ansible-ffibk/roles/service-prometheus/templates/prometheus_vhost.conf.j2

server {
    listen 80;
    listen [::]:80;
    server_name {{ prometheus_url_external }} {{ prometheus_url_internal }};

    include /etc/nginx/snippets/redirect-to-ssl.conf;
    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {{ prometheus_url_external }} {{ prometheus_url_internal }};

    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;

    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

    satisfy  any;

    allow 127.0.0.0/8;
    allow ::1/128;
    allow {{ lookup('dig', inventory_hostname, 'qtype=A') }};
    allow {{ lookup('dig', inventory_hostname, 'qtype=AAAA') }};

    location /alertmanager {
      proxy_pass http://127.0.0.1:9093;
      auth_basic "Prometheus";
      auth_basic_user_file /etc/nginx/htpasswd_prometheus;
    }

    location / {
      proxy_pass http://127.0.0.1:9090;
      auth_basic "Prometheus";
      auth_basic_user_file /etc/nginx/htpasswd_prometheus;
    }
}