feat: add external grafana access
All checks were successful
Build / precommit (pull_request) Successful in 4m56s
All checks were successful
Build / precommit (pull_request) Successful in 4m56s
- enable access to grafana through haproxy - ensure grafana cert created from letsencrypt - enable user access to grafana
This commit is contained in:
parent
7fbb87b4b6
commit
1e44577045
@ -9,6 +9,7 @@ profiles::haproxy::dns::vrrp_cnames:
|
||||
- nzbget.main.unkin.net
|
||||
- git.unkin.net
|
||||
- fafflix.unkin.net
|
||||
- grafana.unkin.net
|
||||
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
@ -25,6 +26,7 @@ profiles::haproxy::mappings:
|
||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
||||
- 'fafflix.unkin.net be_jellyfin'
|
||||
- 'git.unkin.net be_gitea'
|
||||
- 'grafana.unkin.net be_grafana'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
@ -39,6 +41,7 @@ profiles::haproxy::mappings:
|
||||
- 'jellyfin.main.unkin.net be_jellyfin'
|
||||
- 'fafflix.unkin.net be_jellyfin'
|
||||
- 'git.unkin.net be_gitea'
|
||||
- 'grafana.unkin.net be_grafana'
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
@ -58,6 +61,7 @@ profiles::haproxy::frontends:
|
||||
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
|
||||
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
|
||||
- 'acl_gitea req.hdr(host) -i git.unkin.net'
|
||||
- 'acl_grafana req.hdr(host) -i grafana.unkin.net'
|
||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||
use_backend:
|
||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||
@ -74,6 +78,7 @@ profiles::haproxy::frontends:
|
||||
- 'set-header X-Frame-Options DENY if acl_jellyfin'
|
||||
- 'set-header X-Frame-Options DENY if acl_fafflix'
|
||||
- 'set-header X-Frame-Options DENY if acl_gitea'
|
||||
- 'set-header X-Frame-Options DENY if acl_grafana'
|
||||
- 'set-header X-Content-Type-Options nosniff'
|
||||
- 'set-header X-XSS-Protection 1;mode=block'
|
||||
|
||||
@ -239,6 +244,24 @@ profiles::haproxy::backends:
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
stick: 'on src'
|
||||
be_grafana:
|
||||
description: Backend for grafana nodes
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
stick: 'on src'
|
||||
|
||||
profiles::haproxy::certlist::enabled: true
|
||||
profiles::haproxy::certlist::certificates:
|
||||
@ -252,6 +275,7 @@ profiles::haproxy::certlist::certificates:
|
||||
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/vault/certificate.pem
|
||||
|
||||
# additional altnames
|
||||
@ -278,3 +302,4 @@ certbot::client::domains:
|
||||
- nzbget.main.unkin.net
|
||||
- fafflix.unkin.net
|
||||
- git.unkin.net
|
||||
- grafana.unkin.net
|
||||
|
||||
@ -104,6 +104,7 @@ glauth::users:
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20027 # grafana user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/seablo'
|
||||
passsha256: '2db12484b2b5fdae7f3a1f9f870143c363af14bf2c31a415a9a7afcb02520df2'
|
||||
@ -121,6 +122,7 @@ glauth::users:
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20027 # grafana user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/marbal'
|
||||
passsha256: 'cc20cee6269b9970a76549c66b51d0c543352796180d4122260a47f0f7a442a9'
|
||||
@ -138,6 +140,7 @@ glauth::users:
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20027 # grafana user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/kelren'
|
||||
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
||||
@ -155,6 +158,7 @@ glauth::users:
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20027 # grafana user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/ryadun'
|
||||
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
||||
@ -172,6 +176,7 @@ glauth::users:
|
||||
- 20013 # lidarr
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20027 # grafana user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/margol'
|
||||
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
|
||||
@ -190,6 +195,7 @@ glauth::users:
|
||||
- 20014 # readarr
|
||||
- 20016 # nzbget
|
||||
- 20026 # jupyterhub_user
|
||||
- 20027 # grafana user
|
||||
loginshell: '/bin/bash'
|
||||
homedir: '/home/sudobo'
|
||||
passsha256: 'a326e049c2a615226877946220a978a0a8247c569be1adcd73539b09b14136d0'
|
||||
|
||||
@ -14,13 +14,13 @@ profiles::metrics::grafana::pgsql_backend: true
|
||||
|
||||
# additional altnames
|
||||
profiles::pki::vault::alt_names:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
profiles::ssh::sign::principals:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
|
||||
@ -47,7 +47,7 @@ profiles::consul::client::node_rules:
|
||||
# manage a simple nginx reverse proxy
|
||||
profiles::nginx::simpleproxy::nginx_vhost: 'grafana.query.consul'
|
||||
profiles::nginx::simpleproxy::nginx_aliases:
|
||||
- grafana.main.unkin.net
|
||||
- grafana.unkin.net
|
||||
- grafana.service.consul
|
||||
- grafana.query.consul
|
||||
- "grafana.service.%{facts.country}-%{facts.region}.consul"
|
||||
|
||||
@ -14,3 +14,4 @@ certbot::domains:
|
||||
- nzbget.main.unkin.net
|
||||
- fafflix.unkin.net
|
||||
- git.unkin.net
|
||||
- grafana.unkin.net
|
||||
|
||||
@ -116,4 +116,19 @@ class profiles::metrics::grafana (
|
||||
require => Package['grafana'],
|
||||
before => Service['grafana'],
|
||||
}
|
||||
|
||||
# export haproxy balancemember
|
||||
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
|
||||
service => 'be_grafana',
|
||||
ports => [443],
|
||||
options => [
|
||||
"cookie ${facts['networking']['hostname']}",
|
||||
'ssl',
|
||||
'verify none',
|
||||
'check',
|
||||
'inter 2s',
|
||||
'rise 3',
|
||||
'fall 2',
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user