From f6bf58194e19db45090c43f8e8cf248826fded7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Tue, 20 Jun 2023 17:44:06 +0200
Subject: fixes

---
 manifests/proxy/nginx.pp | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

(limited to 'manifests/proxy')

diff --git a/manifests/proxy/nginx.pp b/manifests/proxy/nginx.pp
index c5b0132..3f315f0 100644
--- a/manifests/proxy/nginx.pp
+++ b/manifests/proxy/nginx.pp
@@ -3,6 +3,8 @@
 # Rev-proxy, which also gathers all web nodes in a cluster, into a
 # single web endpoint
 #
+# This also manages the TLS certificate for the load balancer.
+#
 # @param server_name
 # Name of the nginx server, will also be used for rev-proxy routing.
 # @param cluster
@@ -19,19 +21,35 @@ define concourse::proxy::nginx (
 Enum['absent', 'present'] $ensure = 'present',
 ) {
 include concourse
+ include ::letsencrypt

 nginx::resource::upstream { "concourse_${cluster}":
 ensure => $ensure,
 members => $upstream_members,
 }

+ letsencrypt::cert { $server_name:
+ include_self => true,
+ authenticator => 'nginx',
+ config => {
+ 'post-hook' => 'nginx -s reload',
+ },
+ }
+
 nginx::resource::server { $server_name:
 ipv6_enable => true,
 ipv6_listen_options => '',
 use_default_location => false,
- # TODO SSL
+ * => letsencrypt::conf::nginx($server_name),
 }

+ # TODO the connection from nginx to each web instance is unencrypted.
+ # Concourse's documentation only mentions TLS through letsencrypt,
+ # which works less than ideal with internal nodes.
+ # Running unencrypted is however a bad idea, since web nodes are
+ # assumed to be on different machines. Either figure out how to use
+ # a custom certificate internally, or configure a segregated network.
+ # TODO proxy to upstream
 nginx::resource::streamhost { "${server_name}-stream":
 listen_port => 2222,
@@ -44,6 +62,7 @@ define concourse::proxy::nginx (
 server => $server_name,
 location => '/',
 proxy => "http://concourse_${cluster}",
+ * => letsencrypt::conf::nginx::location($server_name),
 }

 nginx::resource::location { "${server_name} - ~ /hijack$":
@@ -60,5 +79,6 @@ define concourse::proxy::nginx (
 'Upgrade $http_upgrade',
 'Connection "upgrade"',
 ],
+ * => letsencrypt::conf::nginx::location($server_name),
 }
 }
--
cgit v1.2.3
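Review bot: The added `* => letsencrypt::conf::nginx::location($server_name)` line here, and the identical one in the `@@ -60,5 +79,6 @@` hunk, splats a hash after explicit attributes (`server`, `location`, `proxy`, and the `proxy_set_header` array closed by `],`); Puppet treats an attribute set both explicitly and via `*` as a duplicate-attribute error, so each location now silently depends on which keys that function returns, and nothing in the hunk says what those are. Evaluating it once before the first location, `$le_location = letsencrypt::conf::nginx::location($server_name)`, and writing `* => $le_location,` in both resources keeps the two locations in step and gives one place for a short comment naming the nginx settings the hash is expected to supply (presumably the ACME-challenge and TLS-related location settings, but I cannot confirm that from the hunk). The `/` location still proxies to `http://concourse_${cluster}` in the clear, consistent with the TODO this commit adds, so the TLS termination introduced here only covers the client-facing side. Both enclosing `nginx::resource::location` blocks start outside their hunks.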