diff --git a/abyayala.yml b/abyayala.yml index 6e78f34..2df7be1 100644 --- a/abyayala.yml +++ b/abyayala.yml @@ -60,6 +60,7 @@ matrix: - kaasavi - llavero - deabajo + - testnet - service_name: respaldos domains: @@ -67,11 +68,9 @@ matrix: nodo: respaldos.comun force_https: yes - - service_name: marmite - domains: - - marmite.abyaya.la - nodo: marmite.comun + - nodo: marmite force_https: yes + # Auto-deduced: domains: [marmite.abyaya.la], rap_dn: marmite.comun - service_name: yanapak domains: diff --git a/group_vars/hetzner/vars b/group_vars/hetzner/vars index 87a5c11..579a45e 100644 --- a/group_vars/hetzner/vars +++ b/group_vars/hetzner/vars @@ -1,3 +1,6 @@ host_ip: 5.161.236.18 +main_zone: abyaya.la +vpn_name: comun +vpn_proxy: 10.13.12.1 proxy_scale: 2 domains_default_force_https: yes diff --git a/group_vars/testing/vars b/group_vars/testing/vars index d43597d..cbba201 100644 --- a/group_vars/testing/vars +++ b/group_vars/testing/vars @@ -1 +1,5 @@ host_ip: 157.180.114.62 +main_zone: abyayala.red +vpn_name: comun +vpn_proxy: 10.13.12.159 +proxy_scale: 1 \ No newline at end of file diff --git a/roles/althost/tasks/roles.yml b/roles/althost/tasks/roles.yml index 067ee65..29f4fb8 100644 --- a/roles/althost/tasks/roles.yml +++ b/roles/althost/tasks/roles.yml @@ -1,9 +1,10 @@ - set_fact: current_service: "{{ item }}" - service_name: "{{ item.service_name }}" + # Deducir service_name: usar 'nodo' si existe, sino 'service_name' (retrocompatibilidad) + service_name: "{{ item.nodo | default(item.service_name) }}" service_roles: "{{ item.roles | default([]) }}" -- include_role: +- include_role: name: "{{ current_role_name }}" with_items: "{{ service_roles }}" loop_control: diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml index 718b9d5..88eec72 100644 --- a/roles/dnsmasq/tasks/main.yml +++ b/roles/dnsmasq/tasks/main.yml 
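Review bot: `service_name: "{{ item.nodo | default(item.service_name) }}"` in roles/althost/tasks/roles.yml prefers `nodo`, while the new roles/proxy/tasks/normalize_node.yml derives the same field the other way round (`domino.service_name | default(_node_name)`), so a matrix entry that sets both keys with different values gets one service name in the althost role and another in the proxy role. If the two are meant to agree, use the same precedence here, `service_name: "{{ item.service_name | default(item.nodo) }}"`; if `nodo` is deliberately preferred for althost, the comment should say why rather than only "retrocompatibilidad". The `include_role` loop that follows continues past the hunk.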
@@ -2,12 +2,14 @@ apt: name: dnsmasq state: present + - name: configuracion de red comun template: src: dnsmasq.conf dest: "/etc/dnsmasq.conf" notify: - restart dnsmasq + - name: activar el servicio systemd_service: name: dnsmasq diff --git a/roles/dnsmasq/templates/dnsmasq.conf b/roles/dnsmasq/templates/dnsmasq.conf index c3c1060..48f41ad 100644 --- a/roles/dnsmasq/templates/dnsmasq.conf +++ b/roles/dnsmasq/templates/dnsmasq.conf @@ -74,8 +74,8 @@ resolv-file=/etc/resolv.local # Add local-only domains here, queries in these domains are answered # from /etc/hosts or DHCP only. -local=/comun/ -domain=comun +local=/{{ vpn_name }}/ +domain={{ vpn_name }} # Add domains which you want to force to an IP address here. # The example below send any host in double-click.net to a local @@ -117,12 +117,12 @@ domain=comun # specified interfaces (and the loopback) give the name of the # interface (eg eth0) here. # Repeat the line for more than one interface. -interface=comun +interface={{ vpn_name }} # Or you can specify which interface _not_ to listen on except-interface=eth0 # Or which to listen on by address (remember to include 127.0.0.1 if # you use this.) -listen-address=10.13.12.1,127.0.0.1 +listen-address={{ vpn_proxy }},127.0.0.1 # If you want dnsmasq to provide only DNS service on an interface, # configure it as shown above, and then use the following line to # disable DHCP and TFTP on it. diff --git a/roles/firewall/templates/rules.v4.j2 b/roles/firewall/templates/rules.v4.j2 index 2a453e6..959def9 100644 --- a/roles/firewall/templates/rules.v4.j2 +++ b/roles/firewall/templates/rules.v4.j2 @@ -6,7 +6,7 @@ -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -i lo -j ACCEPT --A INPUT -i comun -j ACCEPT +-A INPUT -i {{ vpn_name }} -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
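Review bot: `-A INPUT -i {{ vpn_name }} -j ACCEPT` already admits every packet arriving on the VPN interface, so the interface-agnostic `--dport 53` ACCEPT rules that follow it are what keep dnsmasq reachable on eth0 as well; the only thing standing between the public address and an open resolver is the `listen-address={{ vpn_proxy }},127.0.0.1` line in the dnsmasq template changed in this same commit. If DNS is meant to be VPN-only, either drop the two port-53 rules (the new interface rule covers the VPN side) or scope them with `-i {{ vpn_name }}`, so a later edit to dnsmasq's listen settings cannot silently expose it. The rules.v4.j2 template continues past the hunk.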
diff --git a/roles/kemal/templates/vhost.conf b/roles/kemal/templates/vhost.conf index 474d4a4..2c7a923 100644 --- a/roles/kemal/templates/vhost.conf +++ b/roles/kemal/templates/vhost.conf @@ -5,6 +5,6 @@ server { client_max_body_size 4k; location / { - proxy_pass http://10.13.12.1:3000; + proxy_pass http://{{ vpn_proxy }}:3000; } } diff --git a/roles/knsupdate/tasks/update_domain.yml b/roles/knsupdate/tasks/update_domain.yml index 841342d..467ade8 100644 --- a/roles/knsupdate/tasks/update_domain.yml +++ b/roles/knsupdate/tasks/update_domain.yml @@ -1,10 +1,10 @@ - set_fact: - is_abyayala_subdomain: "{{ domain.endswith('.abyaya.la') }}" + is_abyayala_subdomain: "{{ domain.endswith('.' ~ main_zone) }}" - - name: extract zone and hostname for abyaya.la subdomains + - name: extract zone and hostname for main zone subdomains set_fact: - zone: "abyaya.la." - hostname: "{{ domain | regex_replace('([a-z0-9-]+)\\.abyaya\\.la', '\\1') }}" + zone: "{{ main_zone ~ '.' }}" + hostname: "{{ domain | regex_replace('([a-z0-9-]+)\\.' ~ main_zone|regex_escape , '\\1') }}" when: is_abyayala_subdomain - name: split domain into parts @@ -30,6 +30,11 @@ hostname: "{{ domain_parts[:-2] | join('.') if domain_parts | length > 2 else '@' }}" when: not is_abyayala_subdomain and not uses_compound_tld + - name: Debug knsupdate for this domain + debug: + msg: "{{ lookup('template', 'templates/commands.j2') }}" + when: is_abyayala_subdomain + - name: knsupdate for this domain shell: knsupdate args: diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml index 8ce8c1b..f57c350 100644 --- a/roles/proxy/tasks/main.yml +++ b/roles/proxy/tasks/main.yml 
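Review bot: The new `debug` task in roles/knsupdate/tasks/update_domain.yml renders `templates/commands.j2` into the play output for every main-zone domain; that template is not visible here, but if it carries the knsupdate TSIG key the secret lands in every run log and CI console. Add `verbosity: 2` to the debug task so it only prints under `-vv`, and if the command file does include key material, put `no_log: true` on the `knsupdate for this domain` task as well. The regex change is correct as written (`|` binds tighter than `~`, so only `main_zone` is escaped and then concatenated). The knsupdate task continues past the hunk.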
@@ -10,14 +10,18 @@ include_role: name=certbot tags: certbot + - name: set main_zone_regex from main_zone + set_fact: + main_zone_regex: "{{ '.' ~ main_zone | replace('.', '\\.') }}" + - name: configuration paths - file: path={{ comun }} state=directory + file: path={{ abc }} state=directory with_items: - "{{ stream_path }}" - "{{ conf_path }}" - "{{ certbot_webroot }}" loop_control: - loop_var: comun + loop_var: abc - name: virtual hosts path file: path={{ vhosts_path }} state=directory 
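Review bot: `main_zone_regex: "{{ '.' ~ main_zone | replace('.', '\\.') }}"` escapes only `main_zone`, because `|` binds tighter than `~`; the leading `.` stays a regex wildcard, so the `select('match', '.*' ~ main_zone_regex ~ '$')` in normalize_node.yml also accepts a name that merely ends in the zone string without a dot separator and would promote it to `domains[0]`, which names the vhost file and presumably drives the certificate request. Escape the whole string instead: `main_zone_regex: "{{ ('.' ~ main_zone) | regex_escape }}"` (the repo already uses `regex_escape` in roles/knsupdate/tasks/update_domain.yml). The renamed loop var `abc` is also less readable than the `common` used by the sibling task; something like `conf_dir` says what it holds. The task list continues past the hunk.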
@@ -37,34 +41,15 @@ loop_control: loop_var: common - - name: domains' stuff + - name: neo stuff block: - - name: slice matrix with those having domains defined - set_fact: - matrix_loop: "{{ matrix_loop | default([]) | union([ domino ]) }}" - with_items: "{{ matrix }}" - when: "{{ domino.domains is defined and domino.nodo is defined }}" + - name: normalize and build matrix_loop + include_tasks: normalize_node.yml + with_items: "{{ matrix }}" + when: "{{ (domino.domains is defined or domino.nodo is defined or domino.service_name is defined) }}" loop_control: loop_var: domino - - name: ensure abyaya.la subdomain is always first in domains list - set_fact: - matrix_loop_with_defaults: "{{ matrix_loop_with_defaults | default([]) | union([ item_with_default ]) }}" - vars: - existing_abyayala_domains: "{{ item.domains | select('match', '.*\\.abyaya\\.la$') | list }}" - has_abyayala_domain: "{{ existing_abyayala_domains | length > 0 }}" - default_domain: "{{ item.service_name }}.abyaya.la" - other_domains: "{{ item.domains | reject('match', '.*\\.abyaya\\.la$') | list }}" - abyayala_domain_to_use: "{{ existing_abyayala_domains[0] if has_abyayala_domain else default_domain }}" - domains_with_default: "{{ [abyayala_domain_to_use] + other_domains }}" - item_with_default: "{{ item | combine({'domains': domains_with_default}) }}" - with_items: "{{ matrix_loop | default([]) }}" - - - name: update matrix_loop with defaults - set_fact: - matrix_loop: "{{ matrix_loop_with_defaults }}" - when: matrix_loop_with_defaults is defined - - name: certificates loop include_tasks: ../../certbot/tasks/certbot.yml with_items: "{{ matrix_loop | default([]) }}" @@ -78,7 +63,7 @@ with_items: "{{ matrix_loop }}" loop_control: loop_var: vhost - when: (service is undefined) or (service is defined and service == vhost.service_name) + when: ((service is undefined) or (service is defined and service == vhost.service_name)) and not vhost.skip_vhost - name: streams loop include_tasks: stream.yml 
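Review bot: The `skip_vhost` guard added to the vhosts loop is not applied to the `certificates loop` right above it, so a roles-only entry (no `domains`) still has its auto-deduced `<nodo>.<main_zone>` handed to certbot, which presumably fails or consumes rate limit when no such record exists; mirror the new condition there with a `when: not <loop_var>.skip_vhost` on the certbot include. The rewritten `when: "{{ (domino.domains is defined or ...) }}"` also keeps Jinja delimiters inside a conditional, which Ansible warns about; `when: domino.domains is defined or domino.nodo is defined or domino.service_name is defined` is the plain form. `neo stuff` as a block name says nothing about what the block does; the old `domains' stuff` was at least descriptive. The block continues past the hunk.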
diff --git a/roles/proxy/tasks/normalize_node.yml b/roles/proxy/tasks/normalize_node.yml new file mode 100644 index 0000000..340cefa --- /dev/null +++ b/roles/proxy/tasks/normalize_node.yml @@ -0,0 +1,21 @@ +- set_fact: + _existing_abyayala_domains: "{{ (domino.domains | default([])) | select('match', '.*' ~ main_zone_regex ~ '$') | list }}" + _other_domains: "{{ (domino.domains | default([])) | reject('match', '.*' ~ main_zone_regex ~ '$') | list }}" + _node_name: "{{ domino.nodo | default(domino.service_name) }}" + _default_domain: "{{ (domino.nodo | default(domino.service_name)) ~ '.' ~ main_zone }}" + _default_rap_dn: "{{ (domino.nodo | default(domino.service_name)) ~ '.' ~ vpn_name }}" + +- set_fact: + domino_normalized: + nodo: "{{ _node_name }}" + rap_dn: "{{ domino.rap_dn | default(_default_rap_dn) }}" + domains: "{{ [(_existing_abyayala_domains[0] if (_existing_abyayala_domains | length > 0) else _default_domain)] + _other_domains }}" + force_https: "{{ domino.force_https | default(domains_default_force_https) }}" + ports: "{{ domino.ports | default([]) }}" + enable_compression: "{{ domino.enable_compression | default(domains_default_enable_compression) }}" + roles: "{{ domino.roles | default([]) }}" + service_name: "{{ domino.service_name | default(_node_name) }}" + skip_vhost: "{{ (domino.roles is defined and (domino.roles | length > 0) and domino.domains is not defined) }}" + +- set_fact: + matrix_loop: "{{ matrix_loop | default([]) | union([ domino_normalized ]) }}" \ No newline at end of file diff --git a/roles/proxy/tasks/stream.yml b/roles/proxy/tasks/stream.yml index f35ff02..0b14835 100644 --- a/roles/proxy/tasks/stream.yml +++ b/roles/proxy/tasks/stream.yml 
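Review bot: normalize_node.yml has no header explaining its contract, although every consumer depends on it: it expects `domino` from the including loop plus `main_zone`, `main_zone_regex`, `vpn_name`, `domains_default_force_https` and `domains_default_enable_compression` to be defined, and its only output is the entry it appends to `matrix_loop`. A short comment at the top stating that, and that `main_zone_regex` is set in roles/proxy/tasks/main.yml rather than here, would save the next reader a search. `_existing_abyayala_domains` is also a zone-specific name now that the zone is a variable; `_main_zone_domains` matches what it holds. Since `set_fact` results persist as host facts, the underscore-prefixed intermediates outlive the include; harmless because each iteration reassigns them, but worth saying in the header. The file also lacks a trailing newline.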
@@ -1,10 +1,10 @@ - set_fact: - vhost_dest: "{{ stream_path }}/{{ vhost.domains[0] }}.conf" + vhost_dest: "{{ stream_path }}/{{ vhost.service_name }}.conf" - name: default stream for ssh template: src: "{{ default_stream }}" dest: "{{ vhost_dest }}" - when: vhost.ports is defined + when: vhost.ports is defined and (vhost.ports | length > 0) notify: - reload proxy diff --git a/roles/proxy/tasks/vhosts.yml b/roles/proxy/tasks/vhosts.yml index 388e480..76c8ace 100644 --- a/roles/proxy/tasks/vhosts.yml +++ b/roles/proxy/tasks/vhosts.yml @@ -1,12 +1,12 @@ - set_fact: vhost_dest: "{{ vhosts_path }}/{{ vhost.domains[0] }}.conf" -- block: +- block: - set_fact: custom_vhost: "roles/{{ vhost.roles[0] }}/templates/vhost.conf" - set_fact: proxy_conf: "roles/{{ vhost.roles[0] }}/templates/proxy.conf" - when: vhost.roles is defined + when: vhost.roles is defined and (vhost.roles | length > 0) - set_fact: proxy_conf_look: "{{ lookup('template', proxy_conf) }}" @@ -16,7 +16,7 @@ template: src: "{{ default_vhost }}" dest: "{{ vhost_dest }}" - when: (vhost.roles is undefined or vhost.roles[0] == 'proxy') or (custom_vhost is undefined or custom_vhost is not is_file) + when: (vhost.roles is undefined or (vhost.roles | length == 0) or vhost.roles[0] == 'proxy') or (custom_vhost is undefined or custom_vhost is not is_file) notify: - reload proxy @@ -24,6 +24,6 @@ template: src: "{{ custom_vhost }}" dest: "{{ vhost_dest }}" - when: (vhost.roles is defined and vhost.roles[0] != 'proxy') and custom_vhost is defined and custom_vhost is is_file + when: (vhost.roles is defined and (vhost.roles | length > 0) and vhost.roles[0] != 'proxy') and custom_vhost is defined and custom_vhost is is_file notify: - reload proxy diff --git a/roles/proxy/templates/default_proxy.conf b/roles/proxy/templates/default_proxy.conf index 1da7fac..4f4bf1e 100644 --- a/roles/proxy/templates/default_proxy.conf +++ b/roles/proxy/templates/default_proxy.conf 
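Review bot: `vhost_dest: "{{ stream_path }}/{{ vhost.service_name }}.conf"` keys the stream file on `service_name`, which normalize_node.yml defaults to the node name but still lets an entry set explicitly, so two entries that end up with the same `service_name` silently write the same file and the last one wins; the previous `domains[0]` key had a similar hazard, but the domain list is at least unique by construction of the vhost map. If uniqueness is assumed, make it explicit before the loops with `assert: { that: "matrix_loop | map(attribute='service_name') | list | unique | length == matrix_loop | length" }`. The `ports | length > 0` guard is fine but redundant now that normalize_node.yml always sets `ports`; keeping it is reasonable for entries that bypass normalization.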
@@ -19,7 +19,7 @@ proxy_ssl_server_name on; proxy_ssl_name $ssl_server_name; - proxy_pass https://$comun_{{ vhost.nodo | replace(".", "") }}; + proxy_pass https://$comun_{{ vhost.rap_dn | replace(".", "") }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; diff --git a/roles/proxy/templates/stream.conf b/roles/proxy/templates/stream.conf index 95ae361..0be5eed 100644 --- a/roles/proxy/templates/stream.conf +++ b/roles/proxy/templates/stream.conf @@ -1,15 +1,11 @@ -upstream ssh_{{ vhost.nodo | replace(".", "") }} { - server {{ vhost.nodo }}:22; +upstream ssh_{{ vhost.rap_dn | replace(".", "") }} { + server {{ vhost.rap_dn }}:22; } server { listen {{ vhost.ports[0] }}; - {% if vhost.root | default(false) %} - server_name {{ vhost.domains | join(' ') }}; - {% else %} - server_name .{{ vhost.domains | join(' .') }}; - {% endif %} + server_name {{ vhost.service_name }}.{{ main_zone }}; - proxy_pass ssh_{{ vhost.nodo | replace(".", "") }}; + proxy_pass ssh_{{ vhost.rap_dn | replace(".", "") }}; } \ No newline at end of file diff --git a/roles/proxy/templates/vhost.conf b/roles/proxy/templates/vhost.conf index 46e1d7d..ae20819 100644 --- a/roles/proxy/templates/vhost.conf +++ b/roles/proxy/templates/vhost.conf @@ -1,10 +1,10 @@ -map $http_host $comun_{{ vhost.nodo | replace(".", "") }} { +map $http_host $comun_{{ vhost.rap_dn | replace(".", "") }} { hostnames; {% for domain in vhost.domains %} {% if vhost.root | default(false) %} - {{ domain }} {{ vhost.nodo }}; + {{ domain }} {{ vhost.rap_dn }}; {% else %} - .{{ domain }} {{ vhost.nodo }}; + .{{ domain }} {{ vhost.rap_dn }}; {% endif %} {% endfor %} } @@ -18,7 +18,7 @@ server { listen 80; - resolver 10.13.12.1 valid=300s; + resolver {{ vpn_proxy }} valid=300s; resolver_timeout 5s; {% if vhost.root | default(false) %} diff --git a/roles/proxy/vars/main.yml b/roles/proxy/vars/main.yml index d541bb7..a87f280 100644 --- a/roles/proxy/vars/main.yml +++ b/roles/proxy/vars/main.yml 
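Review bot: `server_name {{ vhost.service_name }}.{{ main_zone }};` in stream.conf replaces both the `root` branch and the `.`-prefixed wildcard form, so an SNI for a subdomain of the node's name, or for any of the other entries in `vhost.domains`, no longer reaches the ssh upstream; vhost.conf in this same commit keeps the `root`/wildcard logic for HTTP, so the two templates now disagree on which names a node answers to. If narrowing to exactly the one name is intended, a one-line comment above the directive saying so is enough; otherwise keep the conditional and derive the names from `vhost.domains` as before. The file also lost its trailing newline.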
@@ -1,5 +1,6 @@ domains_default_ssl: no domains_default_force_https: no +domains_default_enable_compression: no # nginx vhosts_path: "{{ compose_path }}/proxy/vhosts" diff --git a/roles/rap/code/rap b/roles/rap/code/rap index ec4cd71..05481cd 160000 --- a/roles/rap/code/rap +++ b/roles/rap/code/rap @@ -1 +1 @@ -Subproject commit ec4cd71e6e2f5159ae08c06123db67e48dc7a5bb +Subproject commit 05481cdbc3b32f139c53cdf7adfaace97db82fac diff --git a/roles/rap/tasks/client.yml b/roles/rap/tasks/client.yml index fed4dc0..9570b7a 100644 --- a/roles/rap/tasks/client.yml +++ b/roles/rap/tasks/client.yml @@ -2,7 +2,7 @@ # https://serverfault.com/questions/1108989/isc-dhcp-client-dhclient-alternative - name: instalar dependecias de la RAP apt: - name: ['tinc', 'rsync', 'dhcp5'] + name: ['tinc', 'rsync', 'dhcpcd5'] state: latest # update_cache: yes tags: installation @@ -11,13 +11,13 @@ - name: copiar el codigo fuente synchronize: - src: ../roles/rap/code/rap + src: ../roles/rap/code/rap/ dest: "{{ rap_path }}" perms: true - name: hacer ejecutable el archivo rap file: - path: "{{ rap_path }}/rap/rap" + path: "{{ rap_path }}/rap" state: touch mode: '774' modification_time: preserve @@ -26,13 +26,13 @@ - name: inicializar el nodo shell: cmd: "./rap init -i {{ nodo }}" - chdir: "{{ rap_path }}/rap" + chdir: "{{ rap_path }}" environment: - NETWORK: comun + NETWORK: "{{ vpn_name }}" - name: instalar el nodo shell: cmd: "./rap install -v {{ nodo }}" - chdir: "{{ rap_path }}/rap" + chdir: "{{ rap_path }}" environment: - NETWORK: comun + NETWORK: "{{ vpn_name }}" diff --git a/roles/rap/tasks/main.yml b/roles/rap/tasks/main.yml index 80df79b..598c3af 100644 --- a/roles/rap/tasks/main.yml +++ b/roles/rap/tasks/main.yml 
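Review bot: The `hacer ejecutable el archivo rap` task now targets `{{ rap_path }}/rap` with `mode: '774'`, which leaves the script group-writable while the next two tasks execute it (`./rap init`, `./rap install`), presumably as root given the `--become` invocation documented in tasks/rap.yml; any member of that group could then change what runs with that privilege. `mode: '755'` (or `'750'`) is the usual choice for an executable that is not meant to be edited in place. Note that `synchronize` with `perms: true` copies the source permissions first, so this `touch` task is what finally decides them; the mode line is context, but this hunk is where the path moved.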
@@ -24,9 +24,9 @@ cmd: "./rap add-host {{ althost }} {{ nod }}" chdir: "{{ rap_path }}" args: - creates: "{{ rap_path }}/networks/comun/abyayala/hosts/{{ nod }}" + creates: "{{ rap_path }}/networks/{{ vpn_name }}/abyayala/hosts/{{ nod }}" environment: - NETWORK: comun + NETWORK: "{{ vpn_name }}" with_items: "{{ item.nodos }}" loop_control: loop_var: nod @@ -36,4 +36,4 @@ cmd: "./rap install -v {{ althost }}" chdir: "{{ rap_path }}" environment: - NETWORK: comun + NETWORK: "{{ vpn_name }}" diff --git a/tasks/rap.yml b/tasks/rap.yml index de88174..d9c0a27 100644 --- a/tasks/rap.yml +++ b/tasks/rap.yml @@ -1,5 +1,6 @@ # Instalacion de la RAP en maquina local # ansible-playbook --become tasks/rap.yml -e "host=localhost nodo=chem" -i hosts.local +# ansible-playbook tasks/rap.yml -e "host=testing nodo=testnet" --- - hosts: "{{ host }}" tasks: diff --git a/testnet.yml b/testnet.yml index f9c621b..beea6a5 100644 --- a/testnet.yml +++ b/testnet.yml @@ -16,8 +16,7 @@ matrix: nodos: - qi - - service_name: qi - domains: - - qi.abyayala.red - nodo: qi.comun + - nodo: qi + ports: + - 531 # force_https: yes \ No newline at end of file
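Review bot: `creates: "{{ rap_path }}/networks/{{ vpn_name }}/abyayala/hosts/{{ nod }}"` still hard-codes the `abyayala` path segment while the network name became `vpn_name` and the zone became `main_zone`; if `rap add-host` derives that directory from something that now varies per environment (the testing group uses `abyayala.red`), the guard never matches and `add-host` re-runs on every play. Either template that segment from the same variable rap uses, or document why it is fixed, e.g. `# 'abyayala' is the rap hosts directory name, independent of main_zone/vpn_name`. The task's `name` line is outside the hunk.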