feat: deploy ldap-auth to all *arrs

- refactor sonarr locations to generalised locations
- set locations to be deep merged
- updated hiera_include statements for media and media subroles
- added eyaml entries for all ldap credentials
This commit is contained in:
2024-07-06 22:50:10 +10:00
parent 8b01ddba9c
commit 2ab2cd1399
12 changed files with 115 additions and 89 deletions
-76
View File
@@ -1,7 +1,6 @@
---
hiera_include:
- sonarr
- profiles::nginx::simpleproxy
- profiles::nginx::ldapauth
# manage sonarr
@@ -31,84 +30,9 @@ profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net)'
profiles::nginx::simpleproxy::locations:
# authentication proxy
authproxy:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
internal: true
location: '= /auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
proxy_set_header:
- 'Content-Length ""'
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
- 'X-Ldap-Starttls "false"'
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
- 'X-CookieName "nginxauth"'
- 'Cookie nginxauth=$cookie_nginxauth'
- "X-Ldap-Template %{lookup('ldap_template')}"
- 'X-Ldap-Realm "Restricted"'
proxy_cache: 'cache'
proxy_cache_valid: '200 10m'
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
location_cfg_append:
proxy_pass_request_body: 'off'
# sonarr health checks by consul
sonarr_web_consul:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/consul/health'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
location_allow:
- 127.0.0.1
- "%{facts.networking.ip}"
location_deny:
- all
# authorised sonarr access from external
sonarr_web_external:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '/'
auth_request: '/auth-proxy'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
proxy_set_header:
- 'Host $host'
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
- 'X-Forwarded-Host $host'
- 'X-Forwarded-Proto $scheme'
- 'Upgrade $http_upgrade'
- 'Connection $http_connection'
proxy_redirect: 'off'
proxy_http_version: '1.1'
# location for sonarr api, which should be accessible without authentication
sonarr_api:
ensure: 'present'
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
ssl_only: true
location: '~ /api'
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
location_cfg_append:
client_max_body_size: '10m'
# configure consul service
consul::services:
sonarr: