From 2d3756eb4e627d0b5f557afcb8d02cd1a9ea386e Mon Sep 17 00:00:00 2001
From: jaseg
Date: Fri, 5 Jun 2020 16:28:39 +0200
Subject: deploy: Add dyndns service
---
 .gitignore | 1 +
 credentials.ini.example | 3 +++
 inventory.yml | 3 +++
 iptables.rules | 1 +
 library/inwx-collection | 1 +
 nginx.conf | 38 ++++++++++++++++++++++++++++++++++++++
 playbook.yml | 36 ++++++++++++++++++++++++++++++++++--
 setup_webserver.yml | 1 +
 8 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 credentials.ini.example
 create mode 160000 library/inwx-collection
diff --git a/.gitignore b/.gitignore
index e681fba..136f960 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *_secret.txt
 *_apikey.txt
 playbook.retry
+credentials.ini
diff --git a/credentials.ini.example b/credentials.ini.example
new file mode 100644
index 0000000..9b87321
--- /dev/null
+++ b/credentials.ini.example
@@ -0,0 +1,3 @@
+[inwx]
+user=...
+pass=...
diff --git a/inventory.yml b/inventory.yml
index ea577e3..913ea5f 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -6,3 +6,6 @@ all:
 ansible_ssh_identity_file: ~/.ssh/id_ed25519
 ansible_user: root
 ansible_python_interpreter: /usr/bin/python3
+ localhost:
+ ansible_connection: local
+ ansible_python_interpreter: "{{ansible_playbook_python}}"
diff --git a/iptables.rules b/iptables.rules
index db68eb5..620c4d3 100644
--- a/iptables.rules
+++ b/iptables.rules
@@ -20,6 +20,7 @@ COMMIT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+-A INPUT -p udp --dport 53 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
diff --git a/library/inwx-collection b/library/inwx-collection
new file mode 160000
index 0000000..0ac040d
--- /dev/null
+++ b/library/inwx-collection
@@ -0,0 +1 @@
+Subproject commit 0ac040da14cc9d834098addc03cd8d4d26647df0
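Review bot: The example gives no hint that `pass` is the INWX registrar account password, which the DNS play in this same commit reads in plaintext via `lookup('ini', ...)` on the control machine, so the real file should carry a note on its sensitivity and be kept at mode 0600; I would add `; INWX account for the DNS play in playbook.yml (read via lookup('ini'))` and `; keep this file 0600 -- it is git-ignored, but ansible-vault is the safer home for the password`. The `.gitignore` entry added alongside covers only the exact name `credentials.ini`, so a stray copy such as `credentials.ini.bak` would still be picked up by `git add`.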
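Review bot: The new rule opens UDP/53 only, but an authoritative server must also answer over TCP (RFC 7766) for responses that do not fit in a UDP datagram, for DNSSEC-sized answers and for zone transfers to any secondary, so add the matching `-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT` next to it in the style of the other rules. Exposing an authoritative nameserver on UDP to the whole Internet also makes the host a reflection/amplification candidate; nsd has response-rate-limiting (`rrl-*`) options when built with that support, and they belong in the nsd configuration this commit sets up elsewhere (setup_dyndns.yml is not part of this diff, so whether that is done cannot be checked here). Only the IPv4 rules file is touched, while nginx.conf in the same commit listens on `[::]:443`; if an ip6tables rules file exists on the host it needs the same DNS rules.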
diff --git a/nginx.conf b/nginx.conf index b4245fa..744bd01 100644 --- a/nginx.conf +++ b/nginx.conf @@ -370,5 +370,43 @@ http { root /usr/share/nginx/html; } } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name dyndns.jaseg.de; + root /usr/share/nginx/html; + + ssl_certificate "/etc/letsencrypt/live/dyndns.jaseg.de/fullchain.pem"; + ssl_certificate_key "/etc/letsencrypt/live/dyndns.jaseg.de/privkey.pem"; + ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem"; + include /etc/letsencrypt/options-ssl-nginx.conf; + + ssl_stapling on; + ssl_stapling_verify on; + + resolver 67.207.67.2 67.207.67.3 valid=300s; + resolver_timeout 10s; + + add_header Strict-Transport-Security "max-age=86400"; + + # Load configuration files for the default server block. + include /etc/nginx/default.d/*.conf; + + location / { + include uwsgi_params; + uwsgi_pass unix:/run/uwsgi/dyndns.socket; + } + + error_page 404 /404.html; + location = /40x.html { + root /usr/share/nginx/html; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } } diff --git a/playbook.yml b/playbook.yml index 777d079..6b1f46f 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,4 +1,34 @@ -- name: Gerbolyze container setup playbook +- name: DNS setup + hosts: localhost + module_defaults: + inwx: + username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}" + password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}" + vars: + subdomains: + - git.jaseg.net + - blog.jaseg.net + - kochbuch.jaseg.net + - gerbolyze.jaseg.net + - tracespace.jaseg.net + - openjscad.jaseg.net + - pogojig.jaseg.net + - automation.jaseg.de + - dyndns.jaseg.de + fastmail_domains: + - jaseg.net + - jaseg.de + tasks: + - name: Gather wendelstein facts + setup: + delegate_to: wendelstein + delegate_facts: True + + - name: Setup DNS + include_tasks: dns.yml + + +- name: Wendelstein setup hosts: wendelstein tasks: - name: Set hostname 
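Review bot: `error_page 404 /404.html;` names a URI that the only static error location, `location = /40x.html {`, does not match, so an nginx-generated 404 is internally redirected to /404.html, falls into `location /` and is handed to the uwsgi backend instead of the static page; make the two agree, e.g. `location = /404.html {`. The commit calls this a private service, yet the server block has no `allow`/`deny` or `auth_basic`, so all access control must live in the Flask application behind `uwsgi_pass` — setup_dyndns.yml is not in this diff, so that cannot be confirmed here and deserves a one-line comment above `location /` saying where authentication happens. The `resolver` for OCSP stapling is plain UDP to two hard-coded addresses, which is the usual trade-off for stapling but should be commented as the provider's resolvers so the next reader knows why they are pinned. The enclosing `http {` block starts before the hunk.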
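Review bot: The INWX password is injected into every `inwx` task through `module_defaults`, which makes it part of each task's argument set; unless the collection declares that parameter `no_log`, it will be printed with `-v`/`-vvv` and in failure output, so the tasks in dns.yml that carry it should set `no_log: true` (dns.yml is not part of this diff, so the module's own handling cannot be checked here). `delegate_facts: True` uses the YAML 1.1 capitalised boolean; Ansible's convention and yamllint's truthy rule prefer `delegate_facts: true`. The play header and the `tasks:` list of the following "Wendelstein setup" play continue outside the hunk.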
@@ -12,7 +42,7 @@
 
 - name: Install host requisites
 dnf:
- name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators
+ name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd
 state: latest
 
 - name: Disable password-based root login
@@ -77,3 +107,5 @@
 - name: Setup semi-public git server
 include_tasks: setup_git.yml
+ - name: Setup private DynDNS service
+ include_tasks: setup_dyndns.yml
diff --git a/setup_webserver.yml b/setup_webserver.yml
index 748bef8..eb34a5b 100644
--- a/setup_webserver.yml
+++ b/setup_webserver.yml
@@ -58,6 +58,7 @@
 - openjscad.jaseg.net
 - pogojig.jaseg.net
 - automation.jaseg.de
+ - dyndns.jaseg.de
 
 - name: Copy final nginx config
 copy:
-- 
cgit