SSL on Kodi.

Both host01 and kodi are behind the ns1 router. For completely secure
connections, SSL termination should be done on each host. So use HAProxy
on ns1 to route HTTPS traffic using the SNI extension and HTTP traffic
using the Host header (default to host01). Add tasks to the renew-hosts
playbook to issue (or renew) Let's Encrypt certificates on kodi.

.gitignore

@@ -47,8 +47,7 @@ dist/
 *.env
 .bundle/
 !Pipfile.lock
-site.*
-mail.*
-account.*
-host.*
+*.crt
+*.csr
+*.key
 .vault-password

renew-certs.yaml

@@ -20,6 +20,10 @@
       delegate_to: ns4
       command: docker restart web-proxy_proxy_1
 
+    - name: Restart Nginx on kodi
+      delegate_to: kodi
+      command: docker restart web-proxy_proxy_1
+
     - name: Reload Exim
       delegate_to: host01
       command: docker kill --signal SIGHUP mail_smtp_1
@@ -425,6 +429,126 @@
       tags:
         - mail
 
+    - name: Generate kodi key
+      community.crypto.openssl_privatekey:
+        mode: *mode
+        path: &kodi_key_src |-
+            {{ playbook_dir }}/kodi.key
+        size: *size
+        state: present
+        type: *type
+      tags:
+        - kodi
+
+    - name: Generate kodi certificate signing request
+      community.crypto.openssl_csr:
+        common_name: kodi.shore.co.il
+        country_name: *country_name
+        digest: *digest
+        email_address: |-
+            {{ email }}
+        locality_name: *locality_name
+        organization_name: *organization_name
+        path: &kodi_csr_src kodi.csr
+        privatekey_path: *kodi_key_src
+        state: present
+        subject_alt_name: |-
+            DNS:kodi.shore.co.il,DNS:library.shore.co.il,DNS:jellyfin.shore.co.il
+      register: acme_kodi_csr
+      tags:
+        - kodi
+
+    - name: Create kodi challenge
+      community.crypto.acme_certificate:
+        account_email: |-
+            {{ email }}
+        account_key_src: *account_key_src
+        acme_directory: |-
+            {{ acme_directory }}
+        acme_version: |
+            {{ acme_version }}
+        csr: *kodi_csr_src
+        fullchain_dest: &kodi_cert_src |-
+            {{ playbook_dir }}/kodi.crt
+        modify_account: false
+        remaining_days: 35
+        select_crypto_backend: *crypto_backend
+      register: acme_kodi_challenge
+      tags:
+        - kodi
+
+    - name: Debug kodi challenge
+      debug:
+        var: acme_kodi_challenge
+        verbosity: 1
+      tags:
+        - kodi
+
+    - name: Renew kodi cert
+      when: acme_kodi_challenge is changed
+      tags:
+        - kodi
+      block:
+
+        - name: Create ACME challenge directory
+          delegate_to: kodi
+          file:
+            path: /var/www/www.shore.co.il/.well-known/acme-challenge
+            state: directory
+
+        - name: Copy http-01 kodi challenge
+          delegate_to: kodi
+          with_dict: |
+              {{ acme_kodi_challenge['challenge_data'] }}
+          copy:
+            content: |-
+                {{ item.value['http-01']['resource_value'] }}
+            # yamllint disable-line rule:line-length
+            dest: /var/www/www.shore.co.il/{{ item.value['http-01']['resource'] }}
+            group: www-data
+            mode: 0o0644
+            owner: root
+
+        - name: Validate kodi challenge
+          community.crypto.acme_certificate:
+            account_email: |-
+                {{ email }}
+            account_key_src: *account_key_src
+            acme_directory: |-
+                {{ acme_directory }}
+            acme_version: |
+                {{ acme_version }}
+            challenge: http-01
+            csr: *kodi_csr_src
+            data: "{{ acme_kodi_challenge }}"
+            fullchain_dest: *kodi_cert_src
+            modify_account: false
+            remaining_days: 35
+            select_crypto_backend: *crypto_backend
+
+    - name: Copy kodi key, certificate to server
+      delegate_to: kodi
+      with_items:
+        - src: *kodi_key_src
+          dest: /var/ssl/site.key
+          mode: 0o0444
+        - src: *kodi_cert_src
+          dest: /var/ssl/site.crt
+          mode: 0o0444
+      copy:
+        src: |-
+            {{ item.src }}
+        dest: |-
+            {{ item.dest }}
+        mode: |-
+            {{ item.mode }}
+        owner: root
+        group: root
+      notify:
+        - Restart Nginx on kodi
+      tags:
+        - kodi
+
     - name: Generate Diffie-Hellman parameters on host01
       become: true
       delegate_to: host01
@@ -456,3 +580,18 @@
       tags:
         - ns4
         - dhparams
+
+    - name: Generate Diffie-Hellman parameters on kodi
+      become: true
+      delegate_to: kodi
+      community.crypto.openssl_dhparam:
+        force: true
+        mode: 0o0644
+        path: /var/ssl/dhparams
+        size: 4096
+        state: present
+      notify:
+        - Restart Nginx on kodi
+      tags:
+        - kodi
+        - dhparams

roles/router/files/haproxy.cfg

+global
+        log 127.0.0.1   local0 debug
+        log-send-hostname
+        maxconn 1024
+        chroot /var/haproxy
+        uid 604
+        gid 604
+        daemon
+        pidfile /var/run/haproxy.pid
+
+defaults
+        log     global
+        mode    http
+        option  httplog
+        option  dontlognull
+        option  redispatch
+        retries 3
+        maxconn 2000
+        timeout client 30s
+        timeout server 30s
+        timeout connect 5s
+
+frontend http
+        bind 62.219.131.121:80
+        mode http
+        acl kodi hdr(host) -i kodi.shore.co.il
+        acl kodi hdr(host) -i library.shore.co.il
+        acl kodi hdr(host) -i jellyfin.shore.co.il
+        use_backend kodi_http if kodi
+        default_backend host01_http
+
+frontend https
+        bind 62.219.131.121:443
+        mode tcp
+        option tcplog
+        tcp-request inspect-delay 5s
+        tcp-request content accept if { req_ssl_hello_type 1 }
+        acl kodi req_ssl_sni -i kodi.shore.co.il
+        acl kodi req_ssl_sni -i library.shore.co.il
+        acl kodi req_ssl_sni -i jellyfin.shore.co.il
+        use_backend kodi_https if kodi
+        default_backend host01_https
+
+backend host01_http
+        mode http
+        option forwardfor
+        server host01 host01.shore.co.il:80 check
+
+backend host01_https
+        mode tcp
+        option ssl-hello-chk
+        server host01 host01.shore.co.il:443 check
+
+backend kodi_http
+        mode http
+        option forwardfor
+        server kodi kodi.shore.co.il:80 check
+
+backend kodi_https
+        mode tcp
+        option ssl-hello-chk
+        server kodi kodi.shore.co.il:443 check

roles/router/files/nsd/shore.co.il

 $TTL 1h
 $ORIGIN shore.co.il.
 @               IN      SOA     ns1     hostmaster (
-        2021012601
+        2021012701
         1h
         5m
         4w
@@ -51,15 +51,18 @@ _caldavs._tcp    IN  SRV  0 1 443 nextcloud
                     IN  TXT "v=spf1 -all"
                     IN  SPF "v=spf1 -all"
 
-www         IN  CNAME   ns4
 autoconfig  IN  CNAME   ns4
-nextcloud   IN  CNAME   ns1
 code        IN  CNAME   ns1
 git         IN  CNAME   ns1
-lam         IN  CNAME   ns1
-registry    IN  CNAME   ns4
 imap        IN  CNAME   smtp
+jellyfin    IN  CNAME   ns1
+kodi        IN  CNAME   ns1
+lam         IN  CNAME   ns1
+library     IN  CNAME   ns1
 mta-sts     IN  CNAME   smtp
+nextcloud   IN  CNAME   ns1
+registry    IN  CNAME   ns4
+www         IN  CNAME   ns4
 
 host01._domainkey IN    TXT     ("v=DKIM1\; k=rsa\;"
 "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9EM6TzCofz004vL+aBV"

roles/router/files/pf.conf

@@ -39,13 +39,11 @@ pass quick inet proto icmp icmp-type { echoreq, unreach }
 # Allowed local services
 pass in quick on ingress proto { tcp, udp } to (ingress:0) port { bootps, bootpc } set prio ( 4, 6 )
 pass in quick proto { tcp, udp } to port domain set queue services set prio ( 4, 6 )
-#pass in quick proto tcp to (egress:0) port { www, https } set prio ( 4, 6 )
+pass in quick proto tcp to (egress:0) port { www, https } set prio ( 4, 6 )
 
 # Port redirection
-pass in quick proto tcp to (egress:0) port { smtp, submission, imaps, www, https } rdr-to host01.shore.co.il set queue critical set prio ( 4, 6 )
-pass out quick proto tcp to host01.shore.co.il port { submission, smtp, imaps, www, https } received-on ingress nat-to ingress set prio ( 4, 6 )
-#pass in quick proto tcp to (egress:0) port { smtp, submission, imaps } rdr-to host01.shore.co.il set queue critical set prio ( 4, 6 )
-#pass out quick proto tcp to host01.shore.co.il port { submission, smtp, imaps } received-on ingress nat-to ingress set prio ( 4, 6 )
+pass in quick proto tcp to (egress:0) port { smtp, submission, imaps } rdr-to host01.shore.co.il set queue critical set prio ( 4, 6 )
+pass out quick proto tcp to host01.shore.co.il port { submission, smtp, imaps } received-on ingress nat-to ingress set prio ( 4, 6 )
 pass in quick proto { tcp, udp } to (egress:0) port bittorrent rdr-to kodi.shore.co.il set queue bulk set prio 1
 
 # Allowd NAT and proxying

roles/router/handlers/main.yaml

@@ -11,6 +11,11 @@
   command:
     cmd: newaliases
 
+- name: Restart HAProxy
+  service:
+    name: haproxy
+    state: restarted
+
 - name: Restart NSD
   service:
     name: nsd

roles/router/tasks/main.yaml

@@ -135,6 +135,30 @@
     - dns
     - network
 
+- name: Configure HAProxy
+  copy:
+    backup: true
+    dest: /etc/haproxy/haproxy.cfg
+    mode: preserve
+    src: haproxy.cfg
+    validate: haproxy -c -f %s
+  notify:
+    - Restart HAProxy
+  tags:
+    - haproxy
+    - web
+    - network
+
+- name: Enable HAProxy
+  service:
+    enabled: true
+    name: haproxy
+    state: started
+  tags:
+    - haproxy
+    - web
+    - network
+
 - name: Configure PF
   copy:
     dest: /etc/pf.conf
@@ -169,6 +193,7 @@
     - curl
     - git
     - go
+    - haproxy
   community.general.openbsd_pkg:
     name: '{{ item }}'
     state: present