dash.nimbus: move nimbus-logs to our own SSL proxy

Signed-off-by: Jakub Sokołowski <jakub@status.im>

ansible/group_vars/dash.nimbus.yml

@@ -21,16 +21,18 @@ kiban_es_lb_addr: '{{ es_lb_cont_name }}'
 kiban_es_lb_port: '{{ es_lb_api_port }}'
 
 # oauth access
-oauth_domain: '{{ kibana_domain }}'
+oauth_service_name: '{{ kibana_service_name }}'
+oauth_service_path: '{{ kibana_service_path }}/oauth'
 oauth_cont_name: '{{ kibana_cont_name }}-oauth'
-oauth_cont_networks: [{name: '{{ kibana_docker_network_name }}'}]
-oauth_upstream_name: '{{ kibana_cont_name }}'
+oauth_cont_networks: ['{{ kibana_docker_network_name }}']
+oauth_domain: '{{ kibana_domain }}'
+oauth_upstream_addr: '{{ kibana_cont_name }}'
 oauth_upstream_port: '{{ kibana_cont_port }}'
-oauth_public_port: 443
-oauth_local_port: 8090
-oauth_cookie_secret: '{{ lookup("bitwarden", "cookie-secret", field="secret") }}'
+oauth_local_port: 4180
+oauth_provider: 'github'
 oauth_id: '{{ lookup("bitwarden", "nimbus/kibana/oauth", field="client-id") }}'
 oauth_secret: '{{ lookup("bitwarden", "nimbus/kibana/oauth", field="secret") }}'
+oauth_cookie_secret: '{{ lookup("bitwarden", "nimbus/kibana/oauth", field="cookie-secret") }}'
 
 # ElasticSearch Load Balancer
 es_lb_service_name: 'elasticsearch'
@@ -52,30 +54,12 @@ logclean_keep_indices: 14
 es_lb_jvm_min_heap: 2g
 es_lb_jvm_max_heap: 2g
 
-# Nginx Proxy config
-nginx_sites:
-  kibana_http:
-    - listen 80
-    - server_name {{ oauth_domain }}
-    - return 302 https://$server_name$request_uri
-  kibana_ssl:
-    - listen 443 ssl
-
-    - server_name {{ oauth_domain }}
-
-    - ssl_certificate     /certs/origin.crt
-    - ssl_certificate_key /certs/origin.key
-
-    - location / {
-        proxy_set_header Host $host;
-        proxy_pass http://127.0.0.1:{{ oauth_local_port }}/;
-      }
-
 # Open Nginx Ports
 open_ports_default_comment: 'ElasticSearch LB'
 open_ports_default_chain: 'VPN'
 open_ports_list:
   - { port: 80,  chain: 'SERVICES', protocol: 'tcp', comment: 'Kiban & Grafana'}
   - { port: 443, chain: 'SERVICES', protocol: 'tcp', comment: 'Kiban & Grafana' }
-  - { port: '{{ es_lb_api_port }}',  ipset: 'logs.nimbus' }
-  - { port: '{{ es_lb_node_port }}', ipset: 'logs.nimbus' }
+  - { port: '{{ es_lb_api_port }}',   ipset: 'logs.nimbus' }
+  - { port: '{{ es_lb_node_port }}',  ipset: 'logs.nimbus' }
+  - { port: '{{ oauth_local_port }}', ipset: 'proxy.misc', comment: 'ElasticSearch HQ' }

ansible/logs.yml

@@ -46,6 +46,8 @@
   roles:
     - role: swap-file
       tags: swap-file
+    - role: open-ports
+      tags: open-ports
     - role: elasticsearch-lb
       tags: elasticsearch-lb
     - role: logclean-job
@@ -54,9 +56,3 @@
       tags: kibana
     - role: oauth-proxy
       tags: oauth-proxy
-    - role: origin-certs
-      tags: origin-certs
-    - role: nginx
-      tags: nginx
-    - role: open-ports
-      tags: open-ports

ansible/requirements.yml

@@ -86,7 +86,7 @@
 
 - name: kibana
   src: git@github.com:status-im/infra-role-kibana.git
-  version: 7ea3e3b48bde0c582abdba59e3e0e418a3d2d89d
+  version: 8e8c89b6999883b7558ce543108882a09b0d51ab
   scm: git
 
 - name: elasticsearch
@@ -96,7 +96,7 @@
 
 - name: elasticsearch-lb
   src: git@github.com:status-im/infra-role-elasticsearch-lb.git
-  version: 18fd708e74fd7a9a390ccba1dd26a1eef0ae8529
+  version: ba77cb2660870eb84f103b30f2f10661b8429cb9
   scm: git
 
 - name: systemd-timer

dash.tf

@@ -27,7 +27,7 @@ module "nimbus_dashboard" {
 resource "cloudflare_record" "nimbus_dashboard" {
   zone_id = local.zones["status.im"]
   name    = "nimbus-logs.infra"
-  value   = module.nimbus_dashboard.public_ips[0]
-  type    = "A"
-  proxied = true
+  value   = "proxy.infra.status.im"
+  type    = "CNAME"
+  proxied = false
 }