feat: add auth.unkin.net proxying to Kubernetes Traefik ingress
Add static haproxy2 backends for syd1 Kubernetes Traefik ingress (external 198.18.199.0, internal 198.18.200.4) and route auth.unkin.net to the internal backend with Let's Encrypt cert.
@@ -1,4 +1,7 @@
|
||||
---
|
||||
haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
|
||||
haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
|
||||
|
||||
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
|
||||
profiles::haproxy::dns::vrrp_cnames:
|
||||
- sonarr.main.unkin.net
|
||||
@@ -16,6 +19,7 @@ profiles::haproxy::dns::vrrp_cnames:
|
||||
- mail.main.unkin.net
|
||||
- autoconfig.main.unkin.net
|
||||
- autodiscover.main.unkin.net
|
||||
- auth.unkin.net
|
||||
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
@@ -37,6 +41,7 @@ profiles::haproxy::mappings:
|
||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||
- 'auth.unkin.net be_k8s_kanidm'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
@@ -56,6 +61,7 @@ profiles::haproxy::mappings:
|
||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||
- 'auth.unkin.net be_k8s_kanidm'
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
@@ -80,6 +86,7 @@ profiles::haproxy::frontends:
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
|
||||
- 'acl_kanidm req.hdr(host) -i auth.unkin.net'
|
||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||
use_backend:
|
||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||
@@ -99,6 +106,7 @@ profiles::haproxy::frontends:
|
||||
- 'set-header X-Frame-Options DENY if acl_grafana'
|
||||
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
|
||||
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
|
||||
- 'set-header X-Frame-Options DENY if acl_kanidm'
|
||||
- 'set-header X-Content-Type-Options nosniff'
|
||||
- 'set-header X-XSS-Protection 1;mode=block'
|
||||
|
||||
@@ -320,6 +328,26 @@ profiles::haproxy::backends:
|
||||
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
be_k8s_kanidm:
|
||||
description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
|
||||
collect_exported: false
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
http-check:
|
||||
- 'connect ssl sni auth.unkin.net'
|
||||
- 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
|
||||
- 'expect status 200'
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
|
||||
be_stalwart_imap:
|
||||
description: Backend for Stalwart IMAP (STARTTLS)
|
||||
collect_exported: false
|
||||
@@ -393,6 +421,7 @@ profiles::haproxy::certlist::certificates:
|
||||
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/vault/certificate.pem
|
||||
|
||||
# additional altnames
|
||||
@@ -422,3 +451,4 @@ certbot::client::domains:
|
||||
- git.unkin.net
|
||||
- grafana.unkin.net
|
||||
- dashboard.ceph.unkin.net
|
||||
- auth.unkin.net
|
||||
|
||||
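Review bot: Both server strings added at the top of the first file (`haproxy_server_k8s_syd1_traefik_internal` and `haproxy_server_k8s_syd1_traefik_external`) use `ssl verify none`, so the HAProxy-to-Traefik hop is encrypted but the peer certificate is never checked, and `be_k8s_kanidm` sends the identity provider's traffic (presumably logins and tokens) over that hop. Prefer `ssl verify required ca-file <CA_BUNDLE_PATH>` in the shared string, where the placeholder is the bundle that issues the Traefik certificate, and append `verifyhost auth.unkin.net` to the `server:` line of `be_k8s_kanidm`. If verification has to stay off, a YAML comment above the two strings should say why and which network controls stand in for it. In the same backend, `add-header X-Forwarded-Proto https if { dst_port 443 }` appends to whatever value the client sent; `set-header X-Forwarded-Proto https if { dst_port 443 }` would replace it, which matters if Kanidm or Traefik trusts that header.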
@@ -16,3 +16,4 @@ certbot::domains:
|
||||
- git.unkin.net
|
||||
- grafana.unkin.net
|
||||
- dashboard.ceph.unkin.net
|
||||
- auth.unkin.net
|
||||
|
||||