add valid cert to internal communication
Some checks reported errors
continuous-integration/drone/push Build was killed

This commit is contained in:
Torma Kristóf 2023-03-05 18:26:08 +01:00
parent 3c883cdded
commit 4e1833bbbf
12 changed files with 66 additions and 41 deletions

View File

@ -1,3 +1,8 @@
--- ---
ansible_host: drone.intra.tormakris.dev ansible_host: drone.intra.tormakris.dev
webserver:
- domain: "drone.kmlabz.com"
port: 8080
bigrequests: false
https: false
... ...

View File

@ -12,4 +12,9 @@ firewall:
- port: "2222" - port: "2222"
proto: tcp proto: tcp
interface: "eth0" interface: "eth0"
webserver:
- domain: "git.kmlabz.com"
port: 8080
bigrequests: false
https: false
... ...

View File

@ -1,3 +1,8 @@
--- ---
ansible_host: guacamole.intra.tormakris.dev ansible_host: guacamole.intra.tormakris.dev
webserver:
- domain: "guacamole.tormakristof.eu"
port: 8080
bigrequests: false
https: false
... ...

View File

@ -1,21 +0,0 @@
---
ansible_host: jitsi.intra.tormakris.dev
webserver:
- domain: "jitsi.tormakristof.eu"
port: 8080
bigrequests: false
https: true
firewall:
- port: "ssh"
proto: tcp
interface: "eth0"
- port: "https"
proto: tcp
interface: "eth0"
- port: "4443"
proto: tcp
interface: "eth0"
- port: "10000"
proto: tcp
interface: "eth0"
...

View File

@ -1,16 +1,8 @@
--- ---
ansible_host: monitoring.intra.tormakris.dev ansible_host: monitoring.intra.tormakris.dev
webserver: webserver:
- domain: "prometheus.tormakristof.eu"
port: 8080
bigrequests: false
https: false
- domain: "grafana.tormakristof.eu" - domain: "grafana.tormakristof.eu"
port: 8181 port: 8181
bigrequests: false bigrequests: false
https: false https: false
- domain: "alertmanager.tormakristof.eu"
port: 8181
bigrequests: false
https: false
... ...

View File

@ -0,0 +1,14 @@
ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status"
# Prometheus-nginx-exporter supports the following options:
# -nginx.plus
# Start the exporter for NGINX Plus. By default, the exporter is started
# for NGINX.
# -nginx.scrape-uri string
# A URI for scraping NGINX or NGINX Plus metrics.
# For NGINX, the stub_status page must be available through the URI.
# For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
# -web.listen-address string
# An address to listen on for web interface and telemetry. (default ":9113")
# -web.telemetry-path string
# A path under which to expose metrics. (default "/metrics"

View File

@ -97,6 +97,14 @@
name: name:
- prometheus-nginx-exporter - prometheus-nginx-exporter
- name: Copy default nginx config
ansible.builtin.copy:
src: prometheus-nginx-exporter
dest: /etc/default/prometheus-nginx-exporter
owner: root
group: root
mode: '0644'
- name: Enable and restart exporter daemon - name: Enable and restart exporter daemon
service: service:
name: prometheus-nginx-exporter name: prometheus-nginx-exporter

View File

@ -66,7 +66,7 @@ http {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
{%- for proxysite in proxy %} {%- for proxysite in proxy -%}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -90,9 +90,9 @@ http {
} }
} }
{%- endfor %} {%- endfor -%}
{%- for staticsite in static %} {%- for staticsite in static -%}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -105,9 +105,9 @@ http {
} }
} }
{%- endfor %} {%- endfor -%}
{%- for redirectsite in redirect %} {%- for redirectsite in redirect -%}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
@ -117,7 +117,7 @@ http {
return 301 {{ redirectsite.destination }}; return 301 {{ redirectsite.destination }};
} }
{%- endfor %} {%- endfor -%}
server { server {
listen 443 ssl http2; listen 443 ssl http2;

View File

@ -11,11 +11,10 @@ proxy:
- {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false} - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
- {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false} - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
- {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false} - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false}
- {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: true} - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: false}
- {domain: mastodon.tormakristof.eu, ip: mastodon.intra.tormakris.dev, bigrequests: true} - {domain: mastodon.tormakristof.eu, ip: mastodon.intra.tormakris.dev, bigrequests: true}
- {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true} - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true}
static: static:
[] []

View File

@ -20,6 +20,19 @@
state: restarted state: restarted
enabled: yes enabled: yes
- name: Generate certificate for all server instances
command:
cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
with_items: "{{ webserver }}"
- name: "Generate certbot script"
ansible.builtin.template:
src: certbot.sh
dest: /etc/cron.weekly/certbot
owner: root
group: root
mode: '0700'
- name: "Generate nginx configuration" - name: "Generate nginx configuration"
ansible.builtin.template: ansible.builtin.template:
src: nginx.conf src: nginx.conf

View File

@ -0,0 +1,5 @@
#!/bin/bash
# {{ansible_managed}}
{% for server in webserver %}
certbot renew --nginx --cert-name {{ server.domain }}
{% endfor %}

View File

@ -69,9 +69,9 @@ http {
server_name {{ server.domain }}; server_name {{ server.domain }};
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
{% if server.bigrequests %} {% if server.bigrequests -%}
client_max_body_size 8G; client_max_body_size 8G;
{% endif %} {% endif -%}
location /{ location /{
{% if server.https %} {% if server.https %}
proxy_pass https://127.0.0.1:{{ server.port }}; proxy_pass https://127.0.0.1:{{ server.port }};
@ -97,11 +97,11 @@ http {
proxy_pass http://127.0.0.1:{{ location.port }}; proxy_pass http://127.0.0.1:{{ location.port }};
{% endif %} {% endif %}
} }
{% endfor %} {% endfor -%}
{% endif %} {% endif %}
} }
{%- endfor %} {%- endfor -%}
server { server {
listen 8888; listen 8888;