moved fulfillr w/ddns to https

ansible/roles/podman/tasks/configuration-nginx-https.yml

@@ -37,6 +37,7 @@
     - "{{ bookstack_server_name }}.https.conf"
     - "{{ ci_server_name }}.https.conf"
     - "{{ cloud_server_name }}.https.conf"
+    - "{{ fulfillr_server_name }}.https.conf"
     - "{{ parts_server_name }}.https.conf"
     - "{{ photos_server_name }}.https.conf"
   notify:
@@ -56,6 +57,7 @@
     - "{{ bookstack_server_name }}.https.conf"
     - "{{ ci_server_name }}.https.conf"
     - "{{ cloud_server_name }}.https.conf"
+    - "{{ fulfillr_server_name }}.https.conf"
     - "{{ parts_server_name }}.https.conf"
     - "{{ photos_server_name }}.https.conf"
   notify:

ansible/roles/podman/tasks/container-awsddns.yml

@@ -52,3 +52,30 @@
   include_tasks: podman/systemd-generate.yml
   vars:
     container_name: awsddns-skudak
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: awsddns-fulfillr
+    container_image: "{{ image }}"
+
+- name: create fulfillr.debyltech.com awsddns server container
+  become: true
+  become_user: "{{ podman_user }}"
+  diff: false
+  containers.podman.podman_container:
+    name: awsddns-fulfillr
+    image: "{{ image }}"
+    restart_policy: on-failure:3
+    log_driver: journald
+    env:
+      AWS_ZONE_TTL: 60
+      AWS_ZONE_ID: "{{ fulfillr_zone_id }}"
+      AWS_ZONE_HOSTNAME: "{{ fulfillr_server_name }}"
+      AWS_ACCESS_KEY_ID: "{{ fulfillr_access_key }}"
+      AWS_SECRET_ACCESS_KEY: "{{ fulfillr_secret_key }}"
+      AWS_DEFAULT_REGION: "{{ fulfillr_region }}"
+
+- name: create systemd startup job for awsddns-fulfillr
+  include_tasks: podman/systemd-generate.yml
+  vars:
+    container_name: awsddns-fulfillr

ansible/roles/podman/tasks/main.yml

@@ -51,7 +51,7 @@
 
 - import_tasks: container-fulfillr.yml
   vars:
-    image: "{{ aws_ecr_endpoint }}/fulfillr:20230811.1904"
+    image: "{{ aws_ecr_endpoint }}/fulfillr:20230811.2059"
   tags: fulfillr
 
 - import_tasks: configuration-nginx.yml

ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.conf.j2

@@ -1,24 +1,21 @@
-upstream fulfillr {
-  server 127.0.0.1:9054;
+geo $whitelisted {
+  default 0;
+  192.168.0.0/16 1;
 }
+
 server {
-  resolver 192.168.1.10 ipv6=off;
   modsecurity on;
   modsecurity_rules_file /etc/nginx/modsec_includes.conf;
 
   listen 80;
   server_name {{ fulfillr_server_name }};
 
+  location '/.well-known/acme-challenge' {
+   default_type "text/plain";
+   root /srv/http/letsencrypt;
+  }
+
   location / {
-    allow 192.168.0.0/16;
-    allow 127.0.0.1;
-    deny all;
-
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header Upgrade         $http_upgrade;
-    proxy_set_header Connection      $connection_upgrade;
-
-    proxy_buffering off;
-    proxy_pass http://fulfillr;
+   return 302 https://$host$request_uri;
   }
 }

ansible/roles/podman/templates/nginx/sites/fulfillr.debyltech.com.https.conf.j2

@@ -0,0 +1,57 @@
+geo $whitelisted {
+  default 0;
+  192.168.0.0/16 1;
+}
+
+upstream fulfillr {
+  server 127.0.0.1:9054;
+}
+
+server {
+  modsecurity on;
+  modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+  resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+  listen 443 ssl http2;
+  server_name {{ fulfillr_server_name }};
+
+  ssl_certificate         /etc/letsencrypt/live/{{ fulfillr_server_name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ fulfillr_server_name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ fulfillr_server_name }}/fullchain.pem;
+  ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
+
+  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_tickets       off;
+  ssl_session_timeout       1d;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+
+  if ($whitelisted = 0) {
+    return 302 $scheme://bdebyl.net$request_uri;
+  }
+
+  location / {
+    add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
+    # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains"                                                                                                                                                   always;
+    add_header X-Content-Type-Options    "nosniff"                                                                                                                                                                                always;
+
+    # Sent from upstream:
+    # add_header X-Frame-Options           "SAMEORIGIN";
+    # add_header X-XSS-Protection          "1; mode=block";
+
+    proxy_set_header Host              $http_host;
+    proxy_set_header X-Forwarded-For   $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    proxy_buffering    off;
+    proxy_http_version 1.1;
+    proxy_pass         http://fulfillr;
+    proxy_redirect     off;
+
+    chunked_transfer_encoding off;
+  }
+}

ansible/roles/ssl/tasks/certbot.yml

@@ -11,9 +11,9 @@
     - "{{ bookstack_server_name }}"
     - "{{ ci_server_name }}"
     - "{{ cloud_server_name }}"
+    - "{{ fulfillr_server_name }}"
     - "{{ parts_server_name }}"
     - "{{ photos_server_name }}"
-    - "{{ api_debyltech_server_name }}"
   tags: ssl
 
 - name: set group ownership for /etc/letsencrypt/