alertmanager: configure receiver secrets

2024-04-14 18:22:41 -05:00
parent 00ce1a8a26
commit 6ee8d3372a
3 changed files with 900 additions and 741 deletions
--- a/host_vars/jump0.kill0.net/all.yaml
+++ b/host_vars/jump0.kill0.net/all.yaml
@@ -39,21 +39,83 @@ wireguard_interfaces:

 restic_tidy_enabled: true

+nginx_htpasswd_files: "{{ vault_nginx_htpasswd_files }}"
+
 nginx_vhosts:
  cavicc:
-    - server_name: cavi.cc
-      root: /var/www/cavicc
-      listen:
-        - 80
-        - "[::]:80"
-      raw: |
-        location / {
-            return 301 https://$server_name$request_uri;
-        }
-    - server_name: cavi.cc
-      root: /var/www/cavicc
-      listen:
-        - 443 ssl http2
-        - "[::]:443 ssl http2"
-      ssl_certificate: /etc/letsencrypt/live/cavi.cc/fullchain.pem
-      ssl_certificate_key: /etc/letsencrypt/live/cavi.cc/privkey.pem
+    server:
+      - server_name: cavi.cc
+        root: /var/www/cavicc
+        listen:
+          - 80
+          - "[::]:80"
+        raw: |
+          location / {
+              return 301 https://$server_name$request_uri;
+          }
+      - server_name: cavi.cc
+        root: /var/www/cavicc
+        listen:
+          - 443 ssl
+          - "[::]:443 ssl"
+        ssl_certificate: /var/lib/lego/certificates/cavi.cc.crt
+        ssl_certificate_key: /var/lib/lego/certificates/cavi.cc.key
+        # ssl_certificate: /etc/letsencrypt/live/cavi.cc/fullchain.pem
+        # ssl_certificate_key: /etc/letsencrypt/live/cavi.cc/privkey.pem
+        raw: |
+          location / {
+            add_header Alt-Svc 'h3=":$server_port"; ma=86400'; 
+          }
+
+  proxy:
+    upstream:
+      - name: loki_backend
+        server:
+          - localhost:3100
+      #- name: prometheus_backend
+      #  server:
+      #    - localhost:9090
+    map:
+      - name: $http_upgrade
+        variable: $connection_upgrade
+        content:
+          default: upgrade
+          '': close
+    server:
+      - server_name: proxy.kill0.net
+        root: /var/empty
+        listen:
+          - 80
+          - "[::]:80"
+        raw: |
+          location / {
+              return 301 https://$server_name$request_uri;
+          }
+      - server_name: proxy.kill0.net
+        root: /var/empty
+        listen:
+          - 443 ssl
+          - "[::]:443 ssl"
+        # ssl_certificate: /etc/letsencrypt/live/proxy.kill0.net/fullchain.pem
+        # ssl_certificate_key: /etc/letsencrypt/live/proxy.kill0.net/privkey.pem
+        ssl_certificate: /var/lib/lego/certificates/proxy.kill0.net.crt
+        ssl_certificate_key: /var/lib/lego/certificates/proxy.kill0.net.key
+        raw: |
+          auth_basic "Proxy";
+          auth_basic_user_file /etc/nginx/proxy.htpasswd;
+
+          location / {
+            add_header Alt-Svc 'h3=":$server_port"; ma=86400'; 
+          }
+
+          location /loki {
+            proxy_http_version 1.1;
+            proxy_pass http://loki_backend;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_set_header Host $http_host;
+            proxy_set_header Upgrade $http_upgrade;
+          }
+
+          location /prometheus/ {
+            proxy_pass http://prometheus_backend/;
+          }