From 27213e690c9e64bdc6084bb4daa3e1589b01f4d0 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Mon, 14 Oct 2024 22:16:04 -0400
Subject: [PATCH] woah
---
 group_vars/vpn.yml | 1 +
 inventory | 4 +--
 .../nameservers/templates/db.simponic.xyz.j2 | 1 +
 roles/vpn/files/config/acl.json | 5 ++--
 .../files/levi/http.rainrain.xyz.conf | 5 ++++
 .../files/levi/http.rainrainra.in.conf | 13 ----------
 ...ttps.ntfy.simponic.hatecomputers.club.conf | 2 +-
 .../files/levi/https.party.simponic.xyz.conf | 2 +-
 .../files/levi/https.rainrain.xyz.servconf | 19 ++++++++++++++
 .../files/levi/https.rainrainra.in.conf | 25 -------------------
 .../https.secure.tunnel.simponic.xyz.conf | 2 +-
 .../https.simponic.hatecomputers.club.conf | 2 +-
 .../files/levi/https.simponic.xyz.conf | 2 +-
 .../files/levi/https.static.simponic.xyz.conf | 2 +-
 .../files/levi/https.tunnel.simponic.xyz.conf | 2 +-
 roles/webservers/files/nginx.conf | 7 +++---
 roles/webservers/tasks/main.yml | 7 +++---
 17 files changed, 44 insertions(+), 57 deletions(-)
 create mode 100644 roles/webservers/files/levi/http.rainrain.xyz.conf
 delete mode 100644 roles/webservers/files/levi/http.rainrainra.in.conf
 create mode 100644 roles/webservers/files/levi/https.rainrain.xyz.servconf
 delete mode 100644 roles/webservers/files/levi/https.rainrainra.in.conf
diff --git a/group_vars/vpn.yml b/group_vars/vpn.yml
index 0a62dd1..40a5003 100644
--- a/group_vars/vpn.yml
+++ b/group_vars/vpn.yml
@@ -3,3 +3,4 @@ headscale_oidc_secret: "{{ lookup('env', 'HEADSCALE_OIDC_SECRET') }}"
 headscale_allowed_users:
   - "elizabeth@simponic.xyz"
   - "riley@simponic.xyz"
+  - "rain@simponic.xyz"
diff --git a/inventory b/inventory
index 591871a..67c83c9 100644
--- a/inventory
+++ b/inventory
@@ -5,6 +5,7 @@ levi ansible_user=root ansible_connection=ssh
 mail.simponic.xyz ansible_user=root ansible_connection=ssh
 europa ansible_user=root ansible_connection=ssh
 johan ansible_user=root ansible_connection=ssh
+raspberrypi ansible_user=root ansible_connection=ssh
 [prod]
 nijika ansible_user=root ansible_connection=ssh
@@ -80,6 +81,3 @@ johan ansible_user=root ansible_connection=ssh
 [backup-notifications]
 johan ansible_user=root ansible_connection=ssh
-
-[rainrainrain]
-levi ansible_user=root ansible_connection=ssh
diff --git a/roles/nameservers/templates/db.simponic.xyz.j2 b/roles/nameservers/templates/db.simponic.xyz.j2
index c0d619c..d4f22e3 100644
--- a/roles/nameservers/templates/db.simponic.xyz.j2
+++ b/roles/nameservers/templates/db.simponic.xyz.j2
@@ -37,6 +37,7 @@ s2._domainkey.simponic.xyz. 1 IN CNAME s2.domainkey.u25709709.wl210.sendgrid.net
 headscale.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
 authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
 git.simponic.xyz. 1 IN CNAME nijika.simponic.xyz.
+frens.simponic.xyz. 1 IN CNAME europa.simponic.endpoints.hatecomputers.club.
 lab.simponic.xyz. 1 IN CNAME simponic.tplinkdns.com.
diff --git a/roles/vpn/files/config/acl.json b/roles/vpn/files/config/acl.json
index b6a6145..9e54bd5 100644
--- a/roles/vpn/files/config/acl.json
+++ b/roles/vpn/files/config/acl.json
@@ -2,7 +2,8 @@
   "groups": {
     "group:admin": ["elizabeth"],
     "group:roomates": ["riley"],
-    "group:friends": ["riley"],
+    "group:friends": ["riley", "rain"],
+    "group:rain": ["rain"],
     "group:sys": ["sys"]
   },
   "tagOwners": {
@@ -24,7 +25,7 @@
     {
       "action": "accept",
       "src": ["group:sys"],
-      "dst": ["group:sys:*", "10.128.0.0/9:*"]
+      "dst": ["group:sys:*", "10.128.0.0/9:*", "group:rain:*"]
     },
     {
       "action": "accept",
diff --git a/roles/webservers/files/levi/http.rainrain.xyz.conf b/roles/webservers/files/levi/http.rainrain.xyz.conf
new file mode 100644
index 0000000..de7a872
--- /dev/null
+++ b/roles/webservers/files/levi/http.rainrain.xyz.conf
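Review bot: The widened `dst` on the group:sys rule grants every port on rain's nodes (`group:rain:*`), while the only new traffic to rain in this commit is the TLS passthrough to `tailscale.rain.internal.simponic.xyz:443` in https.rainrain.xyz.servconf; if that is the intended use, `"dst": ["group:sys:*", "10.128.0.0/9:*", "group:rain:443"]` limits the exposure to that port. The first hunk also places rain in both group:friends and group:rain, so whatever rules already apply to group:friends (outside this hunk) now apply to rain as well; keeping one membership, or recording why both are needed, avoids the two drifting apart later. Whether levi itself is in group:sys is not visible here, so it is worth confirming the stream proxy's source node is actually covered by this rule.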
@@ -0,0 +1,5 @@
+server {
+    listen 80;
+    server_name *.rainrain.xyz;
+    return 301 https://$server_name$request_uri?;
+}
diff --git a/roles/webservers/files/levi/http.rainrainra.in.conf b/roles/webservers/files/levi/http.rainrainra.in.conf
deleted file mode 100644
index 5681819..0000000
--- a/roles/webservers/files/levi/http.rainrainra.in.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-server {
-    listen 80;
-    server_name rainrainra.in;
-
-    location /.well-known/acme-challenge {
-        root /var/www/letsencrypt;
-        try_files $uri $uri/ =404;
-    }
-
-    location / {
-        rewrite ^ https://rainrainra.in$request_uri? permanent;
-    }
-}
diff --git a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
index 9a0c818..d532ee1 100644
--- a/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.ntfy.simponic.hatecomputers.club.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen 4443 ssl;
     allow 10.0.0.0/8;
     allow 100.64.0.0/12;
diff --git a/roles/webservers/files/levi/https.party.simponic.xyz.conf b/roles/webservers/files/levi/https.party.simponic.xyz.conf
index 1896024..b0f85d7 100644
--- a/roles/webservers/files/levi/https.party.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.party.simponic.xyz.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen 4443 ssl;
     server_name party.simponic.xyz;
     ssl_certificate /etc/letsencrypt/live/party.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.rainrain.xyz.servconf b/roles/webservers/files/levi/https.rainrain.xyz.servconf
new file mode 100644
index 0000000..5485af1
--- /dev/null
+++ b/roles/webservers/files/levi/https.rainrain.xyz.servconf
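Review bot: `$server_name` in the new `return 301` line expands to the configured name, i.e. the literal `*.rainrain.xyz`, not the host the client requested, and because `$request_uri` already carries the query string the trailing `?` is emitted verbatim in the Location header (`return` does not treat it as the rewrite-style args suppressor). `return 301 https://$host$request_uri;` sends the client to the name it actually asked for. Dropping the `/.well-known/acme-challenge` location that the deleted http.rainrainra.in.conf had is consistent with tasks/main.yml skipping certbot for `rainrain`, so the certificate for these names must come from the passthrough upstream; a one-line comment such as `# no ACME here: TLS for *.rainrain.xyz terminates on the passthrough upstream (see https.rainrain.xyz.servconf)` would keep the next reader from re-adding it.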
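Review bot: After this change every client reaches this vhost through the stream proxy in https.rainrain.xyz.servconf, so `allow 10.0.0.0/8;` and `allow 100.64.0.0/12;` are evaluated against 127.0.0.1 rather than the real client address: the source-IP restriction is either a no-op or, if a `deny all;` follows outside the hunk, blocks everyone, and `$remote_addr` in logs becomes loopback for all the 4443 vhosts. To preserve the client address, have the local hop speak PROXY protocol: `listen 127.0.0.1:4443 ssl proxy_protocol;` with `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;` here, and `proxy_protocol on;` in the stream server; since that stream directive applies to every upstream of the server it sits in, the passthrough to rain's node would also receive PROXY headers, so the local hop most likely needs its own stream server block. Binding to 127.0.0.1 additionally stops 4443 from being reachable from the network next to 443. The same `listen 4443 ssl;` change is made in party, secure.tunnel, simponic.hatecomputers.club, simponic.xyz, static and tunnel; the loopback bind applies to all of them and the real-IP directives to any that log or filter by client address.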
@@ -0,0 +1,19 @@
+stream {
+    map $ssl_preread_server_name $name {
+        *.rainrain.xyz rainrainxyz;
+        default proxy;
+    }
+
+    upstream rainrainxyz {
+        server tailscale.rain.internal.simponic.xyz:443;
+    }
+    upstream proxy {
+        server 127.0.0.1:4443;
+    }
+
+    server {
+        listen 443;
+        proxy_pass $name;
+        ssl_preread on;
+    }
+}
diff --git a/roles/webservers/files/levi/https.rainrainra.in.conf b/roles/webservers/files/levi/https.rainrainra.in.conf
deleted file mode 100644
index 84249dc..0000000
--- a/roles/webservers/files/levi/https.rainrainra.in.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
-    listen 443 ssl;
-    server_name rainrainra.in;
-
-    ssl_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/rainrainra.in/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/rainrainra.in/fullchain.pem;
-
-    ssl_session_cache shared:SSL:50m;
-    ssl_session_timeout 5m;
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
-    ssl_dhparam /etc/nginx/dhparams.pem;
-    ssl_prefer_server_ciphers on;
-
-    root /var/www/html/rainrainra.in;
-
-    location / {
-        try_files $uri $uri/ $uri.html =404;
-    }
-}
diff --git a/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf b/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf
index 2b8b350..707f12f 100644
--- a/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.secure.tunnel.simponic.xyz.conf
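Review bot: The `map` lacks a `hostnames;` directive, so `*.rainrain.xyz` is matched as a literal string rather than a suffix mask and no real SNI value will ever select `rainrainxyz`; every connection falls to `default proxy`, where no vhost in this commit is named for rainrain.xyz and the default 4443 server would answer with the wrong certificate. Add `hostnames;` as the first line inside the map block. The mask covers subdomains only, so if the apex `rainrain.xyz` should also be passed through it needs its own entry, and clients that send no SNI at all (empty `$ssl_preread_server_name`) land on the default branch as well.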
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen 4443 ssl;
     server_name secure.tunnel.simponic.xyz;
     ssl_certificate /etc/letsencrypt/live/secure.tunnel.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
index fa0f6ab..16f31ed 100644
--- a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
+++ b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen 4443 ssl;
     server_name simponic.hatecomputers.club;
     ssl_certificate /etc/letsencrypt/live/simponic.hatecomputers.club/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.simponic.xyz.conf b/roles/webservers/files/levi/https.simponic.xyz.conf
index 8930168..e9b32e7 100644
--- a/roles/webservers/files/levi/https.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.simponic.xyz.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen 4443 ssl;
     server_name simponic.xyz;
     ssl_certificate /etc/letsencrypt/live/simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.static.simponic.xyz.conf b/roles/webservers/files/levi/https.static.simponic.xyz.conf
index ca72805..01719c0 100644
--- a/roles/webservers/files/levi/https.static.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.static.simponic.xyz.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen 4443 ssl;
     server_name static.simponic.xyz;
     ssl_certificate /etc/letsencrypt/live/static.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf b/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf
index 5660f29..deee0b7 100644
--- a/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf
+++ b/roles/webservers/files/levi/https.tunnel.simponic.xyz.conf
@@ -1,5 +1,5 @@
 server {
-    listen 443 ssl;
+    listen 4443 ssl;
     server_name tunnel.simponic.xyz;
     ssl_certificate /etc/letsencrypt/live/tunnel.simponic.xyz/fullchain.pem;
diff --git a/roles/webservers/files/nginx.conf b/roles/webservers/files/nginx.conf
index 2e36cdd..e4f4987 100644
--- a/roles/webservers/files/nginx.conf
+++ b/roles/webservers/files/nginx.conf
@@ -1,8 +1,8 @@
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;
-load_module modules/ndk_http_module.so;
-load_module modules/ngx_http_set_misc_module.so;
+# load_module modules/ndk_http_module.so;
+# load_module modules/ngx_http_set_misc_module.so;
 events {
     worker_connections 768;
@@ -25,5 +25,6 @@ http {
     gzip_disable "msie6";
     include /etc/nginx/conf.d/*.conf;
-    include /etc/nginx/sites-enabled/*;
+    include /etc/nginx/sites-enabled/*.conf;
 }
+include /etc/nginx/sites-enabled/*.servconf;
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
index 7047baf..6c6fef4 100644
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@@ -17,9 +17,6 @@
 - name: install nginx
   apt: name=nginx state=latest
-- name: install libnginx-mod-http-set-misc
-  apt: name=libnginx-mod-http-set-misc state=latest
-
 - name: install letsencrypt
   apt: name=letsencrypt state=latest
@@ -45,6 +42,7 @@
     dest: "/etc/nginx/sites-enabled/"
   with_fileglob:
     - "files/{{ inventory_hostname }}/http.*.conf"
+    - "files/{{ inventory_hostname }}/https.*.conf"
 - name: restart nginx to get letsencrypt certificate
   service: name=nginx state=restarted enabled=yes
@@ -70,7 +68,7 @@
   args:
     creates: "/etc/letsencrypt/live/{{ item.stdout }}"
   loop: "{{ extracted_domains.results }}"
-  when: 'not "hatecomputers.club" in item.stdout'
+  when: 'not "hatecomputers.club" in item.stdout and not "rainrain" in item.stdout'
 # hatecomputers.club
 - name: build plugin template
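Review bot: The two `load_module` lines are commented out with no reason given, while the same commit removes the libnginx-mod-http-set-misc package install from roles/webservers/tasks/main.yml, so a reader of nginx.conf cannot tell whether the module is expected back. Either delete them or replace them with a why-comment such as `# ndk/set_misc no longer installed (package dropped from roles/webservers/tasks/main.yml); any site file still using set_* directives will fail nginx -t`. Whether any site file still uses those directives is not visible in this diff.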
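Review bot: Adding `https.*.conf` to the copy that runs before `restart nginx to get letsencrypt certificate` installs the TLS vhosts before their certificates exist on a freshly provisioned host; those files reference `/etc/letsencrypt/live/<name>/fullchain.pem` (as seen in the other hunks) and nginx will not start when the referenced files are missing, so the restart meant to let certbot run would fail. The later copy at line 104 already installs `https.*.conf` after issuance, so this addition appears redundant unless one of the https files is needed for the ACME flow itself, in which case only that file should be copied early and it should not depend on an unissued certificate. I would drop `- "files/{{ inventory_hostname }}/https.*.conf"` from this task; note the task's `- name:` line is outside the hunk, so I am inferring its purpose from `dest` and the task that follows.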
@@ -106,6 +104,7 @@
     dest: "/etc/nginx/sites-enabled/"
   with_fileglob:
     - "files/{{ inventory_hostname }}/https.*.conf"
+    - "files/{{ inventory_hostname }}/https.*.servconf"
 - name: reload nginx to activate sites
   service: name=nginx state=restarted