From d07751a1514c1b377572724a4c05b0365df84003 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 28 Jun 2024 22:46:50 +1000 Subject: [PATCH] feat: haproxy for *arr stack - add additional backends - set *arr's to export as a backend - add *arr.main.unkin.net certificates --- .../au/region/syd1/infra/halb/haproxy.yaml | 95 +++++++++++++++++++ site/profiles/manifests/media/lidarr.pp | 15 +++ site/profiles/manifests/media/prowlarr.pp | 15 +++ site/profiles/manifests/media/radarr.pp | 15 +++ site/profiles/manifests/media/readarr.pp | 15 +++ site/profiles/manifests/media/sonarr.pp | 15 +++ 6 files changed, 170 insertions(+) diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml index c7877aa..2bf808a 100644 --- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml @@ -6,11 +6,21 @@ profiles::haproxy::mappings: mappings: - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web' - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api' + - 'sonarr.main.unkin.net be_sonarr' + - 'radarr.main.unkin.net be_radarr' + - 'lidarr.main.unkin.net be_lidarr' + - 'readarr.main.unkin.net be_readarr' + - 'prowlarr.main.unkin.net be_prowlarr' fe_https: ensure: present mappings: - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web' - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api' + - 'sonarr.main.unkin.net be_sonarr' + - 'radarr.main.unkin.net be_radarr' + - 'lidarr.main.unkin.net be_lidarr' + - 'readarr.main.unkin.net be_readarr' + - 'prowlarr.main.unkin.net be_prowlarr' profiles::haproxy::frontends: fe_http: 
@@ -63,6 +73,86 @@ profiles::haproxy::backends: - set-header X-Forwarded-Port %[dst_port] - add-header X-Forwarded-Proto https if { dst_port 443 } redirect: 'scheme https if !{ ssl_fc }' + be_sonarr: + description: Backend for au-syd1 sonarr + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + - http-keep-alive + - prefer-last-server + cookie: SRVNAME insert indirect nocache + http-reuse: always + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' + be_radarr: + description: Backend for au-syd1 radarr + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + - http-keep-alive + - prefer-last-server + cookie: SRVNAME insert indirect nocache + http-reuse: always + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' + be_lidarr: + description: Backend for au-syd1 lidarr + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + - http-keep-alive + - prefer-last-server + cookie: SRVNAME insert indirect nocache + http-reuse: always + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' + be_readarr: + description: Backend for au-syd1 readarr + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + - http-keep-alive + - prefer-last-server + cookie: SRVNAME insert indirect nocache + http-reuse: always + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc 
}' + be_prowlarr: + description: Backend for au-syd1 prowlarr + collect_exported: false # handled in custom function + options: + balance: roundrobin + option: + - httpchk GET / + - forwardfor + - http-keep-alive + - prefer-last-server + cookie: SRVNAME insert indirect nocache + http-reuse: always + http-request: + - set-header X-Forwarded-Port %[dst_port] + - add-header X-Forwarded-Proto https if { dst_port 443 } + redirect: 'scheme https if !{ ssl_fc }' profiles::haproxy::certlist::enabled: true profiles::haproxy::certlist::certificates: @@ -72,6 +162,11 @@ profiles::haproxy::certlist::certificates: profiles::pki::vault::alt_names: - au-syd1-pve.main.unkin.net - au-syd1-pve-api.main.unkin.net + - sonarr.main.unkin.net + - radarr.main.unkin.net + - lidarr.main.unkin.net + - readarr.main.unkin.net + - prowlarr.main.unkin.net # additional cnames profiles::haproxy::dns::cnames: diff --git a/site/profiles/manifests/media/lidarr.pp b/site/profiles/manifests/media/lidarr.pp index 953b132..6c6a0b9 100644 --- a/site/profiles/manifests/media/lidarr.pp +++ b/site/profiles/manifests/media/lidarr.pp @@ -13,4 +13,19 @@ class profiles::media::lidarr ( cephfs_fs => 'mediafs', require => Profiles::Ceph::Keyring['media'], } + + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443": + service => 'be_lidarr', + ports => [443], + options => [ + "cookie ${facts['networking']['hostname']}", + 'ssl', + 'verify none', + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } } diff --git a/site/profiles/manifests/media/prowlarr.pp b/site/profiles/manifests/media/prowlarr.pp index 6f80fbe..87d266d 100644 --- a/site/profiles/manifests/media/prowlarr.pp +++ b/site/profiles/manifests/media/prowlarr.pp 
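Review bot: The persistence cookie in each new backend, `cookie: SRVNAME insert indirect nocache` (be_sonarr through be_prowlarr), is issued without the `secure` and `httponly` attributes, even though the same backend redirects every non-TLS request to https. I would write `cookie: SRVNAME insert indirect nocache httponly secure`, so the cookie is never sent over plain HTTP and cannot be read from script. Separately, `add-header X-Forwarded-Proto https if { dst_port 443 }` appends to any X-Forwarded-Proto the client already sent rather than replacing it. `set-header X-Forwarded-Proto https if { dst_port 443 }` leaves the application with a single value set by the proxy. The existing backend visible in the context lines uses the same `add-header` form, so it may be worth changing there too.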
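Review bot: In the lidarr.pp hunk the server options pair `'ssl'` with `'verify none'`, so HAProxy encrypts the hop to port 443 but accepts whatever certificate the member presents; the backend is not authenticated. The configuration appears to issue certificates from an internal PKI already (the `profiles::pki::vault::alt_names` key in haproxy.yaml), so I would replace that entry with `'verify required'` and `'ca-file <PATH_TO_INTERNAL_CA_BUNDLE>'` (placeholder; the real path is not shown on this page). The same two options are added in the prowlarr.pp, radarr.pp, readarr.pp and sonarr.pp hunks. If verification has to stay off for now, a comment above the resource such as `# TODO: backend certificate is not verified, see <TICKET>` would record that as a deliberate decision. The class body starts outside the hunk.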
@@ -13,4 +13,19 @@ class profiles::media::prowlarr (
 cephfs_fs => 'mediafs',
 require => Profiles::Ceph::Keyring['media'],
 }
+
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+ service => 'be_prowlarr',
+ ports => [443],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'ssl',
+ 'verify none',
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+ }
 }
diff --git a/site/profiles/manifests/media/radarr.pp b/site/profiles/manifests/media/radarr.pp
index 3b7aa67..c28560f 100644
--- a/site/profiles/manifests/media/radarr.pp
+++ b/site/profiles/manifests/media/radarr.pp
@@ -13,4 +13,19 @@ class profiles::media::radarr (
 cephfs_fs => 'mediafs',
 require => Profiles::Ceph::Keyring['media'],
 }
+
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+ service => 'be_radarr',
+ ports => [443],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'ssl',
+ 'verify none',
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+ }
 }
diff --git a/site/profiles/manifests/media/readarr.pp b/site/profiles/manifests/media/readarr.pp
index f2bf24f..a788855 100644
--- a/site/profiles/manifests/media/readarr.pp
+++ b/site/profiles/manifests/media/readarr.pp
@@ -13,4 +13,19 @@ class profiles::media::readarr (
 cephfs_fs => 'mediafs',
 require => Profiles::Ceph::Keyring['media'],
 }
+
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+ service => 'be_readarr',
+ ports => [443],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'ssl',
+ 'verify none',
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+ }
 }
diff --git a/site/profiles/manifests/media/sonarr.pp b/site/profiles/manifests/media/sonarr.pp
index 1eaa82a..2c271bc 100644
--- a/site/profiles/manifests/media/sonarr.pp
+++ b/site/profiles/manifests/media/sonarr.pp
@@ -13,4 +13,19 @@ class profiles::media::sonarr (
 cephfs_fs => 'mediafs',
 require => Profiles::Ceph::Keyring['media'],
 }
+
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
+ service => 'be_sonarr',
+ ports => [443],
+ options => [
+ "cookie ${facts['networking']['hostname']}",
+ 'ssl',
+ 'verify none',
+ 'check',
+ 'inter 2s',
+ 'rise 3',
+ 'fall 2',
+ ]
+ }
 }
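Review bot: The resource title `"${facts['networking']['fqdn']}_443"` is identical in all five manifests (lidarr.pp, prowlarr.pp, radarr.pp, readarr.pp and this one), so a node that includes two of these classes would declare the same `profiles::haproxy::balancemember` twice and the catalog would fail with a duplicate declaration. Putting the service in the title avoids that, e.g. `profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_sonarr_443":`. Whether the define reuses its title as the HAProxy server name is not visible here, so check that before renaming. As a style point, the closing `]` of `options` lacks the trailing comma the other attributes carry. The class body starts outside the hunk.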