From cbded220bb0d5a1f8f4adf959716fc3846694c20 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 5 Jul 2024 23:15:06 +1000 Subject: [PATCH] feat: add sonarr locations - add authproxy - add api and web - add /consul/health for unauth access from consul - update sonarr/consul check to use /consul/health - change client body side to 20mb --- hieradata/roles/apps/media/sonarr.eyaml | 1 + hieradata/roles/apps/media/sonarr.yaml | 84 ++++++++++++++++++++++++- 2 files changed, 83 insertions(+), 2 deletions(-) diff --git a/hieradata/roles/apps/media/sonarr.eyaml b/hieradata/roles/apps/media/sonarr.eyaml index 18be20a..79f024e 100644 --- a/hieradata/roles/apps/media/sonarr.eyaml +++ b/hieradata/roles/apps/media/sonarr.eyaml @@ -1 +1,2 @@ sonarr::api_key: ENC[PKCS7,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] +ldap_bindpass: ENC[PKCS7,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] diff --git a/hieradata/roles/apps/media/sonarr.yaml b/hieradata/roles/apps/media/sonarr.yaml index 09ab30c..3bca555 100644 --- a/hieradata/roles/apps/media/sonarr.yaml +++ b/hieradata/roles/apps/media/sonarr.yaml @@ -2,6 +2,7 @@ hiera_include: - sonarr - profiles::nginx::simpleproxy + - profiles::nginx::ldapauth # manage sonarr sonarr::params::user: sonarr 
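Review bot: The new `ldap_bindpass` key in sonarr.eyaml is a bare top-level hiera key, while the secret on the line above it is namespaced as `sonarr::api_key`; a bare name in role-level data is easy to shadow or collide with from another role or layer that also defines an LDAP bind password. Consider `sonarr::ldap_bindpass: ENC[PKCS7,<same value>]` and changing the `%{lookup('ldap_bindpass')}` reference in sonarr.yaml to match. The same naming point applies to the plain-text `ldap_host`, `ldap_basedn`, `ldap_binddn` and `ldap_template` keys added in the sonarr.yaml hunk.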
@@ -27,9 +28,88 @@ profiles::nginx::simpleproxy::nginx_aliases: profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_path: '/' +profiles::nginx::simpleproxy::use_default_location: false +nginx::client_max_body_size: 20M + +ldap_host: 'ldap.service.consul' +ldap_basedn: 'dc=main,dc=unkin,dc=net' +ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net' +ldap_template: '(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net)' + +profiles::nginx::simpleproxy::locations: + # authentication proxy + authproxy: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + internal: true + location: '= /auth-proxy' + proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888" + proxy_set_header: + - 'Content-Length ""' + - "X-Ldap-URL ldap://%{lookup('ldap_host')}" + - 'X-Ldap-Starttls "false"' + - "X-Ldap-BaseDN %{lookup('ldap_basedn')}" + - "X-Ldap-BindDN %{lookup('ldap_binddn')}" + - "X-Ldap-BindPass %{lookup('ldap_bindpass')}" + - 'X-CookieName "nginxauth"' + - 'Cookie nginxauth=$cookie_nginxauth' + - "X-Ldap-Template %{lookup('ldap_template')}" + - 'X-Ldap-Realm "Restricted"' + proxy_cache: 'cache' + proxy_cache_valid: '200 10m' + proxy_cache_key: '"$http_authorization$cookie_nginxauth"' + location_cfg_append: + proxy_pass_request_body: 'off' + # sonarr health checks by consul + sonarr_web_consul: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + location: '/consul/health' + proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" + proxy_set_header: + - 'Host $host' + - 'X-Forwarded-For $proxy_add_x_forwarded_for' + - 'X-Forwarded-Host $host' + - 'X-Forwarded-Proto $scheme' + - 'Upgrade $http_upgrade' + - 'Connection $http_connection' + proxy_redirect: 'off' + proxy_http_version: '1.1' 
+ location_allow: + - 127.0.0.1 + - "%{facts.networking.ip}" + location_deny: + - all + # authorised sonarr access from external + sonarr_web_external: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + location: '/' + auth_request: '/auth-proxy' + proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" + proxy_set_header: + - 'Host $host' + - 'X-Forwarded-For $proxy_add_x_forwarded_for' + - 'X-Forwarded-Host $host' + - 'X-Forwarded-Proto $scheme' + - 'Upgrade $http_upgrade' + - 'Connection $http_connection' + proxy_redirect: 'off' + proxy_http_version: '1.1' + # location for sonarr api, which should be accessible without authentication + sonarr_api: + ensure: 'present' + server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}" + ssl_only: true + location: '~ /api' + proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}" + location_cfg_append: + client_max_body_size: '10m' # configure consul service -nginx::client_max_body_size: 10M consul::services: sonarr: service_name: 'sonarr' @@ -41,7 +121,7 @@ consul::services: checks: - id: 'sonarr_http_check' name: 'Sonarr HTTP Check' - http: "https://%{facts.networking.fqdn}:443" + http: "https://%{facts.networking.fqdn}:443/consul/health" method: 'GET' tls_skip_verify: true interval: '10s'
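Review bot: `location: '~ /api'` in the new `sonarr_api` entry is an unanchored regex, so nginx sends any URI that merely contains `/api` (for example `/foo/api/bar`) to this unauthenticated location and it never reaches the `auth_request: '/auth-proxy'` guard on the `/` location; anchoring it as `location: '~ ^/api/'` limits the surface that bypasses the LDAP check to Sonarr's real API paths. The bind password is also interpolated unquoted in `X-Ldap-BindPass %{lookup('ldap_bindpass')}`, so whitespace, `;`, `#` or `$` in the secret would change or break the generated `proxy_set_header` directive; `"X-Ldap-BindPass \"%{lookup('ldap_bindpass')}\""` keeps it a single argument. With `X-Ldap-URL ldap://…` and `X-Ldap-Starttls "false"`, the bind credentials and every user's password travel in cleartext to `ldap.service.consul`; if the directory offers TLS, `ldaps://` or `X-Ldap-Starttls "true"` should be used instead. Finally, `sonarr_api` caps `client_max_body_size: '10m'` while the server level is raised to `20M`, and it omits the `proxy_set_header`/`proxy_redirect`/`proxy_http_version` block that the other two new locations carry; it is not clear from the diff whether either difference is intended.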
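Review bot: The check now requests `/consul/health`, but the new `sonarr_web_consul` location proxies that path straight through to Sonarr rather than answering it in nginx, so the check result depends on whatever status Sonarr returns for a path it is not known to serve, and it passes only if that happens to be 2xx; this diff does not show what that status is. If only nginx reachability is meant to be checked, `location_cfg_append: { return: '200' }` on that location makes the outcome deterministic; if Sonarr liveness is meant, the location should target a path Sonarr is known to answer. Note also that the location's `location_allow` admits only `127.0.0.1` and `%{facts.networking.ip}`, so the check succeeds only while consul runs on the same host and `%{facts.networking.fqdn}` resolves back to that address.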