From e6c4b70efdfb8699518dad9ec9c408223ab9ff76 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Thu, 18 Feb 2021 18:49:44 +0100
Subject: [PATCH] [gitlab] Configure nginx reverse-proxy to manage multiple
 certificates

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/git.yml                 | 20 +-------------------
 host_vars/gitzly.adm.crans.org.yml | 21 ++++++++++++++++++---
 2 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/group_vars/git.yml b/group_vars/git.yml
index ad11520d..cd1a75ed 100644
--- a/group_vars/git.yml
+++ b/group_vars/git.yml
@@ -10,6 +10,7 @@ glob_gitlab:
     port: 389
     uid: 'uid'
     bind_dn: 'cn=gitlab,ou=service-users,dc=crans,dc=org'
+    bind_password: "{{ vault_gitlab_ldap_password }}"
     base: 'cn=Utilisateurs,dc=crans,dc=org'
     user_filter: '(&(!(shadowExpire=0))(uid=*))'
   cas_name: 'cas3'
@@ -18,22 +19,3 @@ glob_gitlab:
   smtp:
     address: "{{ query('ldap', 'ip', 'redisdead', 'adm') | first }}"
     port: 25
-
-glob_nginx:
-  service_name: gitlab-omnibus-ssl-nginx
-  servers:
-    - server_name:
-        - "gitlab.crans.org"
-      root: "/opt/gitlab/embedded/service/gitlab-rails/public"
-      locations:
-        - filter: "/"
-          params:
-            - "include snippets/options-proxypass.conf"
-            - "client_max_body_size 0"
-            - "gzip off"
-            - "proxy_read_timeout 300"
-            - "proxy_connect_timeout 300"
-            - "proxy_pass http://gitlab-workhorse"
-  upstreams:
-    - name: gitlab-workhorse
-      server: "unix:/var/opt/gitlab/gitlab-workhorse/sockets/socket fail_timeout=0"
diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml
index 65032e0c..731dc921 100644
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@@ -18,6 +18,21 @@ loc_certbot:
     certname: adm.crans.org
     domains: "*.adm.crans.org"
 
-loc_gitlab:
-  ldap:
-    bind_password: "{{ vault_gitlab_ldap_password }}"
+loc_nginx:
+  ssl:
+    - name: adm.crans.org
+      cert: /etc/letsencrypt/live/adm.crans.org/fullchain.pem
+      cert_key: /etc/letsencrypt/live/adm.crans.org/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/adm.crans.org/chain.pem
+    - name: crans.org
+      cert: /etc/letsencrypt/live/crans.org/fullchain.pem
+      cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
+      trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
+  servers: []
+
+loc_reverseproxy:
+  reverseproxy_sites:
+    - {from: gitlab.crans.org, to: "127.0.0.1:8000"}
+    - {from: gitlab.adm.crans.org, to: "127.0.0.1:8000", ssl: adm.crans.corg}
+
+  static_sites: []
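Review bot: The `ssl: adm.crans.corg` value on the `gitlab.adm.crans.org` site entry does not match either certificate name declared just above in `loc_nginx.ssl` (`adm.crans.org` and `crans.org`); it looks like a typo for `adm.crans.org`, so the adm vhost would presumably fall through to whatever the reverseproxy role does for an unknown or missing ssl name — either the wrong certificate or a render failure — and should be `- {from: gitlab.adm.crans.org, to: "127.0.0.1:8000", ssl: adm.crans.org}`. The first entry for `gitlab.crans.org` has no `ssl` key at all; if the role selects a default certificate in that case, a short comment naming that default (e.g. `# ssl omitted: role default certificate (crans.org)`) would make the intended cert per site explicit, otherwise the entry wants `ssl: crans.org` too. Since `loc_nginx.servers` is now `[]` and the former `glob_nginx` block (with `client_max_body_size 0` and the 300s proxy timeouts for GitLab) is removed in the group_vars hunk, it is worth confirming that the reverseproxy role reproduces those upload-size and timeout settings for the proxied GitLab backend.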
-- 
GitLab