Merge branch 'master' into feat-cert-auto-renewal

Reviewed-on: #76

README-root-domain.md

@@ -0,0 +1,99 @@
+# Plan: Añadir Soporte para Dominio Principal www.abyaya.la
+
+## Objetivo
+Habilitar que el dominio raíz `abyaya.la` y `www.abyaya.la` apunten al servidor `sutty.comun`, mientras se mantienen funcionando todos los subdominios existentes (ej: `sutty.abyaya.la`, `marmite.abyaya.la`).
+
+## Estrategia de Desarrollo
+
+### Rama Tópica
+Los cambios se implementarán en esta rama tópica:
+- **Nombre de rama**: `root-domain`
+- **Bifurcada desde**: `master`
+
+## Contexto Técnico
+
+### Arquitectura Actual
+- **Certificados**: Cada servicio en `abyayala.yml` con `domains` + `nodo` genera un certificado con certbot: `-d DOMAIN -d *.DOMAIN`
+- **Patron actual**: Todos los dominios siguen el patrón `subdomain.abyaya.la` (ej: `sutty.abyaya.la`)
+
+### Decisión de Diseño
+Crear un **servicio separado** para el dominio raíz con un nuevo flag `root: yes` que indica a certbot que NO solicite el certificado wildcard. Esto mantiene limpia la separación de responsabilidades:
+- Servicio `sutty`: maneja `sutty.abyaya.la` y `*.sutty.abyaya.la`
+- Servicio `abyaya_root`: maneja únicamente `abyaya.la` y `www.abyaya.la` (sin wildcard)
+
+## Cambios Implementados
+
+### 1. `roles/certbot/tasks/certbot.yml`
+- Lee el flag `root` del servicio y lo mapea a variable `is_root_domain`
+- Dividido el bloque de certificados en dos tareas condicionales:
+  - Modo estándar (con wildcard): para subdominios (`when: not is_root_domain`)
+  - Modo sin wildcard: para dominios raíz (`when: is_root_domain`)
+
+### 2. `roles/proxy/templates/vhost.conf`
+- Agregado condicional para manejar flag `root`
+- Cuando `root: yes`: genera `server_name` sin punto prefijo (exacto)
+- Cuando `root: no` (default): genera `server_name .domain` (con wildcard)
+
+### 3. `abyayala.yml`
+- Agregado servicio `abyaya_root` con:
+  - Dominios: `abyaya.la` y `www.abyaya.la`
+  - Enrutamiento a: `sutty.comun`
+  - Flag: `root: yes`
+  - HTTPS forzado y compresión habilitada
+
+## Comandos de Despliegue
+
+### Despliegue completo
+```bash
+ansible-playbook deploy.yml -e "alt=abyayala host=hetzner"
+```
+
+### Despliegue solo del servicio nuevo (para testing)
+```bash
+ansible-playbook deploy.yml -e "alt=abyayala host=hetzner service=abyaya_root"
+```
+
+## Verificación Post-Despliegue
+
+### 1. Verificar certificado
+```bash
+ssh root@hetzner
+ls -la /var/lib/docker/volumes/abyayala_certs_data/_data/live/abyaya.la/
+docker run --rm -v abyayala_certs_data:/etc/letsencrypt certbot/certbot certificates | grep abyaya.la
+```
+
+Debe contener: `abyaya.la`, `www.abyaya.la` (SIN `*.abyaya.la`)
+
+### 2. Verificar nginx
+```bash
+cat /opt/abyayala/proxy/vhosts/abyaya.la.conf
+docker exec abyayala_proxy nginx -t
+```
+
+### 3. Verificar enrutamiento
+```bash
+curl -I http://abyaya.la        # Debe redirigir a HTTPS
+curl -I https://abyaya.la       # Debe devolver 200 OK
+curl -I https://www.abyaya.la   # Debe devolver 200 OK
+```
+
+### 4. Verificar subdominios siguen funcionando
+```bash
+curl -I https://sutty.abyaya.la
+curl -I https://marmite.abyaya.la
+```
+
+## Requisitos DNS
+
+Antes del despliegue, configurar:
+```
+abyaya.la       A     <IP-del-proxy>
+www.abyaya.la   A     <IP-del-proxy>
+```
+
+## Extensibilidad Futura
+
+Este patrón `root: yes` puede reutilizarse para otros dominios raíz:
+1. Agregar entrada en `abyayala.yml` con `root: yes`
+2. Desplegar con ansible-playbook
+3. Configurar DNS

abyayala.yml

@@ -14,7 +14,6 @@ matrix:
     roles:
       - rap
     nodos:
-      - llavero
       - marmite
       - nodochasqui
       - yanapak
@@ -59,6 +58,8 @@ matrix:
       - carabobolibre
       - samatuun
       - kaasavi
+      - llavero
+      - deabajo
 
   - service_name: respaldos
     domains:
@@ -165,6 +166,15 @@ matrix:
     force_https: yes
     enable_compression: yes
 
+  - service_name: abyaya_root
+    domains:
+      - abyaya.la
+      - www.abyaya.la
+    nodo: sutty.comun
+    force_https: yes
+    enable_compression: yes
+    root: yes
+
   - service_name: mexe
     domains:
       - mexe.abyaya.la
@@ -204,11 +214,14 @@ matrix:
 
   - service_name: kipu
     domains:
+#      - abyaya.la
+#      - www.abyaya.la
       - kipu.latina.red
     nodo: kipu.comun
-    ssl: no
     ports:
       - 223
+    ssl: yes
+#    root: yes
 
   - service_name: carabobolibre
     domains:
@@ -227,3 +240,15 @@ matrix:
       - kaasavi.abyaya.la
     nodo: kaasavi.comun
     force_https: yes
+
+  - service_name: llavero
+    domains:
+      - llavero.abyaya.la
+    nodo: llavero.comun
+    force_https: yes
+
+  - service_name: deabajo
+    domains:
+      - deabajo.abyaya.la
+    nodo: deabajo.comun
+    force_https: yes

group_vars/testing/vars

@@ -0,0 +1 @@
+host_ip: 157.180.114.62

hosts.production

@@ -1,5 +1,5 @@
 [localhost]
-127.0.0.1
+127.0.0.1 ansible_connection=local
 
 [hetzner]
 5.161.236.18
@@ -11,3 +11,9 @@ ansible_ssh_user=root
 sutty.nl
 
 [sutty:vars]
+
+[testing]
+157.180.114.62
+
+[testing:vars]
+ansible_ssh_user=root

roles/althost/tasks/compose.yml

@@ -1,13 +1,13 @@
     - name: check if service volumes exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/volumes.yml"
+      delegate_to: localhost
       register: volumes_def
 
     - name: check if service networks exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/networks.yml"
+      delegate_to: localhost
       register: networks_def
 
     - set_fact:
@@ -22,53 +22,53 @@
       when: networks_def.stat.exists
 
     - name: define services in local composition
-      local_action:
-        module: blockinfile
+      blockinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "services:"
         marker: "# {mark} {{ service_name|upper }}"
         block: "{{ services_content }}"
+      delegate_to: localhost
       changed_when: false
 
     - name: define volumes in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# volumenes compartidos"
         line: "volumes: #"
         state: present
         regexp: "volumes: #"
+      delegate_to: localhost
       when: volumes_def.stat.exists
       changed_when: false
 
     - name: define volumes content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "volumes: #"
         line: "{{ volumes_content }}"
         state: present
         regexp: "{{ volumes_content }}"
+      delegate_to: localhost
       when: volumes_content is defined
       changed_when: false
 
     - name: define networks in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# redes compartidas"
         line: "networks: #"
         state: present
         regexp: "networks: #"
+      delegate_to: localhost
       when: networks_def.stat.exists
       changed_when: false
 
     - name: define networks content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "networks: #"
         line: "{{ networks_content }}"
         state: present
+      delegate_to: localhost
       when: networks_content is defined
       changed_when: false

roles/althost/tasks/main.yml

@@ -1,28 +1,56 @@
     # DOCKER CE this is specific for Debian
     # https://docs.docker.com/install/linux/docker-ce/debian/
+    # Soporta Debian 12 (bookworm) y Debian 13 (trixie)
+
+    # Clean up conflicting Docker repositories first (always runs, even with --skip-tags=installation)
+    - name: remove old docker repository files to avoid APT conflicts
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /etc/apt/sources.list.d/docker.list
+        - /etc/apt/sources.list.d/download_docker_com_linux_debian.list
+
     - block:
       - name: "unattended upgrades"
         apt:
           name: "unattended-upgrades"
           state: "present"
-              
+
       - name: required packages
         apt:
-          name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common', 'python3-pip']
+          name: ['ca-certificates', 'curl', 'python3-pip']
           state: present
 
-      - name: docker signing key
-        apt_key:
+      - name: create keyrings directory
+        file:
+          path: /etc/apt/keyrings
+          state: directory
+          mode: '0755'
+
+      - name: download docker gpg key
+        get_url:
           url: https://download.docker.com/linux/debian/gpg
-          state: present
-        
-      - name: docker apt repository
-        apt_repository:
-          repo: deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable
+          dest: /etc/apt/keyrings/docker.asc
+          mode: '0644'
 
-      - name: install docker community edition
+      - name: add docker repository with deb822 format
+        deb822_repository:
+          name: docker
+          types: [deb]
+          uris: https://download.docker.com/linux/debian
+          suites: ["{{ ansible_distribution_release }}"]
+          components: [stable]
+          architectures: [amd64]
+          signed_by: /etc/apt/keyrings/docker.asc
+
+      - name: install docker community edition and compose plugin
         apt:
-          name: docker-ce
+          name:
+            - docker-ce
+            - docker-ce-cli
+            - containerd.io
+            - docker-compose-plugin
           update_cache: yes
 
       - name: is node already in swarm mode
@@ -48,23 +76,11 @@
           state: present
 
       # ansible-docker requirements
-      - name: python package docker-py is deprecated
-        pip:
-          name: docker-py
-          state: absent
-          break_system_packages: true
-
-      - name: ensure python package docker is present
-        pip:
-          name: docker
+      # Use system packages instead of pip to avoid break_system_packages
+      - name: ensure python3-docker package is present
+        apt:
+          name: python3-docker
           state: present
-          break_system_packages: true
-
-      - name: ensure python package docker-compose is present
-        pip:
-          name: docker-compose
-          state: present
-          break_system_packages: true
 
       tags: installation
 
@@ -74,16 +90,16 @@
         file: path={{ compose_path }} state=directory
       
       - name: make sure local compose path exists
-        local_action:
-          module: file
-          path: "{{ local_compose_path }}" 
+        file:
+          path: "{{ local_compose_path }}"
           state: directory
+        delegate_to: localhost
 
       - name: clean docker-compose.yml
-        local_action:
-          module: template
+        template:
           dest: "{{ local_compose_path }}/docker-compose.yml"
           src: roles/althost/templates/docker-compose.yml
+        delegate_to: localhost
         changed_when: false
 
       - name: execute roles per domain mapping

roles/certbot/tasks/certbot.yml

@@ -10,33 +10,55 @@
       register: vhost_stat
 
     - set_fact:
-        needs_cert: (loop.ssl | default(domains_default_ssl) ) or (loop.force_https | default(domains_default_force_https))
-        needs_vhost: needs_cert and not vhost_stat.stat.exists
-        obtain_cert: needs_cert and not ssl_cert.stat.exists
+        needs_cert: "{{ ((loop.ssl | default(domains_default_ssl) | bool) or (loop.force_https | default(domains_default_force_https) | bool)) | bool }}"
+
+    - set_fact:
+        needs_vhost: "{{ (needs_cert | bool and not vhost_stat.stat.exists) | bool }}"
+        obtain_cert: "{{ (needs_cert | bool and not ssl_cert.stat.exists) | bool }}"
 
     - name: certificate obtention
       block:
         - set_fact:
             vhost: "{{ loop }}"
 
-        - name: fetch certificate with certbot container
+        - set_fact:
+            is_root_domain: "{{ loop.root | default(false) | bool }}"
+
+        - name: fetch certificate with certbot container (with wildcard)
           docker_container:
             name: chencriptemos
             image: "{{ CERTBOT_image }}"
             state: started
             volumes:
               - "{{ althost }}_certs_data:/etc/letsencrypt"
-            command: "--non-interactive --agree-tos --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
+            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
             detach: no
             cleanup: yes
-            ports: 
+            ports:
               - "{{ host_ip }}:53:53/tcp"
               - "{{ host_ip }}:53:53/udp"
           notify:
             - reload proxy
           register: cert_result
+          when: not is_root_domain | bool
 
-      when: obtain_cert
+        - name: fetch certificate with certbot container (without wildcard, root domain - using webroot)
+          docker_container:
+            name: chencriptemos
+            image: certbot/certbot:latest
+            state: started
+            volumes:
+              - "{{ althost }}_certs_data:/etc/letsencrypt"
+              - "{{ althost }}_certbot_webroot:{{ certbot_webroot }}"
+            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --webroot --webroot-path {{ certbot_webroot }} {% for domain in loop.domains %} -d {{ domain }} {% endfor %}"
+            detach: no
+            cleanup: yes
+          notify:
+            - reload proxy
+          register: cert_result
+          when: is_root_domain | bool
+
+      when: obtain_cert | bool
 
     # RESET
     - set_fact:

roles/certbot/tasks/main.yml

@@ -36,7 +36,7 @@
         day: 4,18
         hour: 0
         minute: 0
-        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 >> /var/log/renewal.log 2>&1"
+        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --log-driver=journald"
 
     - name: proxy update, after certs renewal
       cron:

roles/knsupdate/files/dns_extras/pilmaiken.abyaya.la

@@ -0,0 +1,8 @@
+del pilmaiken mx
+del pilmaiken txt
+del pilmaiken spf
+add pilmaiken mx 10 correspondencia.latina.red.
+add pilmaiken txt "v=spf1 mx a:correspondencia.latina.red -all"
+add pilmaiken spf "v=spf1 mx a:correspondencia.latina.red -all"
+add dkim._domainkey.pilmaiken txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6JwPaawDzMXuscSgDpvipRFLGXSqgmvvI6jk18lcg0kK2lfxsvXGJ/6U7oCtKa35IEVzdigxD0o7DzklKxAsNIVbcExPJkFWzQuKuP6ATBESo7YUn7Z5qjfxBiNPS0FJp8XpbpUzN+zg/NTgmkggnwwC0tKgcEQ6HnI9AOa1LQIDAQAB"
+add _dmarc.pilmaiken txt "v=DMARC1; p=reject; rua=mailto:postmaster@correspondencia.latina.red; ruf=mailto:postmaster@correspondencia.latina.red; adkim=s; aspf=s"

roles/knsupdate/tasks/main.yml

@@ -2,5 +2,6 @@
       apt:
         name: "knot-dnsutils"
         state: "present"
-    
+      tags: installation
+
     - include_tasks: loop.yml

roles/knsupdate/tasks/templates/commands.j2

@@ -1,24 +1,31 @@
 {% for dns_server in dns_servers %}
+
 server {{ dns_server }}
 zone {{ zone }}
 origin {{ zone }}
 ttl 60
+
 del {{ hostname }} a
 del {{ hostname }} ns
 add {{ hostname }} a {{ host_ip }}
-{% if is_abyayala_subdomain %}
+
+{% if hostname != '@' and hostname != 'www' %}
 add *.{{ hostname }} a {{ host_ip }}
 {% else %}
 add {{ domain }} a {{ host_ip }}
 add *.{{ domain }} a {{ host_ip }}
 {% endif %}
+
+{% if hostname == '@' %}
+add _acme-challenge a {{ host_ip }}
+add _acme-challenge ns _acme-challenge
+{% else %}
 add _acme-challenge.{{ hostname }} a {{ host_ip }}
 add _acme-challenge.{{ hostname }} ns _acme-challenge
-{% if vhost.dns_extras is defined %}
-{% for dns_extra in vhost.dns_extras %}
-{{ dns_extra }}
-{% endfor %}
 {% endif %}
+
+{% include "files/dns_extras/" ~ vhost.domains[0] ignore missing %}
+
 send
 {% endfor %}
 quit

roles/knsupdate/tasks/templates/dns_info.j2

@@ -0,0 +1,21 @@
+
+========================================
+Configuracion de DNS requerida: {{ domain }}
+========================================
+Por favor configue los siguiente registros DNS en su proveedor:
+
+{% if hostname == '@' %}
+{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
+*.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
+
+_acme-challenge.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ zone | regex_replace('\\.$', '') }}.
+ns-acme.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
+{% else %}
+{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
+*.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
+
+_acme-challenge.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}.
+ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
+{% endif %}
+
+========================================

roles/knsupdate/tasks/update.yml

@@ -2,4 +2,4 @@
       include_tasks: update_domain.yml
       with_items: "{{ vhost.domains }}"
       loop_control:
-        loop_var: domain
+        loop_var: domain

roles/knsupdate/tasks/update_domain.yml

@@ -34,3 +34,9 @@
       shell: knsupdate
       args:
         stdin: "{{ lookup('template', 'templates/commands.j2') }}"
+      when: is_abyayala_subdomain
+
+    - name: display DNS configuration instructions for external domains
+      debug:
+        msg: "{{ lookup('template', 'templates/dns_info.j2') }}"
+      when: not is_abyayala_subdomain

roles/knsupdate/vars/main.yml

@@ -7,14 +7,6 @@ dns_servers:
 compound_tlds:
   - com.ar
   - com.mx
-  - co.uk
   - com.br
-  - gov.ar
   - org.ar
-  - gob.ar
-  - net.ar
-  - mil.ar
-  - edu.ar
-  - co.nz
-  - net.nz
-  - org.nz
+  - edu.ar

roles/proxy/files/custom_proxy_includes/sutty.abyaya.la

@@ -1,11 +0,0 @@
-proxy_buffering off;
-proxy_request_buffering off;
-proxy_redirect off;
-proxy_connect_timeout 3m;
-proxy_send_timeout 3m;
-proxy_read_timeout 3m;
-
-limit_conn connection_limit 50;
-limit_req zone=request_limit nodelay burst=20;
-
-add_header Retry-After $retry_after always;

roles/proxy/files/custom_server_includes/sutty.abyaya.la

@@ -1,4 +0,0 @@
-add_header X-Frame-Options "sameorigin";
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Content-Type-Options "nosniff";
-add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/tasks/main.yml

@@ -15,6 +15,7 @@
       with_items:
         - "{{ stream_path }}"
         - "{{ conf_path }}"
+        - "{{ certbot_webroot }}"
       loop_control:
         loop_var: comun
 
@@ -32,6 +33,7 @@
         - common.conf
         - common_ssl.conf
         - nginx.conf
+        - acme_challenge.conf
       loop_control:
         loop_var: common
 
@@ -45,13 +47,16 @@
           loop_control:
             loop_var: domino
 
-        - name: add default abyaya.la subdomain if not present
+        - name: ensure abyaya.la subdomain is always first in domains list
           set_fact:
             matrix_loop_with_defaults: "{{ matrix_loop_with_defaults | default([]) | union([ item_with_default ]) }}"
           vars:
-            has_abyayala_domain: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list | length > 0 }}"
+            existing_abyayala_domains: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list }}"
+            has_abyayala_domain: "{{ existing_abyayala_domains | length > 0 }}"
             default_domain: "{{ item.service_name }}.abyaya.la"
-            domains_with_default: "{{ item.domains + [default_domain] if not has_abyayala_domain else item.domains }}"
+            other_domains: "{{ item.domains | reject('match', '.*\\.abyaya\\.la$') | list }}"
+            abyayala_domain_to_use: "{{ existing_abyayala_domains[0] if has_abyayala_domain else default_domain }}"
+            domains_with_default: "{{ [abyayala_domain_to_use] + other_domains }}"
             item_with_default: "{{ item | combine({'domains': domains_with_default}) }}"
           with_items: "{{ matrix_loop | default([]) }}"
 

roles/proxy/templates/acme_challenge.conf

@@ -0,0 +1,25 @@
+# Let's Encrypt ACME challenge configuration
+# This configuration serves the .well-known/acme-challenge directory
+# for HTTP-01 validation when using webroot method
+
+location ^~ /.well-known/acme-challenge/ {
+    # Serve files from the certbot webroot
+    root {{ certbot_webroot }};
+
+    # Allow access to challenge files
+    allow all;
+
+    # Ensure plain text content type
+    default_type "text/plain";
+
+    # Disable any authentication
+    auth_basic off;
+
+    # Serve the challenge file directly
+    try_files $uri =404;
+}
+
+# Deny access to other .well-known paths for security
+location ~ /\.well-known/ {
+    deny all;
+}

roles/proxy/templates/common.conf

@@ -0,0 +1,4 @@
+    add_header X-Frame-Options "sameorigin";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/templates/default_proxy.conf

@@ -12,10 +12,12 @@
 
         gzip_disable "msie6";
         {% endif %}
+
         client_max_body_size 1G;
+
         proxy_ssl_verify off;
         proxy_ssl_server_name on;
-        proxy_ssl_name $host;
+        proxy_ssl_name $ssl_server_name;
 
         proxy_pass https://$comun_{{ vhost.nodo | replace(".", "") }};
 
@@ -27,6 +29,18 @@
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection upgrade;
 
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_redirect off;
+        proxy_connect_timeout 3m;
+        proxy_send_timeout 3m;
+        proxy_read_timeout 3m;
+
+        limit_conn connection_limit 50;
+        limit_req zone=request_limit nodelay burst=20;
+
+        add_header Retry-After $retry_after always;
+
         {% include "files/custom_proxy_includes/" ~ vhost.domains[0] ignore missing %}
 }
       # END PROXY

roles/proxy/templates/services.yml

@@ -19,3 +19,4 @@
       - "certs_data:{{ nginx_certs_path }}:ro"
       - "{{ conf_path }}/nginx.conf:/etc/nginx/nginx.conf:ro"
       - "{{ stream_path }}:/etc/nginx/stream.d/"
+      - "certbot_webroot:{{ certbot_webroot }}"

roles/proxy/templates/stream.conf

@@ -5,7 +5,11 @@ upstream ssh_{{ vhost.nodo | replace(".", "") }} {
 server {
     listen {{ vhost.ports[0] }};
 
-    server_name  {{ vhost.service_name }}.abyaya.la;
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
+    server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
 
     proxy_pass ssh_{{ vhost.nodo | replace(".", "") }};
 }

roles/proxy/templates/vhost.conf

@@ -1,18 +1,31 @@
 map $http_host $comun_{{ vhost.nodo | replace(".", "") }} {
     hostnames;
     {% for domain in vhost.domains %}
+    {% if vhost.root | default(false) %}
+    {{ domain }} {{ vhost.nodo }};
+    {% else %}
     .{{ domain }} {{ vhost.nodo }};
+    {% endif %}
     {% endfor %}
 }
 
 server {
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
     server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
 
     listen 80;
 
     resolver 10.13.12.1 valid=300s;
     resolver_timeout 5s;
 
+{% if vhost.root | default(false) %}
+    # ACME challenge for HTTP-01 validation (webroot method for root domains)
+    include conf/acme_challenge.conf;
+{% endif %}
+
 {% if not needs_vhost and ((vhost.ssl | default(domains_default_ssl) ) or (vhost.force_https | default(domains_default_force_https))) %}
     listen 443 ssl;
 

roles/proxy/templates/volumes.yml

@@ -1 +1,2 @@
   certs_data:
+  certbot_webroot:

roles/proxy/vars/main.yml

@@ -15,3 +15,4 @@ default_stream: roles/proxy/templates/stream.conf
 # certbot
 webmaster_email: webmaster@numerica.cl
 CERTBOT_image: numericalatina/certbot-wildcard
+certbot_webroot: /var/www/certbot

testnet.yml

@@ -0,0 +1,23 @@
+althost: testnet
+matrix:
+  - service_name: comun
+    roles:
+      - kemal
+    domains:
+      - comun.abyayala.red
+
+  - service_name: dns
+    roles:
+      - knsupdate
+
+  - service_name: vpn
+    roles:
+      - rap
+    nodos:
+      - qi
+
+  - service_name: qi
+    domains:
+      - qi.abyayala.red
+    nodo: qi.comun
+#    force_https: yes