add mSSL stub with nginx for prometheus

roles/prometheus/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx

roles/prometheus/tasks/main.yml

@@ -78,6 +78,22 @@
   vars:
     args:
       - name: web.listen-address
-       value: "{{ lan_address }}:9090"
+        value: "127.0.0.1:9090"
-      - name: web.config
+#        value: "{{ lan_address }}:9090"
-        value: /etc/prometheus/web-config.yaml
+#      - name: web.config.file # Not available before 2.24, and it sucks
+#        value: /etc/prometheus/web-config.yaml
+
+# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+  template:
+    src: atrocious_nginx_stub
+    dest: "/etc/nginx/sites-available/internal-prometheus"
+  notify: Reload nginx
+
+- name: Activate the config
+  file:
+    src: "/etc/nginx/sites-available/internal-prometheus"
+    dest: "/etc/nginx/sites-enabled/internal-prometheus"
+    state: link
+    force: yes

roles/prometheus/templates/atrocious_nginx_stub

@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen {{ lan_address }}:9090 ssl;
+    ssl_certificate /etc/prometheus/prometheus-{{ lan_address }}.crt;
+    ssl_certificate_key /etc/prometheus/prometheus-{{ lan_address }}.key;
+    ssl_client_certificate /etc/prometheus/ca.crt;
+    ssl_verify_client on;
+
+    location / {
+        proxy_pass 127.0.0.1:9090;
+    }
+}