add unbound

.drone.yml

@@ -0,0 +1,22 @@
+---
+kind: pipeline
+type: docker
+name: ansible
+
+steps:
+- name: ansible nightly run
+  image: alpinelinux/ansible
+  environment:
+    ANSIBLE_HOST_KEY_CHECKING: "False"
+    ANSIBLE_PRIVATE_KEY_FILE: "/drone/src/id_rsa"
+    ANSIBLE_CONFIG: "/drone/src/ansible.cfg"
+    CLOUDFLARE_TOKEN:
+      from_secret: CLOUDFLARE_TOKEN
+    SSH_KEY:
+      from_secret: SSH_KEY
+  commands:
+    - echo "$SSH_KEY" > $PWD/id_rsa
+    - chmod 0600 $PWD/id_rsa
+    - ansible-galaxy collection install -r requirements.yaml
+    - ansible-playbook -i inventory.yaml nightly.yaml
+...

.gitignore

@@ -1,2 +1,3 @@
 .vault_password_file
-venv/
+venv/
+.DS_Store

ansible.cfg

@@ -0,0 +1,6 @@
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s
+[defaults]
+forks=10
+pipelining = True
+strategy = free

backup.yaml

@@ -1,10 +0,0 @@
----
-- name: "Deploy backup server"
-  hosts: backup
-  roles:
-    - netplan
-    - common
-    - internalsmtp
-    - backupscript
-    - backuphost
-...

dbhosts.yaml

@@ -1,10 +0,0 @@
----
-- name: "Deploy database server base"
-  hosts: postgres, mariadb
-  roles:
-    - netplan
-    - common
-    - customfirewall
-    - backupscript
-    - customfirewall
-...

docker-host.yaml

@@ -1,9 +0,0 @@
----
-- name: "Deploy basic webhost with Docker"
-  hosts: keycloak, drone, swagger, guacamole, bitwarden, nexus, nextcloud 
-  roles:
-    - netplan
-    - common
-    - docker
-    - webserver
-    - internalsmtp

drone-runner.yaml

@@ -1,9 +0,0 @@
----
-- name: "Deploy basic Docker host to drone-runner"
-  hosts: drone-runner
-  roles:
-    - netplan
-    - common
-    - docker
-    - internalsmtp
-...

gitea.yaml

@@ -1,12 +0,0 @@
----
-- name: "Deploy gitea in Docker"
-  hosts: git
-  roles:
-    - netplan
-    - common
-    - docker
-    - webserver
-    - internalsmtp
-    - backupscript
-    - customfirewall
-...

group_vars/all.yaml

@@ -0,0 +1,8 @@
+---
+ansible_become: true
+ansible_user: ansible@intra.tormakris.dev
+#ansible_user: ansible
+allowedranges:
+  - 192.168.69.0/24
+  - 192.168.1.0/24
+...

group_vars/mckay.yaml

@@ -1,4 +1,4 @@
 ---
 netplan:
-  default_gateway: "192.168.69.254"
+  default_gateway: "192.168.69.253"
 ...

group_vars/woolsey.yaml

@@ -1,4 +1,4 @@
 ---
 netplan:
-  default_gateway: "192.168.69.1"
+  default_gateway: "192.168.69.253"
 ...

host_vars/backup.yaml

@@ -1,4 +1,5 @@
 ---
+ansible_host: backup.intra.tormakris.dev
 servicename: mckay
 backup:
   host: oniel.tormakristof.eu

host_vars/bitwarden.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: bitwarden.intra.tormakris.dev
+webserver:
+  - domain: "bitwarden.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/cloudlog.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: cloudlog.intra.tormakris.dev
+webserver:
+  - domain: "cloudlog.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/drone-runner.yaml

@@ -0,0 +1,3 @@
+---
+ansible_host: drone-runner.intra.tormakris.dev
+...

host_vars/drone.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: drone.intra.tormakris.dev
+webserver:
+  - domain: "drone.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/git.yaml

@@ -1,13 +1,20 @@
 ---
+ansible_host: git.intra.tormakris.dev
 servicename: git
 backup:
   folder: "/home/service-user"
   tarfolder: "gitea docker-compose.yml"
-  host: backup.stargate.internal
+  host: backup.intra.tormakris.dev
   internal: true
   prearecommand: ""
+  basedir: /mnt/backupstore
 firewall:
   - port: "2222"
     proto: tcp
     interface: "eth0"
+webserver:
+  - domain: "git.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/guacamole.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: guacamole.intra.tormakris.dev
+webserver:
+  - domain: "guacamole.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

host_vars/librespeed.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: librespeed.intra.tormakris.dev
+webserver:
+  - domain: "speedtest.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+...

host_vars/mariadb.yaml

@@ -1,6 +0,0 @@
----
-firewall:
-  - port: "3306"
-    proto: tcp
-    interface: "eth0"
-...

host_vars/matrix.yaml

@@ -0,0 +1,16 @@
+---
+ansible_host: matrix.intra.tormakris.dev
+webserver:
+  - domain: "matrix.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+  - domain: "chat.tormakristof.eu"
+    port: 8181
+    bigrequests: true
+    https: false
+firewall:
+  - port: "9000"
+    proto: tcp
+    interface: "eth0"
+...

host_vars/monitoring.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: monitoring.intra.tormakris.dev
+webserver:
+  - domain: "grafana.tormakristof.eu"
+    port: 8181
+    bigrequests: false
+    https: false
+...

host_vars/neko.yaml

@@ -1,25 +1,28 @@
 ---
+ansible_host: zelenka.intra.tormakris.dev
 firewall:
   - port: "ssh"
     proto: tcp
     interface: "eth0"
   - port: "http"
     proto: tcp
-    interface: "eth1"
+    interface: "eth0"
   - port: "https"
     proto: tcp
-    interface: "eth1"
-  - port: "ssh"
-    proto: tcp
-    interface: "eth1"
-  - port: "59000:59049"
+    interface: "eth0"
+  - port: "59000:59009"
     proto: udp
-    interface: "eth1"
-netplan:
-  default_gateway: ""
-  additionalinterfaces:
-    - name: "eth1"
-      dhcp4: true
-      dhcp6: true
-      denydns: true
+    interface: "eth0"
+  - port: "3478"
+    proto: tcp
+    interface: "eth0"
+  - port: "3478"
+    proto: any
+    interface: "eth0"
+  - port: "5349"
+    proto: any
+    interface: "eth0"
+  - port: "9101"
+    proto: tcp
+    interface: "eth0"
 ...

host_vars/nextcloud.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: nextcloud.intra.tormakris.dev
+webserver:
+  - domain: "nextcloud.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+...

host_vars/nexus.yaml

@@ -1,7 +1,12 @@
 ---
+ansible_host: nexus.intra.tormakris.dev
 webserver:
   - domain: "nexus.kmlabz.com"
     port: 8080
+    bigrequests: true
+    https: false
   - domain: "registry.kmlabz.com"
     port: 4269
+    bigrequests: true
+    https: false
 ...

host_vars/openvpn.yaml

@@ -1,4 +1,5 @@
 ---
+ansible_host: openvpn.intra.tormakris.dev
 firewall:
   - port: "1194"
     proto: udp

host_vars/plex.yaml

@@ -0,0 +1,18 @@
+---
+ansible_host: plex.intra.tormakris.dev
+webserver:
+  - domain: "plex.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: false
+netplan:
+  default_gateway: "192.168.69.254"
+  additionalinterfaces:
+    - name: "eth1"
+      dhcp4: false
+      dhcp6: false
+      denydns: true
+      addresses:
+        - '2001:738:2001:207f:0:211:211:31/64'
+      gateway6: 'fe80::'
+...

host_vars/postgres.yaml

@@ -1,6 +1,18 @@
 ---
+ansible_host: postgres.intra.tormakris.dev
+servicename: postgres
 firewall:
   - port: "5432"
     proto: tcp
     interface: "eth0"
+  - port: "9187"
+    proto: tcp
+    interface: "eth0"
+backup:
+  folder: "/var/lib/postgresql/backup"
+  tarfolder: "backup"
+  host: backup.intra.tormakris.dev
+  internal: true
+  prearecommand: "time ( sudo -u postgres pg_dumpall > /var/lib/postgresql/backup/postgres.sql )"
+  basedir: /mnt/backupstore
 ...

host_vars/smtp.yaml

@@ -0,0 +1,3 @@
+---
+ansible_host: smtp.intra.tormakris.dev
+...

host_vars/unbound.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: unbound.intra.tormakris.dev
+webserver:
+  - domain: "dns.tormakristof.eu"
+    port: 8080
+    bigrequests: true
+    https: true
+...

host_vars/vikunja.yaml

@@ -0,0 +1,12 @@
+---
+ansible_host: vikunja.intra.tormakris.dev
+webserver:
+  - domain: "vikunja.tormakristof.eu"
+    port: 8081
+    bigrequests: false
+    https: false
+    additionallocations:
+      - https: false
+        port: 8080
+        location: '~* ^/(api|dav|\.well-known)/'
+...

host_vars/webgateway.yaml

@@ -0,0 +1,3 @@
+---
+ansible_host: apache.intra.tormakris.dev
+...

host_vars/ytmirror.yaml

@@ -0,0 +1,8 @@
+---
+ansible_host: ytmirror.intra.tormakris.dev
+webserver:
+  - domain: "yt.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
+...

infra.yaml

@@ -0,0 +1,84 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: dockerwebhosts
+  roles:
+    - netplan
+    - common
+    - docker
+    - webserver
+    - internalsmtp
+
+- name: "Deploy database server base"
+  hosts: postgres
+  roles:
+    - netplan
+    - common
+    - backupscript
+    - customfirewall
+
+- name: "Deploy basic Docker host to drone-runner"
+  hosts: drone-runner
+  roles:
+    - netplan
+    - common
+    - docker
+    - internalsmtp
+
+- name: "Deploy gitea in Docker"
+  hosts: git
+  roles:
+    - netplan
+    - common
+    - docker
+    - webserver
+    - internalsmtp
+    - backupscript
+    - customfirewall
+
+- name: "Setup neko"
+  hosts: neko
+  roles:
+    - common
+    - docker
+    - customfirewall
+    - internalsmtp
+
+- name: "Deploy smtpgateway to smtp.intra.tormakris.dev"
+  hosts: smtp
+  roles:
+    - netplan
+    - common
+    - smtpgateway
+
+- name: "Deploy managed web gateway"
+  hosts: webgateway
+  roles:
+    - common
+    - webgateway
+    - internalsmtp
+
+- name: "Deploy backup server"
+  hosts: backup
+  roles:
+    - netplan
+    - common
+    - internalsmtp
+    - backupscript
+    - backuphost
+
+- name: "Deploy OpenVPN server"
+  hosts: openvpn
+  roles:
+    - netplan
+    - common
+    - openvpn
+    - customfirewall
+    - internalsmtp
+
+- name: "Deploy Game server"
+  hosts: gameservers
+  roles:
+    - netplan
+    - common
+    - internalsmtp
+...

inventory.yaml

@@ -1,45 +1,55 @@
 ---
 all:
-  vars:
-    ansible_become: true
-    ansible_user: tormakris
   children:
     woolsey:
       hosts:
         neko:
-          ansible_host: zelenka.stargate.internal
         drone:
-          ansible_host: drone.stargate.internal
-        keycloak:
-          ansible_host: keycloak.stargate.internal
-        sonar:
-          ansible_host: sonar.stargate.internal
-        swagger:
-          ansible_host: swagger.stargate.internal
+        matrix:
         drone-runner:
-          ansible_host: drone-runner.stargate.internal
         smtp:
-          ansible_host: smtp.stargate.internal
         webgateway:
-          ansible_host: apache.stargate.internal
         openvpn:
-          ansible_host: openvpn.stargate.internal
         nexus:
-          ansible_host: nexus.stargate.internal
         git:
-          ansible_host: git.stargate.internal
         postgres:
-          ansible_host: postgres.stargate.internal
+        monitoring:
+        ytmirror:
+        cloudlog:
+        unbound:
     mckay:
       hosts:
         guacamole:
-          ansible_host: guacamole.stargate.internal
         bitwarden:
-          ansible_host: bitwarden.stargate.internal
         nextcloud:
-          ansible_host: nextcloud.stargate.internal
-        mariadb:
-          ansible_host: mariadb.stargate.internal
         backup:
-          ansible_host: backup.stargate.internal
+        librespeed:
+        plex:
+    dockerwebhosts:
+      hosts:
+        matrix:
+        drone:
+        guacamole:
+        bitwarden:
+        nexus:
+        nextcloud:
+        monitoring:
+        ytmirror:
+        librespeed:
+        plex:
+        cloudlog:
+    nightlydocker:
+      hosts:
+        matrix:
+        guacamole:
+        bitwarden:
+        nexus:
+        nextcloud:
+        monitoring:
+        ytmirror:
+        librespeed:
+        plex:
+        cloudlog:
+    gameservers:
+      hosts:
 ...

neko.yaml

@@ -1,10 +0,0 @@
----
-- name: "Setup neko"
-  hosts: neko
-  roles:
-    - common
-    - docker
-    - neko
-    - customfirewall
-    - internalsmtp
-...

nightly.yaml

@@ -0,0 +1,22 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: nightlydocker
+  roles:
+    - common
+    - webserver
+    - internalsmtp
+
+- name: "Deploy smtpgateway to smtp.intra.tormakris.dev"
+  hosts: smtp
+  roles:
+    - common
+    - smtpgateway
+
+- name: "Deploy backup server"
+  hosts: backup
+  roles:
+    - common
+    - internalsmtp
+    - backupscript
+    - backuphost
+...

realmd.yaml

@@ -0,0 +1,6 @@
+---
+- name: "Deploy basic webhost with Docker"
+  hosts: all
+  roles:
+    - realmd
+...

roles/backuphost/tasks/main.yaml

@@ -1,44 +1,11 @@
+# TODO: Make backup user part of AD
 ---
 - name: "Add backup user"
-  ansible.builtin.user:
+  user:
     name: backup
     comment: Backup user
     shell: /bin/bash
 
-- name: "Dsiable service user"
-  ansible.builtin.user:
-    name: service-user
-    state: present
-    password_lock: true
-    shell: "/sbin/nologin"
-
-- name: Undefine AllowUsers
-  lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible service-user"
-
-- name: Check if AllowUsers is defined
-  lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "^AllowUsers"
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible backup"
-  when: checkallowusers.found == 0
-
-- name: "Restart sshd"
-  service:
-    name: sshd
-    state: restarted
-
 - name: Create .ssh directory of backup user
   file:
     path: /home/backup/.ssh

roles/backupscript/defaults/main.yaml

@@ -1,6 +1,6 @@
 ---
 backup:
-  host: backup.stargate.internal
+  host: backup.intra.tormakris.dev
   internal: true
   prearecommand: ""
   basedir: /mnt/backupstore

roles/backupscript/files/backup-script.service

@@ -1,9 +0,0 @@
-[Unit]
-Description=Backup application data
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/bash /opt/backupscript.sh
-
-[Install]
-WantedBy=backup.target

roles/backupscript/files/backup.target

@@ -1,5 +0,0 @@
-[Unit]
-Description=Script based backup for VMs
-
-[Install]
-WantedBy=default.target

roles/backupscript/files/backup.timer

@@ -1,10 +0,0 @@
-[Unit]
-Description=Backup VMs
-
-[Timer]
-OnBootSec=10min
-OnCalendar=Sun *-*-* 00:00:00
-Unit=backup.target
-
-[Install]
-WantedBy=multi-user.target

roles/backupscript/files/ssh_config

@@ -1,4 +1,4 @@
-Host backup backup.stargate.internal
-        HostName backup.stargate.internal
+Host backup backup.intra.tormakris.dev
+        HostName backup.intra.tormakris.dev
         User backup
         IdentityFile ~/.ssh/id_rsa

roles/backupscript/tasks/main.yaml

@@ -1,55 +1,12 @@
 ---
 - name: "Generate backupscript"
-  ansible.builtin.template:
+  template:
     src: backupscript.sh
-    dest: /opt/backupscript.sh
+    dest: /etc/cron.weekly/backupscript
     owner: root
     group: root
     mode: '0700'
 
-- name: Copy backup-script.service to target
-  copy:
-    src: backup-script.service
-    dest: /usr/lib/systemd/system/backup-script.service
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Copy backup.target to target
-  copy:
-    src: backup.target
-    dest: /usr/lib/systemd/system/backup.target
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Copy backup.timer to target
-  copy:
-    src: backup.timer
-    dest: /usr/lib/systemd/system/backup.timer
-    mode: 0644
-    owner: root
-    group: root
-
-- name: Enable backup-script.service and reload systemd daemon
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    daemon_reload: yes
-    name: backup-script.service
-
-- name: Enable backup.target
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: backup.target
-
-- name: Enable backup.timer
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: backup.timer
-
 - name: Create .ssh directory of root user
   file:
     path: /root/.ssh

roles/common/defaults/main.yaml

@@ -1,8 +1,8 @@
 ---
 # defaults file for timedatectl
-timedatectl_timeservers: ['noc-a.sch.bme.hu', 'noc-b.sch.bme.hu']
+timedatectl_timeservers: ['time.intra.tormakris.dev']
 
-timedatectl_timeservers_fallback: ['time.bme.hu']
+timedatectl_timeservers_fallback: ['time.kfki.hu']
 
 timedatectl_timezone: 'Europe/Budapest'
 ...

roles/common/files/authorized_keys

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFkYMmPYQ8hs6D5tuTt+sEofoMd2GTXyS97mh8maXmets3eS8iMm2W4Pppaqj9lMIsYdDX0BZvbmuQa+iNKchj6HJPtvdx2Rhus1UGn74iy/NtgogWFHL9YEYILzc5lBqotV5o3z/wRMfSwqnVwYBZ7OI+LJenwf76bIUm6lVqyh2Qh9/wWOyGpUVitDpUVi/h2J3xZf8Z2r1vHFdMHJygrrKn3C4vsZobHJ48iq8QWj1vwfMavq6dgJtiS4/WUTvHuzjfHdyyO7akBM66Ul41UlGG5iqkIKTIzLECXPPWWe/vCIcumkeMxtoY0pxpsgKu1kgqhNs8Q+hgF/H+lIlXtzsZ5gKUwhS7sUNejNywaMjcOUVvnRVXh3FaH9t8HK7mGouaN7q+ghNbMKLlxueP5mpgzK+APaRcNjA/4JyXN750l22xM6YQkxqOeuK5FS/TVmn2H6otaxGrfGz1sfYyynvWSMqpNStuCjCYfEHBLqPKX5tpG8z/gGNa/51CQvM= tormakris@woolsey.tormakris.dev

roles/common/tasks/apt.yaml

@@ -1,4 +1,11 @@
 ---
+- name: "Use custom Ubuntu mirror"
+  replace:
+    path: /etc/apt/sources.list
+    regexp: 'http://hu.archive.ubuntu.com'
+    replace: 'https://mirrors.sth.sze.hu'
+    backup: yes
+
 - name: "Remove Ubuntu bloatware"
   apt: 
     state: absent
@@ -35,4 +42,6 @@
      - tcpdump
      - xxd
      - git
+     - ncdu
+     - cron
 ...

roles/common/tasks/clean-motd.yaml

@@ -2,8 +2,8 @@
 - name: clean motd
   file:
     state: touch
-    owner: tormakris
-    group: tormakris
+    owner: tormakris@intra.tormakris.dev
+    group: domain users@intra.tormakris.dev
     mode: "0644"
-    path: /home/tormakris/.hushlogin
+    path: /home/tormakris@intra.tormakris.dev/.hushlogin
 ...

roles/common/tasks/main.yaml

@@ -7,4 +7,5 @@
 - include_tasks: user-ops.yaml
 - include_tasks: ssh-security-settings.yaml
 - include_tasks: timesync.yaml
+- include_tasks: node-exporter.yaml
 ...

roles/common/tasks/node-exporter.yaml

@@ -0,0 +1,21 @@
+---
+- name: "Install node exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-node-exporter
+
+- name: Allow node-exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: 9100
+    proto: tcp
+    src: 192.168.69.0/24
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-node-exporter
+    state: restarted
+    enabled: yes
+...

roles/common/tasks/ssh-security-settings.yaml

@@ -1,10 +1,4 @@
 ---
-- name: Disable password authentication
-  replace:
-    path: /etc/ssh/sshd_config
-    regexp: 'PasswordAuthentication yes'
-    replace: 'PasswordAuthentication no'
-
 - name: Disable root authentication
   replace:
     path: /etc/ssh/sshd_config
@@ -23,22 +17,6 @@
     regexp: '#AddressFamily any'
     replace: 'AddressFamily inet'
 
-- name: Check if AllowUsers is defined
-  lineinfile:
-    state: absent
-    path: /etc/ssh/sshd_config
-    regexp: "^AllowUsers"
-  check_mode: true
-  changed_when: false
-  register: checkallowusers
-
-- name: Define AllowUsers if undefined
-  lineinfile:
-    state: present
-    path: /etc/ssh/sshd_config
-    line: "AllowUsers tormakris ansible service-user"
-  when: checkallowusers.found == 0
-
 - name: "Restart sshd"
   service:
     name: sshd

roles/common/tasks/timesync.yaml

@@ -12,7 +12,7 @@
 
 - name: Reastart timesyncd to apply changes
   when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
+  systemd:
     state: restarted
     daemon_reload: yes
     name: systemd-timesyncd

roles/common/tasks/ufw.yaml

@@ -18,4 +18,6 @@
   community.general.ufw:
     rule: allow
     port: ssh
+    src: "{{ item }}"
+  with_items: "{{ allowedranges }}"
 ...

roles/common/tasks/user-ops.yaml

@@ -1,13 +1,38 @@
 ---
-- name: "Add service user"
-  ansible.builtin.user:
-    name: service-user
-    comment: Service user
-    shell: /bin/bash
+- name: Create .ssh directory of ansible user
+  file:
+    path: /home/ansible@intra.tormakris.dev/.ssh
+    state: directory
+    owner: ansible@intra.tormakris.dev
+    group: domain users@intra.tormakris.dev
+
+- name: Copy authorized_keys
+  copy:
+    src: authorized_keys
+    dest: /home/ansible@intra.tormakris.dev/.ssh/authorized_keys
+    mode: 0600
+    owner: ansible@intra.tormakris.dev
+    group: domain users@intra.tormakris.dev
+
+- name: Check if group is present in sudoers
+  lineinfile:
+    state: absent
+    path: /etc/sudoers
+    regexp: "^%linuxadmins"
+  check_mode: true
+  changed_when: false
+  register: checksudoers
+
+- name: Define group in sudoers
+  lineinfile:
+    state: present
+    path: /etc/sudoers
+    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
+  when: checksudoers.found == 0
 
 - name: "Update authorized_keys of tormakris"
   ansible.posix.authorized_key:
-    user: tormakris
+    user: tormakris@intra.tormakris.dev
     state: present
     key: https://static.tormakristof.eu/ssh.keys
 ...

roles/common/templates/jfrog.conf.template

@@ -0,0 +1,3 @@
+machine tormakris.jfrog.io
+login apt
+password {{ artifactory_password }}

roles/docker/files/daemon.json

@@ -1,3 +1,7 @@
 {
-    "userland-proxy": false
+    "userland-proxy": false,
+    "dns": [
+      "192.168.69.3",
+      "192.168.69.18"
+    ]
 }

roles/docker/tasks/main.yaml

@@ -22,9 +22,15 @@
     enabled: yes
 
 - name: "Add service user to docker group"
-  ansible.builtin.user:
-    name: service-user
-    comment: Service user
+  user:
+    name: service-user@intra.tormakris.dev
     groups: docker
     append: yes
+
+- name: Allow docker exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "4194"
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/internalsmtp/defaults/main.yaml

@@ -1,5 +1,5 @@
 ---
-postfix_relayhost: 'smtp.stargate.internal'
+postfix_relayhost: 'smtp.intra.tormakris.dev'
 
 external_domain: 'tormakris.dev'
 ...

roles/internalsmtp/files/prometheus-postfix-exporter

@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/log/mail.log
+
+# Extra arguments for the daemon.
+ARGS=''
+
+# Prometheus-postfix-exporter supports the following options:
+#  --postfix.showq_path string
+#        Path at which Postfix places its showq socket.
+#        (default "/var/spool/postfix/public/showq")
+#  --web.listen-address string
+#        Address to listen on for web interface and telemetry. (default ":9154")
+#  --web.telemetry-path string
+#        Path under which to expose metrics. (default "/metrics")

roles/internalsmtp/tasks/main.yaml

@@ -16,4 +16,38 @@
     name: postfix
     state: restarted
     enabled: yes
+
+- name: "Install postfix exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-postfix-exporter
+
+- name: Copy postfix exporter config
+  copy:
+    src: prometheus-postfix-exporter
+    dest: /etc/default/prometheus-postfix-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add the prometheus user to postdrop group
+  user:
+    name: prometheus
+    groups: postdrop
+    append: yes
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-postfix-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow postfix exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "9154"
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/neko/tasks/main.yaml

@@ -1,29 +0,0 @@
----
-- name: "Install haproxy via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - haproxy
-
-- name: Enable haproxy
-  service:
-    name: haproxy
-    state: started
-    enabled: yes
-
-- name: "Install certbot via apt"
-  apt:
-    update_cache: yes
-    state: present
-    name:
-     - python3-certbot
-
-- name: Reset ufw rules to default
-  community.general.ufw:
-    state: reset
-
-- name: Enable ufw
-  community.general.ufw:
-    state: enabled
-...

roles/netplan/templates/netplan.yaml

@@ -6,9 +6,9 @@ network:
     {{ ansible_default_ipv4.interface }}:
       dhcp4: true
       dhcp-identifier: mac
+{% if netplan.default_gateway is defined and netplan.default_gateway|length > 0 %}
       dhcp4-overrides:
         use-routes: false
-{% if netplan.default_gateway is defined and netplan.default_gateway|length > 0 %}
       gateway4: {{netplan.default_gateway}}
 {% endif %}
 {% if netplan.additionalinterfaces is defined and netplan.additionalinterfaces|length > 0 %}
@@ -29,7 +29,7 @@ network:
       gateway4: {{interface.gateway4}}
 {% endif %}
 {% if interface.gateway6 is defined and interface.gateway6|length > 0  %}
-      gateway4: {{interface.gateway6}}
+      gateway6: '{{interface.gateway6}}'
 {% endif %}
 {% if interface.denydns %}
       nameservers:

roles/openvpn/tasks/main.yaml

@@ -4,7 +4,7 @@
     update_cache: yes
     state: present
     name:
-     - openvpn-server
+     - openvpn
 
 - name : "Enable ipv4 forwarding via sysctl"
   ansible.posix.sysctl:
@@ -14,14 +14,51 @@
     state: present
     reload: yes
 
-- name: Upload openvpn config to server
-  ansible.posix.synchronize:
-    src: openvpn-config
-    dest: /etc/openvpn/server
-
 - name: Enable and restart openvpn daemon
   service:
-    name: openvpn
+    name: openvpn-server@stargate
     state: restarted
     enabled: yes
+
+- name: Check if AllowUsers is defined
+  lineinfile:
+    state: absent
+    path: /etc/ufw/before.rules
+    regexp: "^# START OPENVPN"
+  check_mode: true
+  changed_when: false
+  register: checkufwrules
+
+- name: Insert openvpn iptables rules
+  blockinfile:
+    path: /etc/ufw/before.rules
+    block: |
+      # START OPENVPN RULES
+      # NAT table rules
+      *nat
+      -F
+      :POSTROUTING ACCEPT [0:0]
+      # Allow traffic from OpenVPN client to everywhere
+      -A POSTROUTING -s 192.168.37.0/24 -o eth0 -j MASQUERADE
+      -A POSTROUTING -s 192.168.37.0/24 -o eth2 -j MASQUERADE
+      COMMIT
+      *filter
+      -A ufw-before-input -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i tun+ -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+      -A ufw-before-forward -i eth2 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+      COMMIT
+      # END OPENVPN RULES
+
+- name: Reload ufw
+  community.general.ufw:
+    state: reloaded
+
+- name: Apply custom ufw rules
+  community.general.ufw:
+    rule: allow
+    direction: "in"
+    interface: tun0
 ...

roles/realmd/tasks/main.yaml

@@ -0,0 +1,94 @@
+---
+- name: "Install realmd and dependencies"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - realmd
+     - sssd
+     - sssd-tools
+     - libnss-sss
+     - libpam-sss
+     - adcli
+     - samba-common-bin
+     - oddjob
+     - oddjob-mkhomedir
+     - packagekit
+
+- name: Check if computer is joined to domain
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    line: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkjoined
+
+- name: "Get join password from local environment variable"
+  set_fact:
+    join_passw: "{{ lookup('env', 'JOIN_PASSW') }}"
+  delegate_to: localhost
+  when: checkjoined.found == 0
+
+- name: Join to AD with realmd
+  shell:
+    cmd: echo {{ join_passw }} | realm join -v -U tormakris_admin intra.tormakris.dev
+  when: checkjoined.found == 0
+
+- name: Enable pam homedir create on first logon
+  command:
+    cmd: pam-auth-update --enable mkhomedir
+
+- name: Check if ad_gpo_access_control is disabled
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_gpo_access_control"
+  check_mode: true
+  changed_when: false
+  register: checkadgpoac
+
+- name: Set ad_gpo_access_control to disabled
+  lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_gpo_access_control = disabled"
+  when: checkadgpoac.found == 0
+
+- name: Check if ad_access_filter is set
+  lineinfile:
+    state: absent
+    path: /etc/sssd/sssd.conf
+    regexp: "^ad_access_filter"
+  check_mode: true
+  changed_when: false
+  register: checkadaf
+
+- name: Set ad_gpo_access_control to disabled
+  lineinfile:
+    state: present
+    path: /etc/sssd/sssd.conf
+    line: "ad_access_filter = memberOf=CN=LinuxUsers,OU=Service Groups,DC=intra,DC=tormakris,DC=dev"
+  when: checkadaf.found == 0
+
+- name: "Restart sssd"
+  service:
+    name: sssd
+    state: restarted
+
+- name: Check if group is presend in sudoers
+  lineinfile:
+    state: absent
+    path: /etc/sudoers
+    regexp: "^%linuxadmins"
+  check_mode: true
+  changed_when: false
+  register: checksudoers
+
+- name: Define group in sudoers
+  lineinfile:
+    state: present
+    path: /etc/sudoers
+    line: "%linuxadmins@intra.tormakris.dev ALL=(ALL) NOPASSWD: ALL"
+  when: checksudoers.found == 0
+...

roles/smtpgateway/defaults/main.yaml

@@ -1,4 +1,4 @@
 ---
-postfix_relayhost: 'smtp-relay.gmail.com'
+postfix_relayhost: 'tormakris-dev.mail.protection.outlook.com'
 external_domain: 'tormakris.dev'
 ...

roles/smtpgateway/files/prometheus-postfix-exporter

@@ -0,0 +1,15 @@
+# Private log file from Postfix to read and truncate. Configured in
+# /etc/rsyslog.d/prometheus-postfix-exporter.conf
+POSTFIXLOGFILE=/var/log/mail.log
+
+# Extra arguments for the daemon.
+ARGS=''
+
+# Prometheus-postfix-exporter supports the following options:
+#  --postfix.showq_path string
+#        Path at which Postfix places its showq socket.
+#        (default "/var/spool/postfix/public/showq")
+#  --web.listen-address string
+#        Address to listen on for web interface and telemetry. (default ":9154")
+#  --web.telemetry-path string
+#        Path under which to expose metrics. (default "/metrics")

roles/smtpgateway/tasks/main.yaml

@@ -12,7 +12,8 @@
     dest: /etc/postfix/main.cf
 
 - name: Build /etc/mailname
-  shell: hostname --fqdn > /etc/mailname
+  shell:
+    cmd: "hostname --fqdn > /etc/mailname"
 
 - name: Restart Postfix
   service:
@@ -24,4 +25,39 @@
   community.general.ufw:
     rule: allow
     port: smtp
+    src: 192.168.69.0/24
+
+- name: "Install postfix exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-postfix-exporter
+
+- name: Copy exporter config
+  copy:
+    src: prometheus-postfix-exporter
+    dest: /etc/default/prometheus-postfix-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add the prometheus user to postdrop group
+  user:
+    name: prometheus
+    groups: postdrop
+    append: yes
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-postfix-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow postfix exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: "9154"
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/webgateway/files/certbot-script.service

@@ -1,9 +0,0 @@
-[Unit]
-Description=Renew certificates with certbot
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/bash /opt/certbot.sh
-
-[Install]
-WantedBy=certbot.target

roles/webgateway/files/certbot.target

@@ -1,5 +0,0 @@
-[Unit]
-Description=Script based certificate renewal via certbot
-
-[Install]
-WantedBy=default.target

roles/webgateway/files/certbot.timer

@@ -1,10 +0,0 @@
-[Unit]
-Description=Periodic certificate renewal
-
-[Timer]
-OnBootSec=10min
-OnCalendar=Sun *-*-* 00:00:00
-Unit=certbot.target
-
-[Install]
-WantedBy=multi-user.target

roles/webgateway/files/prometheus-nginx-exporter

@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8080/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+#  -nginx.plus
+#        Start the exporter for NGINX Plus. By default, the exporter is started
+#        for NGINX.
+#  -nginx.scrape-uri string
+#        A URI for scraping NGINX or NGINX Plus metrics.
+#        For NGINX, the stub_status page must be available through the URI.
+#        For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+#  -web.listen-address string
+#        An address to listen on for web interface and telemetry. (default ":9113")
+#  -web.telemetry-path string
+#        A path under which to expose metrics. (default "/metrics"

roles/webgateway/tasks/main.yaml

@@ -19,7 +19,7 @@
     port: https
 
 - name: Copy default nginx config
-  ansible.builtin.copy:
+  copy:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -42,56 +42,21 @@
     cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
   with_items: "{{ static }}"
 
+- name: Generate certificate for all redirect sites
+  command:
+    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
+  with_items: "{{ redirect }}"
+
 - name: "Generate certbot script"
-  ansible.builtin.template:
+  template:
     src: certbot.sh
-    dest: /opt/certbot.sh
+    dest: /etc/cron.weekly/certbot
     owner: root
     group: root
     mode: '0700'
 
-- name: Copy certbot-script.service to target
-  copy:
-    src: certbot-script.service
-    dest: /usr/lib/systemd/system/certbot-script.service
-    mode: 644
-    owner: root
-
-- name: Copy certbot.target to target
-  copy:
-    src: certbot.target
-    dest: /usr/lib/systemd/system/certbot.target
-    mode: 644
-    owner: root
-
-- name: Copy certbot.timer to target
-  copy:
-    src: certbot.timer
-    dest: /usr/lib/systemd/system/certbot.timer
-    mode: 644
-    owner: root
-
-- name: Enable certbot-script.service and reload systemd daemon
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    daemon_reload: yes
-    name: certbot-script.service
-
-- name: Enable certbot.target
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: certbot.target
-
-- name: Enable certbot.timer
-  when: ansible_service_mgr == "systemd"
-  ansible.builtin.systemd:
-    enabled: yes
-    name: certbot.timer
-
 - name: "Generate nginx configuration"
-  ansible.builtin.template:
+  template:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -108,20 +73,48 @@
     state: reloaded
 
 - name: "Remove any existing static file directories"
-  ansible.builtin.file:
+  file:
     path: "{{ item.directory }}"
     state: absent
   with_items: "{{ static }}"
 
 - name: "Checkout static websites from git"
-  ansible.builtin.git:
+  git:
     repo: "{{ item.repo }}"
     dest: "{{ item.directory }}"
   with_items: "{{ static }}"
 
 - name: "Remove .git directory from static websites"
-  ansible.builtin.file:
+  file:
     path: "{{ item.directory }}/.git"
     state: absent
   with_items: "{{ static }}"
+
+- name: "Install nginx exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-nginx-exporter
+
+- name: Copy nginx exporter config
+  copy:
+    src: prometheus-nginx-exporter
+    dest: /etc/default/prometheus-nginx-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-nginx-exporter
+    state: restarted
+    enabled: yes
+
+- name: Allow nginx exporter via ufw
+  community.general.ufw:
+    rule: allow
+    port: 9113
+    proto: tcp
+    src: 192.168.69.0/24
 ...

roles/webgateway/templates/certbot.sh

@@ -1,8 +1,12 @@
 #!/bin/bash
 # {{ansible_managed}}
+certbot renew --nginx --cert-name tormakristof.eu
 {% for proxysite in proxy %}
 certbot renew --nginx --cert-name {{ proxysite.domain }}
 {% endfor %}
 {% for staticsite in static %}
 certbot renew --nginx --cert-name {{ staticsite.domain }}
 {% endfor %}
+{% for redirectsite in redirect %}
+certbot renew --nginx --cert-name {{ redirectsite.domain }}
+{% endfor %}

roles/webgateway/templates/nginx.conf

@@ -1,4 +1,4 @@
-# {{ansible_managed}}
+# {{ ansible_managed }}
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
@@ -40,11 +40,13 @@ http {
         proxy_redirect  off;
         proxy_set_header    Host    $host;
         proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_set_header    X-MS-Proxy  webgateway.intra.tormakris.dev;
+        proxy_set_header    X-MS-Forwarded-Client-IP    $remote_addr;
         proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header    Upgrade $http_upgrade;
 		proxy_set_header    Connection $http_connection;
         proxy_set_header    X-Forwarded-Proto https;
-        client_max_body_size    10m;
+        proxy_ssl_server_name on;
         client_body_buffer_size 128k;
         proxy_connect_timeout   90;
         proxy_send_timeout 120;
@@ -54,6 +56,7 @@ http {
         proxy_busy_buffers_size    256k;
         proxy_buffering    off;
         proxy_request_buffering off;
+        server_tokens off;
 
         server {
 
@@ -63,22 +66,35 @@ http {
             return 301 https://$host$request_uri;
         }
 
-        {% for proxysite in proxy %}
+        {%- for proxysite in proxy -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
             server_name {{ proxysite.domain }};
+            proxy_ssl_name {{ proxysite.domain }};
             ssl_certificate /etc/letsencrypt/live/{{ proxysite.domain }}/fullchain.pem;
             ssl_certificate_key /etc/letsencrypt/live/{{ proxysite.domain }}/privkey.pem;
+            ssl_stapling on;
+            ssl_stapling_verify on;
+            {%- if proxysite.bigrequests %}
+            client_max_body_size    8G;
+            {%- endif %}
             location /{
                 proxy_pass  https://{{ proxysite.ip }};
+                {%- if proxysite.ignorecert %}
                 proxy_ssl_verify    off;
+                {%- endif %}
+            }
+            location /metrics{
+                proxy_pass  https://{{ proxysite.ip }};
+                allow 192.168.69.0/24;
+                deny all;
             }
         }
 
-        {% endfor %}
+        {%- endfor -%}
 
-        {% for staticsite in static %}
+        {%- for staticsite in static -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
@@ -91,5 +107,46 @@ http {
             }
         }
 
-        {% endfor %}
+        {%- endfor -%}
+
+        {%- for redirectsite in redirect -%}
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name {{ redirectsite.domain }};
+            ssl_certificate /etc/letsencrypt/live/{{ redirectsite.domain }}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{ redirectsite.domain }}/privkey.pem;
+            return 301 {{ redirectsite.destination }};
+        }
+
+        {%- endfor -%}
+
+        server {
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            server_name tormakristof.eu;
+            ssl_certificate /etc/letsencrypt/live/tormakristof.eu/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/tormakristof.eu/privkey.pem;
+            root /var/www/tormakristof.eu;
+            location /{
+                return 301 https://www.tormakristof.eu;
+            }
+            location /.well-known{
+                try_files $uri $uri/ =404;
+            }
+
+            location /.well-known/webfinger {
+                 return 301 https://mastodon.tormakristof.eu$request_uri;
+            }
+        }
+
+        server {
+            listen 8080;
+            
+            location /stub_status {
+                stub_status;
+ 	            allow 127.0.0.1;
+ 	            deny all;		
+            }
+        }
 }

roles/webgateway/vars/main.yaml

@@ -1,17 +1,26 @@
 proxy:
-  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.stargate.internal}
-  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.stargate.internal}
-  - {domain: drone.kmlabz.com, ip: drone.stargate.internal}
-  - {domain: git.kmlabz.com, ip: git.stargate.internal}
-  - {domain: guacamole.kmlabz.com, ip: guacamole.stargate.internal}
-  - {domain: keycloak.kmlabz.com, ip: keycloak.stargate.internal}
-  - {domain: nexus.kmlabz.com, ip: nexus.stargate.internal}
-  - {domain: registry.kmlabz.com, ip: nexus.stargate.internal}
-  - {domain: swagger.kmlabz.com, ip: swagger.stargate.internal}
+  - {domain: bitwarden.tormakristof.eu, ip: bitwarden.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: nextcloud.tormakristof.eu, ip: nextcloud.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: drone.kmlabz.com, ip: drone.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: git.kmlabz.com, ip: git.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: guacamole.tormakristof.eu, ip: guacamole.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: matrix.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: chat.tormakristof.eu, ip: matrix.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: nexus.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: registry.kmlabz.com, ip: nexus.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false, ignorecert: true}
+  - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false, ignorecert: true}
+  - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: plex.tormakristof.eu, ip: plex.intra.tormakris.dev, bigrequests: true, ignorecert: false}
+  - {domain: neko.tormakristof.eu, ip: vzelenka.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: cloudlog.tormakristof.eu, ip: cloudlog.intra.tormakris.dev, bigrequests: false, ignorecert: false}
+  - {domain: dns.tormakristof.eu, ip: unbound.intra.tormakris.dev, bigrequests: true, ignorecert: false}
 
 static:
-  - {domain: tormakristof.eu, directory: /var/www/tormakristof.eu, repo: "https://git.kmlabz.com/kmlabz/homepage.git"}
-  - {domain: tormakris.dev, directory: /var/www/tormakristof.eu, repo: "https://git.kmlabz.com/kmlabz/homepage.git"}
-  - {domain: torma.xyz, directory: /var/www/tormakristof.eu, repo: "https://git.kmlabz.com/kmlabz/homepage.git"}
-  - {domain: kmlabz.com, directory: /var/www/kmlabz.com, repo: "https://git.kmlabz.com/kmlabz/homepage.git"}
+  []
+
+redirect:
+  []
 ...

roles/webserver/defaults/main.yaml

@@ -1,4 +1,6 @@
 webserver:
   - domain: "_"
     port: 8080
+    bigrequests: false
+    https: false
 ...

roles/webserver/files/nginx.conf

@@ -58,6 +58,15 @@ http {
         # Virtual Host Configs
         ##
 
-        include /etc/nginx/conf.d/*.conf;
-        include /etc/nginx/sites-enabled/*;
-}
+        server {
+            root /var/www/html;
+            server_name _;
+            listen 443 ssl http2;
+            listen [::]:443 ssl http2;
+            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+            location /{
+                try_files $uri $uri/ =404;
+            }
+        }
+}

roles/webserver/files/prometheus-nginx-exporter

@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+#  -nginx.plus
+#        Start the exporter for NGINX Plus. By default, the exporter is started
+#        for NGINX.
+#  -nginx.scrape-uri string
+#        A URI for scraping NGINX or NGINX Plus metrics.
+#        For NGINX, the stub_status page must be available through the URI.
+#        For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+#  -web.listen-address string
+#        An address to listen on for web interface and telemetry. (default ":9113")
+#  -web.telemetry-path string
+#        A path under which to expose metrics. (default "/metrics"

roles/webserver/tasks/main.yaml

@@ -1,13 +1,22 @@
 ---
+- name: Allow https port via ufw
+  community.general.ufw:
+    rule: allow
+    port: https
+    src: "{{ item }}"
+  with_items: "{{ allowedranges }}"
+
 - name: "Install Nginx via apt"
   apt:
     update_cache: yes
     state: present
     name:
      - nginx
+     - python3-certbot
+     - python3-certbot-dns-cloudflare
 
 - name: Copy default nginx config
-  ansible.builtin.copy:
+  copy:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -20,8 +29,34 @@
     state: restarted
     enabled: yes
 
+- name: "Get Cloudflare token from local environment variable"
+  set_fact:
+    cloudflare_token: "{{ lookup('env', 'CLOUDFLARE_TOKEN') }}"
+  delegate_to: localhost
+
+- name: "Render Cloudflare Certbot plugin configuration"
+  template:
+    src: cf-creds.ini
+    dest: /root/cf-creds.ini
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Generate certificate for all server instances
+  shell:
+    cmd: certbot certonly --non-interactive --agree-tos -m iam@tormakristof.eu --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini -d {{item.domain}}
+  with_items: "{{ webserver }}"
+
+- name: "Generate certbot script"
+  template:
+    src: certbot.sh
+    dest: /etc/cron.weekly/certbot
+    owner: root
+    group: root
+    mode: '0700'
+
 - name: "Generate nginx configuration"
-  ansible.builtin.template:
+  template:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: root
@@ -33,8 +68,31 @@
     name: nginx
     state: reloaded
 
-- name: Allow https port via ufw
+- name: "Install nginx exporter"
+  apt:
+    update_cache: yes
+    state: present
+    name:
+     - prometheus-nginx-exporter
+
+- name: Allow nginx exporter via ufw
   community.general.ufw:
     rule: allow
-    port: https
+    port: 9113
+    proto: tcp
+    src: 192.168.69.0/24
+
+- name: Copy nginx exporter config
+  copy:
+    src: prometheus-nginx-exporter
+    dest: /etc/default/prometheus-nginx-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Enable and restart exporter daemon
+  service:
+    name: prometheus-nginx-exporter
+    state: restarted
+    enabled: yes
 ...

roles/webserver/templates/certbot.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for server in webserver %}
+certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini 10 --cert-name {{ server.domain }}
+{% endfor %}

roles/webserver/templates/cf-creds.ini

@@ -0,0 +1,4 @@
+# Cloudflare API token used by Certbot
+# {{ ansible_managed }}
+dns_cloudflare_email = tormakristof@outlook.com
+dns_cloudflare_api_key = {{ cloudflare_token }}

roles/webserver/templates/nginx.conf

@@ -40,10 +40,12 @@ http {
         proxy_redirect  off;
         proxy_set_header    Host    $host;
         proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_set_header    X-MS-Proxy  webgateway.intra.tormakris.dev;
+        proxy_set_header    X-MS-Forwarded-Client-IP    $remote_addr;
         proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
-	    proxy_set_header    Upgrade $http_upgrade;
-	    proxy_set_header    Connection $http_connection;
-        client_max_body_size    10m;
+        proxy_set_header    Upgrade $http_upgrade;
+        proxy_set_header    Connection $http_connection;
+        proxy_set_header    X-Forwarded-Proto https;
         client_body_buffer_size 128k;
         proxy_connect_timeout   90;
         proxy_send_timeout 120;
@@ -53,6 +55,7 @@ http {
         proxy_busy_buffers_size    256k;
         proxy_buffering    off;
         proxy_request_buffering off;
+        server_tokens off;
 
         server {
 
@@ -67,12 +70,49 @@ http {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
             server_name {{ server.domain }};
-            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+            ssl_certificate /etc/letsencrypt/live/{{ server.domain }}/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/{{ server.domain }}/privkey.pem;
+            {% if server.bigrequests %}
+            client_max_body_size    8G;
+            {% endif %}
             location /{
+                {% if server.https %}
+                proxy_pass  https://127.0.0.1:{{ server.port }};
+                {% else %}
                 proxy_pass  http://127.0.0.1:{{ server.port }};
+                {% endif %}
             }
+            location /metrics{
+                {%- if server.https %}
+                proxy_pass  https://127.0.0.1:{{ server.port }};
+                {% else %}
+                proxy_pass  http://127.0.0.1:{{ server.port }};
+                {% endif %}
+ 	            allow 192.168.69.0/24;
+ 	            deny all;
+            }
+            {% if server.additionallocations is defined %}
+            {% for location in server.additionallocations %}
+            location {{location.location}}{
+                {% if location.https %}
+                proxy_pass  https://127.0.0.1:{{ location.port }};
+                {% else %}
+                proxy_pass  http://127.0.0.1:{{ location.port }};
+                {% endif %}
+            }
+            {% endfor %}
+            {% endif %}
         }
 
-        {% endfor %}
+        {%- endfor -%}
+
+        server {
+            listen 8888;
+            
+            location /stub_status {
+                stub_status;
+ 	            allow 127.0.0.1;
+ 	            deny all;		
+            }
+        }
 }

run.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 ansible-galaxy collection install -r requirements.yaml
-ansible-playbook --ask-become-pass --ask-pass -i inventory.yaml $1
-#ansible-playbook --ask-become-pass -i inventory.yaml $1
+#ansible-playbook --ask-become-pass --ask-pass -i inventory.yaml $1
+ANSIBLE_CONFIG="$SCRIPT_DIR/ansible.cfg" ansible-playbook -i inventory.yaml $1

smtp.yaml

@@ -1,8 +0,0 @@
----
-- name: "Deploy smtpgateway to smtp.stargate.internal"
-  hosts: smtp
-  roles:
-    - netplan
-    - common
-    - smtpgateway
-...