fix: move primary_datacenter to region/role

- set syd1 as primary consul datacentre
- add consul.service.consul zone
- add nginx reverse proxy for consul webui
- set dns zones/acls/views/keys to be deep merged from hiera
- update default token
- add consul/consul.service.consul/consul.main.unkin.net to vault cert
This commit is contained in:
2024-04-25 00:07:51 +10:00
parent f863d6f6bb
commit a7e9f1590e
10 changed files with 276 additions and 41 deletions
+54 -37
View File
@@ -2,6 +2,7 @@
profiles::dns::resolver::acls:
acl-main.unkin.net:
addresses:
- 10.10.8.1/32
- 198.18.21.160/27
- 198.18.21.192/27
- 198.18.13.0/24
@@ -11,53 +12,62 @@ profiles::dns::resolver::acls:
- 198.18.17.0/24
profiles::dns::resolver::zones:
main.unkin.net-forward:
domain: 'main.unkin.net'
8.10.10.in-addr.arpa-forward:
domain: '8.10.10.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
- 10.10.16.32
- 10.10.16.33
forward: 'only'
16.10.10.in-addr.arpa-forward:
domain: '16.10.10.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
20.10.10.in-addr.arpa-forward:
domain: '20.10.10.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
unkin.net-forward:
domain: 'unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
dmz.unkin.net-forward:
domain: 'dmz.unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
network.unkin.net-forward:
domain: 'network.unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.16.32
- 10.10.16.33
forward: 'only'
prod.unkin.net-forward:
domain: 'prod.unkin.net'
zone_type: 'forward'
forwarders:
- 10.10.8.1
- 10.10.16.32
- 10.10.16.33
forward: 'only'
13.18.198.in-addr.arpa-forward:
domain: '13.18.198.in-addr.arpa'
consul.service.consul-forward:
domain: 'consul.service.consul'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
14.18.198.in-addr.arpa-forward:
domain: '14.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
15.18.198.in-addr.arpa-forward:
domain: '15.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
16.18.198.in-addr.arpa-forward:
domain: '16.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
forward: 'only'
17.18.198.in-addr.arpa-forward:
domain: '17.18.198.in-addr.arpa'
zone_type: 'forward'
forwarders:
- 198.18.17.23
- 198.18.17.24
- 198.18.13.19
- 198.18.13.20
- 198.18.13.21
forward: 'only'
profiles::dns::resolver::views:
@@ -65,11 +75,18 @@ profiles::dns::resolver::views:
recursion: true
zones:
- main.unkin.net-forward
- unkin.net-forward
- dmz.unkin.net-forward
- network.unkin.net-forward
- prod.unkin.net-forward
- consul.service.consul-forward
- 13.18.198.in-addr.arpa-forward
- 14.18.198.in-addr.arpa-forward
- 15.18.198.in-addr.arpa-forward
- 16.18.198.in-addr.arpa-forward
- 17.18.198.in-addr.arpa-forward
- 8.10.10.in-addr.arpa-forward
- 16.10.10.in-addr.arpa-forward
- 20.10.10.in-addr.arpa-forward
match_clients:
- acl-main.unkin.net
+6 -1
View File
@@ -1,7 +1,6 @@
---
profiles::consul::server::members_lookup: true
profiles::consul::server::data_dir: /data/consul
profiles::consul::server::primary_datacenter: 'au-drw1'
profiles::consul::server::addresses:
dns: "%{::networking.ip}"
http: "%{::networking.ip}"
@@ -19,3 +18,9 @@ profiles::consul::server::acl:
tokens:
initial_management: "%{alias('profiles::consul::server::acl_tokens_initial_management')}"
default: "%{alias('profiles::consul::server::acl_tokens_default')}"
# additional altnames
profiles::pki::vault::alt_names:
- consul.main.unkin.net
- consul.service.consul
- consul