stargate-cluster/vm-ansible
stargate-cluster/vm-ansible
1
0
Fork 0
Code Pull Requests Releases Activity

add valid cert to internal communication
Some checks reported errors
continuous-integration/drone/push Build was killed
Details

Browse Source
This commit is contained in:
Torma Kristóf 2023-03-05 18:26:08 +01:00
parent 3c883cdded
commit 4e1833bbbf
12 changed files with 66 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
host_vars/drone.yaml
View File

@ -1,3 +1,8 @@
---
ansible_host: drone.intra.tormakris.dev
webserver:
- domain: "drone.kmlabz.com"
port: 8080
bigrequests: false
https: false
...

5
host_vars/git.yaml
View File

@ -12,4 +12,9 @@ firewall:
- port: "2222"
proto: tcp
interface: "eth0"
webserver:
- domain: "git.kmlabz.com"
port: 8080
bigrequests: false
https: false
...

5
host_vars/guacamole.yaml
View File

@ -1,3 +1,8 @@
---
ansible_host: guacamole.intra.tormakris.dev
webserver:
- domain: "guacamole.tormakristof.eu"
port: 8080
bigrequests: false
https: false
...

21
host_vars/jitsi.yaml
View File

@ -1,21 +0,0 @@
---
ansible_host: jitsi.intra.tormakris.dev
webserver:
- domain: "jitsi.tormakristof.eu"
port: 8080
bigrequests: false
https: true
firewall:
- port: "ssh"
proto: tcp
interface: "eth0"
- port: "https"
proto: tcp
interface: "eth0"
- port: "4443"
proto: tcp
interface: "eth0"
- port: "10000"
proto: tcp
interface: "eth0"
...

8
host_vars/monitoring.yaml
View File

@ -1,16 +1,8 @@
---
ansible_host: monitoring.intra.tormakris.dev
webserver:
- domain: "prometheus.tormakristof.eu"
port: 8080
bigrequests: false
https: false
- domain: "grafana.tormakristof.eu"
port: 8181
bigrequests: false
https: false
- domain: "alertmanager.tormakristof.eu"
port: 8181
bigrequests: false
https: false
...

14
roles/webgateway/files/prometheus-nginx-exporter Normal file
View File

@ -0,0 +1,14 @@
ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status"
# Prometheus-nginx-exporter supports the following options:
# -nginx.plus
# Start the exporter for NGINX Plus. By default, the exporter is started
# for NGINX.
# -nginx.scrape-uri string
# A URI for scraping NGINX or NGINX Plus metrics.
# For NGINX, the stub_status page must be available through the URI.
# For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
# -web.listen-address string
# An address to listen on for web interface and telemetry. (default ":9113")
# -web.telemetry-path string
# A path under which to expose metrics. (default "/metrics"

8
roles/webgateway/tasks/main.yaml
View File

@ -97,6 +97,14 @@
name:
- prometheus-nginx-exporter
- name: Copy default nginx config
ansible.builtin.copy:
src: prometheus-nginx-exporter
dest: /etc/default/prometheus-nginx-exporter
owner: root
group: root
mode: '0644'
- name: Enable and restart exporter daemon
service:
name: prometheus-nginx-exporter

12
roles/webgateway/templates/nginx.conf
View File

@ -66,7 +66,7 @@ http {
return 301 https://$host$request_uri;
}
{%- for proxysite in proxy %}
{%- for proxysite in proxy -%}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
@ -90,9 +90,9 @@ http {
}
}
{%- endfor %}
{%- endfor -%}
{%- for staticsite in static %}
{%- for staticsite in static -%}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
@ -105,9 +105,9 @@ http {
}
}
{%- endfor %}
{%- endfor -%}
{%- for redirectsite in redirect %}
{%- for redirectsite in redirect -%}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
@ -117,7 +117,7 @@ http {
return 301 {{ redirectsite.destination }};
}
{%- endfor %}
{%- endfor -%}
server {
listen 443 ssl http2;

3
roles/webgateway/vars/main.yaml
View File

@ -11,11 +11,10 @@ proxy:
- {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
- {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
- {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false}
- {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: true}
- {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: false}
- {domain: mastodon.tormakristof.eu, ip: mastodon.intra.tormakris.dev, bigrequests: true}
- {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true}
static:
[]

13
roles/webserver/tasks/main.yaml
View File

@ -20,6 +20,19 @@
state: restarted
enabled: yes
- name: Generate certificate for all server instances
command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ webserver }}"
- name: "Generate certbot script"
ansible.builtin.template:
src: certbot.sh
dest: /etc/cron.weekly/certbot
owner: root
group: root
mode: '0700'
- name: "Generate nginx configuration"
ansible.builtin.template:
src: nginx.conf

5
roles/webserver/templates/certbot.sh Normal file
View File

@ -0,0 +1,5 @@
#!/bin/bash
# {{ansible_managed}}
{% for server in webserver %}
certbot renew --nginx --cert-name {{ server.domain }}
{% endfor %}

8
roles/webserver/templates/nginx.conf
View File

@ -69,9 +69,9 @@ http {
server_name {{ server.domain }};
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
{% if server.bigrequests %}
{% if server.bigrequests -%}
client_max_body_size 8G;
{% endif %}
{% endif -%}
location /{
{% if server.https %}
proxy_pass https://127.0.0.1:{{ server.port }};
@ -97,11 +97,11 @@ http {
proxy_pass http://127.0.0.1:{{ location.port }};
{% endif %}
}
{% endfor %}
{% endfor -%}
{% endif %}
}
{%- endfor %}
{%- endfor -%}
server {
listen 8888;