feat: manage haproxy for stalwart (#420)
- add frontends for imap, imaps and smtp - add backends for webadmin, imap, imaps and smtp Reviewed-on: #420
This commit was merged in pull request #420.
This commit is contained in:
@@ -11,6 +11,12 @@ profiles::haproxy::dns::vrrp_cnames:
|
||||
- fafflix.unkin.net
|
||||
- grafana.unkin.net
|
||||
- dashboard.ceph.unkin.net
|
||||
- mail-webadmin.main.unkin.net
|
||||
- mail-in.main.unkin.net
|
||||
- imap.main.unkin.net
|
||||
- imaps.main.unkin.net
|
||||
- autoconfig.main.unkin.net.
|
||||
- autodiscover.main.unkin.net.
|
||||
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
@@ -29,6 +35,9 @@ profiles::haproxy::mappings:
|
||||
- 'git.unkin.net be_gitea'
|
||||
- 'grafana.unkin.net be_grafana'
|
||||
- 'dashboard.ceph.unkin.net be_ceph_dashboard'
|
||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
@@ -45,6 +54,9 @@ profiles::haproxy::mappings:
|
||||
- 'git.unkin.net be_gitea'
|
||||
- 'grafana.unkin.net be_grafana'
|
||||
- 'dashboard.ceph.unkin.net be_ceph_dashboard'
|
||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
@@ -66,6 +78,9 @@ profiles::haproxy::frontends:
|
||||
- 'acl_gitea req.hdr(host) -i git.unkin.net'
|
||||
- 'acl_grafana req.hdr(host) -i grafana.unkin.net'
|
||||
- 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
|
||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||
use_backend:
|
||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||
@@ -84,6 +99,7 @@ profiles::haproxy::frontends:
|
||||
- 'set-header X-Frame-Options DENY if acl_gitea'
|
||||
- 'set-header X-Frame-Options DENY if acl_grafana'
|
||||
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
|
||||
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
|
||||
- 'set-header X-Content-Type-Options nosniff'
|
||||
- 'set-header X-XSS-Protection 1;mode=block'
|
||||
|
||||
@@ -286,7 +302,69 @@ profiles::haproxy::backends:
|
||||
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
be_stalwart_webadmin:
|
||||
description: Backend for Stalwart Webadmin
|
||||
collect_exported: false # handled in custom function
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk GET /
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
cookie: SRVNAME insert indirect nocache
|
||||
http-reuse: always
|
||||
http-check:
|
||||
- expect status 200
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
be_stalwart_imap:
|
||||
description: Backend for Stalwart IMAP (STARTTLS)
|
||||
collect_exported: false
|
||||
options:
|
||||
mode: tcp
|
||||
balance: roundrobin
|
||||
option:
|
||||
- tcp-check
|
||||
- prefer-last-server
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
stick: 'on src'
|
||||
tcp-check:
|
||||
- connect port 143
|
||||
- expect string "* OK"
|
||||
- send "A001 STARTTLS\r\n"
|
||||
- expect rstring "A001 (OK|2.0.0)"
|
||||
be_stalwart_imaps:
|
||||
description: Backend for Stalwart IMAPS (implicit TLS)
|
||||
collect_exported: false
|
||||
options:
|
||||
mode: tcp
|
||||
balance: roundrobin
|
||||
option:
|
||||
- tcp-check
|
||||
- prefer-last-server
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
stick: 'on src'
|
||||
tcp-check:
|
||||
- connect ssl
|
||||
- expect string "* OK"
|
||||
be_stalwart_smtp:
|
||||
description: Backend for Stalwart SMTP
|
||||
collect_exported: false
|
||||
options:
|
||||
mode: tcp
|
||||
balance: roundrobin
|
||||
option:
|
||||
- tcp-check
|
||||
- prefer-last-server
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
stick: 'on src'
|
||||
tcp-check:
|
||||
- connect port 25
|
||||
- expect string "220 "
|
||||
|
||||
profiles::haproxy::certlist::enabled: true
|
||||
profiles::haproxy::certlist::certificates:
|
||||
@@ -309,6 +387,7 @@ profiles::pki::vault::alt_names:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
- au-syd1-pve-api.main.unkin.net
|
||||
- jellyfin.main.unkin.net
|
||||
- mail-webadmin.main.unkin.net
|
||||
|
||||
# additional cnames
|
||||
profiles::haproxy::dns::cnames:
|
||||
|
||||
Reference in New Issue
Block a user