feat: restore gitea proxy functionality with conditional support

Recupera la funcionalidad de proxy para repositorios git (gitea) que se perdió
al integrar el proxy SSH con stream.conf. Los servicios ahora pueden habilitar
opcionalmente el acceso a gitea agregando el atributo gitea_port.

Cambios:
- Agregado soporte condicional de upstream y servidor gitea en stream.conf
- El puerto gitea se agrega dinámicamente a matrix_ports cuando está definido
- Usa el mismo server_name que SSH, diferenciado solo por puerto
- Respeta la configuración root para dominios raíz

Uso: Agregar gitea_port: 2222 a cualquier servicio en abyayala.yml

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

README-root-domain.md

@@ -0,0 +1,99 @@
+# Plan: Añadir Soporte para Dominio Principal www.abyaya.la
+
+## Objetivo
+Habilitar que el dominio raíz `abyaya.la` y `www.abyaya.la` apunten al servidor `sutty.comun`, mientras se mantienen funcionando todos los subdominios existentes (ej: `sutty.abyaya.la`, `marmite.abyaya.la`).
+
+## Estrategia de Desarrollo
+
+### Rama Tópica
+Los cambios se implementarán en esta rama tópica:
+- **Nombre de rama**: `root-domain`
+- **Bifurcada desde**: `master`
+
+## Contexto Técnico
+
+### Arquitectura Actual
+- **Certificados**: Cada servicio en `abyayala.yml` con `domains` + `nodo` genera un certificado con certbot: `-d DOMAIN -d *.DOMAIN`
+- **Patron actual**: Todos los dominios siguen el patrón `subdomain.abyaya.la` (ej: `sutty.abyaya.la`)
+
+### Decisión de Diseño
+Crear un **servicio separado** para el dominio raíz con un nuevo flag `root: yes` que indica a certbot que NO solicite el certificado wildcard. Esto mantiene limpia la separación de responsabilidades:
+- Servicio `sutty`: maneja `sutty.abyaya.la` y `*.sutty.abyaya.la`
+- Servicio `abyaya_root`: maneja únicamente `abyaya.la` y `www.abyaya.la` (sin wildcard)
+
+## Cambios Implementados
+
+### 1. `roles/certbot/tasks/certbot.yml`
+- Lee el flag `root` del servicio y lo mapea a variable `is_root_domain`
+- Dividido el bloque de certificados en dos tareas condicionales:
+  - Modo estándar (con wildcard): para subdominios (`when: not is_root_domain`)
+  - Modo sin wildcard: para dominios raíz (`when: is_root_domain`)
+
+### 2. `roles/proxy/templates/vhost.conf`
+- Agregado condicional para manejar flag `root`
+- Cuando `root: yes`: genera `server_name` sin punto prefijo (exacto)
+- Cuando `root: no` (default): genera `server_name .domain` (con wildcard)
+
+### 3. `abyayala.yml`
+- Agregado servicio `abyaya_root` con:
+  - Dominios: `abyaya.la` y `www.abyaya.la`
+  - Enrutamiento a: `sutty.comun`
+  - Flag: `root: yes`
+  - HTTPS forzado y compresión habilitada
+
+## Comandos de Despliegue
+
+### Despliegue completo
+```bash
+ansible-playbook deploy.yml -e "alt=abyayala host=hetzner"
+```
+
+### Despliegue solo del servicio nuevo (para testing)
+```bash
+ansible-playbook deploy.yml -e "alt=abyayala host=hetzner service=abyaya_root"
+```
+
+## Verificación Post-Despliegue
+
+### 1. Verificar certificado
+```bash
+ssh root@hetzner
+ls -la /var/lib/docker/volumes/abyayala_certs_data/_data/live/abyaya.la/
+docker run --rm -v abyayala_certs_data:/etc/letsencrypt certbot/certbot certificates | grep abyaya.la
+```
+
+Debe contener: `abyaya.la`, `www.abyaya.la` (SIN `*.abyaya.la`)
+
+### 2. Verificar nginx
+```bash
+cat /opt/abyayala/proxy/vhosts/abyaya.la.conf
+docker exec abyayala_proxy nginx -t
+```
+
+### 3. Verificar enrutamiento
+```bash
+curl -I http://abyaya.la        # Debe redirigir a HTTPS
+curl -I https://abyaya.la       # Debe devolver 200 OK
+curl -I https://www.abyaya.la   # Debe devolver 200 OK
+```
+
+### 4. Verificar subdominios siguen funcionando
+```bash
+curl -I https://sutty.abyaya.la
+curl -I https://marmite.abyaya.la
+```
+
+## Requisitos DNS
+
+Antes del despliegue, configurar:
+```
+abyaya.la       A     <IP-del-proxy>
+www.abyaya.la   A     <IP-del-proxy>
+```
+
+## Extensibilidad Futura
+
+Este patrón `root: yes` puede reutilizarse para otros dominios raíz:
+1. Agregar entrada en `abyayala.yml` con `root: yes`
+2. Desplegar con ansible-playbook
+3. Configurar DNS

abyayala.yml

@@ -14,7 +14,6 @@ matrix:
     roles:
       - rap
     nodos:
-      - llavero
       - marmite
       - nodochasqui
       - yanapak
@@ -59,6 +58,8 @@ matrix:
       - carabobolibre
       - samatuun
       - kaasavi
+      - llavero
+      - deabajo
 
   - service_name: respaldos
     domains:
@@ -165,6 +166,15 @@ matrix:
     force_https: yes
     enable_compression: yes
 
+  - service_name: abyaya_root
+    domains:
+      - abyaya.la
+      - www.abyaya.la
+    nodo: sutty.comun
+    force_https: yes
+    enable_compression: yes
+    root: yes
+
   - service_name: mexe
     domains:
       - mexe.abyaya.la
@@ -204,11 +214,14 @@ matrix:
 
   - service_name: kipu
     domains:
+#      - abyaya.la
+#      - www.abyaya.la
       - kipu.latina.red
     nodo: kipu.comun
-    ssl: no
     ports:
       - 223
+    ssl: yes
+#    root: yes
 
   - service_name: carabobolibre
     domains:
@@ -227,3 +240,15 @@ matrix:
       - kaasavi.abyaya.la
     nodo: kaasavi.comun
     force_https: yes
+
+  - service_name: llavero
+    domains:
+      - llavero.abyaya.la
+    nodo: llavero.comun
+    force_https: yes
+
+  - service_name: deabajo
+    domains:
+      - deabajo.abyaya.la
+    nodo: deabajo.comun
+    force_https: yes

group_vars/testing/vars

@@ -0,0 +1 @@
+host_ip: 157.180.114.62

hosts.production

@@ -1,5 +1,5 @@
 [localhost]
-127.0.0.1
+127.0.0.1 ansible_connection=local
 
 [hetzner]
 5.161.236.18
@@ -11,3 +11,9 @@ ansible_ssh_user=root
 sutty.nl
 
 [sutty:vars]
+
+[testing]
+157.180.114.62
+
+[testing:vars]
+ansible_ssh_user=root

roles/althost/tasks/compose.yml

@@ -1,13 +1,13 @@
     - name: check if service volumes exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/volumes.yml"
+      delegate_to: localhost
       register: volumes_def
 
     - name: check if service networks exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/networks.yml"
+      delegate_to: localhost
       register: networks_def
 
     - set_fact:
@@ -22,53 +22,53 @@
       when: networks_def.stat.exists
 
     - name: define services in local composition
-      local_action:
-        module: blockinfile
+      blockinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "services:"
         marker: "# {mark} {{ service_name|upper }}"
         block: "{{ services_content }}"
+      delegate_to: localhost
       changed_when: false
 
     - name: define volumes in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# volumenes compartidos"
         line: "volumes: #"
         state: present
         regexp: "volumes: #"
+      delegate_to: localhost
       when: volumes_def.stat.exists
       changed_when: false
 
     - name: define volumes content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "volumes: #"
         line: "{{ volumes_content }}"
         state: present
         regexp: "{{ volumes_content }}"
+      delegate_to: localhost
       when: volumes_content is defined
       changed_when: false
 
     - name: define networks in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# redes compartidas"
         line: "networks: #"
         state: present
         regexp: "networks: #"
+      delegate_to: localhost
       when: networks_def.stat.exists
       changed_when: false
 
     - name: define networks content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "networks: #"
         line: "{{ networks_content }}"
         state: present
+      delegate_to: localhost
       when: networks_content is defined
       changed_when: false

roles/althost/tasks/main.yml

@@ -1,28 +1,56 @@
     # DOCKER CE this is specific for Debian
     # https://docs.docker.com/install/linux/docker-ce/debian/
+    # Soporta Debian 12 (bookworm) y Debian 13 (trixie)
+
+    # Clean up conflicting Docker repositories first (always runs, even with --skip-tags=installation)
+    - name: remove old docker repository files to avoid APT conflicts
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /etc/apt/sources.list.d/docker.list
+        - /etc/apt/sources.list.d/download_docker_com_linux_debian.list
+
     - block:
       - name: "unattended upgrades"
         apt:
           name: "unattended-upgrades"
           state: "present"
-              
+
       - name: required packages
         apt:
-          name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common', 'python3-pip']
+          name: ['ca-certificates', 'curl', 'python3-pip']
           state: present
 
-      - name: docker signing key
-        apt_key:
+      - name: create keyrings directory
+        file:
+          path: /etc/apt/keyrings
+          state: directory
+          mode: '0755'
+
+      - name: download docker gpg key
+        get_url:
           url: https://download.docker.com/linux/debian/gpg
-          state: present
-        
-      - name: docker apt repository
-        apt_repository:
-          repo: deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable
+          dest: /etc/apt/keyrings/docker.asc
+          mode: '0644'
 
-      - name: install docker community edition
+      - name: add docker repository with deb822 format
+        deb822_repository:
+          name: docker
+          types: [deb]
+          uris: https://download.docker.com/linux/debian
+          suites: ["{{ ansible_distribution_release }}"]
+          components: [stable]
+          architectures: [amd64]
+          signed_by: /etc/apt/keyrings/docker.asc
+
+      - name: install docker community edition and compose plugin
         apt:
-          name: docker-ce
+          name:
+            - docker-ce
+            - docker-ce-cli
+            - containerd.io
+            - docker-compose-plugin
           update_cache: yes
 
       - name: is node already in swarm mode
@@ -48,23 +76,11 @@
           state: present
 
       # ansible-docker requirements
-      - name: python package docker-py is deprecated
-        pip:
-          name: docker-py
-          state: absent
-          break_system_packages: true
-
-      - name: ensure python package docker is present
-        pip:
-          name: docker
+      # Use system packages instead of pip to avoid break_system_packages
+      - name: ensure python3-docker package is present
+        apt:
+          name: python3-docker
           state: present
-          break_system_packages: true
-
-      - name: ensure python package docker-compose is present
-        pip:
-          name: docker-compose
-          state: present
-          break_system_packages: true
 
       tags: installation
 
@@ -74,16 +90,16 @@
         file: path={{ compose_path }} state=directory
       
       - name: make sure local compose path exists
-        local_action:
-          module: file
-          path: "{{ local_compose_path }}" 
+        file:
+          path: "{{ local_compose_path }}"
           state: directory
+        delegate_to: localhost
 
       - name: clean docker-compose.yml
-        local_action:
-          module: template
+        template:
           dest: "{{ local_compose_path }}/docker-compose.yml"
           src: roles/althost/templates/docker-compose.yml
+        delegate_to: localhost
         changed_when: false
 
       - name: execute roles per domain mapping

roles/certbot/tasks/certbot.yml

@@ -10,33 +10,55 @@
       register: vhost_stat
 
     - set_fact:
-        needs_cert: (loop.ssl | default(domains_default_ssl) ) or (loop.force_https | default(domains_default_force_https))
-        needs_vhost: needs_cert and not vhost_stat.stat.exists
-        obtain_cert: needs_cert and not ssl_cert.stat.exists
+        needs_cert: "{{ ((loop.ssl | default(domains_default_ssl) | bool) or (loop.force_https | default(domains_default_force_https) | bool)) | bool }}"
+
+    - set_fact:
+        needs_vhost: "{{ (needs_cert | bool and not vhost_stat.stat.exists) | bool }}"
+        obtain_cert: "{{ (needs_cert | bool and not ssl_cert.stat.exists) | bool }}"
 
     - name: certificate obtention
       block:
         - set_fact:
             vhost: "{{ loop }}"
 
-        - name: fetch certificate with certbot container
+        - set_fact:
+            is_root_domain: "{{ loop.root | default(false) | bool }}"
+
+        - name: fetch certificate with certbot container (with wildcard)
           docker_container:
             name: chencriptemos
             image: "{{ CERTBOT_image }}"
             state: started
             volumes:
               - "{{ althost }}_certs_data:/etc/letsencrypt"
-            command: "--non-interactive --agree-tos --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
+            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --preferred-challenges dns --authenticator dns-standalone --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --dns-standalone-propagation-seconds=10 {% for domain in loop.domains %} -d {{ domain }} -d *.{{ domain }} {% endfor %}"
             detach: no
             cleanup: yes
-            ports: 
+            ports:
               - "{{ host_ip }}:53:53/tcp"
               - "{{ host_ip }}:53:53/udp"
           notify:
             - reload proxy
           register: cert_result
+          when: not is_root_domain | bool
 
-      when: obtain_cert
+        - name: fetch certificate with certbot container (without wildcard, root domain - using webroot)
+          docker_container:
+            name: chencriptemos
+            image: certbot/certbot:latest
+            state: started
+            volumes:
+              - "{{ althost }}_certs_data:/etc/letsencrypt"
+              - "{{ althost }}_certbot_webroot:{{ certbot_webroot }}"
+            command: "--non-interactive --agree-tos --expand --email {{ webmaster_email }} certonly --webroot --webroot-path {{ certbot_webroot }} {% for domain in loop.domains %} -d {{ domain }} {% endfor %}"
+            detach: no
+            cleanup: yes
+          notify:
+            - reload proxy
+          register: cert_result
+          when: is_root_domain | bool
+
+      when: obtain_cert | bool
 
     # RESET
     - set_fact:

roles/certbot/tasks/main.yml

@@ -36,7 +36,7 @@
         day: 4,18
         hour: 0
         minute: 0
-        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 >> /var/log/renewal.log 2>&1"
+        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 --log-driver=journald"
 
     - name: proxy update, after certs renewal
       cron:
@@ -44,12 +44,4 @@
         day: 4,18
         hour: 6
         minute: 10
-        job: "docker service update --force {{ althost }}_proxy"
-
-    - name: mail proxy update, after certs renewal
-      cron:
-        name: mail proxy update
-        day: 4,18
-        hour: 6
-        minute: 20
-        job: "docker service update {{ althost }}_correspondencia_front"
+        job: "docker service update --force {{ althost }}_proxy"

roles/knsupdate/files/dns_extras/pilmaiken.abyaya.la

@@ -0,0 +1,8 @@
+del pilmaiken mx
+del pilmaiken txt
+del pilmaiken spf
+add pilmaiken mx 10 correspondencia.latina.red.
+add pilmaiken txt "v=spf1 mx a:correspondencia.latina.red -all"
+add pilmaiken spf "v=spf1 mx a:correspondencia.latina.red -all"
+add dkim._domainkey.pilmaiken txt "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6JwPaawDzMXuscSgDpvipRFLGXSqgmvvI6jk18lcg0kK2lfxsvXGJ/6U7oCtKa35IEVzdigxD0o7DzklKxAsNIVbcExPJkFWzQuKuP6ATBESo7YUn7Z5qjfxBiNPS0FJp8XpbpUzN+zg/NTgmkggnwwC0tKgcEQ6HnI9AOa1LQIDAQAB"
+add _dmarc.pilmaiken txt "v=DMARC1; p=reject; rua=mailto:postmaster@correspondencia.latina.red; ruf=mailto:postmaster@correspondencia.latina.red; adkim=s; aspf=s"

roles/knsupdate/tasks/main.yml

@@ -2,5 +2,6 @@
       apt:
         name: "knot-dnsutils"
         state: "present"
-    
+      tags: installation
+
     - include_tasks: loop.yml

roles/knsupdate/tasks/templates/commands.j2

@@ -1,24 +1,31 @@
 {% for dns_server in dns_servers %}
+
 server {{ dns_server }}
 zone {{ zone }}
 origin {{ zone }}
 ttl 60
+
 del {{ hostname }} a
 del {{ hostname }} ns
 add {{ hostname }} a {{ host_ip }}
-{% if is_abyayala_subdomain %}
+
+{% if hostname != '@' and hostname != 'www' %}
 add *.{{ hostname }} a {{ host_ip }}
 {% else %}
 add {{ domain }} a {{ host_ip }}
 add *.{{ domain }} a {{ host_ip }}
 {% endif %}
+
+{% if hostname == '@' %}
+add _acme-challenge a {{ host_ip }}
+add _acme-challenge ns _acme-challenge
+{% else %}
 add _acme-challenge.{{ hostname }} a {{ host_ip }}
 add _acme-challenge.{{ hostname }} ns _acme-challenge
-{% if vhost.dns_extras is defined %}
-{% for dns_extra in vhost.dns_extras %}
-{{ dns_extra }}
-{% endfor %}
 {% endif %}
+
+{% include "files/dns_extras/" ~ vhost.domains[0] ignore missing %}
+
 send
 {% endfor %}
 quit

roles/knsupdate/tasks/templates/dns_info.j2

@@ -0,0 +1,21 @@
+
+========================================
+Configuracion de DNS requerida: {{ domain }}
+========================================
+Por favor configue los siguiente registros DNS en su proveedor:
+
+{% if hostname == '@' %}
+{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
+*.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
+
+_acme-challenge.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ zone | regex_replace('\\.$', '') }}.
+ns-acme.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
+{% else %}
+{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}     IN A     {{ host_ip }}
+*.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}   IN A     {{ host_ip }}
+
+_acme-challenge.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }} IN NS ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}.
+ns-acme.{{ hostname }}.{{ zone | regex_replace('\\.$', '') }}         IN A  {{ host_ip }}
+{% endif %}
+
+========================================

roles/knsupdate/tasks/update.yml

@@ -2,4 +2,4 @@
       include_tasks: update_domain.yml
       with_items: "{{ vhost.domains }}"
       loop_control:
-        loop_var: domain
+        loop_var: domain

roles/knsupdate/tasks/update_domain.yml

@@ -34,3 +34,9 @@
       shell: knsupdate
       args:
         stdin: "{{ lookup('template', 'templates/commands.j2') }}"
+      when: is_abyayala_subdomain
+
+    - name: display DNS configuration instructions for external domains
+      debug:
+        msg: "{{ lookup('template', 'templates/dns_info.j2') }}"
+      when: not is_abyayala_subdomain

roles/knsupdate/vars/main.yml

@@ -7,14 +7,6 @@ dns_servers:
 compound_tlds:
   - com.ar
   - com.mx
-  - co.uk
   - com.br
-  - gov.ar
   - org.ar
-  - gob.ar
-  - net.ar
-  - mil.ar
-  - edu.ar
-  - co.nz
-  - net.nz
-  - org.nz
+  - edu.ar

roles/proxy/files/custom_proxy_includes/sutty.abyaya.la

@@ -1,11 +0,0 @@
-proxy_buffering off;
-proxy_request_buffering off;
-proxy_redirect off;
-proxy_connect_timeout 3m;
-proxy_send_timeout 3m;
-proxy_read_timeout 3m;
-
-limit_conn connection_limit 50;
-limit_req zone=request_limit nodelay burst=20;
-
-add_header Retry-After $retry_after always;

roles/proxy/files/custom_server_includes/sutty.abyaya.la

@@ -1,4 +0,0 @@
-add_header X-Frame-Options "sameorigin";
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Content-Type-Options "nosniff";
-add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/tasks/main.yml

@@ -15,6 +15,7 @@
       with_items:
         - "{{ stream_path }}"
         - "{{ conf_path }}"
+        - "{{ certbot_webroot }}"
       loop_control:
         loop_var: comun
 
@@ -32,6 +33,7 @@
         - common.conf
         - common_ssl.conf
         - nginx.conf
+        - acme_challenge.conf
       loop_control:
         loop_var: common
 
@@ -45,13 +47,16 @@
           loop_control:
             loop_var: domino
 
-        - name: add default abyaya.la subdomain if not present
+        - name: ensure abyaya.la subdomain is always first in domains list
           set_fact:
             matrix_loop_with_defaults: "{{ matrix_loop_with_defaults | default([]) | union([ item_with_default ]) }}"
           vars:
-            has_abyayala_domain: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list | length > 0 }}"
+            existing_abyayala_domains: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list }}"
+            has_abyayala_domain: "{{ existing_abyayala_domains | length > 0 }}"
             default_domain: "{{ item.service_name }}.abyaya.la"
-            domains_with_default: "{{ item.domains + [default_domain] if not has_abyayala_domain else item.domains }}"
+            other_domains: "{{ item.domains | reject('match', '.*\\.abyaya\\.la$') | list }}"
+            abyayala_domain_to_use: "{{ existing_abyayala_domains[0] if has_abyayala_domain else default_domain }}"
+            domains_with_default: "{{ [abyayala_domain_to_use] + other_domains }}"
             item_with_default: "{{ item | combine({'domains': domains_with_default}) }}"
           with_items: "{{ matrix_loop | default([]) }}"
 
@@ -89,6 +94,14 @@
           when: (ma.ports is defined)
           loop_control:
             loop_var: ma
+
+        - name: add gitea port if any service has gitea_port defined
+          set_fact:
+            matrix_ports: "{{ matrix_ports | default([]) | union([ma.gitea_port]) }}"
+          with_items: "{{ matrix }}"
+          when: (ma.gitea_port is defined)
+          loop_control:
+            loop_var: ma
     
     - include_tasks: ../../althost/tasks/compose.yml
       vars: # forcing since this role is included statically

roles/proxy/templates/acme_challenge.conf

@@ -0,0 +1,25 @@
+# Let's Encrypt ACME challenge configuration
+# This configuration serves the .well-known/acme-challenge directory
+# for HTTP-01 validation when using webroot method
+
+location ^~ /.well-known/acme-challenge/ {
+    # Serve files from the certbot webroot
+    root {{ certbot_webroot }};
+
+    # Allow access to challenge files
+    allow all;
+
+    # Ensure plain text content type
+    default_type "text/plain";
+
+    # Disable any authentication
+    auth_basic off;
+
+    # Serve the challenge file directly
+    try_files $uri =404;
+}
+
+# Deny access to other .well-known paths for security
+location ~ /\.well-known/ {
+    deny all;
+}

roles/proxy/templates/common.conf

@@ -0,0 +1,4 @@
+    add_header X-Frame-Options "sameorigin";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/templates/default_proxy.conf

@@ -12,10 +12,12 @@
 
         gzip_disable "msie6";
         {% endif %}
+
         client_max_body_size 1G;
+
         proxy_ssl_verify off;
         proxy_ssl_server_name on;
-        proxy_ssl_name $host;
+        proxy_ssl_name $ssl_server_name;
 
         proxy_pass https://$comun_{{ vhost.nodo | replace(".", "") }};
 
@@ -27,6 +29,18 @@
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection upgrade;
 
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_redirect off;
+        proxy_connect_timeout 3m;
+        proxy_send_timeout 3m;
+        proxy_read_timeout 3m;
+
+        limit_conn connection_limit 50;
+        limit_req zone=request_limit nodelay burst=20;
+
+        add_header Retry-After $retry_after always;
+
         {% include "files/custom_proxy_includes/" ~ vhost.domains[0] ignore missing %}
 }
       # END PROXY

roles/proxy/templates/services.yml

@@ -19,3 +19,4 @@
       - "certs_data:{{ nginx_certs_path }}:ro"
       - "{{ conf_path }}/nginx.conf:/etc/nginx/nginx.conf:ro"
       - "{{ stream_path }}:/etc/nginx/stream.d/"
+      - "certbot_webroot:{{ certbot_webroot }}"

roles/proxy/templates/stream.conf

@@ -2,10 +2,34 @@ upstream ssh_{{ vhost.nodo | replace(".", "") }} {
     server {{ vhost.nodo }}:22;
 }
 
+{% if vhost.gitea_port is defined %}
+upstream gitea_{{ vhost.nodo | replace(".", "") }} {
+    server {{ vhost.nodo }}:{{ vhost.gitea_port }};
+}
+{% endif %}
+
 server {
     listen {{ vhost.ports[0] }};
 
-    server_name  {{ vhost.service_name }}.abyaya.la;
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
+    server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
 
     proxy_pass ssh_{{ vhost.nodo | replace(".", "") }};
-}
+}
+
+{% if vhost.gitea_port is defined %}
+server {
+    listen {{ vhost.gitea_port }};
+
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
+    server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
+
+    proxy_pass gitea_{{ vhost.nodo | replace(".", "") }};
+}
+{% endif %}

roles/proxy/templates/vhost.conf

@@ -1,18 +1,31 @@
 map $http_host $comun_{{ vhost.nodo | replace(".", "") }} {
     hostnames;
     {% for domain in vhost.domains %}
+    {% if vhost.root | default(false) %}
+    {{ domain }} {{ vhost.nodo }};
+    {% else %}
     .{{ domain }} {{ vhost.nodo }};
+    {% endif %}
     {% endfor %}
 }
 
 server {
+    {% if vhost.root | default(false) %}
+    server_name {{ vhost.domains | join(' ') }};
+    {% else %}
     server_name .{{ vhost.domains | join(' .') }};
+    {% endif %}
 
     listen 80;
 
     resolver 10.13.12.1 valid=300s;
     resolver_timeout 5s;
 
+{% if vhost.root | default(false) %}
+    # ACME challenge for HTTP-01 validation (webroot method for root domains)
+    include conf/acme_challenge.conf;
+{% endif %}
+
 {% if not needs_vhost and ((vhost.ssl | default(domains_default_ssl) ) or (vhost.force_https | default(domains_default_force_https))) %}
     listen 443 ssl;
 

roles/proxy/templates/volumes.yml

@@ -1 +1,2 @@
   certs_data:
+  certbot_webroot:

roles/proxy/vars/main.yml

@@ -15,3 +15,4 @@ default_stream: roles/proxy/templates/stream.conf
 # certbot
 webmaster_email: webmaster@numerica.cl
 CERTBOT_image: numericalatina/certbot-wildcard
+certbot_webroot: /var/www/certbot

testnet.yml

@@ -0,0 +1,23 @@
+althost: testnet
+matrix:
+  - service_name: comun
+    roles:
+      - kemal
+    domains:
+      - comun.abyayala.red
+
+  - service_name: dns
+    roles:
+      - knsupdate
+
+  - service_name: vpn
+    roles:
+      - rap
+    nodos:
+      - qi
+
+  - service_name: qi
+    domains:
+      - qi.abyayala.red
+    nodo: qi.comun
+#    force_https: yes