From 6e28abc1e7672ab29d8a9653ba67d831baba854f Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Sat, 25 Sep 2021 00:35:31 +0200
Subject: [PATCH] add mSSL stub with nginx for prometheus
---
 roles/prometheus/meta/main.yml | 2 ++
 roles/prometheus/tasks/main.yml | 22 ++++++++++++++++---
 .../prometheus/templates/atrocious_nginx_stub | 13 +++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 roles/prometheus/meta/main.yml
 create mode 100644 roles/prometheus/templates/atrocious_nginx_stub
diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml
new file mode 100644
index 0000000..ff0926f
--- /dev/null
+++ b/roles/prometheus/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: install_nginx
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index 41e95fe..e939f9a 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -78,6 +78,22 @@
 vars:
 args:
 - name: web.listen-address
- value: "{{ lan_address }}:9090"
- - name: web.config
- value: /etc/prometheus/web-config.yaml
+ value: "127.0.0.1:9090"
+# value: "{{ lan_address }}:9090"
+# - name: web.config.file # Not available before 2.24, and it sucks
+# value: /etc/prometheus/web-config.yaml
+
+# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+ template:
+ src: atrocious_nginx_stub
+ dest: "/etc/nginx/sites-available/internal-prometheus"
+ notify: Reload nginx
+
+- name: Activate the config
+ file:
+ src: "/etc/nginx/sites-available/internal-prometheus"
+ dest: "/etc/nginx/sites-enabled/internal-prometheus"
+ state: link
+ force: yes
diff --git a/roles/prometheus/templates/atrocious_nginx_stub b/roles/prometheus/templates/atrocious_nginx_stub
new file mode 100644
index 0000000..da2e67b
--- /dev/null
+++ b/roles/prometheus/templates/atrocious_nginx_stub
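Review bot: The `Activate the config` task in roles/prometheus/tasks/main.yml creates the sites-enabled link but has no `notify: Reload nginx`, so a run in which only the link changes (template already in place) leaves the new site unloaded until something else reloads nginx; add `notify: Reload nginx` to that task as well. Because Prometheus is now bound to `127.0.0.1:9090` and the `web.config.file` argument is commented out, the client-certificate check exists only in nginx, and any local process on the host can still reach Prometheus without a certificate. The comment above `Copy the nginx config` would serve the next maintainer better if it stated that boundary, e.g. `# nginx terminates mTLS on lan_address:9090; Prometheus itself is unauthenticated on loopback`. `force: yes` is better written `force: true`. The task list these entries belong to starts outside the hunk.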
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+ listen {{ lan_address }}:9090 ssl;
+ ssl_certificate /etc/prometheus/prometheus-{{ lan_address }}.crt;
+ ssl_certificate_key /etc/prometheus/prometheus-{{ lan_address }}.key;
+ ssl_client_certificate /etc/prometheus/ca.crt;
+ ssl_verify_client on;
+
+ location / {
+ proxy_pass 127.0.0.1:9090;
+ }
+}
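Review bot: `proxy_pass 127.0.0.1:9090;` in the `location /` block has no scheme, and nginx rejects a `proxy_pass` argument that does not begin with `http://` or `https://`, so this site would fail the configuration test and the reload; it should read `proxy_pass http://127.0.0.1:9090;`. With `ssl_verify_client on` and `ssl_client_certificate /etc/prometheus/ca.crt`, every certificate issued by that CA is accepted, so the CA should sign only clients that are meant to reach Prometheus, which is worth a comment in the template. The server block sets no `ssl_protocols`, so the TLS versions offered are whatever the installed nginx defaults to; pinning them, for example `ssl_protocols TLSv1.2 TLSv1.3;`, would make that explicit.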