From aa9aa6f954ebf9a02ab265bf7b1185c8dc72b3e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Tue, 28 Aug 2018 15:26:09 -0400
Subject: [PATCH] enable https access via 8900 port

---
 ansible/group_vars/all.yml | 21 +++++++++++++++++++++
 ansible/main.yml | 4 +++-
 ansible/roles/swarm/tasks/swarm.yml | 23 ++++++++---------------
 main.tf | 16 +++++++++-------
 4 files changed, 41 insertions(+), 23 deletions(-)
 create mode 100644 ansible/group_vars/all.yml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
new file mode 100644
index 0000000..93d1315
--- /dev/null
+++ b/ansible/group_vars/all.yml
@@ -0,0 +1,21 @@
+---
+nginx_configs:
+ upstream:
+ - upstream swarm_http {
+ {% for h in groups['swarm'] %}
+ server {{ hostvars[h].ansible_host }}:{{ swarm_port }};
+ {% endfor %}
+ }
+
+nginx_sites:
+ swarm_lb:
+ - listen 8900 ssl
+
+ - server_name {{ env }}-{{ stage }}.status.im
+
+ - ssl_certificate /certs/origin.crt
+ - ssl_certificate_key /certs/origin.key
+
+ - location / {
+ proxy_pass http://swarm_http;
+ }
diff --git a/ansible/main.yml b/ansible/main.yml
index 4b2f104..9eb0e0f 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -2,4 +2,6 @@
 - name: Configure swarm
 hosts: swarm
 roles:
- - role: swarm
+ - origin-cert
+ - nginx
+ - swarm
diff --git a/ansible/roles/swarm/tasks/swarm.yml b/ansible/roles/swarm/tasks/swarm.yml
index 175921e..36bb5ca 100644
--- a/ansible/roles/swarm/tasks/swarm.yml
+++ b/ansible/roles/swarm/tasks/swarm.yml
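Review bot: The `listen 8900 ssl` server under `nginx_sites.swarm_lb` sets only the certificate paths and otherwise inherits nginx's compiled-in TLS defaults, which on older distro packages still admit TLSv1.0/1.1 and weak cipher suites; add `- ssl_protocols TLSv1.2` (plus TLSv1.3 where the host's nginx/OpenSSL support it) and `- ssl_prefer_server_ciphers on` with an explicit `ssl_ciphers` list next to the `ssl_certificate_key` entry. The `origin-cert` role name and the `proxied = true` record in main.tf suggest `/certs/origin.crt` is a Cloudflare origin certificate, which only Cloudflare's edge trusts, so clients hitting 8900 directly will see an untrusted chain; a comment above `ssl_certificate` stating that this listener is meant to be reached only through the proxy would make that intentional. The upstream members are reached over plain `http://` at `hostvars[h].ansible_host`, so if `ansible_host` is the public address the lb-to-node hop is unencrypted across the public network; confirm it resolves to a private interface or record that exposure explicitly.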
@@ -29,24 +29,17 @@
 - '{{ cont_vol }}/data:/data:rw'
 - '{{ cont_vol }}/store:/store:rw'
 
-- name: Enable swarm port
+- name: Enable swarm ports
 iptables:
- comment: '{{ cont_name }}'
+ comment: '{{ item.name }}'
 chain: INPUT
 jump: ACCEPT
 source: '0.0.0.0/0'
- protocol: udp
- destination_port: '{{ cont_port }}'
- notify:
- - Save iptables rules
-
-- name: Enable swarm HTTP port
- iptables:
- comment: '{{ cont_name }} HTTP'
- chain: INPUT
- jump: ACCEPT
- source: '0.0.0.0/0'
- protocol: tcp
- destination_port: '{{ swarm_port }}'
+ protocol: '{{ item.proto }}'
+ destination_port: '{{ item.port }}'
+ with_items:
+ - { 'name': 'Swarm', 'port': '{{ cont_port }}', 'proto': 'udp' }
+ - { 'name': 'Swarm HTTP', 'port': '{{ swarm_port }}', 'proto': 'udp' }
+ - { 'name': 'Swarm HTTPS', 'port': 8900, 'proto': 'udp' }
 notify:
 - Save iptables rules
diff --git a/main.tf b/main.tf
index 657dd77..12013b5 100644
--- a/main.tf
+++ b/main.tf
@@ -54,17 +54,19 @@ module "swarm" {
 eth_network = "${var.eth_network}"
 /* firewall */
 open_ports = [
- "8800-8800", /* http */
+ "8800-8800", /* http */
+ "8900-8900", /* https */
 "30303-30303", /* geth */
 "30399-30399", /* swarm */
 ]
 }
 
 resource "cloudflare_record" "swarm" {
- domain = "${var.domain}"
- name = "${var.env}-${terraform.workspace}"
- value = "${element(module.swarm.public_ips, count.index)}"
- count = "${local.ws["hosts_count"]}"
- type = "A"
- ttl = 3600
+ domain = "${var.domain}"
+ name = "${var.env}-${terraform.workspace}"
+ value = "${element(module.swarm.public_ips, count.index)}"
+ count = 3
+ type = "A"
+ ttl = 3600
+ proxied = true
 }
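Review bot: All three `with_items` entries set `'proto': 'udp'`, but the `Swarm HTTP` entry replaces a removed rule that was `protocol: tcp`, and the new `Swarm HTTPS` entry fronts the nginx `listen 8900 ssl` server, which is TCP as well; as written the task opens UDP 8900 and UDP `swarm_port` instead, so neither HTTP service is actually admitted through INPUT on the host (the Terraform `open_ports` change only covers the provider-side firewall). Change the last two entries to `- { 'name': 'Swarm HTTP', 'port': '{{ swarm_port }}', 'proto': 'tcp' }` and `- { 'name': 'Swarm HTTPS', 'port': 8900, 'proto': 'tcp' }`. The literal `8900` also appears in the nginx `listen` directive in group_vars, so a single variable such as `swarm_https_port` used in both places would keep the firewall rule and the listener from drifting apart. Since the DNS records are Cloudflare-proxied, the `source: '0.0.0.0/0'` on the HTTPS rule could be narrowed to Cloudflare's published ranges, but whether anything else needs direct access is not visible here.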
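Review bot: `count = 3` replaces `"${local.ws["hosts_count"]}"` in `cloudflare_record.swarm`, so the number of DNS records no longer follows the number of hosts; `element()` wraps modulo the list length, so with fewer than three hosts the record set repeats an address and with more it silently omits hosts, and the per-workspace sizing the local provided is lost. Unless that local was removed elsewhere, restore `count = "${local.ws["hosts_count"]}"`, or at minimum add a comment explaining why the record count is pinned to 3. Separately, `proxied = true` hides the origin IPs at the DNS layer, but `open_ports` still admits `8800-8800` and `8900-8900` from any source, so anyone who learns an origin address can bypass Cloudflare and reach both the TLS front end and the plaintext 8800 directly; if the `swarm` module supports source restrictions, limit those two ports to Cloudflare's published ranges. The `module "swarm"` block begins before this hunk.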