feat: add nzbget to media platform

- add haproxy rules - generate/distribute letsencrypt certificates - manage access to cephfs
2024-07-09 22:32:54 +10:00 · 2024-07-09 22:32:54 +10:00 · 1532641640
commit 1532641640
parent abb4a47703
4 changed files with 24 additions and 0 deletions
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@ -11,6 +11,7 @@ profiles::haproxy::mappings:
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
  fe_https:
@ -23,6 +24,7 @@ profiles::haproxy::mappings:
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
@ -40,6 +42,7 @@ profiles::haproxy::frontends:
        - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
        - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
        - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
        - 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
@ -54,6 +57,7 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_lidarr'
        - 'set-header X-Frame-Options DENY if acl_readarr'
        - 'set-header X-Frame-Options DENY if acl_prowlarr'
        - 'set-header X-Frame-Options DENY if acl_nzbget'
        - 'set-header X-Frame-Options DENY if acl_jellyfin'
        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Content-Type-Options nosniff'
@ -171,6 +175,22 @@ profiles::haproxy::backends:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_nzbget:
    description: Backend for au-syd1 nzbget
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_jellyfin:
    description: Backend for au-syd1 jellyfin
    collect_exported: false # handled in custom function
@ -197,6 +217,7 @@ profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/vault/certificate.pem
@ -220,4 +241,5 @@ certbot::client::domains:
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - fafflix.unkin.net
--- a/hieradata/roles/apps/media/nzbget.yaml
+++ b/hieradata/roles/apps/media/nzbget.yaml
@ -2,6 +2,7 @@
 hiera_include:
  - nzbget
  - profiles::media::nzbget
  - profiles::nginx::ldapauth
 # manage nzbget
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -11,4 +11,5 @@ certbot::domains:
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - fafflix.unkin.net
--- a/site/profiles/manifests/media/nzbget.pp
+++ b/site/profiles/manifests/media/nzbget.pp