Fix cockpit instance

containers/traefik/templates/conf/cockpit.yml.j2

@@ -5,6 +5,7 @@ http:
       entryPoints: https
       middlewares:
         - force-trailing-slash
+        - drop-xforwarded-proto
       service: cockpit
       tls:
         certresolver: wildcard
@@ -14,9 +15,18 @@ http:
       stripPrefix:
         prefixes:
           - "/cockpit"
+    drop-xforwarded-proto:
+      headers:
+        customrequestheaders:
+          X-Forwarded-Proto: ""
 
   services:
     cockpit:
       loadBalancer:
+        serversTransport: nocertverify
         servers:
-          - url: "http://127.0.0.1:9090"
+          - url: "https://{{ vault_domain }}:9090"
+
+  serversTransports:
+    nocertverify:
+      insecureSkipVerify: true

roles/cockpit/tasks/main.yml

@@ -30,6 +30,15 @@
     group: root
     mode: 0644
 
+- name: Permit traffic from any IP to cockpit socket
+  become: true
+  community.general.ufw:
+    direction: in
+    from_ip: any
+    proto: tcp
+    to_port: 9090
+    rule: allow
+
 # - name: Reboot
 #   become: true
 #   ansible.builtin.reboot:

roles/cockpit/templates/cockpit.conf.j2

@@ -1,4 +1,3 @@
 [WebService]
-Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://{{ ansible_host }} ws://{{ ansible_host }} https://{{ ansible_host }} wss://{{ ansible_host }}
+Origins = http://{{ inventory_hostname }} ws://{{ inventory_hostname }} https://{{ inventory_hostname }} wss://{{ inventory_hostname }} http://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 ws://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 https://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090 wss://{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}:9090
 ProtocolHeader = X-Forwarded-Proto
-AllowUnencrypted=true