From 678fe9623934e00a70ded2d4a17842adbb97a394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Thu, 20 Oct 2022 23:08:34 +0200
Subject: [PATCH] faucet-api: switch to our own ssl-proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dropping Nginx proxy setup and using `ssl-proxy` service.
Also removing variables from playbook as it's just one node now.

Signed-off-by: Jakub SokoĊ‚owski
---
 ansible/group_vars/faucet-master.yml | 22 +++++++++++--------
 ansible/main.yml | 20 +++-------------
 ansible/requirements.yml | 8 +++----
 ansible/roles/faucet-api/tasks/consul.yml | 5 ++++-
 .../tasks/{container.yml => docker.yml} | 0
 ansible/roles/faucet-api/tasks/main.yml | 3 +--
 .../faucet-api/templates/cors-setup.conf.j2 | 10 ---------
 .../templates/docker-compose.yml.j2 | 2 +-
 .../faucet-api/templates/faucet-proxy.conf.j2 | 20 ----------------
 dns.tf | 9 ++++----
 10 files changed, 30 insertions(+), 69 deletions(-)
 rename ansible/roles/faucet-api/tasks/{container.yml => docker.yml} (100%)
 delete mode 100644 ansible/roles/faucet-api/templates/cors-setup.conf.j2
 delete mode 100644 ansible/roles/faucet-api/templates/faucet-proxy.conf.j2

diff --git a/ansible/group_vars/faucet-master.yml b/ansible/group_vars/faucet-master.yml
index 0533544..5510aec 100644
--- a/ansible/group_vars/faucet-master.yml
+++ b/ansible/group_vars/faucet-master.yml
@@ -1,15 +1,19 @@
 ---
-# WARNING: this needs to be set
-faucet_network: '{{ faucet_network | mandatory }}'
-
 # Geth necessary for Faucet to work
 geth_network_name: '{{ faucet_network }}'
 geth_service_name: 'faucet-{{ faucet_network }}'
-geth_rpc_port: '{{ faucet_geth_cont_rpc_port }}'
 geth_rpc_vhosts: ['*']
 geth_sync_mode: 'light'
 geth_websocket_enabled: false
 geth_log_level_name: info
+geth_sync_mode: 'snap'
+# Ports
+geth_port: 30305
+geth_rpc_port: 8549
+geth_metrics_port: 6062
+geth_websocket_port: 8550
+geth_expo_cont_port: 9202
+geth_cont_mem_ratio: 0.4
 
 # Credentials for the wallet
 geth_account_pass: '{{lookup("bitwarden", "faucet/account", field="pass")}}'
@@ -23,15 +27,15 @@ geth_expo_source_data_path: '{{ geth_cont_vol }}/data'
 
 # Faucet API settings
 faucet_service_name: '{{ geth_service_name }}'
+faucet_network: 'goerli'
 faucet_domain: 'faucet-{{ faucet_network }}.status.im'
 faucet_cors_rule: '^https?://.*\.infura\.status.im'
 faucet_account_pass: '{{lookup("bitwarden", "faucet/account", field="pass")}}'
 faucet_geth_rpc_port: '{{ geth_rpc_port }}'
+faucet_cont_port: 3002
 
 # Open Nginx Ports
-open_ports_default_comment: 'HTTP & HTTPS'
-open_ports_default_chain: 'SERVICES'
+open_ports_default_chain: 'VPN'
 open_ports_list:
-  - { port: 80 }
-  - { port: 443 }
-  - { port: '9200:9202', ipset: 'metrics.hq', chain: 'VPN', comment: 'geth-exporter' }
+  - { port: '{{ faucet_cont_port }}', ipset: 'proxy.misc', comment: 'faucet-api' }
+  - { port: '{{ geth_expo_cont_port }}', ipset: 'metrics.hq', comment: 'geth-exporter' }
diff --git a/ansible/main.yml b/ansible/main.yml
index 01ac34c..ea0a4b4 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
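Review bot: `geth_sync_mode` is defined twice after this hunk — the context line `geth_sync_mode: 'light'` is kept and `+geth_sync_mode: 'snap'` is appended below it, so the file depends on last-key-wins behaviour and Ansible's YAML loader will emit a duplicate-dict-key warning (or fail, depending on the `DUPLICATE_YAML_DICT_KEY` setting). Edit the existing line instead of adding a second one: change `geth_sync_mode: 'light'` to `geth_sync_mode: 'snap'` and drop the added line. The new `# Ports` stanza also sits directly under the unrelated `geth_log_level_name` line; a blank line before it would keep the file's one-stanza-per-heading layout.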
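Review bot: `faucet_cors_rule` is kept as a context line in the second hunk of this file although its only consumer, `templates/cors-setup.conf.j2`, is deleted by this commit, so the CORS allow-list for `*.infura.status.im` origins is no longer applied anywhere in this repository. If the ssl-proxy service is expected to add those headers, the rule has to reach it (the Consul `meta` block registered in `tasks/consul.yml` looks like the intended channel); otherwise remove the variable so it does not suggest CORS is still enforced. The `# Open Nginx Ports` heading above `open_ports_list` is stale too, since Nginx is gone and the list now only opens the faucet and exporter ports on the `VPN` chain; replace it with `# Ports reachable only over VPN (faucet-api from ssl-proxy, exporter from metrics)`.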
@@ -12,23 +12,9 @@
 - name: Install certs, open ports, add SWAP
   hosts: faucet-master
   roles:
-  - { role: origin-certs, tags: origin-certs }
-  - { role: open-ports, tags: open-ports }
-  - { role: swap-file, tags: swap-file }
-
-- name: Configure Goerli faucet
-  hosts: faucet-master
-  roles:
+    - { role: origin-certs, tags: origin-certs }
+    - { role: open-ports, tags: open-ports }
+    - { role: swap-file, tags: swap-file }
     - { role: infra-role-geth, tags: infra-role-geth }
     - { role: infra-role-geth-exporter, tags: infra-role-geth-exporter }
     - { role: faucet-api, tags: faucet-api }
-  vars:
-    faucet_network: 'goerli'
-    faucet_cont_port: 3002
-    geth_sync_mode: 'snap'
-    geth_port: 30305
-    geth_rpc_port: 8549
-    geth_metrics_port: 6062
-    geth_websocket_port: 8550
-    geth_expo_cont_port: 9202
-    geth_cont_mem_ratio: 0.4
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index afbf34c..58b31c7 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -16,22 +16,22 @@
 
 - name: infra-role-bootstrap-linux
   src: git@github.com:status-im/infra-role-bootstrap-linux.git
-  version: 4fda60dc6873801eadda3a5baab3f721a4110beb
+  version: 484143ba5105f531009e4cb4f902c6fe44716362
   scm: git
 
 - name: infra-role-wireguard
   src: git@github.com:status-im/infra-role-wireguard.git
-  version: 544b1f0435d5ca47168236c42b6a077c44d5eb4a
+  version: 6c83e0bdcecba772e5c652c89e1995865d14c662
   scm: git
 
 - name: consul-service
   src: git@github.com:status-im/infra-role-consul-service.git
-  version: 7653d06cfc4d2613ee14bf637d38d98b0201864f
+  version: 4849a3c9d7f2045669880e4e17eeb71980b2e4d0
   scm: git
 
 - name: infra-role-geth
   src: git@github.com:status-im/infra-role-geth.git
-  version: 773c384dccbe0e8ada5ed4fc2af8f474f69cf944
+  version: 4583821179ffb32bbd235279e2efb53ce2f66703
   scm: git
 
 - name: infra-role-geth-exporter
diff --git a/ansible/roles/faucet-api/tasks/consul.yml b/ansible/roles/faucet-api/tasks/consul.yml
index bd05060..b390b45 100644
--- a/ansible/roles/faucet-api/tasks/consul.yml
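Review bot: The play name `Install certs, open ports, add SWAP` (the context line at the top of the hunk) no longer describes the play, which after the merge also applies `infra-role-geth`, `infra-role-geth-exporter` and `faucet-api`; rename it, e.g. `- name: Configure Goerli faucet node`. The `origin-certs` role is also still listed although the Nginx vhost that consumed `/certs/origin.crt` and `/certs/origin.key` is deleted in this commit, so unless something else on the host reads those files the role can be dropped from the list along with its tag.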
+++ b/ansible/roles/faucet-api/tasks/consul.yml
@@ -5,8 +5,11 @@
     consul_config_name: '{{ faucet_cont_name | replace("-", "_") }}'
     consul_services:
       - name: '{{ faucet_cont_name }}'
-        tags: ['{{ env }}.{{ stage }}', 'faucet', 'api']
+        tags: ['{{ env }}.{{ stage }}', 'faucet', 'api', 'ssl-proxy-backend']
         port: '{{ faucet_cont_port }}'
+        address: '{{ ansible_local.wireguard.address }}'
+        meta:
+          proxy_fqdn: '{{ faucet_domain }}'
         checks:
           - id: '{{ faucet_cont_name }}-health'
             name: Faucet HTTP API
diff --git a/ansible/roles/faucet-api/tasks/container.yml b/ansible/roles/faucet-api/tasks/docker.yml
similarity index 100%
rename from ansible/roles/faucet-api/tasks/container.yml
rename to ansible/roles/faucet-api/tasks/docker.yml
diff --git a/ansible/roles/faucet-api/tasks/main.yml b/ansible/roles/faucet-api/tasks/main.yml
index 8489916..b91bd64 100644
--- a/ansible/roles/faucet-api/tasks/main.yml
+++ b/ansible/roles/faucet-api/tasks/main.yml
@@ -1,4 +1,3 @@
 ---
-- import_tasks: container.yml
-- import_tasks: proxy.yml
+- import_tasks: docker.yml
 - import_tasks: consul.yml
diff --git a/ansible/roles/faucet-api/templates/cors-setup.conf.j2 b/ansible/roles/faucet-api/templates/cors-setup.conf.j2
deleted file mode 100644
index 06453c1..0000000
--- a/ansible/roles/faucet-api/templates/cors-setup.conf.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-  # This enables CORS for all status.im subdomains
-  if ($http_origin ~* '{{ faucet_cors_rule | mandatory }}') {
-    add_header 'Access-Control-Allow-Origin' "$http_origin";
-    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
-    add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
-    add_header 'Access-Control-Allow-Credentials' 'true';
-  }
-  if ($request_method = OPTIONS) {
-    return 204;
-  }
diff --git a/ansible/roles/faucet-api/templates/docker-compose.yml.j2 b/ansible/roles/faucet-api/templates/docker-compose.yml.j2
index 5c8ae8b..81b7591 100644
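Review bot: The `- import_tasks: proxy.yml` line is removed from `tasks/main.yml`, but the diffstat lists no deletion of `ansible/roles/faucet-api/tasks/proxy.yml`, so that task file appears to stay in the role while the templates it rendered (`faucet-proxy.conf.j2` and `cors-setup.conf.j2`) are deleted. If the file exists, remove it in the same commit so the role carries no orphaned tasks pointing at missing templates. The `consul.yml` hunk above it also binds the registration to `ansible_local.wireguard.address`; that custom fact only exists after the wireguard role has run and facts were re-read, which is presumably guaranteed by the playbook order but is worth a one-line comment above `address:`.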
--- a/ansible/roles/faucet-api/templates/docker-compose.yml.j2
+++ b/ansible/roles/faucet-api/templates/docker-compose.yml.j2
@@ -10,7 +10,7 @@ services:
     labels:
       com.centurylinklabs.watchtower.enable: 'true'
     ports:
-      - '127.0.0.1:{{ faucet_cont_port }}:{{ faucet_cont_port }}'
+      - '0.0.0.0:{{ faucet_cont_port }}:{{ faucet_cont_port }}'
     command: |
       -endpoint=':{{ faucet_cont_port }}'
       -network={{ faucet_network | mandatory }}
diff --git a/ansible/roles/faucet-api/templates/faucet-proxy.conf.j2 b/ansible/roles/faucet-api/templates/faucet-proxy.conf.j2
deleted file mode 100644
index 0d874e5..0000000
--- a/ansible/roles/faucet-api/templates/faucet-proxy.conf.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-server {
-  listen 80;
-  server_name {{ faucet_domain | mandatory }};
-  return 302 https://$host$request_uri;
-}
-
-server {
-  listen 443 ssl;
-  server_name {{ faucet_domain | mandatory }};
-
-  ssl_certificate /certs/origin.crt;
-  ssl_certificate_key /certs/origin.key;
-
-  location / {
-    proxy_pass http://127.0.0.1:{{ faucet_cont_port }}/;
-
-    {% include "cors-setup.conf.j2" %}
-
-  }
-}
diff --git a/dns.tf b/dns.tf
index a218dd8..7ad6af4 100644
--- a/dns.tf
+++ b/dns.tf
@@ -1,9 +1,8 @@
 /* DNS Entries for faucet APIs */
-resource "cloudflare_record" "main-goerli" {
+resource "cloudflare_record" "faucet-goerli" {
   zone_id = data.cloudflare_zones.active.zones[0].id
   name    = "faucet-goerli"
-  type    = "A"
-  proxied = true
-  value   = module.main.public_ips[count.index]
-  count   = length(module.main.public_ips)
+  type    = "CNAME"
+  proxied = false
+  value   = "proxy.infra.status.im"
 }
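Review bot: Publishing the port on `0.0.0.0` makes the faucet API listen on every host interface, including the public one, while the Consul registration added in `tasks/consul.yml` advertises only the WireGuard address. Docker-published ports are handled in the FORWARD/DOCKER chains rather than INPUT, so the `open_ports_list` rule on the `VPN` chain may not filter them unless the open-ports role installs into DOCKER-USER — worth confirming before relying on it. Binding to the address the service registers with keeps the API off the public interface regardless of the firewall: `- '{{ ansible_local.wireguard.address }}:{{ faucet_cont_port }}:{{ faucet_cont_port }}'`.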
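Review bot: `proxied = false` takes `faucet-goerli` out from behind Cloudflare's edge, so clients now connect straight to `proxy.infra.status.im` without the WAF/DDoS layer the old proxied A record had. If that host terminates TLS with a Cloudflare origin certificate, as the deleted Nginx vhost did with `/certs/origin.crt`, browsers will reject it, because origin certificates are trusted only by Cloudflare's proxy; confirm the ssl-proxy presents a publicly trusted certificate for `faucet-goerli.status.im`, or keep `proxied = true` on the CNAME. A comment above the resource such as `# Unproxied on purpose: TLS is terminated by ssl-proxy with its own certificate` would record the decision for the next reader.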