/default/prometheus-postfix-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add the prometheus user to postdrop group
+  user:
+    name: prometheus
+    groups: postdrop
+    append: yes
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-postfix-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow postfix exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "9154"
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/neko/defaults/main.yaml

@@ -1,4 +0,0 @@
----
-datadog:
-  apikey: ""
-...

roles/neko/files/certbot

@@ -1,4 +0,0 @@
-#! /bin/bash
-systemctl stop haproxy
-certbot renew --standalone --cert-name neko.tormakristof.eu
-systemctl start haproxy

roles/neko/files/datadog.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://apt.datadoghq.com/ stable 7

roles/neko/files/haproxy.cfg

@@ -1,55 +0,0 @@
-global
-        log /dev/log    local0
-        log /dev/log    local1 notice
-        chroot /var/lib/haproxy
-        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
-        stats timeout 30s
-        user haproxy
-        group haproxy
-        daemon
-
-        # Default SSL material locations
-        ca-base /etc/ssl/certs
-        crt-base /etc/ssl/private
-
-        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
-        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
-
-defaults
-        log     global
-        mode    http
-        option  httplog
-        option  dontlognull
-        timeout connect 5000
-        timeout client  50000
-        timeout server  50000
-        errorfile 400 /etc/haproxy/errors/400.http
-        errorfile 403 /etc/haproxy/errors/403.http
-        errorfile 408 /etc/haproxy/errors/408.http
-        errorfile 500 /etc/haproxy/errors/500.http
-        errorfile 502 /etc/haproxy/errors/502.http
-        errorfile 503 /etc/haproxy/errors/503.http
-        errorfile 504 /etc/haproxy/errors/504.http
-
-frontend http-in
-   bind *:80
-   mode http
-   redirect scheme https code 301
-
-frontend https-front
-   bind :443
-   mode tcp
-   use_backend https-back
-
-backend https-back
-   mode tcp
-   balance roundrobin
-   server docker 127.0.0.1:8080 check
-
-listen stats # Define a listen section called "stats"
-        bind 127.0.0.1:9000 # Listen on localhost:9000
-        mode http
-        stats enable  # Enable stats page
-        stats uri /haproxy_stats  # Stats URI

roles/neko/tasks/main.yaml

@@ -1,78 +0,0 @@
----
-- name: "Install haproxy via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - haproxy
-
-- name: Copy haproxy configuration
-  copy:
-    src: haproxy.cfg
-    dest: /etc/haproxy/haproxy.cfg
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Enable and stop haproxy
-  service:
-    name: haproxy
-    state: stopped
-    enabled: yes
-
-- name: "Install certbot via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - python3-certbot
-
-- name: Generate certificate for all proxied domains
-  command:
-    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --standalone -d neko.tormakristof.eu
-
-- name: Enable and start haproxy
-  service:
-    name: haproxy
-    state: started
-    enabled: yes
-
-- name: Copy certbot cronjob
-  copy:
-    src: certbot
-    dest: /etc/cron.weekly/certbot
-    mode: 0755
-    owner: root
-    group: root
-
-- name: Reset ufw rules to default
-  community.general.ufw:
-    state: reset
-
-- name: Enable ufw
-  community.general.ufw:
-    state: enabled
-
-- name: Copy datadog repo config
-  copy:
-    src: datadog.list
-    dest: /etc/apt/sources.list.d/datadog.list
-    mode: 0655
-    owner: root
-    group: root
-
-- name: "Install datadog-agent"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-      - datadog-agent
-
-- name: "Generate datadog configuration"
-  ansible.builtin.template:
-    src: datadog.yaml
-    dest: /etc/datadog-agent/datadog.yaml
-    owner: dd-agent
-    group: dd-agent
-    mode: '0640'
-...

roles/netplan/templates/netplan.yaml

@@ -6,9 +6,9 @@ network:
     {{ ansible_default_ipv4.interface }}:
       dhcp4: true
       dhcp-identifier: mac
+{% if netplan.default_gateway is defined and netplan.default_gateway|length > 0 %}
       dhcp4-overrides:
         use-routes: false
-{% if netplan.default_gateway is defined and netplan.default_gateway|length > 0 %}
       gateway4: {{netplan.default_gateway}}
 {% endif %}
 {% if netplan.additionalinterfaces is defined and netplan.additionalinterfaces|length > 0 %}
@@ -29,7 +29,7 @@ network:
       gateway4: {{interface.gateway4}}
 {% endif %}
 {% if interface.gateway6 is defined and interface.gateway6|length > 0  %}
-      gateway4: {{interface.gateway6}}
+      gateway6: '{{interface.gateway6}}'
 {% endif %}
 {% if interface.denydns %}
       nameservers:

roles/openvpn/tasks/main.yaml

@@ -4,7 +4,7 @@
     update_cache: yes
     state: present
     name:
-     - openvpn-server
+     - openvpn
 
 - name : "Enable ipv4 forwarding via sysctl"
   ansible.posix.sysctl:
@@ -16,7 +16,7 @@
 
 - name: Enable and restart openvpn daemon
   service:
-    name: openvpn
+    name: openvpn-server@stargate
     state: restarted
     enabled: yes
 
@@ -36,14 +36,29 @@
       # START OPENVPN RULES
       # NAT table rules
       *nat
+      -F
       :POSTROUTING ACCEPT [0:0]
       # Allow traffic from OpenVPN client to everywhere
       -A POSTROUTING -s 192.168.37.0/24 -o eth0 -j MASQUERADE
       -A POSTROUTING -s 192.168.37.0/24 -o eth2 -j MASQUERADE
       COMMIT
+      *filter
+      -A ufw-before-input -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      COMMIT
       # END OPENVPN RULES
 
 - name: Reload ufw
   community.general.ufw:
     state: reloaded
+
+- name: Apply custom ufw rules
+  community.general.ufw:
+    rule: allow
+    direction: "in"
+    interface: tun0
 ...

roles/realmd/tasks/main.yaml

@@ -0,0 +1,94 @@
+---
+- name: "Install realmd and dependencies"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - realmd
+     - sssd
+     - sssd-tools
+     - libnss-sss
+     - libpam-sss
+     - adcli
+     - samba-common-bin
+     - oddjob
+     - oddjob-mkhomedir
+     - packagekit
+
+- name: Check if computer is joined to domain
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    line: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkjoined
+
+- name: "Get join password from local environment variable"
+  set_fact:
+    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
+  delegate_to: localhost
+  when: checkjoined.found == 0
+
+- name: Join to AD with realmd
+  shell:
+    cmd: echo {{ join_passw }} | realm join -v -U tormakris_admin intra.tormakris.dev
+  when: checkjoined.found == 0
+
+- name: Enable pam homedir create on first logon
+  command:
+    cmd: pam-auth-update --enable mkhomedir
+
+- name: Check if ad_gpo_access_control is disabled
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_gpo_access_control"
+  check_mode: true
+  changed_when: false
+  register: checkadgpoac
+
+- name: Set ad_gpo_access_control to disabled
+  lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_gpo_access_control = disabled"
+  when: checkadgpoac.found == 0
+
+- name: Check if ad_access_filter is set
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkadaf
+
+- name: Set ad_gpo_access_control to disabled
+  lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
+  when: checkadaf.found == 0
+
+- name: "Restart sssd"
+  service:
+    name: sssd
+    state: restarted
+
+- name: Check if group is presend in sudoers
+  lineinfile:
+    state: absent
+    path: /etc/sudoers
+    regexp: "^%linuxadmins"
+  check_mode: true
+  changed_when: false
+  register: checksudoers
+
+- name: Define group in sudoers
+  lineinfile:
+    state: present
+    path: /etc/sudoers
+    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
+  when: checksudoers.found == 0
+...

roles/smtpgateway/defaults/main.yaml

@@ -1,4 +1,4 @@
 ---
-postfix_relayhost: 'smtp-relay.gmail.com'
+postfix_relayhost: 'tormakris-dev.mail.protection.outlook.com'
 external_domain: 'tormakris.dev'
 ...

roles/smtpgateway/files/prometheus-postfix-exporter

@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/log/mail.log
+
+# Extra arguments for the daemon.
+ARGS=''
+
+# Prometheus-postfix-exporter supports the following options:
+#  --postfix.showq_path string
+#        Path at which Postfix places its showq socket.
+#        (default "/var/spool/postfix/public/showq")
+#  --web.listen-address string
+#        Address to listen on for web interface and telemetry. (default ":9154")
+#  --web.telemetry-path string
+#        Path under which to expose metrics. (default "/metrics")

roles/smtpgateway/tasks/main.yaml

@@ -12,7 +12,8 @@
     dest: /etc/postfix/main.cf
 
 - name: Build /etc/mailname
-  shell: hostname --fqdn > /etc/mailname
+  shell:
+    cmd: "hostname --fqdn > /etc/mailname"
 
 - name: Restart Postfix
   service:
@@ -24,4 +25,39 @@
   community.general.ufw:
     rule: allow
     port: smtp
+    src: 192.168.69.0/24
+
+- name: "Install postfix exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-postfix-exporter
+
+- name: Copy exporter config
+  copy:
+    src: prometheus-postfix-exporter
+    dest: /etc/default/prometheus-postfix-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add the prometheus user to postdrop group
+  user:
+    name: prometheus
+    groups: postdrop
+    append: yes
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-postfix-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow postfix exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "9154"
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/webgateway/files/certbot-script.service

@@ -1,9 +0,0 @@
-[Unit]
-Description=Renew certificates with certbot
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/bash /opt/certbot.sh
-
-[Install]
-WantedBy=certbot.target

roles/webgateway/files/certbot.target

@@ -1,5 +0,0 @@
-[Unit]
-Description=Script based certificate renewal via certbot
-
-[Install]
-WantedBy=default.target

roles/webgateway/files/certbot.timer

@@ -1,10 +0,0 @@
-[Unit]
-Description=Periodic certificate renewal
-
-[Timer]
-OnBootSec=10min
-OnCalendar=Sun *-*-* 00:00:00
-Unit=certbot.target
-
-[Install]
-WantedBy=multi-user.target

roles/webgateway/files/prometheus-nginx-exporter

@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8080/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+#  -nginx.plus
+#        Start the exporter for NGINX Plus. By default, the exporter is started
+#        for NGINX.
+#  -nginx.scrape-uri string
+#        A URI for scraping NGINX or NGINX Plus metrics.
+#        For NGINX, the stub_status page must be available through the URI.
+#        For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+#  -web.listen-address string
+#        An address to listen on for web interface and telemetry. (default ":9113")
+#  -web.telemetry-path string
+#        A path under which to expose metrics. (default "/metrics"

roles/webgateway/tasks/main.yaml

@@ -19,7 +19,7 @@
     port: https
 
 - name: Copy default nginx config
-  ansible.builtin.copy:
+  copy:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -42,61 +42,21 @@
     cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
   with_items: "{{ static }}"
 
-- name: Generate certificate for all static sites
+- name: Generate certificate for all redirect sites
   command:
     cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
   with_items: "{{ redirect }}"
 
 - name: "Generate certbot script"
-  ansible.builtin.template:
+  template:
     src: certbot.sh
-    dest: /opt/certbot.sh
+    dest: /etc/cron.weekly/certbot
     owner: root
     group: root
     mode: '0700'
 
-- name: Copy certbot-script.service to target
-  copy:
-    src: certbot-script.service
-    dest: /usr/lib/systemd/system/certbot-script.service
-    mode: 644
-    owner: root
-
-- name: Copy certbot.target to target
-  copy:
-    src: certbot.target
-    dest: /usr/lib/systemd/system/certbot.target
-    mode: 644
-    owner: root
-
-- name: Copy certbot.timer to target
-  copy:
-    src: certbot.timer
-    dest: /usr/lib/systemd/system/certbot.timer
-    mode: 644
-    owner: root
-
-- name: Enable certbot-script.service and reload systemd daemon
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    daemon_reload: yes
-    name: certbot-script.service
-
-- name: Enable certbot.target
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: certbot.target
-
-- name: Enable certbot.timer
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: certbot.timer
-
 - name: "Generate nginx configuration"
-  ansible.builtin.template:
+  template:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -113,20 +73,48 @@
     state: reloaded
 
 - name: "Remove any existing static file directories"
-  ansible.builtin.file:
+  file:
     path: "{{ item.directory }}"
     state: absent
   with_items: "{{ static }}"
 
 - name: "Checkout static websites from git"
-  ansible.builtin.git:
+  git:
     repo: "{{ item.repo }}"
     dest: "{{ item.directory }}"
   with_items: "{{ static }}"
 
 - name: "Remove .git directory from static websites"
-  ansible.builtin.file:
+  file:
     path: "{{ item.directory }}/.git"
     state: absent
   with_items: "{{ static }}"
+
+- name: "Install nginx exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-nginx-exporter
+
+- name: Copy nginx exporter config
+  copy:
+    src: prometheus-nginx-exporter
+    dest: /etc/default/prometheus-nginx-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-nginx-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow nginx exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: 9113
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/webgateway/templates/certbot.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 # {{ansible_managed}}
+certbot renew --nginx --cert-name tormakristof.eu
 {% for proxysite in proxy %}
 certbot renew --nginx --cert-name {{ proxysite.domain }}
 {% endfor %}

roles/webgateway/templates/nginx.conf

@@ -1,4 +1,4 @@
-# {{ansible_managed}}
+# {{ ansible_managed }}
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
@@ -40,11 +40,13 @@ http {
         proxy_redirect  off;
         proxy_set_header    Host    $host;
         proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_set_header    X-MS-Proxy  webgateway.intra.tormakris.dev;
+        proxy_set_header    X-MS-Forwarded-Client-IP    $remote_addr;
         proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header    Upgrade $http_upgrade;
 		proxy_set_header    Connection $http_connection;
         proxy_set_header    X-Forwarded-Proto https;
-        client_max_body_size    10m;
+        proxy_ssl_server_name on;
         client_body_buffer_size 128k;
         proxy_connect_timeout   90;
         proxy_send_timeout 120;
@@ -54,6 +56,7 @@ http {
         proxy_busy_buffers_size    256k;
         proxy_buffering    off;
         proxy_request_buffering off;
+        server_tokens off;
 
         server {
 
@@ -63,22 +66,35 @@ http {
             return 301 https://$host$request_uri;
         }
 
-        {% for proxysite in proxy %}
+        {%- for proxysite in proxy -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
             server_name {{ proxysite.domain }};
+            proxy_ssl_name {{ proxysite.domain }};
             ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem;
             ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem;
+            ssl_stapling on;
+            ssl_stapling_verify on;
+            {%- if proxysite.bigrequests %}
+            client_max_body_size    8G;
+            {%- endif %}
             location /{
                 proxy_pass  https://{{ proxysite.ip }};
+                {%- if proxysite.ignorecert %}
                 proxy_ssl_verify    off;
+                {%- endif %}
+            }
+            location /metrics{
+                proxy_pass  https://{{ proxysite.ip }};
+                allow 192.168.69.0/24;
+                deny all;
             }
         }
 
-        {% endfor %}
+        {%- endfor -%}
 
-        {% for staticsite in static %}
+        {%- for staticsite in static -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
@@ -91,9 +107,9 @@ http {
             }
         }
 
-        {% endfor %}
+        {%- endfor -%}
 
-        {% for redirectsite in redirect %}
+        {%- for redirectsite in redirect -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
@@ -103,5 +119,34 @@ http {
             return 301 {{ redirectsite.destination }};
         }
 
-        {% endfor %}
+        {%- endfor -%}
+
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name tormakristof.eu;
+            ssl_certificate /etc/letsencrypt/live/tormakristof.eu/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/tormakristof.eu/privkey.pem;
+            root /var/www/tormakristof.eu;
+            location /{
+                return 301 https://www.tormakristof.eu;
+            }
+            location /.well-known{
+                try_files $uri $uri/ =404;
+            }
+
+            location /.well-known/webfinger {
+                 return 301 https://mastodon.tormakristof.eu$request_uri;
+            }
+        }
+
+        server {
+            listen 8080;
+            
+            location /stub_status {
+                stub_status;
+ 	            allow 127.0.0.1;
+ 	            deny all;		
+            }
+        }
 }

roles/webgateway/vars/main.yaml

@@ -1,19 +1,26 @@
 proxy:
-  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev}
+  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev, bigrequests: false, ignorecert: false}
-  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev}
+  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev, bigrequests: true, ignorecert: false}
-  - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev}
+  - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev, bigrequests: false, ignorecert: false}
-  - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev}
+  - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev, bigrequests: false, ignorecert: false}
-  - {domain: guacamole.kmlabz.com, ip: guacamole.intra.tormakris.dev}
+  - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev, bigrequests: false, ignorecert: false}
-  - {domain: keycloak.kmlabz.com, ip: keycloak.intra.tormakris.dev}
+  - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: true, ignorecert: false}
-  - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev}
+  - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: true, ignorecert: false}
-  - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev}
+  - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true, ignorecert: false}
-  - {domain: swagger.kmlabz.com, ip: swagger.intra.tormakris.dev}
+  - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false, ignorecert: true}
+  - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false, ignorecert: true}
+  - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: plex.tormakristof.eu, ip: plex.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: neko.tormakristof.eu, ip: vzelenka.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: cloudlog.tormakristof.eu, ip: cloudlog.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: dns.tormakristof.eu, ip: unbound.intra.tormakris.dev, bigrequests: true, ignorecert: false}
 
 static:
-  - {domain: kmlabz.com, directory: /var/www/kmlabz.com, repo: "https://git.kmlabz.com/kmlabz/homepage.git"}
+  []
 
 redirect:
-  - {domain: tormakristof.eu, destination: "https://www.tormakristof.eu"}
+  []
-  - {domain: tormakris.dev, destination: "https://www.tormakristof.eu"}
-  - {domain: torma.xyz, destination: "https://www.tormakristof.eu"}
 ...

roles/webserver/defaults/main.yaml

@@ -1,4 +1,6 @@
 webserver:
   - domain: "_"
     port: 8080
+    bigrequests: false
+    https: false
 ...

roles/webserver/files/nginx.conf

@@ -58,6 +58,15 @@ http {
         # Virtual Host Configs
         ##
 
-        include /etc/nginx/conf.d/*.conf;
+        server {
-        include /etc/nginx/sites-enabled/*;
+            root /var/www/html;
+            server_name _;
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+            location /{
+                try_files $uri $uri/ =404;
+            }
+        }
 }

roles/webserver/files/prometheus-nginx-exporter

@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+#  -nginx.plus
+#        Start the exporter for NGINX Plus. By default, the exporter is started
+#        for NGINX.
+#  -nginx.scrape-uri string
+#        A URI for scraping NGINX or NGINX Plus metrics.
+#        For NGINX, the stub_status page must be available through the URI.
+#        For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+#  -web.listen-address string
+#        An address to listen on for web interface and telemetry. (default ":9113")
+#  -web.telemetry-path string
+#        A path under which to expose metrics. (default "/metrics"

roles/webserver/tasks/main.yaml

@@ -1,13 +1,22 @@
 ---
+- name: Allow https port via ufw
+  community.general.ufw:
+    rule: allow
+    port: https
+    src: "{{ item }}"
+  with_items: "{{ allowedranges }}"
+
 - name: "Install Nginx via apt"
   apt:
     update_cache: yes
     state: present
     name:
      - nginx
+     - python3-certbot
+     - python3-certbot-dns-cloudflare
 
 - name: Copy default nginx config
-  ansible.builtin.copy:
+  copy:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -20,8 +29,34 @@
     state: restarted
     enabled: yes
 
+- name: "Get Cloudflare token from local environment variable"
+  set_fact:
+    cloudflare_token: "{{ lookup('env', 'CLOUDFLARE_TOKEN') }}"
+  delegate_to: localhost
+
+- name: "Render Cloudflare Certbot plugin configuration"
+  template:
+    src: cf-creds.ini
+    dest: /root/cf-creds.ini
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Generate certificate for all server instances
+  shell:
+    cmd: certbot certonly --non-interactive --agree-tos -m iam@tormakristof.eu --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini -d {{item.domain}}
+  with_items: "{{ webserver }}"
+
+- name: "Generate certbot script"
+  template:
+    src: certbot.sh
+    dest: /etc/cron.weekly/certbot
+    owner: root
+    group: root
+    mode: '0700'
+
 - name: "Generate nginx configuration"
-  ansible.builtin.template:
+  template:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -33,8 +68,31 @@
     name: nginx
     state: reloaded
 
-- name: Allow https port via ufw
+- name: "Install nginx exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-nginx-exporter
+
+- name: Allow nginx exporter via ufw
   community.general.ufw:
     rule: allow
-    port: https
+    port: 9113
+    proto: tcp
+    src: 192.168.69.0/24
+
+- name: Copy nginx exporter config
+  copy:
+    src: prometheus-nginx-exporter
+    dest: /etc/default/prometheus-nginx-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-nginx-exporter
+    state: restarted
+    enabled: yes
 ...

roles/webserver/templates/certbot.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for server in webserver %}
+certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini 10 --cert-name {{ server.domain }}
+{% endfor %}

roles/webserver/templates/cf-creds.ini

@@ -0,0 +1,4 @@
+# Cloudflare API token used by Certbot
+# {{ ansible_managed }}
+dns_cloudflare_email = tormakristof@outlook.com
+dns_cloudflare_api_key = {{ cloudflare_token }}

roles/webserver/templates/nginx.conf

@@ -40,10 +40,12 @@ http {
         proxy_redirect  off;
         proxy_set_header    Host    $host;
         proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_set_header    X-MS-Proxy  webgateway.intra.tormakris.dev;
+        proxy_set_header    X-MS-Forwarded-Client-IP    $remote_addr;
         proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-	    proxy_set_header    Upgrade $http_upgrade;
+        proxy_set_header    Upgrade $http_upgrade;
-	    proxy_set_header    Connection $http_connection;
+        proxy_set_header    Connection $http_connection;
-        client_max_body_size    10m;
+        proxy_set_header    X-Forwarded-Proto https;
         client_body_buffer_size 128k;
         proxy_connect_timeout   90;
         proxy_send_timeout 120;
@@ -53,6 +55,7 @@ http {
         proxy_busy_buffers_size    256k;
         proxy_buffering    off;
         proxy_request_buffering off;
+        server_tokens off;
 
         server {
 
@@ -67,12 +70,49 @@ http {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
             server_name {{ server.domain }};
-            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+            ssl_certificate /etc/letsencrypt/live/{{ server.domain }}/fullchain.pem;
-            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+            ssl_certificate_key /etc/letsencrypt/live/{{ server.domain }}/privkey.pem;
+            {% if server.bigrequests %}
+            client_max_body_size    8G;
+            {% endif %}
             location /{
+                {% if server.https %}
+                proxy_pass  https://127.0.0.1:{{ server.port }};
+                {% else %}
                 proxy_pass  http://127.0.0.1:{{ server.port }};
+                {% endif %}
             }
+            location /metrics{
+                {%- if server.https %}
+                proxy_pass  https://127.0.0.1:{{ server.port }};
+                {% else %}
+                proxy_pass  http://127.0.0.1:{{ server.port }};
+                {% endif %}
+ 	            allow 192.168.69.0/24;
+ 	            deny all;
+            }
+            {% if server.additionallocations is defined %}
+            {% for location in server.additionallocations %}
+            location {{location.location}}{
+                {% if location.https %}
+                proxy_pass  https://127.0.0.1:{{ location.port }};
+                {% else %}
+                proxy_pass  http://127.0.0.1:{{ location.port }};
+                {% endif %}
+            }
+            {% endfor %}
+            {% endif %}
         }
 
-        {% endfor %}
+        {%- endfor -%}
+
+        server {
+            listen 8888;
+            
+            location /stub_status {
+                stub_status;
+ 	            allow 127.0.0.1;
+ 	            deny all;		
+            }
+        }
 }

run.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 ansible-galaxy collection install -r requirements.yaml
-ansible-playbook --ask-become-pass --ask-pass -i inventory.yaml $1
+#ansible-playbook --ask-become-pass --ask-pass -i inventory.yaml $1
-#ansible-playbook --ask-become-pass -i inventory.yaml $1
+ANSIBLE_CONFIG="$SCRIPT_DIR/ansible.cfg" ansible-playbook -i inventory.yaml $1