diff --git a/infrastructure/nomad/playbooks/deploy.yml b/infrastructure/nomad/playbooks/deploy.yml
index e2f662305..735a72192 100644
--- a/infrastructure/nomad/playbooks/deploy.yml
+++ b/infrastructure/nomad/playbooks/deploy.yml
@@ -51,12 +51,10 @@
register: vault_init
become: true
become_user: "{{ ansible_user }}"
- no_log: true
- name: Parse Vault Initialization File
ansible.builtin.set_fact:
vault_init: "{{ vault_init | combine({'json': (vault_init['content'] | b64decode | from_json) }) }}"
- no_log: true
- name: Determine Artifacts Build Version
ansible.builtin.shell: |
@@ -527,7 +525,6 @@
validate_certs: no
when: build_artifacts and environments[env].secrets == 'generate'
delegate_to: localhost
- no_log: true
- name: Cleanup Built Artifacts
ansible.builtin.file:
diff --git a/infrastructure/nomad/playbooks/init.yml b/infrastructure/nomad/playbooks/init.yml
index 1ae80bd24..92f604bee 100644
--- a/infrastructure/nomad/playbooks/init.yml
+++ b/infrastructure/nomad/playbooks/init.yml
@@ -231,7 +231,6 @@
validate_certs: no
register: vault_init
when: vault_status.json.initialized == false
- no_log: true
- name: Save Vault Unseal Key and Root Token
ansible.builtin.copy:
@@ -241,7 +240,6 @@
when: vault_status.json.initialized == false
become: true
become_user: "{{ ansible_user }}"
- no_log: true
- name: Determine Vault Seal Status
ansible.builtin.uri:
@@ -260,7 +258,6 @@
- vault_seal_status.json.sealed == true
become: true
become_user: "{{ ansible_user }}"
- no_log: true
- name: Parse Vault Initialization File
ansible.builtin.set_fact:
@@ -269,7 +266,6 @@
- vault_init_content is defined
- vault_status.json.initialized == true
- vault_seal_status.json.sealed == true
- no_log: true
- name: Unseal Vault
ansible.builtin.uri:
@@ -291,7 +287,6 @@
retries: 5
delay: 10
when: vault_seal_status.json.sealed == true
- no_log: true
- name: Fetch Secrets
ansible.builtin.set_fact:
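Review bot: Dropping `no_log: true` from the task that registers `vault_init` and from the `set_fact` that base64-decodes it means the raw content and the decoded JSON — which in this Vault init flow is where the root token and unseal keys live — are printed in task results whenever the play runs with `-v` or a result-logging callback, and so land in CI job logs. The same removal is made in deploy.yml @@ -527 and in every init.yml hunk of this commit (@@ -231, -241, -260, -269, -291, -299, -320, -334, -386, -423); @@ -386 is the template task fed `vault_token: "{{ vault_init.json.root_token }}"`, so with `--diff` the rendered file content is shown as well. If the goal is debuggability of failed runs, keep the default silent and make it an explicit opt-in, e.g. `no_log: "{{ not (unmask_vault_output | default(false)) }}"` (variable name is an example); the task that owns `register: vault_init` starts above this hunk.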
@@ -299,7 +294,6 @@
when: unseal_result.json.sealed == false and environments[env].secrets == "fetch"
delegate_to: localhost
run_once: true
- no_log: true
- name: Enable KV Secrets Engine
ansible.builtin.uri:
@@ -320,7 +314,6 @@
when:
- vault_status.json.initialized == false
- unseal_result.json.sealed == false
- no_log: true
- name: Write Retrieved Secret into Vault
ansible.builtin.uri:
@@ -334,7 +327,6 @@
status_code: [200, 204]
validate_certs: no
when: unseal_result.json.sealed == false and environments[env].secrets == "fetch"
- no_log: true
- name: Install Nomad
ansible.builtin.apt:
@@ -386,7 +378,6 @@
mode: "0644"
vars:
vault_token: "{{ vault_init.json.root_token }}"
- no_log: true
- name: Restart and Enable Nomad Service
ansible.builtin.systemd:
@@ -404,9 +395,9 @@
- name: Enable Nginx Domain Configuration
ansible.builtin.file:
- src: "/etc/nginx/sites-available/{{ environments[env].domain }}"
- dest: "/etc/nginx/sites-enabled/{{ environments[env].domain }}"
- state: link
+ src: "/etc/nginx/sites-available/{{ environments[env].domain }}"
+ dest: "/etc/nginx/sites-enabled/{{ environments[env].domain }}"
+ state: link
when: env != "devenv"
- name: Ensure "{{ openssl_dir }}" Directory Exists
@@ -423,27 +414,19 @@
when: env != "devenv"
delegate_to: localhost
run_once: true
- no_log: true
tags:
- certs
- - name: Deploy Retrieved Certificates
+ - name: Deploy Retrieved Domain Certificates
ansible.builtin.shell: |
- {% for item in mev_commit_certificates | dict2items %}
- {% if item.key.startswith('ca_') %}
- echo "{{ item.value }}" > "{{ tls_ca_crt_file }}"
- chmod 0644 "{{ tls_ca_crt_file }}"
- {% elif item.key.endswith('_crt') %}
- echo "{{ item.value }}" > "{{ tls_crt_file }}"
- chmod 0644 "{{ tls_crt_file }}"
- {% elif item.key.endswith('_key') %}
- echo "{{ item.value }}" > "{{ tls_key_file }}"
- chmod 0600 "{{ tls_key_file }}"
- {% endif %}
- {% endfor %}
- notify: update ca-certificates
+ CRT_FILE_PATH="{{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.crt"
+ KEY_FILE_PATH="{{ private_keys_dir }}/{{ env }}.{{ environments[env].domain }}.key"
+ echo "{{ mev_commit_certificates['mev_commit_crt'] }}" > "${CRT_FILE_PATH}"
+ chmod 0644 "${CRT_FILE_PATH}"
+ echo "{{ mev_commit_certificates['mev_commit_key'] }}" > "${KEY_FILE_PATH}"
+ chmod 0600 "${KEY_FILE_PATH}"
when: env != "devenv"
- no_log: true
+ notify: update ca-certificates
tags:
- certs
@@ -451,7 +434,6 @@
ansible.builtin.openssl_privatekey:
path: "{{ ca_certificates_dir }}/ca-{{ server_common_name }}.key"
size: 4096
- when: env == "devenv"
tags:
- certs
@@ -459,7 +441,6 @@
ansible.builtin.command:
cmd: "openssl req -x509 -new -nodes -key {{ ca_certificates_dir }}/ca-{{ server_common_name }}.key -days 3650 -out {{ tls_ca_crt_file }} -subj '/C=US/ST=Delaware/L=Delaware City/O=Primev Inc/OU=Certificate Authority/CN={{ ansible_default_ipv4['address'] }}'"
notify: update ca-certificates
- when: env == "devenv"
tags:
- certs
@@ -467,7 +448,6 @@
ansible.builtin.openssl_privatekey:
path: "{{ tls_key_file }}"
size: 4096
- when: env == "devenv"
tags:
- certs
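Review bot: The new shell body inlines the private key from `mev_commit_certificates['mev_commit_key']` into the command text, and the same hunk removes this task's `no_log: true`, so the whole key is now part of the logged command line. `echo ... > "${KEY_FILE_PATH}"` also creates the file under the process umask before `chmod 0600` runs, leaving a short window in which the key is readable by other local users (and a permanently wider mode if the chmod line is never reached). Both points go away with `ansible.builtin.copy` using `content:` and `mode:`, which applies the mode as part of the write and, with `no_log: true` kept, logs nothing. The retained `notify: update ca-certificates` reads like a holdover from the old loop's `ca_` branch — the task now writes only the domain cert and key, which `update-ca-certificates` does not consume, while nothing here reloads nginx, the actual consumer of these files; confirm which handler is intended.
```yaml
  - name: Deploy Retrieved Domain Certificates
    ansible.builtin.copy:
      content: "{{ item.content }}"
      dest: "{{ item.dest }}"
      mode: "{{ item.mode }}"
    loop:
      - content: "{{ mev_commit_certificates['mev_commit_crt'] }}"
        dest: "{{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.crt"
        mode: "0644"
      - content: "{{ mev_commit_certificates['mev_commit_key'] }}"
        dest: "{{ private_keys_dir }}/{{ env }}.{{ environments[env].domain }}.key"
        mode: "0600"
    when: env != "devenv"
    no_log: true
    # … unchanged: notify / tags …
```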
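Review bot: Removing `when: env == "devenv"` from this task and from the four that follow (@@ -459, -467, -477, -491) means the local CA key, the self-signed CA certificate and the IP-based server certificate are now generated on every environment, and the `notify: update ca-certificates` on the `openssl req` task installs that self-signed CA into the host trust store everywhere rather than only on devenv. That widens what each host trusts by a CA whose private key sits on the same machine, so it deserves to be a deliberate decision; if non-devenv hosts do need the IP cert for internal services, a comment on the first of these tasks such as `# Local CA and IP cert are generated on all envs for <internal consumer>; nginx domain certs come from Vault above.` (placeholder to fill in) would stop the next reader from re-adding the guard. If that is not the intent, the guard should stay. Each task's header starts above its hunk.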
@@ -477,7 +457,6 @@
privatekey_path: "{{ tls_key_file }}"
common_name: "{{ ansible_default_ipv4['address'] }}"
subject_alt_name: "DNS:localhost,IP:127.0.0.1,IP:{{ ansible_default_ipv4['address'] }}"
- when: env == "devenv"
tags:
- certs
@@ -491,7 +470,6 @@
ownca_privatekey_path: "{{ ca_certificates_dir }}/ca-{{ server_common_name }}.key"
ownca_not_before: "-1d"
ownca_not_after: "+365d"
- when: env == "devenv"
tags:
- certs
diff --git a/infrastructure/nomad/playbooks/templates/services/mev-commit.xyz.hcl.j2 b/infrastructure/nomad/playbooks/templates/services/mev-commit.xyz.hcl.j2
index 9a46761a9..8083050b1 100644
--- a/infrastructure/nomad/playbooks/templates/services/mev-commit.xyz.hcl.j2
+++ b/infrastructure/nomad/playbooks/templates/services/mev-commit.xyz.hcl.j2
@@ -1,10 +1,10 @@
#jinja2: trim_blocks:True, lstrip_blocks:True
server {
listen 443 ssl http2;
-
- ssl_certificate {{ tls_crt_file }};
- ssl_certificate_key {{ tls_key_file }};
-
+
+ ssl_certificate {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.crt;
+ ssl_certificate_key {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.key;
+
server_name bootnode.{{ environments[env].domain }};
location / {
@@ -19,8 +19,8 @@ server {
server {
listen 443 ssl http2;
- ssl_certificate {{ tls_crt_file }};
- ssl_certificate_key {{ tls_key_file }};
+ ssl_certificate {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.crt;
+ ssl_certificate_key {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.key;
server_name provider.{{ environments[env].domain }};
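Review bot: `ssl_certificate_key` now points at `{{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.key`, but the init.yml task in this same commit writes the key to `KEY_FILE_PATH="{{ private_keys_dir }}/{{ env }}.{{ environments[env].domain }}.key"`, and common.yml defines those as `/etc/ssl/certs` and `/etc/ssl/private` respectively — nginx is told to read the key from a directory it is never written to, so `nginx -t` and the reload should fail unless a copy happens to exist there. The same line appears in @@ -19 and three times in @@ -35. Use `ssl_certificate_key {{ private_keys_dir }}/{{ env }}.{{ environments[env].domain }}.key;` in all five server blocks, which also keeps the private key out of the world-readable certs directory. Since the five blocks repeat identical `listen`/`ssl_certificate`/`ssl_certificate_key` lines, a single shared snippet included from each block would remove the opportunity for this kind of drift.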
@@ -35,10 +35,49 @@ server {
server {
listen 443 ssl http2;
+
+ ssl_certificate {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.crt;
+ ssl_certificate_key {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.key;
+
server_name chainrpc.{{ environments[env].domain }};
location / {
- proxy_pass http://localhost:8545;
+ proxy_pass http://{{ nomad_server_ip }}:8545;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+
+ ssl_certificate {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.crt;
+ ssl_certificate_key {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.key;
+
+ server_name faucet.{{ environments[env].domain }};
+
+ location / {
+ proxy_pass http://{{ nomad_server_ip }}:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+
+ ssl_certificate {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.crt;
+ ssl_certificate_key {{ certificates_dir }}/{{ env }}.{{ environments[env].domain }}.key;
+
+ server_name contracts.{{ environments[env].domain }};
+
+ location / {
+ rewrite ^/contracts.json$ /contracts.json break;
+ proxy_pass http://{{ nomad_server_ip }}:1010/contracts.json;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/infrastructure/nomad/playbooks/variables/common.yml b/infrastructure/nomad/playbooks/variables/common.yml
index c8fcd4f0c..50ab9b2b4 100644
--- a/infrastructure/nomad/playbooks/variables/common.yml
+++ b/infrastructure/nomad/playbooks/variables/common.yml
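Review bot: In the `contracts.` server block, `rewrite ^/contracts.json$ /contracts.json break;` only works as intended because a matching rewrite marks the URI as changed, which makes nginx ignore the URI part of the following `proxy_pass`; any other request path skips the rewrite, has its matched `/` prefix replaced, and is forwarded upstream as `/contracts.json<rest>` (for example `/foo` becomes `/contracts.jsonfoo`), so the block does not limit what is exposed, it only obscures it. Stating the single path directly — `location = /contracts.json { proxy_pass http://{{ nomad_server_ip }}:1010; ... }` with the existing `proxy_set_header` lines — lets nginx answer 404 for everything else and removes the rewrite trick, which otherwise deserves a comment explaining why it is there. Separately, the chainrpc, faucet and contracts upstreams are now reached over plain HTTP at `{{ nomad_server_ip }}` instead of `localhost`, so that hop leaves the host unless the address resolves locally; confirm it stays on a private segment. The enclosing `server` block for chainrpc starts above this hunk and the contracts block continues below it.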
@@ -2,7 +2,7 @@ openssl_dir: "/etc/ssl"
private_keys_dir: "{{ openssl_dir }}/private"
certificates_dir: "{{ openssl_dir }}/certs"
ca_certificates_dir: "/usr/local/share/ca-certificates"
-server_common_name: "mev-commit_{{ env }}.mev-commit.primev.xyz"
+server_common_name: "mev-commit_{{ env }}.{{ environments[env].domain }}"
tls_crt_file: "{{ certificates_dir }}/{{ server_common_name }}.crt"
tls_key_file: "{{ private_keys_dir }}/{{ server_common_name }}.key"
tls_ca_crt_file: "{{ ca_certificates_dir }}/ca-{{ server_common_name }}.crt"
diff --git a/infrastructure/nomad/playbooks/variables/environments.yml b/infrastructure/nomad/playbooks/variables/environments.yml
index 37597004d..a6e1adc33 100644
--- a/infrastructure/nomad/playbooks/variables/environments.yml
+++ b/infrastructure/nomad/playbooks/variables/environments.yml
@@ -4,6 +4,7 @@ environments:
profile: "{{ profile }}"
version: "{{ version }}"
secrets: generate
+ domain: localhost
testenv:
chain_id: 17864
profile: "{{ profile }}"