roles: Add pf and relayd roles for domain controller

3 files changed, 99 insertions, 0 deletions

diff --git a/roles/relayd/defaults/main.yml b/roles/relayd/defaults/main.yml
new file mode 100644
index 0000000..174a889
--- /dev/null
+++ b/roles/relayd/defaults/main.yml
@@ -0,0 +1,4 @@
+relayd_configuration_file: /etc/relayd.conf
+relayd_domain_name: example.com
+relayd_transparent: true
+relayd_block_msg: aah!
diff --git a/roles/relayd/tasks/main.yml b/roles/relayd/tasks/main.yml
new file mode 100644
index 0000000..14df192
--- /dev/null
+++ b/roles/relayd/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: generate relayd configuration
+  template:
+    src: relayd.conf.j2
+    dest: "{{ relayd_configuration_file }}"
+
+- name: verify relayd configuration
+  command: "relayd -nf {{ relayd_configuration_file }}"
+
+- name: enable and restart relayd
+  service:
+    name: relayd
+    state: restarted
+    enabled: true
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
new file mode 100644
index 0000000..c97e9da
--- /dev/null
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -0,0 +1,82 @@
+# managed by Ansible
+{% import 'macros.j2' as macros with context %}
+
+# general
+log connection errors
+
+# hosts
+table <local> { 127.0.0.1 }
+{% call(h) macros.loop_valid_hosts("servers") -%}
+table <{{ h.inventory_hostname }}> { {{ h.__ip.internal }} }
+{% for service in h.__services if service.domain is defined %}
+table <{{ h.inventory_hostname }}_{{ service.domain }}> { {{ h.__ip.internal }} }
+{% endfor %}
+{%- endcall %}
+
+# protocols
+
+http protocol "https" {
+	
+	tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
+	tls ecdhe "P-384,P-256,X25519"
+
+	tcp { sack, backlog 128 }
+
+	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+	match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
+	match request header set "Connection" value "close"
+	match request header set "X-Forwarded-Proto" value "https"
+	match request header set "X-Forwarded-Port" value "443"
+	match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
+	match response header set "Referrer-Policy" value "no-referrer"
+	match response header set "X-XSS-Protection" value "1; mode=block"
+
+	tls keypair "{{ relayd_domain_name }}"
+	pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+	{% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+	tls keypair "{{ domain_name }}"
+	pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% endfor %}
+{%- endcall %}
+
+	block label "{{ relayd_block_msg }}"
+	return error
+}
+
+http protocol "http" {
+	
+	# acme
+	pass request quick path "/.well-known/acme-challenge/*" forward to <local>
+
+	pass request quick header "Host" value "{{ relayd_domain_name }}" forward to <local>
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+	{% set domain_name = service.domain ~ "." ~ relayd_domain_name -%}
+	pass request quick header "Host" value "{{ domain_name }}" forward to <{{ h.inventory_hostname }}_{{ service.domain }}>
+{% endfor %}
+{%- endcall %}
+
+	return error
+}
+
+# relays
+
+relay "www" {
+	listen on egress port 80
+	protocol "http"
+	# assume httpd reverse proxy is running for https redirection
+	forward to <local> port 8888 check icmp
+}
+
+relay "wwwtls" {
+	listen on egress port 443 tls
+	protocol "https"
+	forward to <local> port 80 check http "/" code 200
+{% call(h) macros.loop_valid_hosts("servers") -%}
+{% for service in h.__services if service.domain is defined %}
+	forward to <{{ h.inventory_hostname }}_{{ service.domain }}> port {{ service.port }} check tcp
+{% endfor %}
+{%- endcall %}
+}