diff --git a/config/roles/provider-frontend/handlers/main.yml b/config/roles/provider-frontend/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f50b9f5e18dbc4750b45f0982c70b6a6bd216940
--- /dev/null
+++ b/config/roles/provider-frontend/handlers/main.yml
@@ -0,0 +1,5 @@
+
+- listen: reload NGINX
+ systemd:
+ name: nginx.service
+ state: restarted
diff --git a/config/roles/provider-frontend/tasks/main.yml b/config/roles/provider-frontend/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..95c2b706af9413a2e6d0906fc7a7de2412d2c2f1
--- /dev/null
+++ b/config/roles/provider-frontend/tasks/main.yml
@@ -0,0 +1,38 @@
+# use the sspki role to create the credentials directory:
+# the sspki role should create the api endpont cert, and the full chain bundle
+# (containing the API endpoint CA and the generated cert) and install them
+
+- include_role:
+ name: sspki
+ vars:
+ sspki:
+ name: provider
+ SANs:
+ - "{{ domain_public[0] }}"
+ ca: "{{ credentials_dir }}/common/api_ca.crt"
+ ca_key: "{{ credentials_dir }}/common/api_ca.key"
+
+- name: Restart nginx because certificate has changed
+ systemd:
+ name: nginx.service
+ state: restarted
+ when: sspki_sign.changed
+
+- name: Add the nginx user to the provider-sspki group
+ user:
+ name: nginx
+ groups: provider-sspki
+ append: yes
+
+- name: Install provider nginx configuration
+ template:
+ src: provider.conf.j2
+ dest: /etc/nginx/sites-available/provider.conf
+ notify: reload NGINX
+
+- name: Enable provider nginx configuration
+ file:
+ dest: /etc/nginx/sites-enabled/provider.conf
+ src: ../sites-available/provider.conf
+ state: link
+ notify: reload NGINX
\ No newline at end of file
diff --git a/config/roles/provider-frontend/templates/provider.conf.j2 b/config/roles/provider-frontend/templates/provider.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..573469e7cdca3793df32fe5607c26cfb6539ae1e
--- /dev/null
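Review bot: The handler is registered under `listen: reload NGINX` but performs `state: restarted`, so every template or symlink change that notifies it kills in-flight client connections when a graceful reload would suffice; `state: reloaded` on `nginx.service` is what the name promises and what the two notifying tasks in tasks/main.yml need. If a full restart is deliberately wanted here (for example because the unit's reload does not pick up rotated certificates), rename the listen topic to `restart NGINX` so callers are not misled. Either way a one-line comment above the handler stating which of the two behaviours is intended would save the next reader the same question.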
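Review bot: The `Restart nginx because certificate has changed` task restarts nginx inline, before the nginx user is appended to `provider-sspki` and before provider.conf is installed and enabled, so the restart runs against the old configuration and a second reload is still queued by the later `notify` lines; replacing the `systemd:` block with `notify: reload NGINX` under the same `when: sspki_sign.changed` batches it with the other changes at the end of the play. `sspki_sign` is presumably registered inside the sspki role (no `register` is visible in the include), so confirm the variable name before relying on it. Two style nits in the same hunk: `append: yes` should be the canonical `append: true`, and `endpont` in the header comment is a typo for `endpoint`.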
+++ b/config/roles/provider-frontend/templates/provider.conf.j2
@@ -0,0 +1,30 @@
+
+server {
+ listen [::]:4430 ssl http2 ipv6only=off;
+
+ server_name {{ domain_public[0] }};
+ include /etc/nginx/snippets/site-common.conf;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 5m;
+ ssl_dhparam /etc/nginx/dhparam;
+ ssl_certificate /etc/credentials/sspki/provider/fullchain.crt;
+ ssl_certificate_key /etc/credentials/sspki/provider/private.key;
+
+ location / {
+ include /etc/nginx/snippets/block.conf;
+ include /etc/nginx/snippets/proxy.conf;
+ proxy_pass http://be_provider_8080_provider;
+ proxy_cache global;
+ }
+
+ # Route cert generation requests to menshen
+ location /ca.cert {
+ include /etc/nginx/snippets/block.conf;
+ include /etc/nginx/snippets/proxy.conf;
+ proxy_pass http://be_api_8000_vpnweb;
+ }
+}
diff --git a/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2 b/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2
index 6d66e6cf8288af3ce88d28cef7a1ebfc24495d86..2585050b3eb41999c86e6078d3afdb433df2c568 100644
--- a/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2
+++ b/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2
@@ -5,7 +5,7 @@ upstream be_vpnweb { server { listen [::]:4430 ssl http2 ipv6only=off; - server_name {{ provider_config.api_domain}} {{ provider_config.provider_domain | default('') }}; + server_name {{ provider_config.api_domain}}; include /etc/nginx/snippets/site-common.conf; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
diff --git a/config/services.bitmask.yml b/config/services.bitmask.yml
index c810f194175d2fdb9db397f76b6b0c7311b73633..ab5c315cc152d8b84bd6c239e3567beb8a5ccd85 100644
--- a/config/services.bitmask.yml
+++ b/config/services.bitmask.yml
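Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with `ssl_ciphers HIGH:!aNULL:!MD5;` enables TLS 1.0 and 1.1 (deprecated by RFC 8996) and the whole OpenSSL HIGH set, which still admits non-forward-secret RSA key exchange and CBC suites; for a brand-new server block prefer `ssl_protocols TLSv1.2 TLSv1.3;` and an ECDHE-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` (and drop `ssl_prefer_server_ciphers on;`, which is pointless once only AEAD suites remain). The same two lines are copied from vpnweb.conf.j2 (visible as context in the next hunk), so tighten both templates together or hoist the TLS directives into the shared site-common.conf snippet, whose contents are not visible here. If legacy Bitmask clients genuinely require TLS 1.0, leave a comment on the line saying so rather than letting the relaxation look accidental. Separately, `server_name {{ domain_public[0] }}` and the certificate SAN requested in tasks/main.yml use the bare domain, while services.bitmask.yml in this same commit points the provider service at `provider.` + domain, so the certificate and virtual host will not match that name.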
@@ -119,7 +119,7 @@ provider: port: 8080 scheme: http domains: - - "{{ domain_public[0] }}" + - "{{ default(['provider.' + domain_public[0]]) }}" obfsvpn: scheduling_group: bridge
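Review bot: The new list item `"{{ default(['provider.' + domain_public[0]]) }}"` calls `default` as a function, but in Jinja2/Ansible `default` is a filter (`value | default(x)`), not a callable, so unless this repository ships a plugin that defines a `default` global the template fails with an undefined-name error; and even where it rendered, the value would be the string form of a one-element list nested inside an item of the already-list-typed `domains:`. The intent is expressed by the plain item `- "provider.{{ domain_public[0] }}"`. Note also that the provider-frontend role added in the same commit requests a certificate SAN and sets `server_name` to the bare `domain_public[0]`, so one of the two sides must change for the provider host to serve a matching certificate. The enclosing `provider:` mapping begins at or before the hunk boundary.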