From 325be7f5bf588449f964b07f3950e843ebf9690d Mon Sep 17 00:00:00 2001
From: sgk <sgk@riseup.net>
Date: Sat, 18 May 2024 18:46:40 +0530
Subject: [PATCH] config/services.bitmask.yml, config/roles - move provider
 endpoint config to seperate role, rename provider endpoint on
 services.bitmask.yml

---
 .../roles/provider-frontend/handlers/main.yml |  5 +++
 config/roles/provider-frontend/tasks/main.yml | 38 +++++++++++++++++++
 .../templates/provider.conf.j2                | 30 +++++++++++++++
 .../vpnweb-frontend/templates/vpnweb.conf.j2  |  2 +-
 config/services.bitmask.yml                   |  2 +-
 5 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 config/roles/provider-frontend/handlers/main.yml
 create mode 100644 config/roles/provider-frontend/tasks/main.yml
 create mode 100644 config/roles/provider-frontend/templates/provider.conf.j2

diff --git a/config/roles/provider-frontend/handlers/main.yml b/config/roles/provider-frontend/handlers/main.yml
new file mode 100644
index 00000000..f50b9f5e
--- /dev/null
+++ b/config/roles/provider-frontend/handlers/main.yml
@@ -0,0 +1,5 @@
+
+- listen: reload NGINX
+  systemd:
+    name: nginx.service
+    state: restarted
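Review bot: The handler is named `reload NGINX` but does `state: restarted`, which drops every in-flight TLS connection on each config deploy and, if the newly templated site file does not parse, leaves nginx down instead of running on the previous config. `state: reloaded` matches what the name promises: nginx validates the new configuration before swapping workers, which is the safer outcome for a public TLS endpoint. A hard restart is only warranted for changes the master cannot apply on reload, and neither a site file nor a certificate path is such a change. The new file also lacks the `---` document start that yamllint's `document-start` rule expects.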
diff --git a/config/roles/provider-frontend/tasks/main.yml b/config/roles/provider-frontend/tasks/main.yml
new file mode 100644
index 00000000..95c2b706
--- /dev/null
+++ b/config/roles/provider-frontend/tasks/main.yml
@@ -0,0 +1,38 @@
+# use the sspki role to create the credentials directory:
+# the sspki role should create the api endpont cert, and the full chain bundle
+# (containing the API endpoint CA and the generated cert) and install them
+
+- include_role:
+    name: sspki
+  vars:
+    sspki:
+      name: provider
+      SANs:
+        - "{{ domain_public[0] }}"
+      ca: "{{ credentials_dir }}/common/api_ca.crt"
+      ca_key: "{{ credentials_dir }}/common/api_ca.key"
+
+- name: Restart nginx because certificate has changed
+  systemd:
+    name: nginx.service
+    state: restarted
+  when: sspki_sign.changed
+
+- name: Add the nginx user to the provider-sspki group
+  user:
+    name: nginx
+    groups: provider-sspki
+    append: yes
+
+- name: Install provider nginx configuration
+  template:
+    src: provider.conf.j2
+    dest: /etc/nginx/sites-available/provider.conf
+  notify: reload NGINX
+
+- name: Enable provider nginx configuration
+  file:
+    dest: /etc/nginx/sites-enabled/provider.conf
+    src: ../sites-available/provider.conf
+    state: link
+  notify: reload NGINX
\ No newline at end of file
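Review bot: The `Restart nginx because certificate has changed` task runs before the nginx user is added to `provider-sspki` and before `provider.conf` is installed and enabled, so on a first run the restart happens with no site to serve and, if the key is group-readable only, before the workers can read `private.key`; it also bypasses the role's own `reload NGINX` handler. Convert it into a notification so the reload happens once at the end, after group membership and config are in place: replace `state: restarted` / `when: sspki_sign.changed` with `changed_when: sspki_sign.changed` and `notify: reload NGINX` on a no-op task, or simply move the task after the enable step. `sspki_sign` looks like a variable registered inside the sspki role; a comment such as `# sspki_sign is registered by the sspki role's signing task` would save the next reader a search. The file also ends without a trailing newline.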
diff --git a/config/roles/provider-frontend/templates/provider.conf.j2 b/config/roles/provider-frontend/templates/provider.conf.j2
new file mode 100644
index 00000000..573469e7
--- /dev/null
+++ b/config/roles/provider-frontend/templates/provider.conf.j2
@@ -0,0 +1,30 @@
+
+server {
+  listen [::]:4430 ssl http2 ipv6only=off;
+
+  server_name {{ domain_public[0] }};
+  include /etc/nginx/snippets/site-common.conf;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers HIGH:!aNULL:!MD5;
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 5m;
+  ssl_dhparam /etc/nginx/dhparam;
+  ssl_certificate /etc/credentials/sspki/provider/fullchain.crt;
+  ssl_certificate_key /etc/credentials/sspki/provider/private.key;
+
+  location / {
+          include /etc/nginx/snippets/block.conf;
+          include /etc/nginx/snippets/proxy.conf;
+          proxy_pass http://be_provider_8080_provider;
+          proxy_cache global;
+  }
+
+  # Route cert generation requests to menshen
+  location /ca.cert {
+          include /etc/nginx/snippets/block.conf;
+          include /etc/nginx/snippets/proxy.conf;
+          proxy_pass http://be_api_8000_vpnweb;
+  }
+}
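Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and flagged by every scanner, on a brand-new provider endpoint; the line appears to be copied from vpnweb.conf.j2, but this is the place to drop them: `ssl_protocols TLSv1.2 TLSv1.3;` with a cipher list restricted to ECDHE/AEAD suites rather than the broad `HIGH:!aNULL:!MD5`. `location /ca.cert` is a prefix match, so any path beginning with `/ca.cert` is routed to the vpnweb upstream; an exact match, `location = /ca.cert {`, is what the comment describes. The comment says requests go to "menshen" while the upstream is `be_api_8000_vpnweb`; one of the two should be corrected. `proxy_cache global` on `location /` caches every backend response; whether that is safe depends on the provider backend never emitting per-client content, which is not visible from this template.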
diff --git a/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2 b/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2
index 6d66e6cf..2585050b 100644
--- a/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2
+++ b/config/roles/vpnweb-frontend/templates/vpnweb.conf.j2
@@ -5,7 +5,7 @@ upstream be_vpnweb {
 server {
   listen [::]:4430 ssl http2 ipv6only=off;
 
-  server_name {{ provider_config.api_domain}} {{ provider_config.provider_domain | default('') }};
+  server_name {{ provider_config.api_domain}};
   include /etc/nginx/snippets/site-common.conf;
 
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
diff --git a/config/services.bitmask.yml b/config/services.bitmask.yml
index c810f194..ab5c315c 100644
--- a/config/services.bitmask.yml
+++ b/config/services.bitmask.yml
@@ -119,7 +119,7 @@ provider:
       port: 8080
       scheme: http
       domains:
-        - "{{ domain_public[0] }}"
+        - "{{ default(['provider.' + domain_public[0]]) }}"
 
 obfsvpn:
   scheduling_group: bridge
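Review bot: `{{ default(['provider.' + domain_public[0]]) }}` treats the Jinja `default` filter as a callable; it is not a global in Jinja2, so rendering this value fails with an undefined error, and even if it resolved, wrapping the result in `[...]` would put a list inside the `domains` list instead of a string. The intended form is presumably `- "{{ provider_config.provider_domain | default('provider.' + domain_public[0]) }}"`, which also matches the `provider_domain` variable the vpnweb template used to reference. Note that the new provider-frontend role issues its certificate SAN and nginx `server_name` for `domain_public[0]`, not `provider.` + `domain_public[0]`, so once this value renders, the service domain and the endpoint that terminates TLS for it appear to disagree; one of the two needs to follow the other.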
-- 
GitLab