ansible/host_vars/lovelace/nginx.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

nginx_default_cert_name: lovelace.box.pydis.wtf

nginx_configs:
  prometheus.lovelace.box.wtf.conf: |
    server {
      listen      443;
      server_name prometheus.lovelace.box.pydis.wtf;

      ssl_certificate         /etc/letsencrypt/live/prometheus.lovelace.box.pydis.wtf/fullchain.pem;
      ssl_certificate_key     /etc/letsencrypt/live/prometheus.lovelace.box.pydis.wtf/privkey.pem;

      ssl_client_certificate  /opt/pydis/ca.pem;
      ssl_verify_client       on;

      location / {
        if ($reject) { return 403; }

        proxy_pass http://localhost:9090;
      }
    }

    map $ssl_client_s_dn $reject {
      default 1;
      CN=sudo.access.tls.pydis.wtf 0;
      CN=prometheus.access.tls.pydis.wtf 0;
    }