feat: add auth.unkin.net proxying to Kubernetes Traefik ingress (#467)
Add static haproxy2 backends for syd1 Kubernetes Traefik ingress (external 198.18.199.0, internal 198.18.200.4) and route auth.unkin.net to the internal backend with Let's Encrypt cert. Reviewed-on: #467
This commit was merged in pull request #467.
@@ -1,4 +1,7 @@
|
||||
---
|
||||
haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
|
||||
haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
|
||||
|
||||
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
|
||||
profiles::haproxy::dns::vrrp_cnames:
|
||||
- sonarr.main.unkin.net
|
||||
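Review bot: Both new haproxy_server_k8s_syd1_traefik_* strings carry `ssl verify none`, so HAProxy will accept whatever certificate is presented at 198.18.200.4:443 / 198.18.199.0:443, and the `sni str(auth.unkin.net)` added to the be_k8s_kanidm server line in the profiles::haproxy::backends hunk only selects the name, it does not turn verification on. For the backend that fronts the identity provider this means a host on the internal range that can answer for that address would be able to terminate the session without HAProxy noticing; the defensive form is `ssl verify required ca-file <PATH-TO-INGRESS-CA> sni str(auth.unkin.net)` in the server string, with the CA (or Let's Encrypt chain, if Traefik serves the same certificate) that issues the ingress certificate. If verification really cannot be done for the external backend, a comment on that line stating why would stop the setting being copied to further backends. The haproxy_server_k8s_syd1_traefik_external value is defined but no backend in this commit references it; if it is reserved for later use, say so in a comment so it is not removed as dead config.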
@@ -16,6 +19,7 @@ profiles::haproxy::dns::vrrp_cnames:
|
||||
- mail.main.unkin.net
|
||||
- autoconfig.main.unkin.net
|
||||
- autodiscover.main.unkin.net
|
||||
- auth.unkin.net
|
||||
|
||||
profiles::haproxy::mappings:
|
||||
fe_http:
|
||||
@@ -37,6 +41,7 @@ profiles::haproxy::mappings:
|
||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||
- 'auth.unkin.net be_k8s_kanidm'
|
||||
fe_https:
|
||||
ensure: present
|
||||
mappings:
|
||||
@@ -56,6 +61,7 @@ profiles::haproxy::mappings:
|
||||
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autoconfig.main.unkin.net be_stalwart_webadmin'
|
||||
- 'autodiscovery.main.unkin.net be_stalwart_webadmin'
|
||||
- 'auth.unkin.net be_k8s_kanidm'
|
||||
|
||||
profiles::haproxy::frontends:
|
||||
fe_http:
|
||||
@@ -80,6 +86,7 @@ profiles::haproxy::frontends:
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
|
||||
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
|
||||
- 'acl_kanidm req.hdr(host) -i auth.unkin.net'
|
||||
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
|
||||
use_backend:
|
||||
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
|
||||
@@ -99,6 +106,7 @@ profiles::haproxy::frontends:
|
||||
- 'set-header X-Frame-Options DENY if acl_grafana'
|
||||
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
|
||||
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
|
||||
- 'set-header X-Frame-Options DENY if acl_kanidm'
|
||||
- 'set-header X-Content-Type-Options nosniff'
|
||||
- 'set-header X-XSS-Protection 1;mode=block'
|
||||
|
||||
@@ -320,6 +328,26 @@ profiles::haproxy::backends:
|
||||
- add-header X-Forwarded-Proto https if { dst_port 9443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
stick-table: 'type ip size 200k expire 30m'
|
||||
be_k8s_kanidm:
|
||||
description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
|
||||
collect_exported: false
|
||||
options:
|
||||
balance: roundrobin
|
||||
option:
|
||||
- httpchk
|
||||
- forwardfor
|
||||
- http-keep-alive
|
||||
- prefer-last-server
|
||||
http-check:
|
||||
- 'connect ssl sni auth.unkin.net'
|
||||
- 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
|
||||
- 'expect status 200'
|
||||
http-reuse: always
|
||||
http-request:
|
||||
- set-header X-Forwarded-Port %[dst_port]
|
||||
- add-header X-Forwarded-Proto https if { dst_port 443 }
|
||||
redirect: 'scheme https if !{ ssl_fc }'
|
||||
server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
|
||||
be_stalwart_imap:
|
||||
description: Backend for Stalwart IMAP (STARTTLS)
|
||||
collect_exported: false
|
||||
@@ -393,6 +421,7 @@ profiles::haproxy::certlist::certificates:
|
||||
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
|
||||
- /etc/pki/tls/vault/certificate.pem
|
||||
|
||||
# additional altnames
|
||||
@@ -422,3 +451,4 @@ certbot::client::domains:
|
||||
- git.unkin.net
|
||||
- grafana.unkin.net
|
||||
- dashboard.ceph.unkin.net
|
||||
- auth.unkin.net
|
||||
|
||||
@@ -16,3 +16,4 @@ certbot::domains:
|
||||
- git.unkin.net
|
||||
- grafana.unkin.net
|
||||
- dashboard.ceph.unkin.net
|
||||
- auth.unkin.net
|
||||
|
||||