Fix some configuration errors in ingress, make some changes to better facilitate disabling TLS

2021-09-18 07:13:33 -05:00 · 2021-09-18 07:13:33 -05:00 · b5057c4064
commit b5057c4064
parent 13149f2cb9
3 changed files with 10 additions and 5 deletions
--- a/roles/ingress/defaults/main.yml
+++ b/roles/ingress/defaults/main.yml
@ -6,8 +6,9 @@ ingress_container_image: jonasal/nginx-certbot:latest
 ingress_container_name: ingress

 # Secondary container configuration
-ingress_container_http_port: "80"
-ingress_container_https_port: "443"
+ingress_container_ports:
+  - 80:80
+  - 443:443
 ingress_container_persist_dir: "/data/nginx-certbot"
 ingress_container_timezone: America/Chicago

@ -21,6 +22,10 @@ ingress_container_certbot_email: rehashedsalt@cock.li

 # General Nginx configuration
 ingress_listen_args: "443 ssl"
+# This non-obvious setting controls whether directives for certificates will be added to hosts
+# Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
+# a custom container that *doesn't* automatically-provision LE certs
+ingress_listen_tls: yes

 # Vhost configuration
 # ingress_servers:
--- a/roles/ingress/tasks/main.yml
+++ b/roles/ingress/tasks/main.yml
@ -16,9 +16,7 @@
      TZ: "{{ ingress_container_timezone }}"
      CERTBOT_EMAIL: "{{ ingress_container_certbot_email }}"
    networks: "{{ ingress_container_networks }}"
-    ports:
-      - "{{ ingress_container_https_port }}:443"
-      - "{{ ingress_container_http_port }}:80"
+    ports: "{{ ingress_container_ports }}"
    volumes:
      - "{{ ingress_container_persist_dir }}/letsencrypt:/etc/letsencrypt"
      - "{{ ingress_container_persist_dir }}/user_conf.d:/etc/nginx/user_conf.d:ro"
--- a/roles/ingress/templates/vhosts.conf.j2
+++ b/roles/ingress/templates/vhosts.conf.j2
@ -7,11 +7,13 @@ server {
 {% endif %}
 	server_name {{ server.name }};

+{% if ingress_listen_tls %}
 	# TLS configuration
 	ssl_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/{{ ingress_servers[0].name }}/privkey.pem;
 	ssl_trusted_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/chain.pem;
 	ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+{% endif %}

 {% if server.directives is defined %}
 	# Extra directives