From e5a20758490096e9da702fd877c707be8cb4f29c Mon Sep 17 00:00:00 2001
From: Francesco Antognazza
Date: Wed, 15 Feb 2023 14:01:28 +0100
Subject: [PATCH] Fix cockpit instance

---
 containers/traefik/templates/conf/cockpit.yml.j2 | 12 +++++++++++-
 roles/cockpit/tasks/main.yml | 9 +++++++++
 roles/cockpit/templates/cockpit.conf.j2 | 3 +--
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/containers/traefik/templates/conf/cockpit.yml.j2 b/containers/traefik/templates/conf/cockpit.yml.j2
index 0ab8880..2c483a9 100644
--- a/containers/traefik/templates/conf/cockpit.yml.j2
+++ b/containers/traefik/templates/conf/cockpit.yml.j2
@@ -5,6 +5,7 @@ http:
 entryPoints: https
 middlewares:
 - force-trailing-slash
+ - drop-xforwarded-proto
 service: cockpit
 tls:
 certresolver: wildcard
@@ -14,9 +15,18 @@ http:
 stripPrefix:
 prefixes:
 - "/cockpit"
+ drop-xforwarded-proto:
+ headers:
+ customrequestheaders:
+ X-Forwarded-Proto: ""
 
 services:
 cockpit:
 loadBalancer:
+ serversTransport: nocertverify
 servers:
- - url: "http://127.0.0.1:9090"
+ - url: "https://{{ vault_domain }}:9090"
+
+ serversTransports:
+ nocertverify:
+ insecureSkipVerify: true
\ No newline at end of file
diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml
index 052f5d0..4abaaa8 100644
--- a/roles/cockpit/tasks/main.yml
+++ b/roles/cockpit/tasks/main.yml
@@ -30,6 +30,15 @@
 group: root
 mode: 0644
 
+- name: Permit traffic from any IP to cockpit socket
+ become: true
+ community.general.ufw:
+ direction: in
+ from_ip: any
+ proto: tcp
+ to_port: 9090
+ rule: allow
+
 # - name: Reboot
 # become: true
 # ansible.builtin.reboot:
diff --git a/roles/cockpit/templates/cockpit.conf.j2 b/roles/cockpit/templates/cockpit.conf.j2
index c42dc90..01409e5 100644
--- a/roles/cockpit/templates/cockpit.conf.j2
+++ b/roles/cockpit/templates/cockpit.conf.j2
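Review bot: The `nocertverify` transport in containers/traefik/templates/conf/cockpit.yml.j2 (second hunk) sets `insecureSkipVerify: true` in the same change that moves the backend from `http://127.0.0.1:9090` to `https://{{ vault_domain }}:9090`, so Traefik now resolves a name and accepts whatever certificate answers there. The Cockpit login and session then cross a hop that is encrypted but not authenticated, and anything able to influence name resolution or sit on that path can present its own certificate. If the proxy can still reach Cockpit on loopback, keep the loopback address; otherwise pin the backend by replacing the flag with `serverName: "{{ vault_domain }}"` and `rootCAs: ["<path to the CA that issued Cockpit's certificate>"]`. The first hunk only wires the new `drop-xforwarded-proto` middleware into the router and needs no separate change.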
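Review bot: The new ufw task in roles/cockpit/tasks/main.yml uses `from_ip: any`, which opens Cockpit's port 9090 to every source rather than only to the Traefik proxy that fronts it. Clients can then reach the administrative login directly, without passing through the router's TLS configuration and middlewares defined in cockpit.yml.j2. If the rule exists only so that Traefik can reach the host, narrow it to the proxy's address or network, for example `from_ip: "<Traefik container subnet CIDR>"`. The module documents `to_port` as a string, so `to_port: "9090"` is the safer spelling.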
@@ -1,4 +1,3 @@
 [WebService]
-Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://{{ ansible_host }} ws://{{ ansible_host }} https://{{ ansible_host }} wss://{{ ansible_host }}
+Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 ws://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 https://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 wss://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090
 ProtocolHeader = X-Forwarded-Proto
-AllowUnencrypted=true
\ No newline at end of file
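Review bot: The rewritten `Origins` line in roles/cockpit/templates/cockpit.conf.j2 still lists `http://` and `ws://` origins for both the hostname and the default IPv4 address, even though this commit removes `AllowUnencrypted=true` and the proxy now speaks HTTPS to the backend. A plaintext origin is one whose content an on-path party can alter, so accepting it weakens the cross-origin check that `Origins` is meant to enforce; keep only the `https://` and `wss://` entries. `ProtocolHeader = X-Forwarded-Proto` is left in place although the Traefik middleware added in this patch blanks that header, so it appears to be honoured only for clients that connect to port 9090 directly, and removing it is worth considering. The template now reads `ansible_default_ipv4`, which requires facts to have been gathered for the host.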