configure Nginx proxy for use with ssl-proxy

Otherwise we can't block access to certain sensitive paths like `/metrics`.

https://github.com/status-im/infra-hq/issues/73

Signed-off-by: Jakub Sokołowski <jakub@status.im>

defaults/main.yml

@@ -7,11 +7,12 @@ grafana_version: '8.4.3'
 grafana_image: 'grafana/grafana:{{ grafana_version }}'
 grafana_cont_name: '{{ grafana_service_name }}'
 grafana_cont_vol: '{{ grafana_service_path }}/data'
-grafana_port: 9400
 # see: http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-docker-container-to-5-1-or-later
 grafana_cont_uid: 472
 # Permission adjust for dockremap.
 grafana_host_uid: '{{ 100000 + grafana_cont_uid | int }}'
+grafana_cont_port: 9400
+grafana_proxy_port: 8780
 
 # Public domain
 grafana_domain: ~

tasks/consul.yml

@@ -4,11 +4,26 @@
   vars:
     consul_config_name: '{{ grafana_service_name }}'
     consul_services:
-      - name: '{{ grafana_service_name }}'
+      - id:   '{{ grafana_service_name }}:{{ grafana_domain }}'
-        tags: ['monitor', 'grafana']
+        name: '{{ grafana_service_name }}'
-        port: '{{ grafana_port }}'
+        tags: ['grafana', 'monitor']
+        port: '{{ grafana_cont_port }}'
+        address: '{{ ansible_local.wireguard.vpn_ip }}'
         checks:
           - id: '{{ grafana_service_name }}-health'
-            name: 'Grafana current health'
+            name: 'Grafana Health'
             type: 'http'
-            http: 'http://localhost:{{ grafana_port }}/api/health'
+            http: 'http://localhost:{{ grafana_cont_port }}/api/health'
+
+      - id:   '{{ grafana_service_name }}-proxy:{{ grafana_domain }}'
+        name: '{{ grafana_service_name }}-proxy'
+        tags: ['grafana', 'monitor', 'ssl-proxy-backend']
+        port: '{{ grafana_proxy_port }}'
+        address: '{{ ansible_local.wireguard.vpn_ip }}'
+        meta:
+          proxy_fqdn: '{{ grafana_domain | mandatory }}'
+        checks:
+          - id: '{{ grafana_service_name }}-proxy-health'
+            name: 'Grafana Proxy Health'
+            type: 'http'
+            http: 'http://localhost:{{ grafana_proxy_port }}/health'

tasks/main.yml

@@ -1,4 +1,5 @@
 ---
 - import_tasks: config.yml
 - import_tasks: docker.yml
+- import_tasks: proxy.yml
 - import_tasks: consul.yml

tasks/proxy.yml

@@ -0,0 +1,18 @@
+---
+# Necessary to hide a few sensitive paths
+- name: Configure Nginx proxy
+  include_role: name=nginx
+  vars:
+    nginx_sites:
+      grafana_ssl_backend:
+        - listen {{ grafana_proxy_port }}
+
+        - location /health { return 200; }
+        - location /avatar { return 401; }
+        - location /metrics { return 401; }
+        - location /api/health { return 401; }
+
+        - location / {
+            proxy_set_header Host $http_host;
+            proxy_pass http://127.0.0.1:{{ grafana_cont_port }}/;
+          }

templates/docker-compose.yml.j2

@@ -6,12 +6,12 @@ services:
     image: '{{ grafana_image }}'
     restart: always
     ports:
-      - '127.0.0.1:{{ grafana_port }}:{{ grafana_port }}'
+      - '127.0.0.1:{{ grafana_cont_port }}:{{ grafana_cont_port }}'
     volumes:
       - '{{ grafana_cont_vol }}/lib:/var/lib/grafana'
       - '{{ grafana_cont_vol }}/etc:/etc/grafana'
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:{{ grafana_port }}/api/health"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:{{ grafana_cont_port }}/api/health"]
       interval: 30s
       timeout: 10s
       retries: 3

templates/grafana.ini.j2

@@ -1,5 +1,5 @@
 [server]
-http_port = {{ grafana_port }}
+http_port = {{ grafana_cont_port }}
 domain = {{ grafana_domain | mandatory }}/
 root_url = https://{{ grafana_domain | mandatory }}/