(gitlab] Configure nginx reverse-proxy to manage multiple certificates

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-02-18 18:49:44 +01:00 · 2021-02-18 18:49:44 +01:00 · e6c4b70efd
parent 7eae75a470
commit e6c4b70efd
2 changed files with 19 additions and 22 deletions
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@ -10,6 +10,7 @@ glob_gitlab:
    port: 389
    uid: 'uid'
    bind_dn: 'cn=gitlab,ou=service-users,dc=crans,dc=org'
+    bind_password: "{{ vault_gitlab_ldap_password }}"
    base: 'cn=Utilisateurs,dc=crans,dc=org'
    user_filter: '(&(!(shadowExpire=0))(uid=*))'
  cas_name: 'cas3'
@ -18,22 +19,3 @@ glob_gitlab:
  smtp:
    address: "{{ query('ldap', 'ip', 'redisdead', 'adm') | first }}"
    port: 25
-
-glob_nginx:
-  service_name: gitlab-omnibus-ssl-nginx
-  servers:
-    - server_name:
-        - "gitlab.crans.org"
-      root: "/opt/gitlab/embedded/service/gitlab-rails/public"
-      locations:
-        - filter: "/"
-          params:
-            - "include snippets/options-proxypass.conf"
-            - "client_max_body_size 0"
-            - "gzip off"
-            - "proxy_read_timeout 300"
-            - "proxy_connect_timeout 300"
-            - "proxy_pass http://gitlab-workhorse"
-  upstreams:
-    - name: gitlab-workhorse
-      server: "unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0"
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@ -18,6 +18,21 @@ loc_certbot:
    certname: adm.crans.org
    domains: "*.adm.crans.org"

-loc_gitlab:
-  ldap:
-    bind_password: "{{ vault_gitlab_ldap_password }}"
+loc_nginx:
+  ssl:
+    - name: adm.crans.org
+      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
+      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
+    - name: crans.org
+      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+  servers: []
+
+loc_reverseproxy:
+  reverseproxy_sites:
+    - {from: gitlab.crans.org, to: "127.0.0.1:8000"}
+    - {from: gitlab.adm.crans.org, to: "127.0.0.1:8000", ssl: adm.crans.corg}
+
+  static_sites: []