authorChristian Pointner <equinox@spreadspace.org>2023-11-15 17:03:55 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-11-15 17:03:55 +0100
commitc505ecfe73263b8700083b6b0b53f44044493a7d (patch)
tree07221f4cf07ccd6eb52fc949b996f360784d2bcc /inventory
parentx509: add internal ca for chaos-at-home (diff)
ch-mon: add certificate for monitoring
Diffstat (limited to 'inventory')
-rw-r--r--inventory/host_vars/ch-mon.yml35
1 files changed, 35 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 5d9ddfba..f21bd9b2 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -108,6 +108,9 @@ prometheus_job_multitarget_blackbox__probe:
- instance: "ssh-{{ inventory_hostname }}"
target: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}:{{ ansible_port | default(22) }}"
module: ssh_banner
+ - instance: "https-mon.chaos-at-home.org"
+ target: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ module: http_tls_2xx
prometheus_job_multitarget_ssl__probe:
ch-mon:
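Review bot: The added `https-mon.chaos-at-home.org` entry probes the bare service address, so certificate validation runs against the IP and not against `mon.chaos-at-home.org`. That can only pass if the served certificate has a matching `IP:` SAN and the `http_tls_2xx` module trusts the internal CA. The module definition is outside this hunk, so it is worth confirming that it points at the CA file and does not set `insecure_skip_verify: true`. The target comes from `network_zones.svc` while the SAN list in the second hunk comes from `ansible_all_ipv4_addresses`, and a comment such as `# probed by IP: needs the IP SAN from monitoring_landingpage_tls and the internal CA in http_tls_2xx` would record that coupling. The list this entry joins starts above the hunk.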
@@ -204,3 +207,35 @@ grafana_admin_password: "{{ vault_grafana_admin_password }}"
monitoring_landingpage_hostnames:
- "mon.chaos-at-home.org"
monitoring_landingpage_title: "chaos@home Monitoring Host"
+monitoring_landingpage_tls:
+ certificate_provider: ownca
+ certificate_config:
+ mode: "0750"
+ owner: root
+ group: www-data
+ ca:
+ key_content: "{{ chaos_at_home_internal_ca_key }}"
+ cert_content: "{{ chaos_at_home_internal_ca_cert }}"
+ key:
+ mode: "0640"
+ owner: root
+ group: www-data
+ type: RSA
+ size: 4096
+ cert:
+ mode: "0644"
+ owner: root
+ group: www-data
+ common_name: "{{ host_name }}"
+ san_extra: "{{ ['IP:'] | product(ansible_all_ipv4_addresses) | map('join') | list }}"
+ key_usage:
+ - digitalSignature
+ - keyAgreement
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_before: +0h
+ not_after: +365d
+ renew_margin: +70d
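Review bot: `ca.key_content: "{{ chaos_at_home_internal_ca_key }}"` hands the internal CA's private key to whatever implements the `ownca` provider, and nothing visible here shows where signing runs or whether task output is suppressed. If the role signs on the target, the key reaches ch-mon at least transiently, so confirm the variable is vaulted and that the signing tasks use `no_log: true`. A comment above `ca:` would record this, for example `# CA private key (vaulted); confirm ownca tasks run with no_log and never persist it on the target`. Separately, the leaf key at `mode: "0640"` with `group: www-data` is readable by every process in that group; `group: root` with `mode: "0600"` is tighter if the web server loads the key before dropping privileges. `keyAgreement` under `key_usage` has no use with an RSA key, so the critical extension can be reduced to `digitalSignature`.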