feat: servidor de testing

bifurca de #issue42 en que ya estan parametrizadas zones y asi

DNS_ARCHITECTURE.md

@@ -1,162 +0,0 @@
-# Arquitectura DNS y Validación ACME
-
-Este documento explica cómo funciona el sistema DNS distribuido y la validación de certificados SSL para dominios FQDN.
-
-## Componentes DNS
-
-### 1. Servidores Knot (Autoritativos Remotos)
-
-**Ubicación:** `anarres.sutty.nl`, `athshe.sutty.nl`, `gethen.sutty.nl`, `ganam.sutty.nl`
-
-**Función:** DNS autoritativo real para:
-- Zona `abyaya.la`
-- Zonas FQDN (ej: `latina.red`, `example.com.ar`)
-
-**Actualización:** Via `knsupdate` ejecutado desde el proxy
-
-### 2. Proxy (Hetzner: 5.161.236.18)
-
-**Servicios DNS en diferentes IPs:**
-
-| Servicio | IP | Puerto | Función |
-|----------|-------|--------|---------|
-| **dnsmasq** | `10.13.12.1` + `127.0.0.1` | 53 | DNS cache/resolver para VPN interna |
-| **certbot dns-standalone** | `5.161.236.18` | 53 | DNS temporal para validación ACME |
-
-**No hay conflicto de puertos** porque usan IPs diferentes en la misma máquina.
-
-## Flujo de Validación ACME para Dominios FQDN
-
-### Ejemplo: Certificado para `kipu.latina.red`
-
-#### Paso 1: knsupdate configura delegación en Knot
-
-Cuando se despliega un servicio con FQDN, `knsupdate` crea estos registros en los servidores Knot:
-
-```dns
-; En zona latina.red
-kipu.latina.red                    IN A     5.161.236.18
-*.kipu.latina.red                  IN A     5.161.236.18
-_acme-challenge.kipu.latina.red    IN CNAME abyaya.la.
-_acme-challenge.kipu.latina.red    IN NS    _acme-challenge.abyaya.la.
-
-; En zona abyaya.la
-_acme-challenge.abyaya.la          IN A     5.161.236.18
-_acme-challenge                    IN NS    _acme-challenge.abyaya.la.
-```
-
-**Propósito de la delegación:**
-- El CNAME redirige la validación a `abyaya.la`
-- El NS delega la autoridad a `_acme-challenge.abyaya.la`
-- Que apunta al proxy donde certbot corre
-
-#### Paso 2: Certbot obtiene/renueva certificado
-
-```bash
-docker run --rm \
-  -v abyayala_certs_data:/etc/letsencrypt \
-  --network host \
-  numericalatina/certbot-wildcard \
-  certonly --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 \
-  -d kipu.latina.red -d *.kipu.latina.red
-```
-
-**Certbot:**
-1. Levanta un servidor DNS temporal en `5.161.236.18:53`
-2. Crea el registro TXT con el token de validación
-3. Notifica a Let's Encrypt que está listo
-
-#### Paso 3: Let's Encrypt valida
-
-```
-Let's Encrypt consulta: _acme-challenge.kipu.latina.red
-   ↓ Consulta a nameservers de latina.red (Knot)
-   ↓ Knot responde con CNAME
-
-Redirigido a: _acme-challenge.abyaya.la
-   ↓ Consulta delegación NS
-   ↓ Knot indica: usar nameserver _acme-challenge.abyaya.la
-
-Consulta directa a: 5.161.236.18:53
-   ↓ certbot dns-standalone responde
-   ↓ Proporciona el token TXT
-
-✓ Validación exitosa
-```
-
-## Configuración Requerida en DNS Externo
-
-Para que un dominio FQDN externo (no `.abyaya.la`) pueda delegar la validación ACME al proxy, es necesario agregar estos registros en el DNS del dominio:
-
-```dns
-_acme-challenge IN CNAME abyaya.la.
-_acme-challenge IN NS _acme-challenge.abyaya.la.
-```
-
-**Ejemplo para `kipu.latina.red`:**
-```dns
-; En el DNS de latina.red
-_acme-challenge.kipu IN CNAME abyaya.la.
-_acme-challenge.kipu IN NS _acme-challenge.abyaya.la.
-```
-
-Esto se hace **una sola vez por dominio** y permite que todos los subdominios deleguen automáticamente.
-
-## Renovación Automática
-
-La renovación de certificados funciona automáticamente porque:
-
-1. ✅ **Delegación persistente**: Los registros `_acme-challenge` ya están en Knot
-2. ✅ **Cron configurado**: Se ejecuta los días 4 y 18 de cada mes
-3. ✅ **Sin conflictos**: dnsmasq y certbot usan IPs diferentes
-4. ✅ **Mismo método**: `certbot renew` usa dns-standalone automáticamente
-
-```yaml
-# Configurado en roles/certbot/tasks/main.yml
-- name: automatic letsencrypt certs renewal
-  cron:
-    name: certificate renewal
-    day: 4,18
-    hour: 0
-    minute: 0
-    job: "docker run --rm -v abyayala_certs_data:/etc/letsencrypt --network host numericalatina/certbot-wildcard renew --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 >> /var/log/renewal.log 2>&1"
-```
-
-## Ventajas de esta Arquitectura
-
-1. **Centralizada**: Un solo proxy maneja validación ACME para todos los dominios
-2. **Segura**: No requiere credenciales API de proveedores DNS externos
-3. **Flexible**: Soporta dominios `.abyaya.la` y FQDN externos
-4. **Automatizada**: Renovación sin intervención manual
-5. **Escalable**: Agregar nuevos dominios solo requiere actualizar `abyayala.yml`
-
-## Troubleshooting
-
-### Verificar delegación DNS
-
-```bash
-# Verificar CNAME
-dig _acme-challenge.kipu.latina.red CNAME
-
-# Verificar NS delegation
-dig _acme-challenge.kipu.latina.red NS
-
-# Probar resolución completa
-dig @5.161.236.18 _acme-challenge.kipu.latina.red TXT
-```
-
-### Ver logs de renovación
-
-```bash
-tail -f /var/log/renewal.log
-```
-
-### Probar renovación manualmente
-
-```bash
-docker run --rm \
-  -v abyayala_certs_data:/etc/letsencrypt \
-  --network host \
-  numericalatina/certbot-wildcard \
-  renew --dns-standalone-address=5.161.236.18 --dns-standalone-port=53 --dry-run
-```

TESTING.md

@@ -1,401 +0,0 @@
-# Testing en Abyaya.la
-
-Esta guía documenta las estrategias y herramientas de testing para infraestructura como código (IaC) basada en Ansible.
-
-## Índice
-
-1. [Testing de Ansible](#testing-de-ansible)
-2. [Validación y Sintaxis](#validación-y-sintaxis)
-3. [Testing de Infraestructura](#testing-de-infraestructura)
-4. [CI/CD para Ansible](#cicd-para-ansible)
-5. [Recursos Adicionales](#recursos-adicionales)
-
----
-
-## Testing de Ansible
-
-### Molecule (Framework oficial - RECOMENDADO)
-
-Molecule es el framework oficial para testing de roles de Ansible. Permite ejecutar tests unitarios, de integración y verificar idempotencia.
-
-**Documentación Oficial:**
-- Documentación principal: https://ansible.readthedocs.io/projects/molecule/
-- Getting Started: https://ansible.readthedocs.io/projects/molecule/getting-started/
-- Guía de escenarios: https://ansible.readthedocs.io/projects/molecule/configuration/
-
-**Características:**
-- Tests unitarios de roles individuales
-- Tests de integración
-- Tests de idempotencia (verificar que ejecutar dos veces da el mismo resultado)
-- Soporte para Docker/Podman para simular entornos
-
-**Instalación:**
-```bash
-pip install molecule molecule-docker
-```
-
-**Uso básico:**
-```bash
-cd roles/rap
-molecule init scenario
-molecule test
-```
-
----
-
-### Ansible Lint
-
-Herramienta de análisis estático que verifica mejores prácticas y patrones comunes en playbooks y roles de Ansible.
-
-**Documentación:**
-- Documentación principal: https://ansible-lint.readthedocs.io/
-- Catálogo de reglas: https://ansible-lint.readthedocs.io/rules/
-
-**Instalación:**
-```bash
-pip install ansible-lint
-```
-
-**Uso:**
-```bash
-# Verificar un playbook específico
-ansible-lint deploy.yml
-
-# Verificar todos los archivos del proyecto
-ansible-lint
-
-# Verificar un rol específico
-ansible-lint roles/proxy/
-```
-
----
-
-### Testinfra
-
-Framework de testing de infraestructura escrito en Python. Permite verificar el estado real de los servidores después del despliegue.
-
-**Documentación:**
-- Documentación principal: https://testinfra.readthedocs.io/
-- Ejemplos: https://testinfra.readthedocs.io/en/latest/examples.html
-
-**Instalación:**
-```bash
-pip install testinfra
-```
-
-**Ejemplo de test:**
-```python
-# tests/test_vpn.py
-def test_tinc_is_running(host):
-    """Verificar que el servicio Tinc está corriendo"""
-    tinc = host.service("tinc@comun")
-    assert tinc.is_running
-    assert tinc.is_enabled
-
-def test_vpn_interface_exists(host):
-    """Verificar que la interfaz VPN existe"""
-    assert host.interface("comun").exists
-
-def test_vpn_ip_assigned(host):
-    """Verificar que la IP VPN está asignada"""
-    comun = host.interface("comun")
-    assert comun.addresses[0].startswith("10.13.12.")
-
-def test_nginx_is_running(host):
-    """Verificar que Nginx está corriendo"""
-    nginx = host.service("nginx")
-    assert nginx.is_running
-
-def test_port_443_listening(host):
-    """Verificar que el puerto 443 está escuchando"""
-    assert host.socket("tcp://0.0.0.0:443").is_listening
-```
-
-**Ejecución:**
-```bash
-# Ejecutar tests contra un host
-testinfra --hosts=ssh://root@hetzner tests/test_vpn.py
-
-# Ejecutar con Ansible inventory
-testinfra --ansible-inventory=hosts.production tests/
-```
-
----
-
-## Validación y Sintaxis
-
-### YAML Lint
-
-Validador de sintaxis YAML con verificación de estilos y buenas prácticas.
-
-**Documentación:**
-- Repositorio: https://github.com/adrienverge/yamllint
-- Configuración: https://yamllint.readthedocs.io/en/stable/configuration.html
-
-**Instalación:**
-```bash
-pip install yamllint
-```
-
-**Uso:**
-```bash
-# Validar archivos específicos
-yamllint deploy.yml abyayala.yml
-
-# Validar todos los YAML del proyecto
-yamllint *.yml roles/*/tasks/*.yml roles/*/templates/*.yml
-```
-
-**Configuración (.yamllint):**
-```yaml
-extends: default
-
-rules:
-  line-length:
-    max: 120
-  indentation:
-    spaces: 2
-```
-
----
-
-### Ansible Syntax Check (Built-in)
-
-Verificación de sintaxis integrada en Ansible.
-
-**Documentación:**
-- Testing strategies: https://docs.ansible.com/ansible/latest/reference_appendices/test_strategies.html
-- Syntax check: https://docs.ansible.com/ansible/latest/cli/ansible-playbook.html#cmdoption-ansible-playbook-syntax-check
-
-**Uso:**
-```bash
-# Verificar sintaxis de un playbook
-ansible-playbook deploy.yml --syntax-check
-
-# Dry-run (simular sin ejecutar)
-ansible-playbook deploy.yml --check
-
-# Dry-run con diff de cambios
-ansible-playbook deploy.yml --check --diff
-```
-
----
-
-## Testing de Infraestructura
-
-### InSpec (Chef)
-
-Framework de testing de infraestructura enterprise. Alternativa más robusta a Testinfra.
-
-**Documentación:**
-- Documentación principal: https://docs.chef.io/inspec/
-
-**Características:**
-- Lenguaje DSL específico para infraestructura
-- Compliance as Code
-- Perfiles de seguridad predefinidos
-
----
-
-## CI/CD para Ansible
-
-### GitHub Actions
-
-**Documentación:**
-- GitHub Actions para Ansible: https://github.com/marketplace/actions/run-ansible-playbook
-
-**Ejemplo de workflow:**
-```yaml
-# .github/workflows/test.yml
-name: Test Ansible Playbooks
-
-on: [push, pull_request]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set up Python
-        uses: actions/setup-python@v2
-        with:
-          python-version: '3.x'
-
-      - name: Install dependencies
-        run: |
-          pip install ansible ansible-lint yamllint molecule molecule-docker
-
-      - name: Run YAML Lint
-        run: yamllint .
-
-      - name: Run Ansible Lint
-        run: ansible-lint
-
-      - name: Syntax check
-        run: ansible-playbook deploy.yml --syntax-check
-
-      - name: Run Molecule tests
-        run: |
-          cd roles/rap
-          molecule test
-```
-
----
-
-### GitLab CI
-
-**Documentación:**
-- GitLab CI para Ansible: https://docs.gitlab.com/ee/ci/examples/ansible/
-
-**Ejemplo de pipeline:**
-```yaml
-# .gitlab-ci.yml
-stages:
-  - lint
-  - test
-
-lint:yaml:
-  stage: lint
-  image: python:3.9
-  script:
-    - pip install yamllint
-    - yamllint .
-
-lint:ansible:
-  stage: lint
-  image: python:3.9
-  script:
-    - pip install ansible-lint
-    - ansible-lint
-
-test:syntax:
-  stage: test
-  image: python:3.9
-  script:
-    - pip install ansible
-    - ansible-playbook deploy.yml --syntax-check
-
-test:molecule:
-  stage: test
-  image: python:3.9
-  services:
-    - docker:dind
-  script:
-    - pip install molecule molecule-docker
-    - cd roles/rap && molecule test
-```
-
----
-
-## Recursos Adicionales
-
-### Guías y Tutoriales
-
-- **Testing Ansible Roles with Molecule**: https://www.digitalocean.com/community/tutorials/how-to-test-ansible-roles-with-molecule-on-ubuntu-20-04
-- **Developing and Testing Ansible Roles with Molecule and Podman** (Serie de artículos): https://www.ansible.com/blog/developing-and-testing-ansible-roles-with-molecule-and-podman-part-1
-
-### Best Practices
-
-- **Ansible Best Practices**: https://docs.ansible.com/ansible/latest/tips_tricks/ansible_tips_tricks.html
-- **Ansible Style Guide**: https://docs.ansible.com/ansible/latest/dev_guide/style_guide/
-
-### Libros
-
-- **Ansible for DevOps** (Jeff Geerling): https://www.ansiblefordevops.com/
-  - Capítulos relevantes sobre testing y CI/CD
-
----
-
-## Estrategia de Testing Recomendada para Abyaya.la
-
-### Fase 1: Inmediato (Quick Wins)
-
-1. **Validación de sintaxis**
-   ```bash
-   ansible-playbook deploy.yml --syntax-check
-   ```
-
-2. **YAML Lint**
-   ```bash
-   pip install yamllint
-   yamllint .
-   ```
-
-3. **Ansible Lint**
-   ```bash
-   pip install ansible-lint
-   ansible-lint
-   ```
-
-### Fase 2: Corto Plazo (1-2 semanas)
-
-1. **Molecule para roles críticos**
-   - Empezar con `roles/rap` (VPN es crítico)
-   - Continuar con `roles/proxy` (punto de entrada público)
-   - Agregar `roles/certbot` (seguridad SSL)
-
-2. **Pre-commit hooks**
-   ```bash
-   pip install pre-commit
-   # Crear .pre-commit-config.yaml
-   pre-commit install
-   ```
-
-### Fase 3: Largo Plazo (1-2 meses)
-
-1. **Testinfra para verificación post-despliegue**
-   - Tests de conectividad VPN
-   - Tests de disponibilidad de servicios
-   - Tests de configuración de firewall
-   - Tests de certificados SSL
-
-2. **CI/CD Pipeline**
-   - GitHub Actions o GitLab CI
-   - Tests automáticos en cada push
-   - Tests de integración en staging
-
-3. **Tests de integración end-to-end**
-   - Despliegue completo en entorno de prueba
-   - Verificación de flujo completo: VPN → Proxy → Servicio
-
----
-
-## Comandos Útiles de Testing
-
-```bash
-# Testing rápido de sintaxis
-ansible-playbook deploy.yml --syntax-check
-
-# Dry-run (ver qué cambiaría sin aplicar)
-ansible-playbook deploy.yml --check --diff -e "host=hetzner alt=abyayala"
-
-# Verificar sintaxis YAML
-yamllint *.yml roles/
-
-# Análisis estático con ansible-lint
-ansible-lint deploy.yml
-
-# Test de un rol específico con Molecule
-cd roles/rap && molecule test
-
-# Verificación post-despliegue con Testinfra
-testinfra --hosts=ssh://root@hetzner tests/
-
-# Ver qué tareas se ejecutarían
-ansible-playbook deploy.yml --list-tasks -e "host=hetzner alt=abyayala"
-
-# Ejecutar solo con tags específicos en check mode
-ansible-playbook deploy.yml --check --tags=vpn -e "host=hetzner alt=abyayala"
-```
-
----
-
-## Contribuir
-
-Al agregar nuevos roles o modificar existentes:
-
-1. Ejecutar ansible-lint antes de commit
-2. Verificar sintaxis con --syntax-check
-3. Si es un rol crítico, agregar tests de Molecule
-4. Documentar casos de prueba en este archivo

abyayala.yml

@@ -14,7 +14,6 @@ matrix:
     roles:
       - rap
     nodos:
-      - llavero
       - marmite
       - nodochasqui
       - yanapak
@@ -59,6 +58,7 @@ matrix:
       - carabobolibre
       - samatuun
       - kaasavi
+      - llavero
 
   - service_name: respaldos
     domains:
@@ -206,7 +206,6 @@ matrix:
     domains:
       - kipu.latina.red
     nodo: kipu.comun
-    ssl: no
     ports:
       - 223
 
@@ -227,3 +226,9 @@ matrix:
       - kaasavi.abyaya.la
     nodo: kaasavi.comun
     force_https: yes
+
+  - service_name: llavero
+    domains:
+      - llavero.abyaya.la
+    nodo: llavero.comun
+    force_https: yes

group_vars/hetzner/vars

@@ -1,3 +1,5 @@
 host_ip: 5.161.236.18
+main_zone: abyaya.la
+vpn_name: comun
 proxy_scale: 2
 domains_default_force_https: yes

group_vars/testing/vars

@@ -0,0 +1,2 @@
+host_ip: 157.180.114.62
+main_zone: abyayala.red

hosts.production

@@ -1,5 +1,5 @@
 [localhost]
-127.0.0.1
+127.0.0.1 ansible_connection=local
 
 [hetzner]
 5.161.236.18
@@ -11,3 +11,9 @@ ansible_ssh_user=root
 sutty.nl
 
 [sutty:vars]
+
+[testing]
+157.180.114.62
+
+[testing:vars]
+ansible_ssh_user=root

roles/althost/tasks/compose.yml

@@ -1,13 +1,13 @@
     - name: check if service volumes exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/volumes.yml"
+      delegate_to: localhost
       register: volumes_def
 
     - name: check if service networks exists
-      local_action:
-        module: stat
+      stat:
         path: "{{ playbook_dir }}/roles/{{ item.roles[0] | default('proxy') }}/templates/networks.yml"
+      delegate_to: localhost
       register: networks_def
 
     - set_fact:
@@ -22,53 +22,53 @@
       when: networks_def.stat.exists
 
     - name: define services in local composition
-      local_action:
-        module: blockinfile
+      blockinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "services:"
         marker: "# {mark} {{ service_name|upper }}"
         block: "{{ services_content }}"
+      delegate_to: localhost
       changed_when: false
 
     - name: define volumes in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# volumenes compartidos"
         line: "volumes: #"
         state: present
         regexp: "volumes: #"
+      delegate_to: localhost
       when: volumes_def.stat.exists
       changed_when: false
 
     - name: define volumes content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "volumes: #"
         line: "{{ volumes_content }}"
         state: present
         regexp: "{{ volumes_content }}"
+      delegate_to: localhost
       when: volumes_content is defined
       changed_when: false
 
     - name: define networks in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "# redes compartidas"
         line: "networks: #"
         state: present
         regexp: "networks: #"
+      delegate_to: localhost
       when: networks_def.stat.exists
       changed_when: false
 
     - name: define networks content in local composition
-      local_action:
-        module: lineinfile
+      lineinfile:
         path: "{{ local_compose_path }}/docker-compose.yml"
         insertafter: "networks: #"
         line: "{{ networks_content }}"
         state: present
+      delegate_to: localhost
       when: networks_content is defined
       changed_when: false

roles/althost/tasks/main.yml

@@ -1,28 +1,46 @@
     # DOCKER CE this is specific for Debian
     # https://docs.docker.com/install/linux/docker-ce/debian/
+    # Soporta Debian 12 (bookworm) y Debian 13 (trixie)
     - block:
       - name: "unattended upgrades"
         apt:
           name: "unattended-upgrades"
           state: "present"
-              
+
       - name: required packages
         apt:
-          name: ['apt-transport-https', 'ca-certificates', 'curl', 'gnupg2', 'software-properties-common', 'python3-pip']
+          name: ['ca-certificates', 'curl', 'python3-pip']
           state: present
 
-      - name: docker signing key
-        apt_key:
+      - name: create keyrings directory
+        file:
+          path: /etc/apt/keyrings
+          state: directory
+          mode: '0755'
+
+      - name: download docker gpg key
+        get_url:
           url: https://download.docker.com/linux/debian/gpg
-          state: present
-        
-      - name: docker apt repository
-        apt_repository:
-          repo: deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable
+          dest: /etc/apt/keyrings/docker.asc
+          mode: '0644'
 
-      - name: install docker community edition
+      - name: add docker repository with deb822 format
+        deb822_repository:
+          name: docker
+          types: [deb]
+          uris: https://download.docker.com/linux/debian
+          suites: ["{{ ansible_distribution_release }}"]
+          components: [stable]
+          architectures: [amd64]
+          signed_by: /etc/apt/keyrings/docker.asc
+
+      - name: install docker community edition and compose plugin
         apt:
-          name: docker-ce
+          name:
+            - docker-ce
+            - docker-ce-cli
+            - containerd.io
+            - docker-compose-plugin
           update_cache: yes
 
       - name: is node already in swarm mode
@@ -48,23 +66,11 @@
           state: present
 
       # ansible-docker requirements
-      - name: python package docker-py is deprecated
-        pip:
-          name: docker-py
-          state: absent
-          break_system_packages: true
-
-      - name: ensure python package docker is present
-        pip:
-          name: docker
+      # Use system packages instead of pip to avoid break_system_packages
+      - name: ensure python3-docker package is present
+        apt:
+          name: python3-docker
           state: present
-          break_system_packages: true
-
-      - name: ensure python package docker-compose is present
-        pip:
-          name: docker-compose
-          state: present
-          break_system_packages: true
 
       tags: installation
 
@@ -74,16 +80,16 @@
         file: path={{ compose_path }} state=directory
       
       - name: make sure local compose path exists
-        local_action:
-          module: file
-          path: "{{ local_compose_path }}" 
+        file:
+          path: "{{ local_compose_path }}"
           state: directory
+        delegate_to: localhost
 
       - name: clean docker-compose.yml
-        local_action:
-          module: template
+        template:
           dest: "{{ local_compose_path }}/docker-compose.yml"
           src: roles/althost/templates/docker-compose.yml
+        delegate_to: localhost
         changed_when: false
 
       - name: execute roles per domain mapping

roles/certbot/tasks/main.yml

@@ -30,13 +30,14 @@
         env: yes
         value: /bin/bash
 
-    - name: automatic letsencrypt certs renewal
-      cron:
-        name: certificate renewal
-        day: 4,18
-        hour: 0
-        minute: 0
-        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt --network host {{ CERTBOT_image }} renew --dns-standalone-address={{ host_ip }} --dns-standalone-port=53 >> /var/log/renewal.log 2>&1"
+# TODO
+#    - name: automatic letsencrypt certs renewal
+#      cron:
+#        name: certificate renewal
+#        day: 4,18
+#        hour: 0
+#        minute: 0
+#        job: "docker run --rm -v {{ althost }}_certs_data:/etc/letsencrypt -v {{ althost }}_certs_www:/var/www/letsencrypt certbot/certbot renew >> /var/log/renewal.log 2>&1"
 
     - name: proxy update, after certs renewal
       cron:

roles/dnsmasq/tasks/main.yml

@@ -2,12 +2,14 @@
       apt:
         name: dnsmasq
         state: present
+
     - name: configuracion de red comun
       template:
         src: dnsmasq.conf
         dest: "/etc/dnsmasq.conf"
       notify:
         - restart dnsmasq
+
     - name: activar el servicio
       systemd_service:
         name: dnsmasq

roles/dnsmasq/templates/dnsmasq.conf

@@ -74,8 +74,8 @@ resolv-file=/etc/resolv.local
 
 # Add local-only domains here, queries in these domains are answered
 # from /etc/hosts or DHCP only.
-local=/comun/
-domain=comun
+local=/{{ vpn_name }}/
+domain={{ vpn_name }}
 
 # Add domains which you want to force to an IP address here.
 # The example below send any host in double-click.net to a local
@@ -117,7 +117,7 @@ domain=comun
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
-interface=comun
+interface={{ vpn_name }}
 # Or you can specify which interface _not_ to listen on
 except-interface=eth0
 # Or which to listen on by address (remember to include 127.0.0.1 if

roles/firewall/templates/rules.v4.j2

@@ -6,7 +6,7 @@
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -i comun -j ACCEPT
+-A INPUT -i {{ vpn_name }} -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

roles/knsupdate/tasks/update_domain.yml

@@ -1,10 +1,10 @@
     - set_fact:
-        is_abyayala_subdomain: "{{ domain.endswith('.abyaya.la') }}"
+        is_abyayala_subdomain: "{{ domain.endswith('.' ~ main_zone) }}"
 
-    - name: extract zone and hostname for abyaya.la subdomains
+    - name: extract zone and hostname for main zone subdomains
       set_fact:
-        zone: "abyaya.la."
-        hostname: "{{ domain | regex_replace('([a-z0-9-]+)\\.abyaya\\.la', '\\1') }}"
+        zone: "{{ main_zone ~ '.' }}"
+        hostname: "{{ domain | regex_replace('([a-z0-9-]+)\\.' ~ main_zone|regex_escape , '\\1') }}"
       when: is_abyayala_subdomain
 
     - name: split domain into parts
@@ -29,6 +29,8 @@
         zone: "{{ domain_parts[-2:] | join('.') }}."
         hostname: "{{ domain_parts[:-2] | join('.') if domain_parts | length > 2 else '@' }}"
       when: not is_abyayala_subdomain and not uses_compound_tld
+    - debug:
+        msg: "{{ lookup('template', 'templates/commands.j2') }}"
 
     - name: knsupdate for this domain
       shell: knsupdate

roles/knsupdate/vars/main.yml

@@ -7,14 +7,6 @@ dns_servers:
 compound_tlds:
   - com.ar
   - com.mx
-  - co.uk
   - com.br
-  - gov.ar
   - org.ar
-  - gob.ar
-  - net.ar
-  - mil.ar
-  - edu.ar
-  - co.nz
-  - net.nz
-  - org.nz
+  - edu.ar

roles/proxy/files/custom_proxy_includes/sutty.abyaya.la

@@ -1,11 +0,0 @@
-proxy_buffering off;
-proxy_request_buffering off;
-proxy_redirect off;
-proxy_connect_timeout 3m;
-proxy_send_timeout 3m;
-proxy_read_timeout 3m;
-
-limit_conn connection_limit 50;
-limit_req zone=request_limit nodelay burst=20;
-
-add_header Retry-After $retry_after always;

roles/proxy/files/custom_server_includes/sutty.abyaya.la

@@ -1,4 +0,0 @@
-add_header X-Frame-Options "sameorigin";
-add_header X-XSS-Protection "1; mode=block";
-add_header X-Content-Type-Options "nosniff";
-add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/tasks/main.yml

@@ -11,12 +11,12 @@
       tags: certbot
 
     - name: configuration paths
-      file: path={{ comun }} state=directory
+      file: path={{ abc }} state=directory
       with_items:
         - "{{ stream_path }}"
         - "{{ conf_path }}"
       loop_control:
-        loop_var: comun
+        loop_var: abc
 
     - name: virtual hosts path
       file: path={{ vhosts_path }} state=directory
@@ -45,12 +45,12 @@
           loop_control:
             loop_var: domino
 
-        - name: add default abyaya.la subdomain if not present
+        - name: add default main zone subdomain if not present
           set_fact:
             matrix_loop_with_defaults: "{{ matrix_loop_with_defaults | default([]) | union([ item_with_default ]) }}"
           vars:
-            has_abyayala_domain: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list | length > 0 }}"
-            default_domain: "{{ item.service_name }}.abyaya.la"
+            has_abyayala_domain: "{{ item.domains | select('match', '.*\\.' ~ (main_zone | regex_escape) ~ '$') | list | length > 0 }}"
+            default_domain: "{{ item.service_name ~ '.' ~ main_zone }}"
             domains_with_default: "{{ item.domains + [default_domain] if not has_abyayala_domain else item.domains }}"
             item_with_default: "{{ item | combine({'domains': domains_with_default}) }}"
           with_items: "{{ matrix_loop | default([]) }}"

roles/proxy/templates/common.conf

@@ -0,0 +1,4 @@
+    add_header X-Frame-Options "sameorigin";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";

roles/proxy/templates/default_proxy.conf

@@ -12,10 +12,12 @@
 
         gzip_disable "msie6";
         {% endif %}
+
         client_max_body_size 1G;
+
         proxy_ssl_verify off;
         proxy_ssl_server_name on;
-        proxy_ssl_name $host;
+        proxy_ssl_name $ssl_server_name;
 
         proxy_pass https://$comun_{{ vhost.nodo | replace(".", "") }};
 
@@ -27,6 +29,18 @@
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection upgrade;
 
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_redirect off;
+        proxy_connect_timeout 3m;
+        proxy_send_timeout 3m;
+        proxy_read_timeout 3m;
+
+        limit_conn connection_limit 50;
+        limit_req zone=request_limit nodelay burst=20;
+
+        add_header Retry-After $retry_after always;
+
         {% include "files/custom_proxy_includes/" ~ vhost.domains[0] ignore missing %}
 }
       # END PROXY

roles/proxy/templates/stream.conf

@@ -5,7 +5,7 @@ upstream ssh_{{ vhost.nodo | replace(".", "") }} {
 server {
     listen {{ vhost.ports[0] }};
 
-    server_name  {{ vhost.service_name }}.abyaya.la;
+    server_name  {{ vhost.service_name }}.{{ main_zone }};
 
     proxy_pass ssh_{{ vhost.nodo | replace(".", "") }};
 }

roles/rap/tasks/client.yml

@@ -28,11 +28,11 @@
         cmd: "./rap init -i {{ nodo }}"
         chdir: "{{ rap_path }}/rap"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"
 
     - name: instalar el nodo
       shell: 
         cmd: "./rap install -v {{ nodo }}"
         chdir: "{{ rap_path }}/rap"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"

roles/rap/tasks/main.yml

@@ -24,9 +24,9 @@
         cmd: "./rap add-host {{ althost }} {{ nod }}"
         chdir: "{{ rap_path }}"
       args:
-        creates: "{{ rap_path }}/networks/comun/abyayala/hosts/{{ nod }}"
+        creates: "{{ rap_path }}/networks/{{ vpn_name }}/abyayala/hosts/{{ nod }}"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"
       with_items: "{{ item.nodos }}"
       loop_control:
         loop_var: nod
@@ -36,4 +36,4 @@
         cmd: "./rap install -v {{ althost }}"
         chdir: "{{ rap_path }}"
       environment:
-        NETWORK: comun
+        NETWORK: "{{ vpn_name }}"

testnet.yml

@@ -0,0 +1,23 @@
+althost: testnet
+matrix:
+  - service_name: comun
+    roles:
+      - kemal
+    domains:
+      - comun.abyayala.red
+
+  - service_name: dns
+    roles:
+      - knsupdate
+
+  - service_name: vpn
+    roles:
+      - rap
+    nodos:
+      - qi
+
+  - service_name: qi
+    domains:
+      - qi.abyayala.red
+    nodo: qi.comun
+#    force_https: yes