feat: servidor de testing

bifurca de #issue42 en que ya estan parametrizadas zones y asi

DNS_ARCHITECTURE.md

@@ -1,162 +0,0 @@
-# Arquitectura DNS y Validación ACME
-
-Este documento explica cómo funciona el sistema DNS distribuido y la validación de certificados SSL para dominios FQDN.
-
-## Componentes DNS
-
-### 1. Servidores Knot (Autoritativos Remotos)
-
-**Ubicación:** `anarres.sutty.nl`, `athshe.sutty.nl`, `gethen.sutty.nl`, `ganam.sutty.nl`
-
-**Función:** DNS autoritativo real para:
-- Zona `abyaya.la`
-- Zonas FQDN (ej: `latina.red`, `example.com.ar`)
-
-**Actualización:** Via `knsupdate` ejecutado desde el proxy
-
-### 2. Proxy (Hetzner: 5.161.236.18)
-
-**Servicios DNS en diferentes IPs:**
-
-| Servicio | IP | Puerto | Función |
-|----------|-------|--------|---------|
-| **dnsmasq** | `10.13.12.1` + `127.0.0.1` | 53 | DNS cache/resolver para VPN interna |
-| **certbot dns-standalone** | `5.161.236.18` | 53 | DNS temporal para validación ACME |
-
-**No hay conflicto de puertos** porque usan IPs diferentes en la misma máquina.
-
-## Flujo de Validación ACME para Dominios FQDN
-
-### Ejemplo: Certificado para `kipu.latina.red`
-
-#### Paso 1: knsupdate configura delegación en Knot
-
-Cuando se despliega un servicio con FQDN, `knsupdate` crea estos registros en los servidores Knot:
-
-```dns
-; En zona latina.red
-kipu.latina.red                    IN A     5.161.236.18
-*.kipu.latina.red                  IN A     5.161.236.18
-_acme-challenge.kipu.latina.red    IN CNAME abyaya.la.
-_acme-challenge.kipu.latina.red    IN NS    _acme-challenge.abyaya.la.
-
-; En zona abyaya.la
-_acme-challenge.abyaya.la          IN A     5.161.236.18
-_acme-challenge                    IN NS    _acme-challenge.abyaya.la.
-```
-
-**Propósito de la delegación:**
-- El CNAME redirige la validación a `abyaya.la`
-- El NS delega la autoridad a `_acme-challenge.abyaya.la`
-- Que apunta al proxy donde certbot corre
-
-#### Paso 2: Certbot obtiene/renueva certificado
-
-```bash
-docker run --rm \
-  -v abyayala_certs_data:/etc/letsencrypt \
-  --network host \
-  numericalatina/certbot-wildcard \
-  certonly --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 \
-  -d kipu.latina.red -d *.kipu.latina.red
-```
-
-**Certbot:**
-1. Levanta un servidor DNS temporal en `5.161.236.18:53`
-2. Crea el registro TXT con el token de validación
-3. Notifica a Let's Encrypt que está listo
-
-#### Paso 3: Let's Encrypt valida
-
-```
-Let's Encrypt consulta: _acme-challenge.kipu.latina.red
-   ↓ Consulta a nameservers de latina.red (Knot)
-   ↓ Knot responde con CNAME
-
-Redirigido a: _acme-challenge.abyaya.la
-   ↓ Consulta delegación NS
-   ↓ Knot indica: usar nameserver _acme-challenge.abyaya.la
-
-Consulta directa a: 5.161.236.18:53
-   ↓ certbot dns-standalone responde
-   ↓ Proporciona el token TXT
-
-✓ Validación exitosa
-```
-
-## Configuración Requerida en DNS Externo
-
-Para que un dominio FQDN externo (no `.abyaya.la`) pueda delegar la validación ACME al proxy, es necesario agregar estos registros en el DNS del dominio:
-
-```dns
-_acme-challenge IN CNAME abyaya.la.
-_acme-challenge IN NS _acme-challenge.abyaya.la.
-```
-
-**Ejemplo para `kipu.latina.red`:**
-```dns
-; En el DNS de latina.red
-_acme-challenge.kipu IN CNAME abyaya.la.
-_acme-challenge.kipu IN NS _acme-challenge.abyaya.la.
-```
-
-Esto se hace **una sola vez por dominio** y permite que todos los subdominios deleguen automáticamente.
-
-## Renovación Automática
-
-La renovación de certificados funciona automáticamente porque:
-
-1. ✅ **Delegación persistente**: Los registros `_acme-challenge` ya están en Knot
-2. ✅ **Cron configurado**: Se ejecuta los días 4 y 18 de cada mes
-3. ✅ **Sin conflictos**: dnsmasq y certbot usan IPs diferentes
-4. ✅ **Mismo método**: `certbot renew` usa dns-standalone automáticamente
-
-```yaml
-# Configurado en roles/certbot/tasks/main.yml
-- name: automatic letsencrypt certs renewal
-  cron:
-    name: certificate renewal
-    day: 4,18
-    hour: 0
-    minute: 0
-    job: "docker run --rm -v abyayala_certs_data:/etc/letsencrypt --network host numericalatina/certbot-wildcard renew --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 >> /var/log/renewal.log 2>&1"
-```
-
-## Ventajas de esta Arquitectura
-
-1. **Centralizada**: Un solo proxy maneja validación ACME para todos los dominios
-2. **Segura**: No requiere credenciales API de proveedores DNS externos
-3. **Flexible**: Soporta dominios `.abyaya.la` y FQDN externos
-4. **Automatizada**: Renovación sin intervención manual
-5. **Escalable**: Agregar nuevos dominios solo requiere actualizar `abyayala.yml`
-
-## Troubleshooting
-
-### Verificar delegación DNS
-
-```bash
-# Verificar CNAME
-dig _acme-challenge.kipu.latina.red CNAME
-
-# Verificar NS delegation
-dig _acme-challenge.kipu.latina.red NS
-
-# Probar resolución completa
-dig @5.161.236.18 _acme-challenge.kipu.latina.red TXT
-```
-
-### Ver logs de renovación
-
-```bash
-tail -f /var/log/renewal.log
-```
-
-### Probar renovación manualmente
-
-```bash
-docker run --rm \
-  -v abyayala_certs_data:/etc/letsencrypt \
-  --network host \
-  numericalatina/certbot-wildcard \
-  renew --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 --dry-run
-```

README-root-domain.md

@@ -1,99 +0,0 @@
-# Plan: Añadir Soporte para Dominio Principal www.abyaya.la
-
-## Objetivo
-Habilitar que el dominio raíz `abyaya.la` y `www.abyaya.la` apunten al servidor `sutty.comun`, mientras se mantienen funcionando todos los subdominios existentes (ej: `sutty.abyaya.la`, `marmite.abyaya.la`).
-
-## Estrategia de Desarrollo
-
-### Rama Tópica
-Los cambios se implementarán en esta rama tópica:
-- **Nombre de rama**: `root-domain`
-- **Bifurcada desde**: `master`
-
-## Contexto Técnico
-
-### Arquitectura Actual
-- **Certificados**: Cada servicio en `abyayala.yml` con `domains` + `nodo` genera un certificado con certbot: `-d DOMAIN -d *.DOMAIN`
-- **Patron actual**: Todos los dominios siguen el patrón `subdomain.abyaya.la` (ej: `sutty.abyaya.la`)
-
-### Decisión de Diseño
-Crear un **servicio separado** para el dominio raíz con un nuevo flag `root: yes` que indica a certbot que NO solicite el certificado wildcard. Esto mantiene limpia la separación de responsabilidades:
-- Servicio `sutty`: maneja `sutty.abyaya.la` y `*.sutty.abyaya.la`
-- Servicio `abyaya_root`: maneja únicamente `abyaya.la` y `www.abyaya.la` (sin wildcard)
-
-## Cambios Implementados
-
-### 1. `roles/certbot/tasks/certbot.yml`
-- Lee el flag `root` del servicio y lo mapea a variable `is_root_domain`
-- Dividido el bloque de certificados en dos tareas condicionales:
-  - Modo estándar (con wildcard): para subdominios (`when: not is_root_domain`)
-  - Modo sin wildcard: para dominios raíz (`when: is_root_domain`)
-
-### 2. `roles/proxy/templates/vhost.conf`
-- Agregado condicional para manejar flag `root`
-- Cuando `root: yes`: genera `server_name` sin punto prefijo (exacto)
-- Cuando `root: no` (default): genera `server_name .domain` (con wildcard)
-
-### 3. `abyayala.yml`
-- Agregado servicio `abyaya_root` con:
-  - Dominios: `abyaya.la` y `www.abyaya.la`
-  - Enrutamiento a: `sutty.comun`
-  - Flag: `root: yes`
-  - HTTPS forzado y compresión habilitada
-
-## Comandos de Despliegue
-
-### Despliegue completo
-```bash
-ansible-playbook deploy.yml -e "alt=abyayala host=hetzner"
-```
-
-### Despliegue solo del servicio nuevo (para testing)
-```bash
-ansible-playbook deploy.yml -e "alt=abyayala host=hetzner service=abyaya_root"
-```
-
-## Verificación Post-Despliegue
-
-### 1. Verificar certificado
-```bash
-ssh root@hetzner
-ls -la /var/lib/docker/volumes/abyayala_certs_data/_data/live/abyaya.la/
-docker run --rm -v abyayala_certs_data:/etc/letsencrypt certbot/certbot certificates | grep abyaya.la
-```
-
-Debe contener: `abyaya.la`, `www.abyaya.la` (SIN `*.abyaya.la`)
-
-### 2. Verificar nginx
-```bash
-cat /opt/abyayala/proxy/vhosts/abyaya.la.conf
-docker exec abyayala_proxy nginx -t
-```
-
-### 3. Verificar enrutamiento
-```bash
-curl -I http://abyaya.la        # Debe redirigir a HTTPS
-curl -I https://abyaya.la       # Debe devolver 200 OK
-curl -I https://www.abyaya.la   # Debe devolver 200 OK
-```
-
-### 4. Verificar subdominios siguen funcionando
-```bash
-curl -I https://sutty.abyaya.la
-curl -I https://marmite.abyaya.la
-```
-
-## Requisitos DNS
-
-Antes del despliegue, configurar:
-```
-abyaya.la       A     <IP-del-proxy>
-www.abyaya.la   A     <IP-del-proxy>
-```
-
-## Extensibilidad Futura
-
-Este patrón `root: yes` puede reutilizarse para otros dominios raíz:
-1. Agregar entrada en `abyayala.yml` con `root: yes`
-2. Desplegar con ansible-playbook
-3. Configurar DNS

abyayala.yml

@@ -59,7 +59,6 @@ matrix:
       - samatuun
       - kaasavi
       - llavero
-      - deabajo
 
   - service_name: respaldos
     domains:
@@ -166,15 +165,6 @@ matrix:
     force_https: yes
     enable_compression: yes
 
-  - service_name: abyaya_root
-    domains:
-      - abyaya.la
-      - www.abyaya.la
-    nodo: sutty.comun
-    force_https: yes
-    enable_compression: yes
-    root: yes
-
   - service_name: mexe
     domains:
       - mexe.abyaya.la
@@ -214,14 +204,10 @@ matrix:
 
   - service_name: kipu
     domains:
-#      - abyaya.la
-#      - www.abyaya.la
       - kipu.latina.red
     nodo: kipu.comun
     ports:
       - 223
-    ssl: yes
-#    root: yes
 
   - service_name: carabobolibre
     domains:
@@ -245,10 +231,4 @@ matrix:
     domains:
       - llavero.abyaya.la
     nodo: llavero.comun
-    force_https: yes
-
-  - service_name: deabajo
-    domains:
-      - deabajo.abyaya.la
-    nodo: deabajo.comun
-    force_https: yes
+    force_https: yes

group_vars/hetzner/vars

@@ -1,3 +1,5 @@
 host_ip: 5.161.236.18
+main_zone: abyaya.la
+vpn_name: comun
 proxy_scale: 2
 domains_default_force_https: yes

group_vars/testing/vars

@@ -1 +1,2 @@
 host_ip: 157.180.114.62
+main_zone: abyayala.red

roles/althost/tasks/main.yml

@@ -1,16 +1,6 @@
     # DOCKER CE this is specific for Debian
     # https://docs.docker.com/install/linux/docker-ce/debian/
     # Soporta Debian 12 (bookworm) y Debian 13 (trixie)
-
-    # Clean up conflicting Docker repositories first (always runs, even with --skip-tags=installation)
-    - name: remove old docker repository files to avoid APT conflicts
-      file:
-        path: "{{ item }}"
-        state: absent
-      loop:
-        - /etc/apt/sources.list.d/docker.list
-        - /etc/apt/sources.list.d/download_docker_com_linux_debian.list
-
     - block:
       - name: "unattended upgrades"
         apt:

roles/certbot/tasks/certbot.yml

@@ -10,55 +10,33 @@
       register: vhost_stat
 
     - set_fact:
-        needs_cert: "{{ ((loop.ssl | default(domains_default_ssl) | bool) or (loop.force_https | default(domains_default_force_https) | bool)) | bool }}"
-
-    - set_fact:
-        needs_vhost: "{{ (needs_cert | bool and not vhost_stat.stat.exists) | bool }}"
-        obtain_cert: "{{ (needs_cert | bool and not ssl_cert.stat.exists) | bool }}"
+        needs_cert: (loop.ssl | default(domains_default_ssl) ) or (loop.force_https | default(domains_default_force_https))
+        needs_vhost: needs_cert and not vhost_stat.stat.exists
+        obtain_cert: needs_cert and not ssl_cert.stat.exists
 
     - name: certificate obtention
       block:
         - set_fact:
             vhost: "{{ loop }}"
 
-        - set_fact:
-            is_root_domain: "{{ loop.root | default(false) | bool }}"
-
-        - name: fetch certificate with certbot container (with wildcard)
+        - name: fetch certificate with certbot container
           docker_container:
             name: chencriptemos
             image: "{{ CERTBOT_image }}"
             state: started
             volumes:
               - "{{ althost }}_certs_data:/etc/letsencrypt"
-            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
+            command: "--non-interactive --agree-tos --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
             detach: no
             cleanup: yes
-            ports:
+            ports: 
               - "{{ host_ip }}:53:53/tcp"
               - "{{ host_ip }}:53:53/udp"
           notify:
             - reload proxy
           register: cert_result
-          when: not is_root_domain | bool
 
-        - name: fetch certificate with certbot container (without wildcard, root domain - using webroot)
-          docker_container:
-            name: chencriptemos
-            image: certbot/certbot:latest
-            state: started
-            volumes:
-              - "{{ althost }}_certs_data:/etc/letsencrypt"
-              - "{{ althost }}_certbot_webroot:{{ certbot_webroot }}"
-            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --webroot --webroot-path {{ certbot_webroot }} {% for domain in loop.domains %} -d {{ domain }} {% endfor %}"
-            detach: no
-            cleanup: yes
-          notify:
-            - reload proxy
-          register: cert_result
-          when: is_root_domain | bool
-
-      when: obtain_cert | bool
+      when: obtain_cert
 
     # RESET
     - set_fact:

roles/certbot/tasks/main.yml

@@ -30,13 +30,14 @@
         env: yes
         value: /bin/bash
 
-    - name: automatic letsencrypt certs renewal
-      cron:
-        name: certificate renewal
-        day: 4,18
-        hour: 0
-        minute: 0
-        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --log-driver=journald"
+# TODO
+#    - name: automatic letsencrypt certs renewal
+#      cron:
+#        name: certificate renewal
+#        day: 4,18
+#        hour: 0
+#        minute: 0
+#        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt -v {{ althost }}_certs_www:/var/www/letsencrypt certbot/certbot renew >> /var/log/renewal.log 2>&1"
 
     - name: proxy update, after certs renewal
       cron:

roles/dnsmasq/tasks/main.yml

@@ -2,12 +2,14 @@
       apt:
         name: dnsmasq
         state: present
+
     - name: configuracion de red comun
       template:
         src: dnsmasq.conf
         dest: "/etc/dnsmasq.conf"
       notify:
         - restart dnsmasq
+
     - name: activar el servicio
       systemd_service:
         name: dnsmasq

roles/dnsmasq/templates/dnsmasq.conf

@@ -74,8 +74,8 @@ resolv-file=/etc/resolv.local
 
 # Add local-only domains here, queries in these domains are answered
 # from /etc/hosts or DHCP only.
-local=/comun/
-domain=comun
+local=/{{ vpn_name }}/
+domain={{ vpn_name }}
 
 # Add domains which you want to force to an IP address here.
 # The example below send any host in double-click.net to a local
@@ -117,7 +117,7 @@ domain=comun
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
-interface=comun
+interface={{ vpn_name }}
 # Or you can specify which interface _not_ to listen on
 except-interface=eth0
 # Or which to listen on by address (remember to include 127.0.0.1 if

roles/firewall/templates/rules.v4.j2

@@ -6,7 +6,7 @@
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -i comun -j ACCEPT
+-A INPUT -i {{ vpn_name }} -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

roles/knsupdate/files/dns_extras/pilmaiken.abyaya.la

@@ -1,8 +0,0 @@
-del pilmaiken mx
-del pilmaiken txt
-del pilmaiken spf
-add pilmaiken mx 10 correspondencia.latina.red.
-add pilmaiken txt "v=spf1 mx a:correspondencia.latina.red -all"
-add pilmaiken spf "v=spf1 mx a:correspondencia.latina.red -all"
-add dkim._domainkey.pilmaiken txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6JwPaawDzMXuscSgDpvipRFLGXSqgmvvI6jk18lcg0kK2lfxsvXGJ/6U7oCtKa35IEVzdigxD0o7DzklKxAsNIVbcExPJkFWzQuKuP6ATBESo7YUn7Z5qjfxBiNPS0FJp8XpbpUzN+zg/NTgmkggnwwC0tKgcEQ6HnI9AOa1LQIDAQAB"
-add _dmarc.pilmaiken txt "v=DMARC1; p=reject; rua=mailto:postmaster@correspondencia.latina.red; ruf=mailto:postmaster@correspondencia.latina.red; adkim=s; aspf=s"

roles/knsupdate/tasks/main.yml

@@ -2,6 +2,5 @@
       apt:
         name: "knot-dnsutils"
         state: "present"
-      tags: installation
-
+    
     - include_tasks: loop.yml

roles/knsupdate/tasks/templates/commands.j2

@@ -1,31 +1,24 @@
 {% for dns_server in dns_servers %}
-
 server {{ dns_server }}
 zone {{ zone }}
 origin {{ zone }}
 ttl 60
-
 del {{ hostname }} a
 del {{ hostname }} ns
 add {{ hostname }} a {{ host_ip }}
-
-{% if hostname != '@' and hostname != 'www' %}
+{% if is_abyayala_subdomain %}
 add *.{{ hostname }} a {{ host_ip }}
 {% else %}
 add {{ domain }} a {{ host_ip }}
 add *.{{ domain }} a {{ host_ip }}
 {% endif %}
-
-{% if hostname == '@' %}
-add _acme-challenge a {{ host_ip }}
-add _acme-challenge ns _acme-challenge
-{% else %}
 add _acme-challenge.{{ hostname }} a {{ host_ip }}
 add _acme-challenge.{{ hostname }} ns _acme-challenge
+{% if vhost.dns_extras is defined %}
+{% for dns_extra in vhost.dns_extras %}
+{{ dns_extra }}
+{% endfor %}
 {% endif %}
-
-{% include "files/dns_extras/" ~ vhost.domains[0] ignore missing %}
-
 send
 {% endfor %}
 quit

roles/knsupdate/tasks/templates/dns_info.j2

@@ -1,21 +0,0 @@
-
-========================================
-Configuracion de DNS requerida: {{ domain }}
-========================================
-Por favor configue los siguiente registros DNS en su proveedor:
-
-{% if hostname == '@' %}
-{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
-*.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
-
-_acme-challenge.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ zone | regex_replace('\\.$', '') }}.
-ns-acme.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
-{% else %}
-{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
-*.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
-
-_acme-challenge.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}.
-ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
-{% endif %}
-
-========================================

roles/knsupdate/tasks/update.yml

@@ -2,4 +2,4 @@
       include_tasks: update_domain.yml
       with_items: "{{ vhost.domains }}"
       loop_control:
-        loop_var: domain
+        loop_var: domain

roles/knsupdate/tasks/update_domain.yml

@@ -1,10 +1,10 @@
     - set_fact:
-        is_abyayala_subdomain: "{{ domain.endswith('.abyaya.la') }}"
+        is_abyayala_subdomain: "{{ domain.endswith('.' ~ main_zone) }}"
 
-    - name: extract zone and hostname for abyaya.la subdomains
+    - name: extract zone and hostname for main zone subdomains
       set_fact:
-        zone: "abyaya.la."
-        hostname: "{{ domain | regex_replace('([a-z0-9-]+)\\.abyaya\\.la', '\\1') }}"
+        zone: "{{ main_zone ~ '.' }}"
+        hostname: "{{ domain | regex_replace('([a-z0-9-]+)\\.' ~ main_zone|regex_escape , '\\1') }}"
       when: is_abyayala_subdomain
 
     - name: split domain into parts
@@ -29,14 +29,10 @@
         zone: "{{ domain_parts[-2:] | join('.') }}."
         hostname: "{{ domain_parts[:-2] | join('.') if domain_parts | length > 2 else '@' }}"
       when: not is_abyayala_subdomain and not uses_compound_tld
+    - debug:
+        msg: "{{ lookup('template', 'templates/commands.j2') }}"
 
     - name: knsupdate for this domain
       shell: knsupdate
       args:
         stdin: "{{ lookup('template', 'templates/commands.j2') }}"
-      when: is_abyayala_subdomain
-
-    - name: display DNS configuration instructions for external domains
-      debug:
-        msg: "{{ lookup('template', 'templates/dns_info.j2') }}"
-      when: not is_abyayala_subdomain

roles/proxy/tasks/main.yml

@@ -11,13 +11,12 @@
       tags: certbot
 
     - name: configuration paths
-      file: path={{ comun }} state=directory
+      file: path={{ abc }} state=directory
       with_items:
         - "{{ stream_path }}"
         - "{{ conf_path }}"
-        - "{{ certbot_webroot }}"
       loop_control:
-        loop_var: comun
+        loop_var: abc
 
     - name: virtual hosts path
       file: path={{ vhosts_path }} state=directory
@@ -33,7 +32,6 @@
         - common.conf
         - common_ssl.conf
         - nginx.conf
-        - acme_challenge.conf
       loop_control:
         loop_var: common
 
@@ -47,16 +45,13 @@
           loop_control:
             loop_var: domino
 
-        - name: ensure abyaya.la subdomain is always first in domains list
+        - name: add default main zone subdomain if not present
           set_fact:
             matrix_loop_with_defaults: "{{ matrix_loop_with_defaults | default([]) | union([ item_with_default ]) }}"
           vars:
-            existing_abyayala_domains: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list }}"
-            has_abyayala_domain: "{{ existing_abyayala_domains | length > 0 }}"
-            default_domain: "{{ item.service_name }}.abyaya.la"
-            other_domains: "{{ item.domains | reject('match', '.*\\.abyaya\\.la$') | list }}"
-            abyayala_domain_to_use: "{{ existing_abyayala_domains[0] if has_abyayala_domain else default_domain }}"
-            domains_with_default: "{{ [abyayala_domain_to_use] + other_domains }}"
+            has_abyayala_domain: "{{ item.domains | select('match', '.*\\.' ~ (main_zone | regex_escape) ~ '$') | list | length > 0 }}"
+            default_domain: "{{ item.service_name ~ '.' ~ main_zone }}"
+            domains_with_default: "{{ item.domains + [default_domain] if not has_abyayala_domain else item.domains }}"
             item_with_default: "{{ item | combine({'domains': domains_with_default}) }}"
           with_items: "{{ matrix_loop | default([]) }}"
 

roles/proxy/templates/acme_challenge.conf

@@ -1,25 +0,0 @@
-# Let's Encrypt ACME challenge configuration
-# This configuration serves the .well-known/acme-challenge directory
-# for HTTP-01 validation when using webroot method
-
-location ^~ /.well-known/acme-challenge/ {
-    # Serve files from the certbot webroot
-    root {{ certbot_webroot }};
-
-    # Allow access to challenge files
-    allow all;
-
-    # Ensure plain text content type
-    default_type "text/plain";
-
-    # Disable any authentication
-    auth_basic off;
-
-    # Serve the challenge file directly
-    try_files $uri =404;
-}
-
-# Deny access to other .well-known paths for security
-location ~ /\.well-known/ {
-    deny all;
-}

roles/proxy/templates/services.yml

@@ -19,4 +19,3 @@
       - "certs_data:{{ nginx_certs_path }}:ro"
       - "{{ conf_path }}/nginx.conf:/etc/nginx/nginx.conf:ro"
       - "{{ stream_path }}:/etc/nginx/stream.d/"
-      - "certbot_webroot:{{ certbot_webroot }}"

roles/proxy/templates/stream.conf

@@ -5,11 +5,7 @@ upstream ssh_{{ vhost.nodo | replace(".", "") }} {
 server {
     listen {{ vhost.ports[0] }};
 
-    {% if vhost.root | default(false) %}
-    server_name {{ vhost.domains | join(' ') }};
-    {% else %}
-    server_name .{{ vhost.domains | join(' .') }};
-    {% endif %}
+    server_name  {{ vhost.service_name }}.{{ main_zone }};
 
     proxy_pass ssh_{{ vhost.nodo | replace(".", "") }};
 }

roles/proxy/templates/vhost.conf

@@ -1,31 +1,18 @@
 map $http_host $comun_{{ vhost.nodo | replace(".", "") }} {
     hostnames;
     {% for domain in vhost.domains %}
-    {% if vhost.root | default(false) %}
-    {{ domain }} {{ vhost.nodo }};
-    {% else %}
     .{{ domain }} {{ vhost.nodo }};
-    {% endif %}
     {% endfor %}
 }
 
 server {
-    {% if vhost.root | default(false) %}
-    server_name {{ vhost.domains | join(' ') }};
-    {% else %}
     server_name .{{ vhost.domains | join(' .') }};
-    {% endif %}
 
     listen 80;
 
     resolver 10.13.12.1 valid=300s;
     resolver_timeout 5s;
 
-{% if vhost.root | default(false) %}
-    # ACME challenge for HTTP-01 validation (webroot method for root domains)
-    include conf/acme_challenge.conf;
-{% endif %}
-
 {% if not needs_vhost and ((vhost.ssl | default(domains_default_ssl) ) or (vhost.force_https | default(domains_default_force_https))) %}
     listen 443 ssl;
 

roles/proxy/templates/volumes.yml

@@ -1,2 +1 @@
   certs_data:
-  certbot_webroot:

roles/proxy/vars/main.yml

@@ -15,4 +15,3 @@ default_stream: roles/proxy/templates/stream.conf
 # certbot
 webmaster_email: webmaster@numerica.cl
 CERTBOT_image: numericalatina/certbot-wildcard
-certbot_webroot: /var/www/certbot

roles/rap/tasks/client.yml

@@ -28,11 +28,11 @@
         cmd: "./rap init -i {{ nodo }}"
         chdir: "{{ rap_path }}/rap"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"
 
     - name: instalar el nodo
       shell: 
         cmd: "./rap install -v {{ nodo }}"
         chdir: "{{ rap_path }}/rap"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"

roles/rap/tasks/main.yml

@@ -24,9 +24,9 @@
         cmd: "./rap add-host {{ althost }} {{ nod }}"
         chdir: "{{ rap_path }}"
       args:
-        creates: "{{ rap_path }}/networks/comun/abyayala/hosts/{{ nod }}"
+        creates: "{{ rap_path }}/networks/{{ vpn_name }}/abyayala/hosts/{{ nod }}"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"
       with_items: "{{ item.nodos }}"
       loop_control:
         loop_var: nod
@@ -36,4 +36,4 @@
         cmd: "./rap install -v {{ althost }}"
         chdir: "{{ rap_path }}"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"