docs: agregar guía completa de testing para Ansible

Agrega TESTING.md con documentación exhaustiva sobre:
- Molecule (framework oficial de testing)
- Ansible Lint (análisis estático)
- Testinfra (testing de infraestructura con Python)
- YAML Lint (validación de sintaxis)
- Estrategias de CI/CD con GitHub Actions y GitLab CI
- Comandos útiles y mejores prácticas
- Estrategia de testing por fases para Abyaya.la

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

README-root-domain.md

@@ -1,99 +0,0 @@
-# Plan: Añadir Soporte para Dominio Principal www.abyaya.la
-
-## Objetivo
-Habilitar que el dominio raíz `abyaya.la` y `www.abyaya.la` apunten al servidor `sutty.comun`, mientras se mantienen funcionando todos los subdominios existentes (ej: `sutty.abyaya.la`, `marmite.abyaya.la`).
-
-## Estrategia de Desarrollo
-
-### Rama Tópica
-Los cambios se implementarán en esta rama tópica:
-- **Nombre de rama**: `root-domain`
-- **Bifurcada desde**: `master`
-
-## Contexto Técnico
-
-### Arquitectura Actual
-- **Certificados**: Cada servicio en `abyayala.yml` con `domains` + `nodo` genera un certificado con certbot: `-d DOMAIN -d *.DOMAIN`
-- **Patron actual**: Todos los dominios siguen el patrón `subdomain.abyaya.la` (ej: `sutty.abyaya.la`)
-
-### Decisión de Diseño
-Crear un **servicio separado** para el dominio raíz con un nuevo flag `root: yes` que indica a certbot que NO solicite el certificado wildcard. Esto mantiene limpia la separación de responsabilidades:
-- Servicio `sutty`: maneja `sutty.abyaya.la` y `*.sutty.abyaya.la`
-- Servicio `abyaya_root`: maneja únicamente `abyaya.la` y `www.abyaya.la` (sin wildcard)
-
-## Cambios Implementados
-
-### 1. `roles/certbot/tasks/certbot.yml`
-- Lee el flag `root` del servicio y lo mapea a variable `is_root_domain`
-- Dividido el bloque de certificados en dos tareas condicionales:
-  - Modo estándar (con wildcard): para subdominios (`when: not is_root_domain`)
-  - Modo sin wildcard: para dominios raíz (`when: is_root_domain`)
-
-### 2. `roles/proxy/templates/vhost.conf`
-- Agregado condicional para manejar flag `root`
-- Cuando `root: yes`: genera `server_name` sin punto prefijo (exacto)
-- Cuando `root: no` (default): genera `server_name .domain` (con wildcard)
-
-### 3. `abyayala.yml`
-- Agregado servicio `abyaya_root` con:
-  - Dominios: `abyaya.la` y `www.abyaya.la`
-  - Enrutamiento a: `sutty.comun`
-  - Flag: `root: yes`
-  - HTTPS forzado y compresión habilitada
-
-## Comandos de Despliegue
-
-### Despliegue completo
-```bash
-ansible-playbook deploy.yml -e "alt=abyayala host=hetzner"
-```
-
-### Despliegue solo del servicio nuevo (para testing)
-```bash
-ansible-playbook deploy.yml -e "alt=abyayala host=hetzner service=abyaya_root"
-```
-
-## Verificación Post-Despliegue
-
-### 1. Verificar certificado
-```bash
-ssh root@hetzner
-ls -la /var/lib/docker/volumes/abyayala_certs_data/_data/live/abyaya.la/
-docker run --rm -v abyayala_certs_data:/etc/letsencrypt certbot/certbot certificates | grep abyaya.la
-```
-
-Debe contener: `abyaya.la`, `www.abyaya.la` (SIN `*.abyaya.la`)
-
-### 2. Verificar nginx
-```bash
-cat /opt/abyayala/proxy/vhosts/abyaya.la.conf
-docker exec abyayala_proxy nginx -t
-```
-
-### 3. Verificar enrutamiento
-```bash
-curl -I http://abyaya.la        # Debe redirigir a HTTPS
-curl -I https://abyaya.la       # Debe devolver 200 OK
-curl -I https://www.abyaya.la   # Debe devolver 200 OK
-```
-
-### 4. Verificar subdominios siguen funcionando
-```bash
-curl -I https://sutty.abyaya.la
-curl -I https://marmite.abyaya.la
-```
-
-## Requisitos DNS
-
-Antes del despliegue, configurar:
-```
-abyaya.la       A     <IP-del-proxy>
-www.abyaya.la   A     <IP-del-proxy>
-```
-
-## Extensibilidad Futura
-
-Este patrón `root: yes` puede reutilizarse para otros dominios raíz:
-1. Agregar entrada en `abyayala.yml` con `root: yes`
-2. Desplegar con ansible-playbook
-3. Configurar DNS

TESTING.md

@@ -0,0 +1,401 @@
+# Testing en Abyaya.la
+
+Esta guía documenta las estrategias y herramientas de testing para infraestructura como código (IaC) basada en Ansible.
+
+## Índice
+
+1. [Testing de Ansible](#testing-de-ansible)
+2. [Validación y Sintaxis](#validación-y-sintaxis)
+3. [Testing de Infraestructura](#testing-de-infraestructura)
+4. [CI/CD para Ansible](#cicd-para-ansible)
+5. [Recursos Adicionales](#recursos-adicionales)
+
+---
+
+## Testing de Ansible
+
+### Molecule (Framework oficial - RECOMENDADO)
+
+Molecule es el framework oficial para testing de roles de Ansible. Permite ejecutar tests unitarios, de integración y verificar idempotencia.
+
+**Documentación Oficial:**
+- Documentación principal: https://ansible.readthedocs.io/projects/molecule/
+- Getting Started: https://ansible.readthedocs.io/projects/molecule/getting-started/
+- Guía de escenarios: https://ansible.readthedocs.io/projects/molecule/configuration/
+
+**Características:**
+- Tests unitarios de roles individuales
+- Tests de integración
+- Tests de idempotencia (verificar que ejecutar dos veces da el mismo resultado)
+- Soporte para Docker/Podman para simular entornos
+
+**Instalación:**
+```bash
+pip install molecule molecule-docker
+```
+
+**Uso básico:**
+```bash
+cd roles/rap
+molecule init scenario
+molecule test
+```
+
+---
+
+### Ansible Lint
+
+Herramienta de análisis estático que verifica mejores prácticas y patrones comunes en playbooks y roles de Ansible.
+
+**Documentación:**
+- Documentación principal: https://ansible-lint.readthedocs.io/
+- Catálogo de reglas: https://ansible-lint.readthedocs.io/rules/
+
+**Instalación:**
+```bash
+pip install ansible-lint
+```
+
+**Uso:**
+```bash
+# Verificar un playbook específico
+ansible-lint deploy.yml
+
+# Verificar todos los archivos del proyecto
+ansible-lint
+
+# Verificar un rol específico
+ansible-lint roles/proxy/
+```
+
+---
+
+### Testinfra
+
+Framework de testing de infraestructura escrito en Python. Permite verificar el estado real de los servidores después del despliegue.
+
+**Documentación:**
+- Documentación principal: https://testinfra.readthedocs.io/
+- Ejemplos: https://testinfra.readthedocs.io/en/latest/examples.html
+
+**Instalación:**
+```bash
+pip install testinfra
+```
+
+**Ejemplo de test:**
+```python
+# tests/test_vpn.py
+def test_tinc_is_running(host):
+    """Verificar que el servicio Tinc está corriendo"""
+    tinc = host.service("tinc@comun")
+    assert tinc.is_running
+    assert tinc.is_enabled
+
+def test_vpn_interface_exists(host):
+    """Verificar que la interfaz VPN existe"""
+    assert host.interface("comun").exists
+
+def test_vpn_ip_assigned(host):
+    """Verificar que la IP VPN está asignada"""
+    comun = host.interface("comun")
+    assert comun.addresses[0].startswith("10.13.12.")
+
+def test_nginx_is_running(host):
+    """Verificar que Nginx está corriendo"""
+    nginx = host.service("nginx")
+    assert nginx.is_running
+
+def test_port_443_listening(host):
+    """Verificar que el puerto 443 está escuchando"""
+    assert host.socket("tcp://0.0.0.0:443").is_listening
+```
+
+**Ejecución:**
+```bash
+# Ejecutar tests contra un host
+testinfra --hosts=ssh://root@hetzner tests/test_vpn.py
+
+# Ejecutar con Ansible inventory
+testinfra --ansible-inventory=hosts.production tests/
+```
+
+---
+
+## Validación y Sintaxis
+
+### YAML Lint
+
+Validador de sintaxis YAML con verificación de estilos y buenas prácticas.
+
+**Documentación:**
+- Repositorio: https://github.com/adrienverge/yamllint
+- Configuración: https://yamllint.readthedocs.io/en/stable/configuration.html
+
+**Instalación:**
+```bash
+pip install yamllint
+```
+
+**Uso:**
+```bash
+# Validar archivos específicos
+yamllint deploy.yml abyayala.yml
+
+# Validar todos los YAML del proyecto
+yamllint *.yml roles/*/tasks/*.yml roles/*/templates/*.yml
+```
+
+**Configuración (.yamllint):**
+```yaml
+extends: default
+
+rules:
+  line-length:
+    max: 120
+  indentation:
+    spaces: 2
+```
+
+---
+
+### Ansible Syntax Check (Built-in)
+
+Verificación de sintaxis integrada en Ansible.
+
+**Documentación:**
+- Testing strategies: https://docs.ansible.com/ansible/latest/reference_appendices/test_strategies.html
+- Syntax check: https://docs.ansible.com/ansible/latest/cli/ansible-playbook.html#cmdoption-ansible-playbook-syntax-check
+
+**Uso:**
+```bash
+# Verificar sintaxis de un playbook
+ansible-playbook deploy.yml --syntax-check
+
+# Dry-run (simular sin ejecutar)
+ansible-playbook deploy.yml --check
+
+# Dry-run con diff de cambios
+ansible-playbook deploy.yml --check --diff
+```
+
+---
+
+## Testing de Infraestructura
+
+### InSpec (Chef)
+
+Framework de testing de infraestructura enterprise. Alternativa más robusta a Testinfra.
+
+**Documentación:**
+- Documentación principal: https://docs.chef.io/inspec/
+
+**Características:**
+- Lenguaje DSL específico para infraestructura
+- Compliance as Code
+- Perfiles de seguridad predefinidos
+
+---
+
+## CI/CD para Ansible
+
+### GitHub Actions
+
+**Documentación:**
+- GitHub Actions para Ansible: https://github.com/marketplace/actions/run-ansible-playbook
+
+**Ejemplo de workflow:**
+```yaml
+# .github/workflows/test.yml
+name: Test Ansible Playbooks
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          pip install ansible ansible-lint yamllint molecule molecule-docker
+
+      - name: Run YAML Lint
+        run: yamllint .
+
+      - name: Run Ansible Lint
+        run: ansible-lint
+
+      - name: Syntax check
+        run: ansible-playbook deploy.yml --syntax-check
+
+      - name: Run Molecule tests
+        run: |
+          cd roles/rap
+          molecule test
+```
+
+---
+
+### GitLab CI
+
+**Documentación:**
+- GitLab CI para Ansible: https://docs.gitlab.com/ee/ci/examples/ansible/
+
+**Ejemplo de pipeline:**
+```yaml
+# .gitlab-ci.yml
+stages:
+  - lint
+  - test
+
+lint:yaml:
+  stage: lint
+  image: python:3.9
+  script:
+    - pip install yamllint
+    - yamllint .
+
+lint:ansible:
+  stage: lint
+  image: python:3.9
+  script:
+    - pip install ansible-lint
+    - ansible-lint
+
+test:syntax:
+  stage: test
+  image: python:3.9
+  script:
+    - pip install ansible
+    - ansible-playbook deploy.yml --syntax-check
+
+test:molecule:
+  stage: test
+  image: python:3.9
+  services:
+    - docker:dind
+  script:
+    - pip install molecule molecule-docker
+    - cd roles/rap && molecule test
+```
+
+---
+
+## Recursos Adicionales
+
+### Guías y Tutoriales
+
+- **Testing Ansible Roles with Molecule**: https://www.digitalocean.com/community/tutorials/how-to-test-ansible-roles-with-molecule-on-ubuntu-20-04
+- **Developing and Testing Ansible Roles with Molecule and Podman** (Serie de artículos): https://www.ansible.com/blog/developing-and-testing-ansible-roles-with-molecule-and-podman-part-1
+
+### Best Practices
+
+- **Ansible Best Practices**: https://docs.ansible.com/ansible/latest/tips_tricks/ansible_tips_tricks.html
+- **Ansible Style Guide**: https://docs.ansible.com/ansible/latest/dev_guide/style_guide/
+
+### Libros
+
+- **Ansible for DevOps** (Jeff Geerling): https://www.ansiblefordevops.com/
+  - Capítulos relevantes sobre testing y CI/CD
+
+---
+
+## Estrategia de Testing Recomendada para Abyaya.la
+
+### Fase 1: Inmediato (Quick Wins)
+
+1. **Validación de sintaxis**
+   ```bash
+   ansible-playbook deploy.yml --syntax-check
+   ```
+
+2. **YAML Lint**
+   ```bash
+   pip install yamllint
+   yamllint .
+   ```
+
+3. **Ansible Lint**
+   ```bash
+   pip install ansible-lint
+   ansible-lint
+   ```
+
+### Fase 2: Corto Plazo (1-2 semanas)
+
+1. **Molecule para roles críticos**
+   - Empezar con `roles/rap` (VPN es crítico)
+   - Continuar con `roles/proxy` (punto de entrada público)
+   - Agregar `roles/certbot` (seguridad SSL)
+
+2. **Pre-commit hooks**
+   ```bash
+   pip install pre-commit
+   # Crear .pre-commit-config.yaml
+   pre-commit install
+   ```
+
+### Fase 3: Largo Plazo (1-2 meses)
+
+1. **Testinfra para verificación post-despliegue**
+   - Tests de conectividad VPN
+   - Tests de disponibilidad de servicios
+   - Tests de configuración de firewall
+   - Tests de certificados SSL
+
+2. **CI/CD Pipeline**
+   - GitHub Actions o GitLab CI
+   - Tests automáticos en cada push
+   - Tests de integración en staging
+
+3. **Tests de integración end-to-end**
+   - Despliegue completo en entorno de prueba
+   - Verificación de flujo completo: VPN → Proxy → Servicio
+
+---
+
+## Comandos Útiles de Testing
+
+```bash
+# Testing rápido de sintaxis
+ansible-playbook deploy.yml --syntax-check
+
+# Dry-run (ver qué cambiaría sin aplicar)
+ansible-playbook deploy.yml --check --diff -e "host=hetzner alt=abyayala"
+
+# Verificar sintaxis YAML
+yamllint *.yml roles/
+
+# Análisis estático con ansible-lint
+ansible-lint deploy.yml
+
+# Test de un rol específico con Molecule
+cd roles/rap && molecule test
+
+# Verificación post-despliegue con Testinfra
+testinfra --hosts=ssh://root@hetzner tests/
+
+# Ver qué tareas se ejecutarían
+ansible-playbook deploy.yml --list-tasks -e "host=hetzner alt=abyayala"
+
+# Ejecutar solo con tags específicos en check mode
+ansible-playbook deploy.yml --check --tags=vpn -e "host=hetzner alt=abyayala"
+```
+
+---
+
+## Contribuir
+
+Al agregar nuevos roles o modificar existentes:
+
+1. Ejecutar ansible-lint antes de commit
+2. Verificar sintaxis con --syntax-check
+3. Si es un rol crítico, agregar tests de Molecule
+4. Documentar casos de prueba en este archivo

abyayala.yml

@@ -14,6 +14,7 @@ matrix:
     roles:
       - rap
     nodos:
+      - llavero
       - marmite
       - nodochasqui
       - yanapak
@@ -58,8 +59,6 @@ matrix:
       - carabobolibre
       - samatuun
       - kaasavi
-      - llavero
-      - deabajo
 
   - service_name: respaldos
     domains:
@@ -166,15 +165,6 @@ matrix:
     force_https: yes
     enable_compression: yes
 
-  - service_name: abyaya_root
-    domains:
-      - abyaya.la
-      - www.abyaya.la
-    nodo: sutty.comun
-    force_https: yes
-    enable_compression: yes
-    root: yes
-
   - service_name: mexe
     domains:
       - mexe.abyaya.la
@@ -214,14 +204,11 @@ matrix:
 
   - service_name: kipu
     domains:
-#      - abyaya.la
-#      - www.abyaya.la
       - kipu.latina.red
     nodo: kipu.comun
+    ssl: no
     ports:
       - 223
-    ssl: yes
-#    root: yes
 
   - service_name: carabobolibre
     domains:
@@ -240,15 +227,3 @@ matrix:
       - kaasavi.abyaya.la
     nodo: kaasavi.comun
     force_https: yes
-
-  - service_name: llavero
-    domains:
-      - llavero.abyaya.la
-    nodo: llavero.comun
-    force_https: yes
-
-  - service_name: deabajo
-    domains:
-      - deabajo.abyaya.la
-    nodo: deabajo.comun
-    force_https: yes

group_vars/testing/vars

@@ -1 +0,0 @@
-host_ip: 157.180.114.62

hosts.production

@@ -1,5 +1,5 @@
 [localhost]
-127.0.0.1 ansible_connection=local
+127.0.0.1
 
 [hetzner]
 5.161.236.18
@@ -11,9 +11,3 @@ ansible_ssh_user=root
 sutty.nl
 
 [sutty:vars]
-
-[testing]
-157.180.114.62
-
-[testing:vars]
-ansible_ssh_user=root

roles/althost/tasks/compose.yml

@@ -1,13 +1,13 @@
     - name: check if service volumes exists
-      stat:
+      local_action:
+        module: stat
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/volumes.yml"
-      delegate_to: localhost
       register: volumes_def
 
     - name: check if service networks exists
-      stat:
+      local_action:
+        module: stat
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/networks.yml"
-      delegate_to: localhost
       register: networks_def
 
     - set_fact:
@@ -22,53 +22,53 @@
       when: networks_def.stat.exists
 
     - name: define services in local composition
-      blockinfile:
+      local_action:
+        module: blockinfile
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "services:"
         marker: "# {mark} {{ service_name|upper }}"
         block: "{{ services_content }}"
-      delegate_to: localhost
       changed_when: false
 
     - name: define volumes in local composition
-      lineinfile:
+      local_action:
+        module: lineinfile
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# volumenes compartidos"
         line: "volumes: #"
         state: present
         regexp: "volumes: #"
-      delegate_to: localhost
       when: volumes_def.stat.exists
       changed_when: false
 
     - name: define volumes content in local composition
-      lineinfile:
+      local_action:
+        module: lineinfile
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "volumes: #"
         line: "{{ volumes_content }}"
         state: present
         regexp: "{{ volumes_content }}"
-      delegate_to: localhost
       when: volumes_content is defined
       changed_when: false
 
     - name: define networks in local composition
-      lineinfile:
+      local_action:
+        module: lineinfile
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# redes compartidas"
         line: "networks: #"
         state: present
         regexp: "networks: #"
-      delegate_to: localhost
       when: networks_def.stat.exists
       changed_when: false
 
     - name: define networks content in local composition
-      lineinfile:
+      local_action:
+        module: lineinfile
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "networks: #"
         line: "{{ networks_content }}"
         state: present
-      delegate_to: localhost
       when: networks_content is defined
       changed_when: false

roles/althost/tasks/main.yml

@@ -1,56 +1,28 @@
     # DOCKER CE this is specific for Debian
     # https://docs.docker.com/install/linux/docker-ce/debian/
-    # Soporta Debian 12 (bookworm) y Debian 13 (trixie)
-
-    # Clean up conflicting Docker repositories first (always runs, even with --skip-tags=installation)
-    - name: remove old docker repository files to avoid APT conflicts
-      file:
-        path: "{{ item }}"
-        state: absent
-      loop:
-        - /etc/apt/sources.list.d/docker.list
-        - /etc/apt/sources.list.d/download_docker_com_linux_debian.list
-
     - block:
       - name: "unattended upgrades"
         apt:
           name: "unattended-upgrades"
           state: "present"
-
+              
       - name: required packages
         apt:
-          name: ['ca-certificates', 'curl', 'python3-pip']
+          name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common', 'python3-pip']
           state: present
 
-      - name: create keyrings directory
-        file:
-          path: /etc/apt/keyrings
-          state: directory
-          mode: '0755'
-
-      - name: download docker gpg key
-        get_url:
+      - name: docker signing key
+        apt_key:
           url: https://download.docker.com/linux/debian/gpg
-          dest: /etc/apt/keyrings/docker.asc
-          mode: '0644'
+          state: present
+        
+      - name: docker apt repository
+        apt_repository:
+          repo: deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable
 
-      - name: add docker repository with deb822 format
-        deb822_repository:
-          name: docker
-          types: [deb]
-          uris: https://download.docker.com/linux/debian
-          suites: ["{{ ansible_distribution_release }}"]
-          components: [stable]
-          architectures: [amd64]
-          signed_by: /etc/apt/keyrings/docker.asc
-
-      - name: install docker community edition and compose plugin
+      - name: install docker community edition
         apt:
-          name:
-            - docker-ce
-            - docker-ce-cli
-            - containerd.io
-            - docker-compose-plugin
+          name: docker-ce
           update_cache: yes
 
       - name: is node already in swarm mode
@@ -76,11 +48,23 @@
           state: present
 
       # ansible-docker requirements
-      # Use system packages instead of pip to avoid break_system_packages
-      - name: ensure python3-docker package is present
-        apt:
-          name: python3-docker
+      - name: python package docker-py is deprecated
+        pip:
+          name: docker-py
+          state: absent
+          break_system_packages: true
+
+      - name: ensure python package docker is present
+        pip:
+          name: docker
           state: present
+          break_system_packages: true
+
+      - name: ensure python package docker-compose is present
+        pip:
+          name: docker-compose
+          state: present
+          break_system_packages: true
 
       tags: installation
 
@@ -90,16 +74,16 @@
         file: path={{ compose_path }} state=directory
       
       - name: make sure local compose path exists
-        file:
-          path: "{{ local_compose_path }}"
+        local_action:
+          module: file
+          path: "{{ local_compose_path }}" 
           state: directory
-        delegate_to: localhost
 
       - name: clean docker-compose.yml
-        template:
+        local_action:
+          module: template
           dest: "{{ local_compose_path }}/docker-compose.yml"
           src: roles/althost/templates/docker-compose.yml
-        delegate_to: localhost
         changed_when: false
 
       - name: execute roles per domain mapping

roles/certbot/tasks/certbot.yml

@@ -10,55 +10,33 @@
       register: vhost_stat
 
     - set_fact:
-        needs_cert: "{{ ((loop.ssl | default(domains_default_ssl) | bool) or (loop.force_https | default(domains_default_force_https) | bool)) | bool }}"
-
-    - set_fact:
-        needs_vhost: "{{ (needs_cert | bool and not vhost_stat.stat.exists) | bool }}"
-        obtain_cert: "{{ (needs_cert | bool and not ssl_cert.stat.exists) | bool }}"
+        needs_cert: (loop.ssl | default(domains_default_ssl) ) or (loop.force_https | default(domains_default_force_https))
+        needs_vhost: needs_cert and not vhost_stat.stat.exists
+        obtain_cert: needs_cert and not ssl_cert.stat.exists
 
     - name: certificate obtention
       block:
         - set_fact:
             vhost: "{{ loop }}"
 
-        - set_fact:
-            is_root_domain: "{{ loop.root | default(false) | bool }}"
-
-        - name: fetch certificate with certbot container (with wildcard)
+        - name: fetch certificate with certbot container
           docker_container:
             name: chencriptemos
             image: "{{ CERTBOT_image }}"
             state: started
             volumes:
               - "{{ althost }}_certs_data:/etc/letsencrypt"
-            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
+            command: "--non-interactive --agree-tos --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
             detach: no
             cleanup: yes
-            ports:
+            ports: 
               - "{{ host_ip }}:53:53/tcp"
               - "{{ host_ip }}:53:53/udp"
           notify:
             - reload proxy
           register: cert_result
-          when: not is_root_domain | bool
 
-        - name: fetch certificate with certbot container (without wildcard, root domain - using webroot)
-          docker_container:
-            name: chencriptemos
-            image: certbot/certbot:latest
-            state: started
-            volumes:
-              - "{{ althost }}_certs_data:/etc/letsencrypt"
-              - "{{ althost }}_certbot_webroot:{{ certbot_webroot }}"
-            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --webroot --webroot-path {{ certbot_webroot }} {% for domain in loop.domains %} -d {{ domain }} {% endfor %}"
-            detach: no
-            cleanup: yes
-          notify:
-            - reload proxy
-          register: cert_result
-          when: is_root_domain | bool
-
-      when: obtain_cert | bool
+      when: obtain_cert
 
     # RESET
     - set_fact:

roles/certbot/tasks/main.yml

@@ -36,7 +36,7 @@
         day: 4,18
         hour: 0
         minute: 0
-        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --log-driver=journald"
+        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 >> /var/log/renewal.log 2>&1"
 
     - name: proxy update, after certs renewal
       cron:

roles/knsupdate/files/dns_extras/pilmaiken.abyaya.la

@@ -1,8 +0,0 @@
-del pilmaiken mx
-del pilmaiken txt
-del pilmaiken spf
-add pilmaiken mx 10 correspondencia.latina.red.
-add pilmaiken txt "v=spf1 mx a:correspondencia.latina.red -all"
-add pilmaiken spf "v=spf1 mx a:correspondencia.latina.red -all"
-add dkim._domainkey.pilmaiken txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6JwPaawDzMXuscSgDpvipRFLGXSqgmvvI6jk18lcg0kK2lfxsvXGJ/6U7oCtKa35IEVzdigxD0o7DzklKxAsNIVbcExPJkFWzQuKuP6ATBESo7YUn7Z5qjfxBiNPS0FJp8XpbpUzN+zg/NTgmkggnwwC0tKgcEQ6HnI9AOa1LQIDAQAB"
-add _dmarc.pilmaiken txt "v=DMARC1; p=reject; rua=mailto:postmaster@correspondencia.latina.red; ruf=mailto:postmaster@correspondencia.latina.red; adkim=s; aspf=s"

roles/knsupdate/tasks/main.yml

@@ -2,6 +2,5 @@
       apt:
         name: "knot-dnsutils"
         state: "present"
-      tags: installation
-
+    
     - include_tasks: loop.yml

roles/knsupdate/tasks/templates/commands.j2

@@ -1,31 +1,24 @@
 {% for dns_server in dns_servers %}
-
 server {{ dns_server }}
 zone {{ zone }}
 origin {{ zone }}
 ttl 60
-
 del {{ hostname }} a
 del {{ hostname }} ns
 add {{ hostname }} a {{ host_ip }}
-
-{% if hostname != '@' and hostname != 'www' %}
+{% if is_abyayala_subdomain %}
 add *.{{ hostname }} a {{ host_ip }}
 {% else %}
 add {{ domain }} a {{ host_ip }}
 add *.{{ domain }} a {{ host_ip }}
 {% endif %}
-
-{% if hostname == '@' %}
-add _acme-challenge a {{ host_ip }}
-add _acme-challenge ns _acme-challenge
-{% else %}
 add _acme-challenge.{{ hostname }} a {{ host_ip }}
 add _acme-challenge.{{ hostname }} ns _acme-challenge
+{% if vhost.dns_extras is defined %}
+{% for dns_extra in vhost.dns_extras %}
+{{ dns_extra }}
+{% endfor %}
 {% endif %}
-
-{% include "files/dns_extras/" ~ vhost.domains[0] ignore missing %}
-
 send
 {% endfor %}
 quit

roles/knsupdate/tasks/templates/dns_info.j2

@@ -1,21 +0,0 @@
-
-========================================
-Configuracion de DNS requerida: {{ domain }}
-========================================
-Por favor configue los siguiente registros DNS en su proveedor:
-
-{% if hostname == '@' %}
-{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
-*.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
-
-_acme-challenge.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ zone | regex_replace('\\.$', '') }}.
-ns-acme.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
-{% else %}
-{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
-*.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
-
-_acme-challenge.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}.
-ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
-{% endif %}
-
-========================================

roles/knsupdate/tasks/update.yml

@@ -2,4 +2,4 @@
       include_tasks: update_domain.yml
       with_items: "{{ vhost.domains }}"
       loop_control:
-        loop_var: domain
+        loop_var: domain

roles/knsupdate/tasks/update_domain.yml

@@ -34,9 +34,3 @@
       shell: knsupdate
       args:
         stdin: "{{ lookup('template', 'templates/commands.j2') }}"
-      when: is_abyayala_subdomain
-
-    - name: display DNS configuration instructions for external domains
-      debug:
-        msg: "{{ lookup('template', 'templates/dns_info.j2') }}"
-      when: not is_abyayala_subdomain

roles/knsupdate/vars/main.yml

@@ -7,6 +7,14 @@ dns_servers:
 compound_tlds:
   - com.ar
   - com.mx
+  - co.uk
   - com.br
+  - gov.ar
   - org.ar
-  - edu.ar
+  - gob.ar
+  - net.ar
+  - mil.ar
+  - edu.ar
+  - co.nz
+  - net.nz
+  - org.nz

roles/proxy/files/custom_proxy_includes/sutty.abyaya.la

@@ -0,0 +1,11 @@
+proxy_buffering off;
+proxy_request_buffering off;
+proxy_redirect off;
+proxy_connect_timeout 3m;
+proxy_send_timeout 3m;
+proxy_read_timeout 3m;
+
+limit_conn connection_limit 50;
+limit_req zone=request_limit nodelay burst=20;
+
+add_header Retry-After $retry_after always;

roles/proxy/files/custom_server_includes/sutty.abyaya.la

@@ -0,0 +1,4 @@
+add_header X-Frame-Options "sameorigin";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff";
+add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/tasks/main.yml

@@ -15,7 +15,6 @@
       with_items:
         - "{{ stream_path }}"
         - "{{ conf_path }}"
-        - "{{ certbot_webroot }}"
       loop_control:
         loop_var: comun
 
@@ -33,7 +32,6 @@
         - common.conf
         - common_ssl.conf
         - nginx.conf
-        - acme_challenge.conf
       loop_control:
         loop_var: common
 
@@ -47,16 +45,13 @@
           loop_control:
             loop_var: domino
 
-        - name: ensure abyaya.la subdomain is always first in domains list
+        - name: add default abyaya.la subdomain if not present
           set_fact:
             matrix_loop_with_defaults: "{{ matrix_loop_with_defaults | default([]) | union([ item_with_default ]) }}"
           vars:
-            existing_abyayala_domains: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list }}"
-            has_abyayala_domain: "{{ existing_abyayala_domains | length > 0 }}"
+            has_abyayala_domain: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list | length > 0 }}"
             default_domain: "{{ item.service_name }}.abyaya.la"
-            other_domains: "{{ item.domains | reject('match', '.*\\.abyaya\\.la$') | list }}"
-            abyayala_domain_to_use: "{{ existing_abyayala_domains[0] if has_abyayala_domain else default_domain }}"
-            domains_with_default: "{{ [abyayala_domain_to_use] + other_domains }}"
+            domains_with_default: "{{ item.domains + [default_domain] if not has_abyayala_domain else item.domains }}"
             item_with_default: "{{ item | combine({'domains': domains_with_default}) }}"
           with_items: "{{ matrix_loop | default([]) }}"
 

roles/proxy/templates/acme_challenge.conf

@@ -1,25 +0,0 @@
-# Let's Encrypt ACME challenge configuration
-# This configuration serves the .well-known/acme-challenge directory
-# for HTTP-01 validation when using webroot method
-
-location ^~ /.well-known/acme-challenge/ {
-    # Serve files from the certbot webroot
-    root {{ certbot_webroot }};
-
-    # Allow access to challenge files
-    allow all;
-
-    # Ensure plain text content type
-    default_type "text/plain";
-
-    # Disable any authentication
-    auth_basic off;
-
-    # Serve the challenge file directly
-    try_files $uri =404;
-}
-
-# Deny access to other .well-known paths for security
-location ~ /\.well-known/ {
-    deny all;
-}

roles/proxy/templates/common.conf

@@ -1,4 +0,0 @@
-    add_header X-Frame-Options "sameorigin";
-    add_header X-XSS-Protection "1; mode=block";
-    add_header X-Content-Type-Options "nosniff";
-    add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/templates/default_proxy.conf

@@ -12,12 +12,10 @@
 
         gzip_disable "msie6";
         {% endif %}
-
         client_max_body_size 1G;
-
         proxy_ssl_verify off;
         proxy_ssl_server_name on;
-        proxy_ssl_name $ssl_server_name;
+        proxy_ssl_name $host;
 
         proxy_pass https://$comun_{{ vhost.nodo | replace(".", "") }};
 
@@ -29,18 +27,6 @@
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection upgrade;
 
-        proxy_buffering off;
-        proxy_request_buffering off;
-        proxy_redirect off;
-        proxy_connect_timeout 3m;
-        proxy_send_timeout 3m;
-        proxy_read_timeout 3m;
-
-        limit_conn connection_limit 50;
-        limit_req zone=request_limit nodelay burst=20;
-
-        add_header Retry-After $retry_after always;
-
         {% include "files/custom_proxy_includes/" ~ vhost.domains[0] ignore missing %}
 }
       # END PROXY

roles/proxy/templates/services.yml

@@ -19,4 +19,3 @@
       - "certs_data:{{ nginx_certs_path }}:ro"
       - "{{ conf_path }}/nginx.conf:/etc/nginx/nginx.conf:ro"
       - "{{ stream_path }}:/etc/nginx/stream.d/"
-      - "certbot_webroot:{{ certbot_webroot }}"

roles/proxy/templates/stream.conf

@@ -5,11 +5,7 @@ upstream ssh_{{ vhost.nodo | replace(".", "") }} {
 server {
     listen {{ vhost.ports[0] }};
 
-    {% if vhost.root | default(false) %}
-    server_name {{ vhost.domains | join(' ') }};
-    {% else %}
-    server_name .{{ vhost.domains | join(' .') }};
-    {% endif %}
+    server_name  {{ vhost.service_name }}.abyaya.la;
 
     proxy_pass ssh_{{ vhost.nodo | replace(".", "") }};
 }

roles/proxy/templates/vhost.conf

@@ -1,31 +1,18 @@
 map $http_host $comun_{{ vhost.nodo | replace(".", "") }} {
     hostnames;
     {% for domain in vhost.domains %}
-    {% if vhost.root | default(false) %}
-    {{ domain }} {{ vhost.nodo }};
-    {% else %}
     .{{ domain }} {{ vhost.nodo }};
-    {% endif %}
     {% endfor %}
 }
 
 server {
-    {% if vhost.root | default(false) %}
-    server_name {{ vhost.domains | join(' ') }};
-    {% else %}
     server_name .{{ vhost.domains | join(' .') }};
-    {% endif %}
 
     listen 80;
 
     resolver 10.13.12.1 valid=300s;
     resolver_timeout 5s;
 
-{% if vhost.root | default(false) %}
-    # ACME challenge for HTTP-01 validation (webroot method for root domains)
-    include conf/acme_challenge.conf;
-{% endif %}
-
 {% if not needs_vhost and ((vhost.ssl | default(domains_default_ssl) ) or (vhost.force_https | default(domains_default_force_https))) %}
     listen 443 ssl;
 

roles/proxy/templates/volumes.yml

@@ -1,2 +1 @@
   certs_data:
-  certbot_webroot:

roles/proxy/vars/main.yml

@@ -15,4 +15,3 @@ default_stream: roles/proxy/templates/stream.conf
 # certbot
 webmaster_email: webmaster@numerica.cl
 CERTBOT_image: numericalatina/certbot-wildcard
-certbot_webroot: /var/www/certbot

testnet.yml

@@ -1,23 +0,0 @@
-althost: testnet
-matrix:
-  - service_name: comun
-    roles:
-      - kemal
-    domains:
-      - comun.abyayala.red
-
-  - service_name: dns
-    roles:
-      - knsupdate
-
-  - service_name: vpn
-    roles:
-      - rap
-    nodos:
-      - qi
-
-  - service_name: qi
-    domains:
-      - qi.abyayala.red
-    nodo: qi.comun
-#    force_https: yes