From b5057c4064b1b1963728132bc7fea03693d98020 Mon Sep 17 00:00:00 2001
From: Salt
Date: Sat, 18 Sep 2021 07:13:33 -0500
Subject: [PATCH] Fix some configuration errors in ingress, make some changes to better facilitate disabling TLS

---
 roles/ingress/defaults/main.yml | 9 +++++++--
 roles/ingress/tasks/main.yml | 4 +---
 roles/ingress/templates/vhosts.conf.j2 | 2 ++
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/roles/ingress/defaults/main.yml b/roles/ingress/defaults/main.yml
index 82396a2..4338e6d 100644
--- a/roles/ingress/defaults/main.yml
+++ b/roles/ingress/defaults/main.yml
@@ -6,8 +6,9 @@ ingress_container_image: jonasal/nginx-certbot:latest
 ingress_container_name: ingress
 # Secondary container configuration
-ingress_container_http_port: "80"
-ingress_container_https_port: "443"
+ingress_container_ports:
+ - 80:80
+ - 443:443
 ingress_container_persist_dir: "/data/nginx-certbot"
 ingress_container_timezone: America/Chicago
@@ -21,6 +22,10 @@ ingress_container_certbot_email: rehashedsalt@cock.li
 # General Nginx configuration
 ingress_listen_args: "443 ssl"
+# This non-obvious setting controls whether directives for certificates will be added to hosts
+# Set to "no" if you do not plan on terminating TLS at the ingress controller, like when using
+# a custom container that *doesn't* automatically-provision LE certs
+ingress_listen_tls: yes
 # Vhost configuration
 # ingress_servers:
diff --git a/roles/ingress/tasks/main.yml b/roles/ingress/tasks/main.yml
index d6457ec..98eaba8 100644
--- a/roles/ingress/tasks/main.yml
+++ b/roles/ingress/tasks/main.yml
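Review bot: The new `ingress_container_ports` items `80:80` and `443:443` are unquoted, and because this is the defaults file it is the form users will copy when overriding the list; a low-port mapping such as `22:22` written the same way is read by PyYAML (YAML 1.1, which Ansible uses) as a base-60 integer rather than a string. The two shipped values themselves happen to fall outside that pattern, so the defaults work, but the template they set is unsafe. Quote them as `- "80:80"` and `- "443:443"` so copied overrides stay strings.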
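Review bot: `ingress_listen_tls: yes`, and the comment's instruction to set it to `"no"`, use YAML 1.1 boolean spellings that yamllint's truthy rule rejects and that a YAML 1.2 parser reads as plain strings; write the default as `ingress_listen_tls: true` and have the comment say `false`. The comment also omits that `ingress_listen_args` (still defaulting to `"443 ssl"` two lines up) presumably has to be overridden at the same time: if that value feeds a `listen` directive, as its name suggests, a listen with `ssl` but no `ssl_certificate` makes nginx refuse to start once the certificate block is skipped. A sentence such as `# When disabling TLS, also override ingress_listen_args (e.g. "80"), otherwise the ssl listen has no certificate` would close that gap. The listen directive itself is not in this patch, so I am inferring its shape.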
@@ -16,9 +16,7 @@ TZ: "{{ ingress_container_timezone }}"
 CERTBOT_EMAIL: "{{ ingress_container_certbot_email }}"
 networks: "{{ ingress_container_networks }}"
- ports:
- - "{{ ingress_container_https_port }}:443"
- - "{{ ingress_container_http_port }}:80"
+ ports: "{{ ingress_container_ports }}"
 volumes:
 - "{{ ingress_container_persist_dir }}/letsencrypt:/etc/letsencrypt"
 - "{{ ingress_container_persist_dir }}/user_conf.d:/etc/nginx/user_conf.d:ro"
diff --git a/roles/ingress/templates/vhosts.conf.j2 b/roles/ingress/templates/vhosts.conf.j2
index 754eeb1..b038144 100644
--- a/roles/ingress/templates/vhosts.conf.j2
+++ b/roles/ingress/templates/vhosts.conf.j2
@@ -7,11 +7,13 @@ server {
 {% endif %}
 server_name {{ server.name }};
+{% if ingress_listen_tls %}
 # TLS configuration
 ssl_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ ingress_servers[0].name }}/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/{{ ingress_servers[0].name }}/chain.pem;
 ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;
+{% endif %}
 {% if server.directives is defined %}
 # Extra directives
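Review bot: Inventory or host_vars that still set the removed `ingress_container_http_port` / `ingress_container_https_port` are now ignored without any signal, so a host that had its published ports customised silently falls back to the new `ingress_container_ports` default. A short `ansible.builtin.assert` task at the top of the tasks file, with `that:` containing `ingress_container_http_port is not defined` and `ingress_container_https_port is not defined` and a `fail_msg` naming `ingress_container_ports` as the replacement, would turn the silent downgrade into a clear failure. The `ports: "{{ ingress_container_ports }}"` form itself is fine, since a whole-variable template is returned as the native list. The docker_container task this hunk belongs to begins above the hunk.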
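Review bot: `{% if ingress_listen_tls %}` tests plain Jinja truthiness, so any override that arrives as a string, such as `-e ingress_listen_tls=no` on the command line or the quoted `"no"` the defaults comment suggests, is a non-empty string and keeps the certificate block. Change the guard to `{% if ingress_listen_tls | bool %}` so the template follows the same coercion Ansible applies in `when:`. Note that when the block is skipped the `listen` directive earlier in this server block (outside the hunk) still receives `ingress_listen_args`, whose default is `"443 ssl"`, and nginx will not start an `ssl` listener without a certificate; the `| bool` guard does not address that by itself. The server block starts before and continues after this hunk.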