faucet-api: switch to our own ssl-proxy

Dropping Nginx proxy setup and using `ssl-proxy` service. Also removing variables from playbook as it's just one node now. Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-21 15:18:47 +00:00 · 2022-10-20 23:08:34 +02:00 · 2022-10-20 23:08:34 +02:00 · 678fe96239
commit 678fe96239
parent 5da8134f27
10 changed files with 30 additions and 69 deletions
--- a/ansible/group_vars/faucet-master.yml
+++ b/ansible/group_vars/faucet-master.yml
@ -1,15 +1,19 @@
 ---
-# WARNING: this needs to be set
-faucet_network: '{{ faucet_network | mandatory }}'
-
 # Geth necessary for Faucet to work
 geth_network_name: '{{ faucet_network }}'
 geth_service_name: 'faucet-{{ faucet_network }}'
-geth_rpc_port: '{{ faucet_geth_cont_rpc_port }}'
 geth_rpc_vhosts: ['*']
 geth_sync_mode: 'light'
 geth_websocket_enabled: false
 geth_log_level_name: info
+geth_sync_mode: 'snap'
+# Ports
+geth_port: 30305
+geth_rpc_port: 8549
+geth_metrics_port: 6062
+geth_websocket_port: 8550
+geth_expo_cont_port: 9202
+geth_cont_mem_ratio: 0.4

 # Credentials for the wallet
 geth_account_pass: '{{lookup("bitwarden", "faucet/account", field="pass")}}'
@ -23,15 +27,15 @@ geth_expo_source_data_path: '{{ geth_cont_vol }}/data'

 # Faucet API settings
 faucet_service_name: '{{ geth_service_name }}'
+faucet_network: 'goerli' 
 faucet_domain: 'faucet-{{ faucet_network }}.status.im'
 faucet_cors_rule: '^https?://.*\.infura\.status.im'
 faucet_account_pass: '{{lookup("bitwarden", "faucet/account", field="pass")}}'
 faucet_geth_rpc_port: '{{ geth_rpc_port }}'
+faucet_cont_port: 3002

 # Open Nginx Ports
-open_ports_default_comment: 'HTTP & HTTPS'
-open_ports_default_chain: 'SERVICES'
+open_ports_default_chain: 'VPN'
 open_ports_list:
-  - { port: 80  }
-  - { port: 443 }
-  - { port: '9200:9202', ipset: 'metrics.hq', chain: 'VPN', comment: 'geth-exporter' }
+  - { port: '{{ faucet_cont_port }}',    ipset: 'proxy.misc', comment: 'faucet-api' }
+  - { port: '{{ geth_expo_cont_port }}', ipset: 'metrics.hq', comment: 'geth-exporter' }
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -12,23 +12,9 @@
 - name: Install certs, open ports, add SWAP
  hosts: faucet-master
  roles:
-    - { role: origin-certs, tags: origin-certs }
-    - { role: open-ports,   tags: open-ports }
-    - { role: swap-file,    tags: swap-file }
-
- name: Configure Goerli faucet
-  hosts: faucet-master
-  roles:
+    - { role: origin-certs,             tags: origin-certs }
+    - { role: open-ports,               tags: open-ports }
+    - { role: swap-file,                tags: swap-file }
    - { role: infra-role-geth,          tags: infra-role-geth }
    - { role: infra-role-geth-exporter, tags: infra-role-geth-exporter }
    - { role: faucet-api,               tags: faucet-api }
-  vars:
-    faucet_network: 'goerli' 
-    faucet_cont_port: 3002
-    geth_sync_mode: 'snap'
-    geth_port: 30305
-    geth_rpc_port: 8549
-    geth_metrics_port: 6062
-    geth_websocket_port: 8550
-    geth_expo_cont_port: 9202
-    geth_cont_mem_ratio: 0.4
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -16,22 +16,22 @@

 - name: infra-role-bootstrap-linux
  src: git@github.com:status-im/infra-role-bootstrap-linux.git
-  version: 4fda60dc6873801eadda3a5baab3f721a4110beb
+  version: 484143ba5105f531009e4cb4f902c6fe44716362
  scm: git

 - name: infra-role-wireguard
  src: git@github.com:status-im/infra-role-wireguard.git
-  version: 544b1f0435d5ca47168236c42b6a077c44d5eb4a
+  version: 6c83e0bdcecba772e5c652c89e1995865d14c662
  scm: git

 - name: consul-service
  src: git@github.com:status-im/infra-role-consul-service.git
-  version: 7653d06cfc4d2613ee14bf637d38d98b0201864f
+  version: 4849a3c9d7f2045669880e4e17eeb71980b2e4d0
  scm: git

 - name: infra-role-geth
  src: git@github.com:status-im/infra-role-geth.git
-  version: 773c384dccbe0e8ada5ed4fc2af8f474f69cf944
+  version: 4583821179ffb32bbd235279e2efb53ce2f66703
  scm: git

 - name: infra-role-geth-exporter
--- a/ansible/roles/faucet-api/tasks/consul.yml
+++ b/ansible/roles/faucet-api/tasks/consul.yml
@ -5,8 +5,11 @@
    consul_config_name: '{{ faucet_cont_name | replace("-", "_") }}'
    consul_services:
      - name: '{{ faucet_cont_name }}'
-        tags: ['{{ env }}.{{ stage }}', 'faucet', 'api']
+        tags: ['{{ env }}.{{ stage }}', 'faucet', 'api', 'ssl-proxy-backend']
        port: '{{ faucet_cont_port }}'
+        address: '{{ ansible_local.wireguard.address }}'
+        meta:
+          proxy_fqdn: '{{ faucet_domain }}'
        checks:
          - id: '{{ faucet_cont_name }}-health'
            name: Faucet HTTP API
--- a/ansible/roles/faucet-api/tasks/container.yml
+++ b/ansible/roles/faucet-api/tasks/container.yml
--- a/ansible/roles/faucet-api/tasks/main.yml
+++ b/ansible/roles/faucet-api/tasks/main.yml
@ -1,4 +1,3 @@
 ---
- import_tasks: container.yml
- import_tasks: proxy.yml
+- import_tasks: docker.yml
 - import_tasks: consul.yml
--- a/ansible/roles/faucet-api/templates/cors-setup.conf.j2
+++ b/ansible/roles/faucet-api/templates/cors-setup.conf.j2
@ -1,10 +0,0 @@
-        # This enables CORS for all status.im subdomains
-        if ($http_origin ~* '{{ faucet_cors_rule | mandatory }}') {
-            add_header 'Access-Control-Allow-Origin' "$http_origin";
-            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
-            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
-            add_header 'Access-Control-Allow-Credentials' 'true';
-        }
-        if ($request_method = OPTIONS) {
-            return 204;
-        }
--- a/ansible/roles/faucet-api/templates/docker-compose.yml.j2
+++ b/ansible/roles/faucet-api/templates/docker-compose.yml.j2
@ -10,7 +10,7 @@ services:
    labels:
      com.centurylinklabs.watchtower.enable: 'true'
    ports:
-      - '127.0.0.1:{{ faucet_cont_port }}:{{ faucet_cont_port }}'
+      - '0.0.0.0:{{ faucet_cont_port }}:{{ faucet_cont_port }}'
    command: |
      -endpoint=':{{ faucet_cont_port }}'
      -network={{ faucet_network | mandatory }}
--- a/ansible/roles/faucet-api/templates/faucet-proxy.conf.j2
+++ b/ansible/roles/faucet-api/templates/faucet-proxy.conf.j2
@ -1,20 +0,0 @@
-server {
-    listen 80;
-    server_name {{ faucet_domain | mandatory }};
-    return 302 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl;
-    server_name {{ faucet_domain | mandatory }};
-
-    ssl_certificate     /certs/origin.crt;
-    ssl_certificate_key /certs/origin.key;
-
-    location / {
-        proxy_pass http://127.0.0.1:{{ faucet_cont_port }}/;
-
-        {% include "cors-setup.conf.j2" %}
-
-    }
-}
--- a/dns.tf
+++ b/dns.tf
@ -1,9 +1,8 @@
 /* DNS Entries for faucet APIs */
-resource "cloudflare_record" "main-goerli" {
+resource "cloudflare_record" "faucet-goerli" {
  zone_id = data.cloudflare_zones.active.zones[0].id
  name    = "faucet-goerli"
-  type    = "A"
-  proxied = true
-  value   = module.main.public_ips[count.index]
-  count   = length(module.main.public_ips)
+  type    = "CNAME"
+  proxied = false
+  value   = "proxy.infra.status.im"
 }