From a3e2e4ac4fa83d3af405551ac7cdd4aed37b795c Mon Sep 17 00:00:00 2001 
From: Erik Vroon
Date: Wed, 20 Mar 2024 19:01:02 +0100
Subject: [PATCH] Generalize nginx config and proxy prometheus for pis
---
 ansible/provision.yml | 3 ++
 .../roles/grafana/templates/prometheus.yml.j2 | 2 +-
 .../tasks/get-certificates.yml | 2 +-
 ansible/roles/nginx-dmz/tasks/main.yml | 18 ++++++++++
 .../templates/sites-available/alertmanager.j2 | 0
 .../templates/sites-available/authelia.j2 | 0
 .../templates/sites-available/bracket.j2 | 0
 .../templates/sites-available/dashy.j2 | 0
 .../templates/sites-available/default.j2 | 0
 .../templates/sites-available/drone.j2 | 0
 .../templates/sites-available/gitea.j2 | 0
 .../templates/sites-available/grafana.j2 | 0
 .../templates/sites-available/munin.j2 | 0
 .../templates/sites-available/nomad.j2 | 0
 .../templates/sites-available/prometheus.j2 | 0
 .../templates/sites-available/selfoss.j2 | 0
 .../templates/sites-available/shopware6.j2 | 0
 .../templates/sites-available/umami-admin.j2 | 0
 .../sites-available/umami-bracket.j2 | 0
 .../templates/sites-available/uptime_kuma.j2 | 0
 .../templates/sites-available/web1090-api.j2 | 0
 .../templates/sites-available/web1090.j2 | 0
 .../templates/sites-available/wg_easy_ui.j2 | 0
 .../templates/sites-available/wordpress.j2 | 0
 .../nginx-prometheus-proxy/tasks/main.yml | 33 +++++++++++++++++++
 .../sites-available/prometheus-proxy.j2 | 7 ++++
 ansible/roles/nginx/tasks/main.yml | 18 ----------
 27 files changed, 63 insertions(+), 20 deletions(-)
 rename ansible/roles/{nginx => nginx-dmz}/tasks/get-certificates.yml (96%)
 create mode 100644 ansible/roles/nginx-dmz/tasks/main.yml
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/alertmanager.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/authelia.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/bracket.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/dashy.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/default.j2
(100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/drone.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/gitea.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/grafana.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/munin.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/nomad.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/prometheus.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/selfoss.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/shopware6.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/umami-admin.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/umami-bracket.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/uptime_kuma.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/web1090-api.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/web1090.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/wg_easy_ui.j2 (100%)
 rename ansible/roles/{nginx => nginx-dmz}/templates/sites-available/wordpress.j2 (100%)
 create mode 100644 ansible/roles/nginx-prometheus-proxy/tasks/main.yml
 create mode 100644 ansible/roles/nginx-prometheus-proxy/templates/sites-available/prometheus-proxy.j2
diff --git a/ansible/provision.yml b/ansible/provision.yml
index 51850bf..c0f36dd 100644
--- a/ansible/provision.yml
+++ b/ansible/provision.yml
@@ -18,6 +18,7 @@
 - role: "munin"
 - role: "nomad"
 - role: "nginx"
+ - role: "nginx-dmz"
 - role: "nix"
 - role: "postgres"
 - role: "node-exporter"
@@ -51,6 +52,8 @@
 - role: "homedir"
 - role: "sshd"
 - role: "ufw"
+ - role: "nginx"
+ - role: "nginx-prometheus-proxy"
 - role: "docker"
 - role: "unattended_upgrades"
 - role: "wireguard-client"
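Review bot: Both new roles depend on the `nginx` role having run earlier in the same play — nginx-prometheus-proxy writes under /etc/nginx and notifies `reload nginx` (presumably a handler of the nginx role, since nginx/tasks/main.yml also notifies it), and nginx-dmz's get-certificates.yml works on /etc/nginx/sites-enabled — yet that coupling exists only as list position (`nginx-dmz` right after `nginx` in the first hunk, `nginx` inserted directly before `nginx-prometheus-proxy` in the second). Declaring it in each new role's `meta/main.yml` as `dependencies: ["nginx"]` makes the ordering explicit and survives someone reordering the list. The play headers (hosts, become) of both plays are outside the hunks.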
diff --git a/ansible/roles/grafana/templates/prometheus.yml.j2 b/ansible/roles/grafana/templates/prometheus.yml.j2
index 49448f7..5b0f823 100644
--- a/ansible/roles/grafana/templates/prometheus.yml.j2
+++ b/ansible/roles/grafana/templates/prometheus.yml.j2
@@ -37,7 +37,7 @@ scrape_configs: - job_name: esp32 static_configs: - - targets: ["{{ esp32_host }}:4040"] + - targets: ["andromeda:4040"] relabel_configs: *instance_relabel_config - job_name: wireguard-exporter
diff --git a/ansible/roles/nginx/tasks/get-certificates.yml b/ansible/roles/nginx-dmz/tasks/get-certificates.yml
similarity index 96%
rename from ansible/roles/nginx/tasks/get-certificates.yml
rename to ansible/roles/nginx-dmz/tasks/get-certificates.yml
index 12aa78a..fd4535d 100644
--- a/ansible/roles/nginx/tasks/get-certificates.yml
+++ b/ansible/roles/nginx-dmz/tasks/get-certificates.yml
@@ -14,7 +14,7 @@ - name: "Disable all site configs" ansible.builtin.file: - path: "/etc/nginx/sites-available/{{ item }}" + path: "/etc/nginx/sites-enabled/{{ item }}" state: absent with_fileglob: - "/etc/nginx/sites-enabled/*"
diff --git a/ansible/roles/nginx-dmz/tasks/main.yml b/ansible/roles/nginx-dmz/tasks/main.yml
new file mode 100644
index 0000000..753cf83
--- /dev/null
+++ b/ansible/roles/nginx-dmz/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: "Install certificates"
+ ansible.builtin.include_tasks: "get-certificates.yml"
+ with_items:
+ - "{{ certs }}"
+ loop_control:
+ loop_var: cert
+
+- ufw:
+ state: enabled
+ rule: allow
+ port: '{{ item }}'
+ proto: tcp
+ with_items:
+ - '80'
+ - '443'
+ - '22'
+ become: true
diff --git a/ansible/roles/nginx/templates/sites-available/alertmanager.j2 b/ansible/roles/nginx-dmz/templates/sites-available/alertmanager.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/alertmanager.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/alertmanager.j2
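Review bot: The scrape target for the esp32 job is now the hard-coded hostname `andromeda:4040`, replacing the `esp32_host` variable, so nothing in this template ties it to the new nginx-prometheus-proxy role that opens 4040 on the pi other than a name the reader has to know. Keep it parameterised, e.g. `- targets: ["{{ prometheus_proxy_host }}:4040"]` (constructed variable name) set in the pi host's inventory, so the proxy host and port live in one place. If the pi is only reachable from the Prometheus host over the WireGuard link, that address is the one to use here rather than a public name — worth confirming against the inventory, which is outside the diff.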
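Review bot: The "Disable all site configs" loop still cannot disable anything: the `fileglob` lookup behind `with_fileglob` runs on the control node, so `/etc/nginx/sites-enabled/*` is expanded against the controller's filesystem, and each item it returns is an absolute path, so `path: "/etc/nginx/sites-enabled/{{ item }}"` becomes `/etc/nginx/sites-enabled//etc/nginx/sites-enabled/<name>`, which `state: absent` silently treats as already gone. The commit only swaps the directory prefix, which changes neither problem. Enumerate the remote directory with `ansible.builtin.find` and remove `item.path`, as below; `file_type: any` matters because the enabled entries are symlinks. The rest of the task file, including any `become`, is outside the hunk.
```yaml
- name: "Find enabled site configs"
  ansible.builtin.find:
    paths: "/etc/nginx/sites-enabled"
    file_type: any
  register: enabled_sites

- name: "Disable all site configs"
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ enabled_sites.files }}"
```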
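Review bot: The ufw task in nginx-dmz/tasks/main.yml opens `'22'` alongside 80 and 443, but SSH is not this role's concern: a rule owned by the nginx-dmz role is never applied to a host that does not carry the role, and it obscures which role actually guarantees SSH reachability; the `ufw`/`sshd` roles listed in provision.yml are where that rule belongs. `state: enabled` also switches the firewall on as a side effect of the first iteration, so the role that allows SSH must have run before this one. The task has no `name:` and uses the short module name while the task above it uses the FQCN `ansible.builtin.include_tasks`; `- name: "Allow HTTP and HTTPS"` with `community.general.ufw:` and the list reduced to `'80'` and `'443'` keeps it consistent and scoped.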
diff --git a/ansible/roles/nginx/templates/sites-available/authelia.j2 b/ansible/roles/nginx-dmz/templates/sites-available/authelia.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/authelia.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/authelia.j2
diff --git a/ansible/roles/nginx/templates/sites-available/bracket.j2 b/ansible/roles/nginx-dmz/templates/sites-available/bracket.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/bracket.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/bracket.j2
diff --git a/ansible/roles/nginx/templates/sites-available/dashy.j2 b/ansible/roles/nginx-dmz/templates/sites-available/dashy.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/dashy.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/dashy.j2
diff --git a/ansible/roles/nginx/templates/sites-available/default.j2 b/ansible/roles/nginx-dmz/templates/sites-available/default.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/default.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/default.j2
diff --git a/ansible/roles/nginx/templates/sites-available/drone.j2 b/ansible/roles/nginx-dmz/templates/sites-available/drone.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/drone.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/drone.j2
diff --git a/ansible/roles/nginx/templates/sites-available/gitea.j2 b/ansible/roles/nginx-dmz/templates/sites-available/gitea.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/gitea.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/gitea.j2
diff --git a/ansible/roles/nginx/templates/sites-available/grafana.j2 b/ansible/roles/nginx-dmz/templates/sites-available/grafana.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/grafana.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/grafana.j2
diff --git a/ansible/roles/nginx/templates/sites-available/munin.j2 b/ansible/roles/nginx-dmz/templates/sites-available/munin.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/munin.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/munin.j2
diff --git a/ansible/roles/nginx/templates/sites-available/nomad.j2 b/ansible/roles/nginx-dmz/templates/sites-available/nomad.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/nomad.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/nomad.j2
diff --git a/ansible/roles/nginx/templates/sites-available/prometheus.j2 b/ansible/roles/nginx-dmz/templates/sites-available/prometheus.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/prometheus.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/prometheus.j2
diff --git a/ansible/roles/nginx/templates/sites-available/selfoss.j2 b/ansible/roles/nginx-dmz/templates/sites-available/selfoss.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/selfoss.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/selfoss.j2
diff --git a/ansible/roles/nginx/templates/sites-available/shopware6.j2 b/ansible/roles/nginx-dmz/templates/sites-available/shopware6.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/shopware6.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/shopware6.j2
diff --git a/ansible/roles/nginx/templates/sites-available/umami-admin.j2 b/ansible/roles/nginx-dmz/templates/sites-available/umami-admin.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/umami-admin.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/umami-admin.j2
diff --git a/ansible/roles/nginx/templates/sites-available/umami-bracket.j2 b/ansible/roles/nginx-dmz/templates/sites-available/umami-bracket.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/umami-bracket.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/umami-bracket.j2
diff --git a/ansible/roles/nginx/templates/sites-available/uptime_kuma.j2 b/ansible/roles/nginx-dmz/templates/sites-available/uptime_kuma.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/uptime_kuma.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/uptime_kuma.j2
diff --git a/ansible/roles/nginx/templates/sites-available/web1090-api.j2 b/ansible/roles/nginx-dmz/templates/sites-available/web1090-api.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/web1090-api.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/web1090-api.j2
diff --git a/ansible/roles/nginx/templates/sites-available/web1090.j2 b/ansible/roles/nginx-dmz/templates/sites-available/web1090.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/web1090.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/web1090.j2
diff --git a/ansible/roles/nginx/templates/sites-available/wg_easy_ui.j2 b/ansible/roles/nginx-dmz/templates/sites-available/wg_easy_ui.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/wg_easy_ui.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/wg_easy_ui.j2
diff --git a/ansible/roles/nginx/templates/sites-available/wordpress.j2 b/ansible/roles/nginx-dmz/templates/sites-available/wordpress.j2
similarity index 100%
rename from ansible/roles/nginx/templates/sites-available/wordpress.j2
rename to ansible/roles/nginx-dmz/templates/sites-available/wordpress.j2
diff --git a/ansible/roles/nginx-prometheus-proxy/tasks/main.yml b/ansible/roles/nginx-prometheus-proxy/tasks/main.yml
new file mode 100644
index 0000000..7ceb459
--- /dev/null
+++ b/ansible/roles/nginx-prometheus-proxy/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+- ufw:
+ state: enabled
+ rule: allow
+ port: '{{ item }}'
+ proto: tcp
+ with_items:
+ - '4040'
+ become: true
+
+- name: "Copy site configs"
+ ansible.builtin.template:
+ src: "sites-available/{{ item }}.j2"
+ dest: "/etc/nginx/sites-available/{{ item }}"
+ owner: "www-data"
+ group: "www-data"
+ mode: '0644'
+ with_items:
+ - "prometheus-proxy"
+ become: true
+
+- name: "Enable site configs"
+ ansible.builtin.file:
+ src: "/etc/nginx/sites-available/{{ item }}"
+ dest: "/etc/nginx/sites-enabled/{{ item }}"
+ owner: "www-data"
+ group: "www-data"
+ mode: '0644'
+ state: link
+ with_items:
+ - "prometheus-proxy"
+ become: true
+ notify: "reload nginx"
diff --git a/ansible/roles/nginx-prometheus-proxy/templates/sites-available/prometheus-proxy.j2 b/ansible/roles/nginx-prometheus-proxy/templates/sites-available/prometheus-proxy.j2
new file mode 100644
index 0000000..3dbf413
--- /dev/null
+++ b/ansible/roles/nginx-prometheus-proxy/templates/sites-available/prometheus-proxy.j2
@@ -0,0 +1,7 @@
+server {
+ listen 4040;
+
+ location / {
+ proxy_pass {{ esp32_host_addr }};
+ }
+}
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index d7e4ebd..179b32c 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
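Review bot: The ufw rule in nginx-prometheus-proxy/tasks/main.yml allows 4040/tcp from any source, so the proxied ESP32 metrics endpoint becomes reachable from every network the pi is attached to rather than only from the Prometheus host; restrict the rule with the module's source parameter, e.g. `from_ip: "<PROMETHEUS_SOURCE>"` (placeholder for the scraper's address) or `interface:` for the WireGuard link the play also configures. The site config is installed with `owner: "www-data"`, which is nginx's worker user: configuration that the root master process reads on every reload should be root-owned (`owner: "root"`, `group: "root"`, `mode: '0644'`) so that a compromised worker cannot rewrite it. The `owner`/`group`/`mode` keys on the `state: link` task appear redundant for a symlink (at best they re-apply what the template task already set), and `- ufw:` has the same missing `name:` and non-FQCN form as the task in nginx-dmz/tasks/main.yml.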
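Review bot: `listen 4040;` in prometheus-proxy.j2 binds every interface and the server block carries no access control, so whatever the firewall lets through reaches the upstream; bind to the address Prometheus actually scrapes, `listen <INTERNAL_ADDR>:4040;` (placeholder for the pi's WireGuard or LAN address), or add `allow`/`deny` directives for the scraper's address. `proxy_pass {{ esp32_host_addr }};` needs the variable to carry a scheme (`http://...`), and probably the port, since the replaced Grafana target scraped `{{ esp32_host }}:4040`; nginx rejects a `proxy_pass` without a URL prefix at config test, so the expected format deserves a comment where the variable is defined. Port 4040 is now written in three places (this `listen`, the ufw rule, and the Grafana scrape target) and a single role variable would keep them in step.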
@@ -6,17 +6,6 @@ - nginx become: true -- ufw: - state: enabled - rule: allow - port: '{{ item }}' - proto: tcp - with_items: - '80' - '443' - '22' - become: true - - name: Uninstall apache2 apt: state: absent
@@ -30,10 +19,3 @@
 dest: /etc/nginx/nginx.conf
 become: true
 notify: "reload nginx"
-
-- name: "Install certificates"
- ansible.builtin.include_tasks: "get-certificates.yml"
- with_items:
- "{{ certs }}"
- loop_control:
- loop_var: cert