add valid cert to internal communication

host_vars/drone.yaml

@@ -1,3 +1,8 @@
 ---
 ansible_host: drone.intra.tormakris.dev
+webserver:
+  - domain: "drone.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/git.yaml

@@ -12,4 +12,9 @@ firewall:
   - port: "2222"
     proto: tcp
     interface: "eth0"
+webserver:
+  - domain: "git.kmlabz.com"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/guacamole.yaml

@@ -1,3 +1,8 @@
 ---
 ansible_host: guacamole.intra.tormakris.dev
+webserver:
+  - domain: "guacamole.tormakristof.eu"
+    port: 8080
+    bigrequests: false
+    https: false
 ...

host_vars/jitsi.yaml

@@ -1,21 +0,0 @@
----
-ansible_host: jitsi.intra.tormakris.dev
-webserver:
-  - domain: "jitsi.tormakristof.eu"
-    port: 8080
-    bigrequests: false
-    https: true
-firewall:
-  - port: "ssh"
-    proto: tcp
-    interface: "eth0"
-  - port: "https"
-    proto: tcp
-    interface: "eth0"
-  - port: "4443"
-    proto: tcp
-    interface: "eth0"
-  - port: "10000"
-    proto: tcp
-    interface: "eth0"
-...

host_vars/monitoring.yaml

@@ -1,16 +1,8 @@
 ---
 ansible_host: monitoring.intra.tormakris.dev
 webserver:
-  - domain: "prometheus.tormakristof.eu"
-    port: 8080
-    bigrequests: false
-    https: false
   - domain: "grafana.tormakristof.eu"
     port: 8181
     bigrequests: false
     https: false
-  - domain: "alertmanager.tormakristof.eu"
-    port: 8181
-    bigrequests: false
-    https: false
 ...

roles/webgateway/files/prometheus-nginx-exporter

@@ -0,0 +1,14 @@
+ARGS="-nginx.scrape-uri http://127.0.0.1:8888/stub_status"
+
+# Prometheus-nginx-exporter supports the following options:
+#  -nginx.plus
+#        Start the exporter for NGINX Plus. By default, the exporter is started
+#        for NGINX.
+#  -nginx.scrape-uri string
+#        A URI for scraping NGINX or NGINX Plus metrics.
+#        For NGINX, the stub_status page must be available through the URI.
+#        For NGINX Plus -- the API. (default "http://127.0.0.1:8080/stub_status")
+#  -web.listen-address string
+#        An address to listen on for web interface and telemetry. (default ":9113")
+#  -web.telemetry-path string
+#        A path under which to expose metrics. (default "/metrics"

roles/webgateway/tasks/main.yaml

@@ -97,6 +97,14 @@
     name:
      - prometheus-nginx-exporter
 
+- name: Copy default nginx config
+  ansible.builtin.copy:
+    src: prometheus-nginx-exporter
+    dest: /etc/default/prometheus-nginx-exporter
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: Enable and restart exporter daemon
   service:
     name: prometheus-nginx-exporter

roles/webgateway/templates/nginx.conf

@@ -66,7 +66,7 @@ http {
             return 301 https://$host$request_uri;
         }
 
-        {%- for proxysite in proxy %}
+        {%- for proxysite in proxy -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
@@ -90,9 +90,9 @@ http {
             }
         }
 
-        {%- endfor %}
+        {%- endfor -%}
 
-        {%- for staticsite in static %}
+        {%- for staticsite in static -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
@@ -105,9 +105,9 @@ http {
             }
         }
 
-        {%- endfor %}
+        {%- endfor -%}
 
-        {%- for redirectsite in redirect %}
+        {%- for redirectsite in redirect -%}
         server {
             listen 443 ssl http2;
             listen [::]:443 ssl http2;
@@ -117,7 +117,7 @@ http {
             return 301 {{ redirectsite.destination }};
         }
 
-        {%- endfor %}
+        {%- endfor -%}
 
         server {
             listen 443 ssl http2;

roles/webgateway/vars/main.yaml

@@ -11,11 +11,10 @@ proxy:
   - {domain: fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
   - {domain: certauth.fs.tormakristof.eu, ip: adfs.intra.tormakris.dev, bigrequests: false}
   - {domain: grafana.tormakristof.eu, ip: monitoring.intra.tormakris.dev, bigrequests: false}
-  - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: true}
+  - {domain: yt.tormakristof.eu, ip: ytmirror.intra.tormakris.dev, bigrequests: false}
   - {domain: mastodon.tormakristof.eu, ip: mastodon.intra.tormakris.dev, bigrequests: true}
   - {domain: speedtest.tormakristof.eu, ip: librespeed.intra.tormakris.dev, bigrequests: true}
 
-
 static:
   []
 

roles/webserver/tasks/main.yaml

@@ -20,6 +20,19 @@
     state: restarted
     enabled: yes
 
+- name: Generate certificate for all server instances
+  command:
+    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
+  with_items: "{{ webserver }}"
+
+- name: "Generate certbot script"
+  ansible.builtin.template:
+    src: certbot.sh
+    dest: /etc/cron.weekly/certbot
+    owner: root
+    group: root
+    mode: '0700'
+
 - name: "Generate nginx configuration"
   ansible.builtin.template:
     src: nginx.conf

roles/webserver/templates/certbot.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for server in webserver %}
+certbot renew --nginx --cert-name {{ server.domain }}
+{% endfor %}

roles/webserver/templates/nginx.conf

@@ -69,9 +69,9 @@ http {
             server_name {{ server.domain }};
             ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
             ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-            {% if server.bigrequests %}
+            {% if server.bigrequests -%}
             client_max_body_size    8G;
-            {% endif %}
+            {% endif -%}
             location /{
                 {% if server.https %}
                 proxy_pass  https://127.0.0.1:{{ server.port }};
@@ -97,11 +97,11 @@ http {
                 proxy_pass  http://127.0.0.1:{{ location.port }};
                 {% endif %}
             }
-            {% endfor %}
+            {% endfor -%}
             {% endif %}
         }
 
-        {%- endfor %}
+        {%- endfor -%}
 
         server {
             listen 8888;