From 4e1833bbbfa3ba6c2c0091ea354ae34c361eaa7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20Torma?=
Date: Sun, 5 Mar 2023 18:26:08 +0100
Subject: [PATCH] add valid cert to internal communication

---
 host_vars/drone.yaml | 5 +++++
 host_vars/git.yaml | 5 +++++
 host_vars/guacamole.yaml | 5 +++++
 host_vars/jitsi.yaml | 21 -------------------
 host_vars/monitoring.yaml | 8 -------
 .../files/prometheus-nginx-exporter | 14 +++++++++++++
 roles/webgateway/tasks/main.yaml | 8 +++++++
 roles/webgateway/templates/nginx.conf | 12 +++++------
 roles/webgateway/vars/main.yaml | 3 +-
 roles/webserver/tasks/main.yaml | 13 ++++++++++++
 roles/webserver/templates/certbot.sh | 5 +++++
 roles/webserver/templates/nginx.conf | 8 +++---
 12 files changed, 66 insertions(+), 41 deletions(-)
 delete mode 100644 host_vars/jitsi.yaml
 create mode 100644 roles/webgateway/files/prometheus-nginx-exporter
 create mode 100644 roles/webserver/templates/certbot.sh

diff --git a/host_vars/drone.yaml b/host_vars/drone.yaml
index 4df18b4..7da6191 100644
--- a/host_vars/drone.yaml
+++ b/host_vars/drone.yaml
@@ -1,3 +1,8 @@
 ---
 ansible_host: drone.intra.tormakris.dev
+webserver:
+ - domain: "drone.kmlabz.com"
+ port: 8080
+ bigrequests: false
+ https: false
 ...
diff --git a/host_vars/git.yaml b/host_vars/git.yaml
index 69aa5f5..d5dd3e5 100644
--- a/host_vars/git.yaml
+++ b/host_vars/git.yaml
@@ -12,4 +12,9 @@ firewall:
 - port: "2222"
 proto: tcp
 interface: "eth0"
+webserver:
+ - domain: "git.kmlabz.com"
+ port: 8080
+ bigrequests: false
+ https: false
 ...
diff --git a/host_vars/guacamole.yaml b/host_vars/guacamole.yaml
index 37b792f..e23bf77 100644
--- a/host_vars/guacamole.yaml
+++ b/host_vars/guacamole.yaml
@@ -1,3 +1,8 @@
 ---
 ansible_host: guacamole.intra.tormakris.dev
+webserver:
+ - domain: "guacamole.tormakristof.eu"
+ port: 8080
+ bigrequests: false
+ https: false
 ...
diff --git a/host_vars/jitsi.yaml b/host_vars/jitsi.yaml
deleted file mode 100644
index c829b3a..0000000
--- a/host_vars/jitsi.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-ansible_host: jitsi.intra.tormakris.dev
-webserver:
- - domain: "jitsi.tormakristof.eu"
- port: 8080
- bigrequests: false
- https: true
-firewall:
- - port: "ssh"
- proto: tcp
- interface: "eth0"
- - port: "https"
- proto: tcp
- interface: "eth0"
- - port: "4443"
- proto: tcp
- interface: "eth0"
- - port: "10000"
- proto: tcp
- interface: "eth0"
-...
diff --git a/host_vars/monitoring.yaml b/host_vars/monitoring.yaml
index 055f9aa..2f5fcc7 100644
--- a/host_vars/monitoring.yaml
+++ b/host_vars/monitoring.yaml
@@ -1,16 +1,8 @@
 ---
 ansible_host: monitoring.intra.tormakris.dev
 webserver:
- - domain: "prometheus.tormakristof.eu"
- port: 8080
- bigrequests: false
- https: false
 - domain: "grafana.tormakristof.eu"
 port: 8181
 bigrequests: false
 https: false
- - domain: "alertmanager.tormakristof.eu"
- port: 8181
- bigrequests: false
- https: false
 ...
diff --git a/roles/webgateway/files/prometheus-nginx-exporter b/roles/webgateway/files/prometheus-nginx-exporter
new file mode 100644
index 0000000..c5f9e91
--- /dev/null
+++ b/roles/webgateway/files/prometheus-nginx-exporter
@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+# -nginx.plus
+# Start the exporter for NGINX Plus. By default, the exporter is started
+# for NGINX.
+# -nginx.scrape-uri string
+# A URI for scraping NGINX or NGINX Plus metrics.
+# For NGINX, the stub_status page must be available through the URI.
+# For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+# -web.listen-address string
+# An address to listen on for web interface and telemetry. (default ":9113")
+# -web.telemetry-path string
+# A path under which to expose metrics. (default "/metrics"
diff --git a/roles/webgateway/tasks/main.yaml b/roles/webgateway/tasks/main.yaml
index 5309b33..ea9fe15 100644
--- a/roles/webgateway/tasks/main.yaml
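Review bot: The new defaults file sets only `-nginx.scrape-uri`, so the exporter's own listener stays at the default `:9113` documented in the same file, which binds every interface of the public web gateway and serves nginx stub_status figures (active connections, request counts) to anyone who can reach that port. Nothing in this patch adds a firewall rule for 9113, so either pin the listener to the address Prometheus scrapes from, e.g. `ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status -web.listen-address INTRA_ADDR:9113"` with the gateway's internal interface address, or confirm that the gateway's firewall role already limits 9113 to the monitoring host. A one-line comment above `ARGS=` naming the host that is expected to scrape it would spare the next reader the same question.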
+++ b/roles/webgateway/tasks/main.yaml
@@ -97,6 +97,14 @@
 name:
 - prometheus-nginx-exporter
 
+- name: Copy default nginx config
+ ansible.builtin.copy:
+ src: prometheus-nginx-exporter
+ dest: /etc/default/prometheus-nginx-exporter
+ owner: root
+ group: root
+ mode: '0644'
+
 - name: Enable and restart exporter daemon
 service:
 name: prometheus-nginx-exporter
diff --git a/roles/webgateway/templates/nginx.conf b/roles/webgateway/templates/nginx.conf
index 5065994..903761a 100644
--- a/roles/webgateway/templates/nginx.conf
+++ b/roles/webgateway/templates/nginx.conf
@@ -66,7 +66,7 @@ http {
 return 301 https://$host$request_uri;
 }
 
- {%- for proxysite in proxy %}
+ {%- for proxysite in proxy -%}
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
@@ -90,9 +90,9 @@ http {
 }
 }
 
- {%- endfor %}
+ {%- endfor -%}
 
- {%- for staticsite in static %}
+ {%- for staticsite in static -%}
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
@@ -105,9 +105,9 @@ http {
 }
 }
 
- {%- endfor %}
+ {%- endfor -%}
 
- {%- for redirectsite in redirect %}
+ {%- for redirectsite in redirect -%}
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
@@ -117,7 +117,7 @@ http {
 return 301 {{ redirectsite.destination }};
 }
 
- {%- endfor %}
+ {%- endfor -%}
 
 server {
 listen 443 ssl http2;
diff --git a/roles/webgateway/vars/main.yaml b/roles/webgateway/vars/main.yaml
index 9e17093..d080820 100644
--- a/roles/webgateway/vars/main.yaml
+++ b/roles/webgateway/vars/main.yaml
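Review bot: The task name `Copy default nginx config` is misleading: the file written is `/etc/default/prometheus-nginx-exporter`, the exporter's startup arguments, not an nginx configuration, and anyone grepping the role for nginx config tasks will be sent to the wrong place. Rename it along the lines of `- name: Install prometheus-nginx-exporter defaults (/etc/default)`. The copy task also has no `notify`; judging by the name of the following task it restarts the service on every run, which does pick up a changed ARGS value, but a handler triggered only on change would avoid restarting the exporter on every play (the `state:` of that service task is outside this hunk, so confirm before relying on it).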
@@ -11,11 +11,10 @@ proxy:
 - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
 - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
 - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false}
- - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: true}
+ - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: false}
 - {domain: mastodon.tormakristof.eu, ip: mastodon.intra.tormakris.dev, bigrequests: true}
 - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true}
-
 static: []
diff --git a/roles/webserver/tasks/main.yaml b/roles/webserver/tasks/main.yaml
index 026ca61..e260dfe 100644
--- a/roles/webserver/tasks/main.yaml
+++ b/roles/webserver/tasks/main.yaml
@@ -20,6 +20,19 @@
 state: restarted
 enabled: yes
 
+- name: Generate certificate for all server instances
+ command:
+ cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
+ with_items: "{{ webserver }}"
+
+- name: "Generate certbot script"
+ ansible.builtin.template:
+ src: certbot.sh
+ dest: /etc/cron.weekly/certbot
+ owner: root
+ group: root
+ mode: '0700'
+
 - name: "Generate nginx configuration"
 ansible.builtin.template:
 src: nginx.conf
diff --git a/roles/webserver/templates/certbot.sh b/roles/webserver/templates/certbot.sh
new file mode 100644
index 0000000..a7ac395
--- /dev/null
+++ b/roles/webserver/templates/certbot.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for server in webserver %}
+certbot renew --nginx --cert-name {{ server.domain }}
+{% endfor %}
diff --git a/roles/webserver/templates/nginx.conf b/roles/webserver/templates/nginx.conf
index 9f80180..0b0b49a 100644
--- a/roles/webserver/templates/nginx.conf
+++ b/roles/webserver/templates/nginx.conf
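Review bot: The new `Generate certificate for all server instances` task runs `certbot certonly` on every play, so it is never idempotent (always reports changed) and every run talks to the ACME server, which is how accounts hit Let's Encrypt rate limits; add `creates: "/etc/letsencrypt/live/{{ item.domain }}/fullchain.pem"` under `command:` next to `cmd:` so issuance only happens when no lineage exists and renewal is left to the cron script. The `{{item.domain}}` expansion inside `cmd` is unquoted; `command` does not invoke a shell, but it does split the string on whitespace, so write it as `-d "{{ item.domain }}"` (and `loop:` is the current spelling of `with_items:`). Note also that this task is placed before `Generate nginx configuration`, so on a fresh host the `--nginx` authenticator runs against an nginx that has not yet been templated; whether the HTTP-01 challenge can complete in that state is not visible from this patch and is worth a comment on the task either way. The `-m` contact address is hard-coded in the role; a role default such as `certbot_email` would be the conventional place for it.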
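Review bot: The weekly script calls `certbot renew --nginx --cert-name {{ server.domain }}` once per entry of `webserver`, but `certbot renew` already walks every lineage under `/etc/letsencrypt/renewal`, so a single `certbot renew --nginx` line does the same work; if the loop is deliberate (so that a domain dropped from `webserver` stops being renewed), say so in a comment, because as written it reads like a misunderstanding of `renew`. More importantly, as far as the `roles/webserver/templates/nginx.conf` hunk in this same patch shows, the server block still serves `/etc/ssl/certs/ssl-cert-snakeoil.pem` and its key, so unless another part of that template outside this patch is changed, the certificate obtained and renewed here is never presented to clients and the commit's "valid cert" is not in effect; the template should reference `/etc/letsencrypt/live/{{ server.domain }}/fullchain.pem` and `privkey.pem`. Finally, distribution certbot packages usually ship their own twice-daily renewal timer or cron entry; if that is present on these hosts this cron.weekly script duplicates it, so check `systemctl list-timers` before keeping both.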
@@ -69,9 +69,9 @@ http {
 server_name {{ server.domain }};
 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
 ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
- {% if server.bigrequests %}
+ {% if server.bigrequests -%}
 client_max_body_size 8G;
- {% endif %}
+ {% endif -%}
 location /{
 {% if server.https %}
 proxy_pass https://127.0.0.1:{{ server.port }};
@@ -97,11 +97,11 @@ http {
 proxy_pass http://127.0.0.1:{{ location.port }};
 {% endif %}
 }
- {% endfor %}
+ {% endfor -%}
 {% endif %}
 }
- {%- endfor %}
+ {%- endfor -%}
 
 server {
 listen 8888;