feat: restore gitea proxy functionality with conditional support

Recupera la funcionalidad de proxy para repositorios git (gitea) que se perdió
al integrar el proxy SSH con stream.conf. Los servicios ahora pueden habilitar
opcionalmente el acceso a gitea agregando el atributo gitea_port.

Cambios:
- Agregado soporte condicional de upstream y servidor gitea en stream.conf
- El puerto gitea se agrega dinámicamente a matrix_ports cuando está definido
- Usa el mismo server_name que SSH, diferenciado solo por puerto
- Respeta la configuración root para dominios raíz

Uso: Agregar gitea_port: 2222 a cualquier servicio en abyayala.yml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

DNS_ARCHITECTURE.md

@@ -0,0 +1,162 @@
+# Arquitectura DNS y Validación ACME
+
+Este documento explica cómo funciona el sistema DNS distribuido y la validación de certificados SSL para dominios FQDN.
+
+## Componentes DNS
+
+### 1. Servidores Knot (Autoritativos Remotos)
+
+**Ubicación:** `anarres.sutty.nl`, `athshe.sutty.nl`, `gethen.sutty.nl`, `ganam.sutty.nl`
+
+**Función:** DNS autoritativo real para:
+- Zona `abyaya.la`
+- Zonas FQDN (ej: `latina.red`, `example.com.ar`)
+
+**Actualización:** Via `knsupdate` ejecutado desde el proxy
+
+### 2. Proxy (Hetzner: 5.161.236.18)
+
+**Servicios DNS en diferentes IPs:**
+
+| Servicio | IP | Puerto | Función |
+|----------|-------|--------|---------|
+| **dnsmasq** | `10.13.12.1` + `127.0.0.1` | 53 | DNS cache/resolver para VPN interna |
+| **certbot dns-standalone** | `5.161.236.18` | 53 | DNS temporal para validación ACME |
+
+**No hay conflicto de puertos** porque usan IPs diferentes en la misma máquina.
+
+## Flujo de Validación ACME para Dominios FQDN
+
+### Ejemplo: Certificado para `kipu.latina.red`
+
+#### Paso 1: knsupdate configura delegación en Knot
+
+Cuando se despliega un servicio con FQDN, `knsupdate` crea estos registros en los servidores Knot:
+
+```dns
+; En zona latina.red
+kipu.latina.red                    IN A     5.161.236.18
+*.kipu.latina.red                  IN A     5.161.236.18
+_acme-challenge.kipu.latina.red    IN CNAME abyaya.la.
+_acme-challenge.kipu.latina.red    IN NS    _acme-challenge.abyaya.la.
+
+; En zona abyaya.la
+_acme-challenge.abyaya.la          IN A     5.161.236.18
+_acme-challenge                    IN NS    _acme-challenge.abyaya.la.
+```
+
+**Propósito de la delegación:**
+- El CNAME redirige la validación a `abyaya.la`
+- El NS delega la autoridad a `_acme-challenge.abyaya.la`
+- Que apunta al proxy donde certbot corre
+
+#### Paso 2: Certbot obtiene/renueva certificado
+
+```bash
+docker run --rm \
+  -v abyayala_certs_data:/etc/letsencrypt \
+  --network host \
+  numericalatina/certbot-wildcard \
+  certonly --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 \
+  -d kipu.latina.red -d *.kipu.latina.red
+```
+
+**Certbot:**
+1. Levanta un servidor DNS temporal en `5.161.236.18:53`
+2. Crea el registro TXT con el token de validación
+3. Notifica a Let's Encrypt que está listo
+
+#### Paso 3: Let's Encrypt valida
+
+```
+Let's Encrypt consulta: _acme-challenge.kipu.latina.red
+   ↓ Consulta a nameservers de latina.red (Knot)
+   ↓ Knot responde con CNAME
+
+Redirigido a: _acme-challenge.abyaya.la
+   ↓ Consulta delegación NS
+   ↓ Knot indica: usar nameserver _acme-challenge.abyaya.la
+
+Consulta directa a: 5.161.236.18:53
+   ↓ certbot dns-standalone responde
+   ↓ Proporciona el token TXT
+
+✓ Validación exitosa
+```
+
+## Configuración Requerida en DNS Externo
+
+Para que un dominio FQDN externo (no `.abyaya.la`) pueda delegar la validación ACME al proxy, es necesario agregar estos registros en el DNS del dominio:
+
+```dns
+_acme-challenge IN CNAME abyaya.la.
+_acme-challenge IN NS _acme-challenge.abyaya.la.
+```
+
+**Ejemplo para `kipu.latina.red`:**
+```dns
+; En el DNS de latina.red
+_acme-challenge.kipu IN CNAME abyaya.la.
+_acme-challenge.kipu IN NS _acme-challenge.abyaya.la.
+```
+
+Esto se hace **una sola vez por dominio** y permite que todos los subdominios deleguen automáticamente.
+
+## Renovación Automática
+
+La renovación de certificados funciona automáticamente porque:
+
+1. ✅ **Delegación persistente**: Los registros `_acme-challenge` ya están en Knot
+2. ✅ **Cron configurado**: Se ejecuta los días 4 y 18 de cada mes
+3. ✅ **Sin conflictos**: dnsmasq y certbot usan IPs diferentes
+4. ✅ **Mismo método**: `certbot renew` usa dns-standalone automáticamente
+
+```yaml
+# Configurado en roles/certbot/tasks/main.yml
+- name: automatic letsencrypt certs renewal
+  cron:
+    name: certificate renewal
+    day: 4,18
+    hour: 0
+    minute: 0
+    job: "docker run --rm -v abyayala_certs_data:/etc/letsencrypt --network host numericalatina/certbot-wildcard renew --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 >> /var/log/renewal.log 2>&1"
+```
+
+## Ventajas de esta Arquitectura
+
+1. **Centralizada**: Un solo proxy maneja validación ACME para todos los dominios
+2. **Segura**: No requiere credenciales API de proveedores DNS externos
+3. **Flexible**: Soporta dominios `.abyaya.la` y FQDN externos
+4. **Automatizada**: Renovación sin intervención manual
+5. **Escalable**: Agregar nuevos dominios solo requiere actualizar `abyayala.yml`
+
+## Troubleshooting
+
+### Verificar delegación DNS
+
+```bash
+# Verificar CNAME
+dig _acme-challenge.kipu.latina.red CNAME
+
+# Verificar NS delegation
+dig _acme-challenge.kipu.latina.red NS
+
+# Probar resolución completa
+dig @5.161.236.18 _acme-challenge.kipu.latina.red TXT
+```
+
+### Ver logs de renovación
+
+```bash
+tail -f /var/log/renewal.log
+```
+
+### Probar renovación manualmente
+
+```bash
+docker run --rm \
+  -v abyayala_certs_data:/etc/letsencrypt \
+  --network host \
+  numericalatina/certbot-wildcard \
+  renew --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 --dry-run
+```

FQDN_AUTHORITATIVE.md

@@ -0,0 +1,133 @@
+# Soporte para Dominios FQDN Autoritativos
+
+Esta feature añade soporte para usar dominios FQDN externos (ejemplo.com, kipu.latina.red, etc.) además de subdominios .abyaya.la.
+
+## Cambios Implementados
+
+### 1. Generación Automática de Subdominio Default
+
+Cuando se define un dominio FQDN, el sistema genera automáticamente un subdominio `.abyaya.la` basado en el `service_name` que funciona como alias.
+
+**Ejemplo:**
+```yaml
+- service_name: kipu
+  domains:
+    - kipu.latina.red
+  nodo: kipu.comun
+  force_https: yes
+```
+
+El sistema automáticamente añade `kipu.abyaya.la` a la lista de dominios, por lo que ambos dominios funcionarán y redirigirán al primero de la lista.
+
+### 2. Soporte para TLDs Compuestos
+
+El sistema detecta automáticamente TLDs compuestos como `.com.ar`, `.co.uk`, `.com.br`, etc., y extrae correctamente la zona DNS.
+
+**TLDs soportados:**
+- com.ar, gov.ar, org.ar, gob.ar, net.ar, mil.ar, edu.ar
+- com.mx
+- co.uk
+- com.br
+- co.nz, net.nz, org.nz
+
+Para añadir más TLDs, editar `roles/knsupdate/vars/main.yml`.
+
+### 3. Actualización DNS Multi-Zona
+
+El sistema ahora actualiza correctamente el DNS en Knot para cada dominio según su tipo:
+
+- **Subdominios .abyaya.la**: Se actualizan en la zona `abyaya.la.`
+- **FQDN autoritativos**: Se actualizan en su zona correspondiente (ej: `latina.red.`, `example.com.ar.`)
+
+La detección es **completamente automática** basada en el sufijo del dominio.
+
+## Uso
+
+### Caso Básico: Solo FQDN
+
+```yaml
+- service_name: ejemplo
+  domains:
+    - ejemplo.latina.red
+  nodo: ejemplo.comun
+  force_https: yes
+```
+
+**Resultado:**
+- `ejemplo.latina.red` → Dominio principal (detectado como FQDN)
+- `ejemplo.abyaya.la` → Generado automáticamente como alias
+- Ambos tienen certificados SSL wildcard
+- Ambos redirigen al primero (ejemplo.latina.red)
+
+### Caso Avanzado: Múltiples Dominios
+
+```yaml
+- service_name: miapp
+  domains:
+    - miapp.com.ar
+    - miapp.latina.red
+    - miapp.abyaya.la
+  nodo: miapp.comun
+  force_https: yes
+```
+
+**Resultado:**
+- Los tres dominios funcionan
+- Todos redirigen al primero (miapp.com.ar)
+- Certificados SSL para cada dominio + wildcards
+- DNS actualizado en zonas: `com.ar.`, `latina.red.`, `abyaya.la.`
+
+### Subdominios de FQDN
+
+```yaml
+- service_name: api
+  domains:
+    - api.ejemplo.com.ar
+  nodo: api.comun
+  force_https: yes
+```
+
+**Resultado:**
+- `api.ejemplo.com.ar` → Dominio principal (hostname: api, zona: com.ar.)
+- `api.abyaya.la` → Generado automáticamente
+
+## Archivos Modificados
+
+1. **roles/proxy/tasks/main.yml**: Añade dominio default .abyaya.la automáticamente
+2. **roles/knsupdate/vars/main.yml**: Lista de TLDs compuestos
+3. **roles/knsupdate/tasks/update.yml**: Procesa múltiples dominios
+4. **roles/knsupdate/tasks/update_domain.yml**: Nuevo archivo que detecta tipo de dominio
+5. **roles/knsupdate/tasks/templates/commands.j2**: Usa zona y hostname dinámicos
+
+## Comportamiento de Certificados SSL
+
+Certbot obtiene certificados para **todos** los dominios listados más sus wildcards:
+
+```bash
+certbot certonly -d ejemplo.com.ar -d *.ejemplo.com.ar -d ejemplo.abyaya.la -d *.ejemplo.abyaya.la
+```
+
+Usa el método `dns-standalone` que requiere que el proxy controle el DNS autoritativo. Esto funciona porque knsupdate actualiza Knot con todos los dominios.
+
+## Migración desde Configuración Anterior
+
+La configuración anterior sigue funcionando sin cambios:
+
+```yaml
+- service_name: viejo
+  domains:
+    - viejo.abyaya.la
+  nodo: viejo.comun
+  force_https: yes
+```
+
+Todo funciona exactamente igual para subdominios .abyaya.la existentes.
+
+## Notas Técnicas
+
+- La detección de tipo de dominio es **completamente automática** basada en el sufijo `.abyaya.la`
+- Los subdominios .abyaya.la siempre se generan automáticamente si no están presentes
+- La zona DNS se detecta automáticamente considerando TLDs simples y compuestos
+- Todos los dominios apuntan al mismo nodo en la VPN
+- El primer dominio en la lista es considerado el principal para certificados SSL
+- No se requiere ningún flag especial en la configuración

README-root-domain.md

@@ -0,0 +1,99 @@
+# Plan: Añadir Soporte para Dominio Principal www.abyaya.la
+
+## Objetivo
+Habilitar que el dominio raíz `abyaya.la` y `www.abyaya.la` apunten al servidor `sutty.comun`, mientras se mantienen funcionando todos los subdominios existentes (ej: `sutty.abyaya.la`, `marmite.abyaya.la`).
+
+## Estrategia de Desarrollo
+
+### Rama Tópica
+Los cambios se implementarán en esta rama tópica:
+- **Nombre de rama**: `root-domain`
+- **Bifurcada desde**: `master`
+
+## Contexto Técnico
+
+### Arquitectura Actual
+- **Certificados**: Cada servicio en `abyayala.yml` con `domains` + `nodo` genera un certificado con certbot: `-d DOMAIN -d *.DOMAIN`
+- **Patron actual**: Todos los dominios siguen el patrón `subdomain.abyaya.la` (ej: `sutty.abyaya.la`)
+
+### Decisión de Diseño
+Crear un **servicio separado** para el dominio raíz con un nuevo flag `root: yes` que indica a certbot que NO solicite el certificado wildcard. Esto mantiene limpia la separación de responsabilidades:
+- Servicio `sutty`: maneja `sutty.abyaya.la` y `*.sutty.abyaya.la`
+- Servicio `abyaya_root`: maneja únicamente `abyaya.la` y `www.abyaya.la` (sin wildcard)
+
+## Cambios Implementados
+
+### 1. `roles/certbot/tasks/certbot.yml`
+- Lee el flag `root` del servicio y lo mapea a variable `is_root_domain`
+- Dividido el bloque de certificados en dos tareas condicionales:
+  - Modo estándar (con wildcard): para subdominios (`when: not is_root_domain`)
+  - Modo sin wildcard: para dominios raíz (`when: is_root_domain`)
+
+### 2. `roles/proxy/templates/vhost.conf`
+- Agregado condicional para manejar flag `root`
+- Cuando `root: yes`: genera `server_name` sin punto prefijo (exacto)
+- Cuando `root: no` (default): genera `server_name .domain` (con wildcard)
+
+### 3. `abyayala.yml`
+- Agregado servicio `abyaya_root` con:
+  - Dominios: `abyaya.la` y `www.abyaya.la`
+  - Enrutamiento a: `sutty.comun`
+  - Flag: `root: yes`
+  - HTTPS forzado y compresión habilitada
+
+## Comandos de Despliegue
+
+### Despliegue completo
+```bash
+ansible-playbook deploy.yml -e "alt=abyayala host=hetzner"
+```
+
+### Despliegue solo del servicio nuevo (para testing)
+```bash
+ansible-playbook deploy.yml -e "alt=abyayala host=hetzner service=abyaya_root"
+```
+
+## Verificación Post-Despliegue
+
+### 1. Verificar certificado
+```bash
+ssh root@hetzner
+ls -la /var/lib/docker/volumes/abyayala_certs_data/_data/live/abyaya.la/
+docker run --rm -v abyayala_certs_data:/etc/letsencrypt certbot/certbot certificates | grep abyaya.la
+```
+
+Debe contener: `abyaya.la`, `www.abyaya.la` (SIN `*.abyaya.la`)
+
+### 2. Verificar nginx
+```bash
+cat /opt/abyayala/proxy/vhosts/abyaya.la.conf
+docker exec abyayala_proxy nginx -t
+```
+
+### 3. Verificar enrutamiento
+```bash
+curl -I http://abyaya.la        # Debe redirigir a HTTPS
+curl -I https://abyaya.la       # Debe devolver 200 OK
+curl -I https://www.abyaya.la   # Debe devolver 200 OK
+```
+
+### 4. Verificar subdominios siguen funcionando
+```bash
+curl -I https://sutty.abyaya.la
+curl -I https://marmite.abyaya.la
+```
+
+## Requisitos DNS
+
+Antes del despliegue, configurar:
+```
+abyaya.la       A     <IP-del-proxy>
+www.abyaya.la   A     <IP-del-proxy>
+```
+
+## Extensibilidad Futura
+
+Este patrón `root: yes` puede reutilizarse para otros dominios raíz:
+1. Agregar entrada en `abyayala.yml` con `root: yes`
+2. Desplegar con ansible-playbook
+3. Configurar DNS

abyayala.yml

@@ -15,7 +15,6 @@ matrix:
       - rap
     nodos:
       - marmite
-      - ka
       - nodochasqui
       - yanapak
       - comun01
@@ -57,6 +56,10 @@ matrix:
       - kipu
       - resistencia
       - carabobolibre
+      - samatuun
+      - kaasavi
+      - llavero
+      - deabajo
 
   - service_name: respaldos
     domains:
@@ -70,12 +73,6 @@ matrix:
     nodo: marmite.comun
     force_https: yes
 
-  - service_name: ka
-    domains:
-      - 2012k.abyaya.la
-    nodo: ka.comun
-    force_https: yes
-
   - service_name: yanapak
     domains:
       - yanapak.abyaya.la
@@ -93,16 +90,8 @@ matrix:
       - pilmaiken.abyaya.la
     nodo: pilmaiken.comun
     force_https: yes
-    dns_extras:
-    - 'del pilmaiken mx'
-    - 'del pilmaiken txt'
-    - 'del pilmaiken spf'
-    - 'add pilmaiken mx 10 correspondencia.latina.red.'
-    - 'add pilmaiken txt "v=spf1 mx a:correspondencia.latina.red -all"'
-    - 'add pilmaiken spf "v=spf1 mx a:correspondencia.latina.red -all"'
-    - 'add dkim._domainkey.pilmaiken txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6JwPaawDzMXuscSgDpvipRFLGXSqgmvvI6jk18lcg0kK2lfxsvXGJ/6U7oCtKa35IEVzdigxD0o7DzklKxAsNIVbcExPJkFWzQuKuP6ATBESo7YUn7Z5qjfxBiNPS0FJp8XpbpUzN+zg/NTgmkggnwwC0tKgcEQ6HnI9AOa1LQIDAQAB"'
-    - 'add _dmarc.pilmaiken txt "v=DMARC1; p=reject; rua=mailto:postmaster@correspondencia.latina.red; ruf=mailto:postmaster@correspondencia.latina.red; adkim=s; aspf=s"'
-
+    ports: 
+      - 222
 
   - service_name: fundeps
     domains:
@@ -177,6 +166,15 @@ matrix:
     force_https: yes
     enable_compression: yes
 
+  - service_name: abyaya_root
+    domains:
+      - abyaya.la
+      - www.abyaya.la
+    nodo: sutty.comun
+    force_https: yes
+    enable_compression: yes
+    root: yes
+
   - service_name: mexe
     domains:
       - mexe.abyaya.la
@@ -216,9 +214,14 @@ matrix:
 
   - service_name: kipu
     domains:
-      - kipu.abyaya.la
+#      - abyaya.la
+#      - www.abyaya.la
+      - kipu.latina.red
     nodo: kipu.comun
-    force_https: yes
+    ports:
+      - 223
+    ssl: yes
+#    root: yes
 
   - service_name: carabobolibre
     domains:
@@ -226,3 +229,26 @@ matrix:
     nodo: carabobolibre.comun
     force_https: yes
 
+  - service_name: samatuun
+    domains:
+      - samatuun.abyaya.la
+    nodo: samatuun.comun
+    force_https: yes
+
+  - service_name: kaasavi
+    domains:
+      - kaasavi.abyaya.la
+    nodo: kaasavi.comun
+    force_https: yes
+
+  - service_name: llavero
+    domains:
+      - llavero.abyaya.la
+    nodo: llavero.comun
+    force_https: yes
+
+  - service_name: deabajo
+    domains:
+      - deabajo.abyaya.la
+    nodo: deabajo.comun
+    force_https: yes

deploy.yml

@@ -3,15 +3,14 @@
 ---
 - hosts: "{{ host }}"
   tasks:
-    - name: "unnattended upgrades"
-      apt:
-        name: "unnattended-upgrades"
-        state: "present"
     - name: import matrix
       local_action: "include_vars dir=./ files_matching={{ alt }}.yml"
 
     - include_role: name=althost
 
+    - include_role: name=firewall
+      tags: firewall
+    
     - include_role: name=proxy
       tags: proxy
 

group_vars/all/ssh_users.yml

@@ -1,6 +1,6 @@
 ---
 ssh_users:
-  - name: numerica
+  - name: berto
     comment: "Roberto Soto"
     sudo: yes
     servers_allow:

group_vars/testing/vars

@@ -0,0 +1 @@
+host_ip: 157.180.114.62

hosts.production

@@ -1,5 +1,5 @@
 [localhost]
-127.0.0.1
+127.0.0.1 ansible_connection=local
 
 [hetzner]
 5.161.236.18
@@ -11,3 +11,9 @@ ansible_ssh_user=root
 sutty.nl
 
 [sutty:vars]
+
+[testing]
+157.180.114.62
+
+[testing:vars]
+ansible_ssh_user=root

roles/althost/tasks/compose.yml

@@ -1,13 +1,13 @@
     - name: check if service volumes exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/volumes.yml"
+      delegate_to: localhost
       register: volumes_def
 
     - name: check if service networks exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/networks.yml"
+      delegate_to: localhost
       register: networks_def
 
     - set_fact:
@@ -22,53 +22,53 @@
       when: networks_def.stat.exists
 
     - name: define services in local composition
-      local_action:
-        module: blockinfile
+      blockinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "services:"
         marker: "# {mark} {{ service_name|upper }}"
         block: "{{ services_content }}"
+      delegate_to: localhost
       changed_when: false
 
     - name: define volumes in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# volumenes compartidos"
         line: "volumes: #"
         state: present
         regexp: "volumes: #"
+      delegate_to: localhost
       when: volumes_def.stat.exists
       changed_when: false
 
     - name: define volumes content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "volumes: #"
         line: "{{ volumes_content }}"
         state: present
         regexp: "{{ volumes_content }}"
+      delegate_to: localhost
       when: volumes_content is defined
       changed_when: false
 
     - name: define networks in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# redes compartidas"
         line: "networks: #"
         state: present
         regexp: "networks: #"
+      delegate_to: localhost
       when: networks_def.stat.exists
       changed_when: false
 
     - name: define networks content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "networks: #"
         line: "{{ networks_content }}"
         state: present
+      delegate_to: localhost
       when: networks_content is defined
       changed_when: false

roles/althost/tasks/main.yml

@@ -1,24 +1,56 @@
     # DOCKER CE this is specific for Debian
     # https://docs.docker.com/install/linux/docker-ce/debian/
+    # Soporta Debian 12 (bookworm) y Debian 13 (trixie)
+
+    # Clean up conflicting Docker repositories first (always runs, even with --skip-tags=installation)
+    - name: remove old docker repository files to avoid APT conflicts
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /etc/apt/sources.list.d/docker.list
+        - /etc/apt/sources.list.d/download_docker_com_linux_debian.list
+
     - block:
-    
+      - name: "unattended upgrades"
+        apt:
+          name: "unattended-upgrades"
+          state: "present"
+
       - name: required packages
         apt:
-          name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common', 'python3-pip']
+          name: ['ca-certificates', 'curl', 'python3-pip']
           state: present
 
-      - name: docker signing key
-        apt_key:
+      - name: create keyrings directory
+        file:
+          path: /etc/apt/keyrings
+          state: directory
+          mode: '0755'
+
+      - name: download docker gpg key
+        get_url:
           url: https://download.docker.com/linux/debian/gpg
-          state: present
-        
-      - name: docker apt repository
-        apt_repository:
-          repo: deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable
+          dest: /etc/apt/keyrings/docker.asc
+          mode: '0644'
 
-      - name: install docker community edition
+      - name: add docker repository with deb822 format
+        deb822_repository:
+          name: docker
+          types: [deb]
+          uris: https://download.docker.com/linux/debian
+          suites: ["{{ ansible_distribution_release }}"]
+          components: [stable]
+          architectures: [amd64]
+          signed_by: /etc/apt/keyrings/docker.asc
+
+      - name: install docker community edition and compose plugin
         apt:
-          name: docker-ce
+          name:
+            - docker-ce
+            - docker-ce-cli
+            - containerd.io
+            - docker-compose-plugin
           update_cache: yes
 
       - name: is node already in swarm mode
@@ -44,55 +76,30 @@
           state: present
 
       # ansible-docker requirements
-      - name: python package docker-py is deprecated
-        pip:
-          name: docker-py
-          state: absent
-          break_system_packages: true
-
-      - name: ensure python package docker is present
-        pip:
-          name: docker
+      # Use system packages instead of pip to avoid break_system_packages
+      - name: ensure python3-docker package is present
+        apt:
+          name: python3-docker
           state: present
-          break_system_packages: true
-
-#      # https://stackoverflow.com/questions/77490435/attributeerror-cython-sources
-#      - name: fix python package Cython version
-#        pip:
-#          name: Cython
-#          state: present
-#          version: <3.0.0
-#          break_system_packages: true
-#        changed_when: false
-
-#      - name: fix python package PyYAML version
-#        shell: pip install "pyyaml==5.4.1" --no-build-isolation --break-system-packages
-
-      - name: ensure python package docker-compose is present
-        pip:
-          name: docker-compose
-          state: present
-          break_system_packages: true
 
       tags: installation
 
-
     # DOCKER COMPOSITION IN MASTER
     - block:
       - name: make sure compose path exists
         file: path={{ compose_path }} state=directory
       
       - name: make sure local compose path exists
-        local_action:
-          module: file
-          path: "{{ local_compose_path }}" 
+        file:
+          path: "{{ local_compose_path }}"
           state: directory
+        delegate_to: localhost
 
       - name: clean docker-compose.yml
-        local_action:
-          module: template
+        template:
           dest: "{{ local_compose_path }}/docker-compose.yml"
           src: roles/althost/templates/docker-compose.yml
+        delegate_to: localhost
         changed_when: false
 
       - name: execute roles per domain mapping

roles/certbot/tasks/certbot.yml

@@ -10,33 +10,55 @@
       register: vhost_stat
 
     - set_fact:
-        needs_cert: (loop.ssl | default(domains_default_ssl) ) or (loop.force_https | default(domains_default_force_https))
-        needs_vhost: needs_cert and not vhost_stat.stat.exists
-        obtain_cert: needs_cert and not ssl_cert.stat.exists
+        needs_cert: "{{ ((loop.ssl | default(domains_default_ssl) | bool) or (loop.force_https | default(domains_default_force_https) | bool)) | bool }}"
+
+    - set_fact:
+        needs_vhost: "{{ (needs_cert | bool and not vhost_stat.stat.exists) | bool }}"
+        obtain_cert: "{{ (needs_cert | bool and not ssl_cert.stat.exists) | bool }}"
 
     - name: certificate obtention
       block:
         - set_fact:
             vhost: "{{ loop }}"
 
-        - name: fetch certificate with certbot container
+        - set_fact:
+            is_root_domain: "{{ loop.root | default(false) | bool }}"
+
+        - name: fetch certificate with certbot container (with wildcard)
           docker_container:
             name: chencriptemos
             image: "{{ CERTBOT_image }}"
             state: started
             volumes:
               - "{{ althost }}_certs_data:/etc/letsencrypt"
-            command: "--non-interactive --agree-tos --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
+            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
             detach: no
             cleanup: yes
-            ports: 
+            ports:
               - "{{ host_ip }}:53:53/tcp"
               - "{{ host_ip }}:53:53/udp"
           notify:
             - reload proxy
           register: cert_result
+          when: not is_root_domain | bool
 
-      when: obtain_cert
+        - name: fetch certificate with certbot container (without wildcard, root domain - using webroot)
+          docker_container:
+            name: chencriptemos
+            image: certbot/certbot:latest
+            state: started
+            volumes:
+              - "{{ althost }}_certs_data:/etc/letsencrypt"
+              - "{{ althost }}_certbot_webroot:{{ certbot_webroot }}"
+            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --webroot --webroot-path {{ certbot_webroot }} {% for domain in loop.domains %} -d {{ domain }} {% endfor %}"
+            detach: no
+            cleanup: yes
+          notify:
+            - reload proxy
+          register: cert_result
+          when: is_root_domain | bool
+
+      when: obtain_cert | bool
 
     # RESET
     - set_fact:

roles/certbot/tasks/main.yml

@@ -30,14 +30,13 @@
         env: yes
         value: /bin/bash
 
-# TODO
-#    - name: automatic letsencrypt certs renewal
-#      cron:
-#        name: certificate renewal
-#        day: 4,18
-#        hour: 0
-#        minute: 0
-#        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt -v {{ althost }}_certs_www:/var/www/letsencrypt certbot/certbot renew >> /var/log/renewal.log 2>&1"
+    - name: automatic letsencrypt certs renewal
+      cron:
+        name: certificate renewal
+        day: 4,18
+        hour: 0
+        minute: 0
+        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --log-driver=journald"
 
     - name: proxy update, after certs renewal
       cron:
@@ -45,12 +44,4 @@
         day: 4,18
         hour: 6
         minute: 10
-        job: "docker service update --force {{ althost }}_proxy"
-
-    - name: mail proxy update, after certs renewal
-      cron:
-        name: mail proxy update
-        day: 4,18
-        hour: 6
-        minute: 20
-        job: "docker service update {{ althost }}_correspondencia_front"
+        job: "docker service update --force {{ althost }}_proxy"

roles/firewall/tasks/main.yml

@@ -0,0 +1,14 @@
+    - name: "Paquetes"
+      apt:
+        name:
+        - "iptables-persistent"
+        - "ipset-persistent"
+        state: "present"
+
+    - name: "Rules"
+      with_items:
+      - "rules.v4"
+      - "rules.v6"
+      template:
+        src: "{{ item }}.j2"
+        dest: "/etc/iptables/{{ item }}"

roles/firewall/templates/rules.v4.j2

@@ -0,0 +1,18 @@
+*filter
+:INPUT DROP [106:5591]
+:FORWARD DROP [28:1715]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i comun -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -p udp -m udp --dport 655 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 655 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
+COMMIT

roles/firewall/templates/rules.v6.j2

@@ -0,0 +1,5 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT

roles/knsupdate/files/dns_extras/pilmaiken.abyaya.la

@@ -0,0 +1,8 @@
+del pilmaiken mx
+del pilmaiken txt
+del pilmaiken spf
+add pilmaiken mx 10 correspondencia.latina.red.
+add pilmaiken txt "v=spf1 mx a:correspondencia.latina.red -all"
+add pilmaiken spf "v=spf1 mx a:correspondencia.latina.red -all"
+add dkim._domainkey.pilmaiken txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6JwPaawDzMXuscSgDpvipRFLGXSqgmvvI6jk18lcg0kK2lfxsvXGJ/6U7oCtKa35IEVzdigxD0o7DzklKxAsNIVbcExPJkFWzQuKuP6ATBESo7YUn7Z5qjfxBiNPS0FJp8XpbpUzN+zg/NTgmkggnwwC0tKgcEQ6HnI9AOa1LQIDAQAB"
+add _dmarc.pilmaiken txt "v=DMARC1; p=reject; rua=mailto:postmaster@correspondencia.latina.red; ruf=mailto:postmaster@correspondencia.latina.red; adkim=s; aspf=s"

roles/knsupdate/tasks/main.yml

@@ -2,5 +2,6 @@
       apt:
         name: "knot-dnsutils"
         state: "present"
-    
+      tags: installation
+
     - include_tasks: loop.yml

roles/knsupdate/tasks/templates/commands.j2

@@ -1,19 +1,31 @@
 {% for dns_server in dns_servers %}
+
 server {{ dns_server }}
-zone abyaya.la.
-origin abyaya.la.
+zone {{ zone }}
+origin {{ zone }}
 ttl 60
-del {{ vho }} a
-del {{ vho }} ns
-add {{ vho }} a {{ host_ip }}
-add *.{{ vho }} a {{ host_ip }}
-add _acme-challenge.{{ vho }} a {{ host_ip }}
-add _acme-challenge.{{ vho }} ns _acme-challenge
-{% if vhost.dns_extras is defined %}
-{% for dns_extra in vhost.dns_extras %}
-{{ dns_extra }}
-{% endfor %}
+
+del {{ hostname }} a
+del {{ hostname }} ns
+add {{ hostname }} a {{ host_ip }}
+
+{% if hostname != '@' and hostname != 'www' %}
+add *.{{ hostname }} a {{ host_ip }}
+{% else %}
+add {{ domain }} a {{ host_ip }}
+add *.{{ domain }} a {{ host_ip }}
 {% endif %}
+
+{% if hostname == '@' %}
+add _acme-challenge a {{ host_ip }}
+add _acme-challenge ns _acme-challenge
+{% else %}
+add _acme-challenge.{{ hostname }} a {{ host_ip }}
+add _acme-challenge.{{ hostname }} ns _acme-challenge
+{% endif %}
+
+{% include "files/dns_extras/" ~ vhost.domains[0] ignore missing %}
+
 send
 {% endfor %}
 quit

roles/knsupdate/tasks/templates/dns_info.j2

@@ -0,0 +1,21 @@
+
+========================================
+Configuracion de DNS requerida: {{ domain }}
+========================================
+Por favor configue los siguiente registros DNS en su proveedor:
+
+{% if hostname == '@' %}
+{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
+*.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
+
+_acme-challenge.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ zone | regex_replace('\\.$', '') }}.
+ns-acme.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
+{% else %}
+{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
+*.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
+
+_acme-challenge.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}.
+ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
+{% endif %}
+
+========================================

roles/knsupdate/tasks/update.yml

@@ -1,7 +1,5 @@
-    - set_fact:
-        vho: "{{ vhost.domains[0] | regex_replace('([a-z0-9]+)\\.abyaya\\.la', '\\1')}}"
-
-    - name: knsupdate
-      shell: knsupdate
-      args:
-        stdin: "{{ lookup('template', 'templates/commands.j2') }}"
+    - name: process each domain in the list
+      include_tasks: update_domain.yml
+      with_items: "{{ vhost.domains }}"
+      loop_control:
+        loop_var: domain

roles/knsupdate/tasks/update_domain.yml

@@ -0,0 +1,42 @@
+    - set_fact:
+        is_abyayala_subdomain: "{{ domain.endswith('.abyaya.la') }}"
+
+    - name: extract zone and hostname for abyaya.la subdomains
+      set_fact:
+        zone: "abyaya.la."
+        hostname: "{{ domain | regex_replace('([a-z0-9-]+)\\.abyaya\\.la', '\\1') }}"
+      when: is_abyayala_subdomain
+
+    - name: split domain into parts
+      set_fact:
+        domain_parts: "{{ domain.split('.') }}"
+      when: not is_abyayala_subdomain
+
+    - name: detect if domain uses compound TLD
+      set_fact:
+        domain_suffix_2: "{{ domain_parts[-2:] | join('.') }}"
+        uses_compound_tld: "{{ domain_parts[-2:] | join('.') in compound_tlds }}"
+      when: not is_abyayala_subdomain
+
+    - name: extract zone and hostname for FQDN with compound TLD
+      set_fact:
+        zone: "{{ domain_parts[-3:] | join('.') }}."
+        hostname: "{{ domain_parts[:-3] | join('.') if domain_parts | length > 3 else '@' }}"
+      when: not is_abyayala_subdomain and uses_compound_tld
+
+    - name: extract zone and hostname for FQDN with simple TLD
+      set_fact:
+        zone: "{{ domain_parts[-2:] | join('.') }}."
+        hostname: "{{ domain_parts[:-2] | join('.') if domain_parts | length > 2 else '@' }}"
+      when: not is_abyayala_subdomain and not uses_compound_tld
+
+    - name: knsupdate for this domain
+      shell: knsupdate
+      args:
+        stdin: "{{ lookup('template', 'templates/commands.j2') }}"
+      when: is_abyayala_subdomain
+
+    - name: display DNS configuration instructions for external domains
+      debug:
+        msg: "{{ lookup('template', 'templates/dns_info.j2') }}"
+      when: not is_abyayala_subdomain

roles/knsupdate/vars/main.yml

@@ -3,3 +3,10 @@ dns_servers:
 - "athshe.sutty.nl"
 - "gethen.sutty.nl"
 - "ganam.sutty.nl"
+
+compound_tlds:
+  - com.ar
+  - com.mx
+  - com.br
+  - org.ar
+  - edu.ar

roles/proxy/files/custom_proxy_includes/sutty.abyaya.la

@@ -1,6 +0,0 @@
-proxy_buffering off;
-proxy_request_buffering off;
-proxy_redirect off;
-proxy_connect_timeout 3m;
-proxy_send_timeout 3m;
-proxy_read_timeout 3m;

roles/proxy/tasks/main.yml

@@ -10,17 +10,14 @@
       include_role: name=certbot
       tags: certbot
 
-    - include_tasks: ../../althost/tasks/compose.yml
-      vars: # forcing since this role is included statically
-        service_name: proxy
-
-    - name: configuration path
-      file: path={{ conf_path }} state=directory
-
-#   TODO leaving unused vhosts bugs proxy    
-    - name: clean vhosts_path
-      file: path={{ vhosts_path }} state=absent
-      when: clean_vhosts is defined
+    - name: configuration paths
+      file: path={{ comun }} state=directory
+      with_items:
+        - "{{ stream_path }}"
+        - "{{ conf_path }}"
+        - "{{ certbot_webroot }}"
+      loop_control:
+        loop_var: comun
 
     - name: virtual hosts path
       file: path={{ vhosts_path }} state=directory
@@ -35,6 +32,8 @@
       with_items:
         - common.conf
         - common_ssl.conf
+        - nginx.conf
+        - acme_challenge.conf
       loop_control:
         loop_var: common
 
@@ -48,6 +47,24 @@
           loop_control:
             loop_var: domino
 
+        - name: ensure abyaya.la subdomain is always first in domains list
+          set_fact:
+            matrix_loop_with_defaults: "{{ matrix_loop_with_defaults | default([]) | union([ item_with_default ]) }}"
+          vars:
+            existing_abyayala_domains: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list }}"
+            has_abyayala_domain: "{{ existing_abyayala_domains | length > 0 }}"
+            default_domain: "{{ item.service_name }}.abyaya.la"
+            other_domains: "{{ item.domains | reject('match', '.*\\.abyaya\\.la$') | list }}"
+            abyayala_domain_to_use: "{{ existing_abyayala_domains[0] if has_abyayala_domain else default_domain }}"
+            domains_with_default: "{{ [abyayala_domain_to_use] + other_domains }}"
+            item_with_default: "{{ item | combine({'domains': domains_with_default}) }}"
+          with_items: "{{ matrix_loop | default([]) }}"
+
+        - name: update matrix_loop with defaults
+          set_fact:
+            matrix_loop: "{{ matrix_loop_with_defaults }}"
+          when: matrix_loop_with_defaults is defined
+
         - name: certificates loop
           include_tasks: ../../certbot/tasks/certbot.yml
           with_items: "{{ matrix_loop | default([]) }}"
@@ -62,3 +79,30 @@
           loop_control:
             loop_var: vhost
           when: (service is undefined) or (service is defined and service == vhost.service_name)
+        
+        - name: streams loop
+          include_tasks: stream.yml
+          with_items: "{{ matrix_loop }}"
+          loop_control:
+            loop_var: vhost
+          when: (service is undefined) or (service is defined and service == vhost.service_name)
+
+        - name: slice matrix with those having ports defined
+          set_fact:
+            matrix_ports: "{{ matrix_ports | default([]) | union(ma.ports) }}"
+          with_items: "{{ matrix }}"
+          when: (ma.ports is defined)
+          loop_control:
+            loop_var: ma
+
+        - name: add gitea port if any service has gitea_port defined
+          set_fact:
+            matrix_ports: "{{ matrix_ports | default([]) | union([ma.gitea_port]) }}"
+          with_items: "{{ matrix }}"
+          when: (ma.gitea_port is defined)
+          loop_control:
+            loop_var: ma
+    
+    - include_tasks: ../../althost/tasks/compose.yml
+      vars: # forcing since this role is included statically
+        service_name: proxy

roles/proxy/tasks/stream.yml

@@ -0,0 +1,10 @@
+- set_fact:
+    vhost_dest: "{{ stream_path }}/{{ vhost.domains[0] }}.conf"
+    
+- name: default stream for ssh
+  template:
+    src: "{{ default_stream }}"
+    dest: "{{ vhost_dest }}"
+  when: vhost.ports is defined
+  notify:
+    - reload proxy

roles/proxy/templates/acme_challenge.conf

@@ -0,0 +1,25 @@
+# Let's Encrypt ACME challenge configuration
+# This configuration serves the .well-known/acme-challenge directory
+# for HTTP-01 validation when using webroot method
+
+location ^~ /.well-known/acme-challenge/ {
+    # Serve files from the certbot webroot
+    root {{ certbot_webroot }};
+
+    # Allow access to challenge files
+    allow all;
+
+    # Ensure plain text content type
+    default_type "text/plain";
+
+    # Disable any authentication
+    auth_basic off;
+
+    # Serve the challenge file directly
+    try_files $uri =404;
+}
+
+# Deny access to other .well-known paths for security
+location ~ /\.well-known/ {
+    deny all;
+}

roles/proxy/templates/common.conf

@@ -0,0 +1,4 @@
+    add_header X-Frame-Options "sameorigin";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/templates/common_ssl.conf

@@ -6,6 +6,14 @@
     #   openssl dhparam -outform pem -out dhparam2048.pem 2048
     ssl_dhparam /etc/nginx/conf/dhparam2048.pem;
 
-    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
 
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

roles/proxy/templates/default_proxy.conf

@@ -12,7 +12,9 @@
 
         gzip_disable "msie6";
         {% endif %}
+
         client_max_body_size 1G;
+
         proxy_ssl_verify off;
         proxy_ssl_server_name on;
         proxy_ssl_name $ssl_server_name;
@@ -27,6 +29,18 @@
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection upgrade;
 
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_redirect off;
+        proxy_connect_timeout 3m;
+        proxy_send_timeout 3m;
+        proxy_read_timeout 3m;
+
+        limit_conn connection_limit 50;
+        limit_req zone=request_limit nodelay burst=20;
+
+        add_header Retry-After $retry_after always;
+
         {% include "files/custom_proxy_includes/" ~ vhost.domains[0] ignore missing %}
 }
       # END PROXY

roles/proxy/templates/nginx.conf

@@ -0,0 +1,56 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    server_tokens off;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    # Limitar cada dirección IP a 50 peticiones por segundo por IP y
+    # servidor.
+    limit_req_zone $server_name$binary_remote_addr zone=request_limit:10m rate=10r/s;
+    limit_req_status 429;
+
+    # Limita la cantidad de conexiones concurrentes por IP. Según la
+    # documentación de Nginx, cada request en HTTP/2 se cuenta como una
+    # conexión separada aunque sean la misma.
+    limit_conn_zone $binary_remote_addr zone=connection_limit:10m;
+    limit_conn_status 429;
+
+    # Informar a los navegadores que cuando reciban un error de muchas
+    # conexiones, esperen un segundo antes de reintentar.
+    map $status $retry_after {
+      default '';
+      429 '1';
+    }
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+
+stream {
+    include /etc/nginx/stream.d/*.conf;
+}
+

roles/proxy/templates/services.yml

@@ -8,11 +8,15 @@
     ports:
       - "80:80"
       - "443:443"
+{% for port in matrix_ports %}
+      - "{{ port }}:{{ port }}"
+{% endfor %}
     networks:
       - proxy
     volumes:
       - "{{ vhosts_path }}:/etc/nginx/conf.d/"
       - "{{ conf_path }}:/etc/nginx/conf/"
       - "certs_data:{{ nginx_certs_path }}:ro"
-
-
+      - "{{ conf_path }}/nginx.conf:/etc/nginx/nginx.conf:ro"
+      - "{{ stream_path }}:/etc/nginx/stream.d/"
+      - "certbot_webroot:{{ certbot_webroot }}"

roles/proxy/templates/stream.conf

@@ -0,0 +1,35 @@
+upstream ssh_{{ vhost.nodo | replace(".", "") }} {
+    server {{ vhost.nodo }}:22;
+}
+
+{% if vhost.gitea_port is defined %}
+upstream gitea_{{ vhost.nodo | replace(".", "") }} {
+    server {{ vhost.nodo }}:{{ vhost.gitea_port }};
+}
+{% endif %}
+
+server {
+    listen {{ vhost.ports[0] }};
+
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
+    server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
+
+    proxy_pass ssh_{{ vhost.nodo | replace(".", "") }};
+}
+
+{% if vhost.gitea_port is defined %}
+server {
+    listen {{ vhost.gitea_port }};
+
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
+    server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
+
+    proxy_pass gitea_{{ vhost.nodo | replace(".", "") }};
+}
+{% endif %}

roles/proxy/templates/vhost.conf

@@ -1,18 +1,31 @@
 map $http_host $comun_{{ vhost.nodo | replace(".", "") }} {
     hostnames;
     {% for domain in vhost.domains %}
+    {% if vhost.root | default(false) %}
+    {{ domain }} {{ vhost.nodo }};
+    {% else %}
     .{{ domain }} {{ vhost.nodo }};
+    {% endif %}
     {% endfor %}
 }
 
 server {
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
     server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
 
     listen 80;
 
     resolver 10.13.12.1 valid=300s;
     resolver_timeout 5s;
 
+{% if vhost.root | default(false) %}
+    # ACME challenge for HTTP-01 validation (webroot method for root domains)
+    include conf/acme_challenge.conf;
+{% endif %}
+
 {% if not needs_vhost and ((vhost.ssl | default(domains_default_ssl) ) or (vhost.force_https | default(domains_default_force_https))) %}
     listen 443 ssl;
 

roles/proxy/templates/volumes.yml

@@ -1 +1,2 @@
   certs_data:
+  certbot_webroot:

roles/proxy/vars/main.yml

@@ -3,13 +3,16 @@ domains_default_force_https: no
 
 # nginx
 vhosts_path: "{{ compose_path }}/proxy/vhosts"
+stream_path: "{{ compose_path }}/proxy/stream"
 conf_path: "{{ compose_path }}/proxy/conf"
 nginx_certs_path: /etc/nginx/certs
 
 # defaults
 needs_vhost: no
 default_vhost: roles/proxy/templates/vhost.conf
+default_stream: roles/proxy/templates/stream.conf
 
 # certbot
 webmaster_email: webmaster@numerica.cl
 CERTBOT_image: numericalatina/certbot-wildcard
+certbot_webroot: /var/www/certbot

roles/rap/tasks/main.yml

@@ -4,16 +4,20 @@
         state: present
       tags: installation
 
-# TODO: ERROR! conflicting action statements: synchronize, creates
-#    - name: copiar el codigo fuente
-#      synchronize:
-#        src: ../roles/rap/code/rap/
-#        dest: "{{ rap_path }}"
-#        perms: true
-#        rsync_opts:
-#          - "--exclude=.git"
-#      tags: rap
-#      creates: "{{ rap_path }}"
+    - name: Verificar si ya existe el codigo fuente
+      stat:
+        path: "{{ rap_path }}"
+      register: rap_status
+
+    - name: copiar el codigo fuente, si no existe
+      synchronize:
+        src: ../roles/rap/code/rap/
+        dest: "{{ rap_path }}"
+        perms: true
+        rsync_opts:
+          - "--exclude=.git"
+      tags: rap
+      when: not rap_status.stat.exists
 
     - name: agregar nodos a la VPN
       shell: 

tasks/files/ssh/berto.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrhho0oQcAWX6ndpwxkNykJTohUg6vvEplqBa5pENU1gD61eahP4BU4weGrOWY28fBy3BhXOYFITWOxmdv7V7T9fG8WKXqT8MHkC9zaLzAZJ11tHq8OeDo0QGkBOoetf0dv0e3+FNijA9QKhqiwz+v0t5Ev0bSuSl28zHI3Tr0vF98SZulIR9CxDTTPA+Hel2Tl+LcVDZb80/tG9oAFBctzMK7AWB80X/DgXVfY0qgP97809JPX+Cqo/Q+LK55HxeDnfqDsA3m3KXQPODZm6ATEfmcx3MBYqJ8m0rdMKBwR16xDvAyB/LezHVCgmQvmzTRgzTwwwitOX83F5oIEArTK64s1dm0VLzj+Pw5Tetkde4YPHfajffXUbUxGTgD6M3NCvCLHedDMQDQT3LNOfFJGngGcwWJdStmMCWR6dd81epzPZiWHEZ093UWCPtE8kvrL4fRfIc/qSKWNCIyAoagKw4SwwyOfg0ONBJpjOfI7+vBKJVCZSDZQYyU/+Bo60k= berto@concon

testnet.yml

@@ -0,0 +1,23 @@
+althost: testnet
+matrix:
+  - service_name: comun
+    roles:
+      - kemal
+    domains:
+      - comun.abyayala.red
+
+  - service_name: dns
+    roles:
+      - knsupdate
+
+  - service_name: vpn
+    roles:
+      - rap
+    nodos:
+      - qi
+
+  - service_name: qi
+    domains:
+      - qi.abyayala.red
+    nodo: qi.comun
+#    force_https: yes