feat: add auth.unkin.net proxying to Kubernetes Traefik ingress

Add static haproxy2 backends for syd1 Kubernetes Traefik ingress
(external 198.18.199.0, internal 198.18.200.4) and route
auth.unkin.net to the internal backend with Let's Encrypt cert.
This commit is contained in:
2026-06-02 17:44:33 +10:00
parent ba35c8907c
commit e88b03a02a
2 changed files with 30 additions and 0 deletions
@@ -1,4 +1,7 @@
--- ---
haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}" profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
profiles::haproxy::dns::vrrp_cnames: profiles::haproxy::dns::vrrp_cnames:
- sonarr.main.unkin.net - sonarr.main.unkin.net
@@ -16,6 +19,7 @@ profiles::haproxy::dns::vrrp_cnames:
- mail.main.unkin.net - mail.main.unkin.net
- autoconfig.main.unkin.net - autoconfig.main.unkin.net
- autodiscover.main.unkin.net - autodiscover.main.unkin.net
- auth.unkin.net
profiles::haproxy::mappings: profiles::haproxy::mappings:
fe_http: fe_http:
@@ -37,6 +41,7 @@ profiles::haproxy::mappings:
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin' - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
- 'autoconfig.main.unkin.net be_stalwart_webadmin' - 'autoconfig.main.unkin.net be_stalwart_webadmin'
- 'autodiscovery.main.unkin.net be_stalwart_webadmin' - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
- 'auth.unkin.net be_k8s_kanidm'
fe_https: fe_https:
ensure: present ensure: present
mappings: mappings:
@@ -56,6 +61,7 @@ profiles::haproxy::mappings:
- 'mail-webadmin.main.unkin.net be_stalwart_webadmin' - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
- 'autoconfig.main.unkin.net be_stalwart_webadmin' - 'autoconfig.main.unkin.net be_stalwart_webadmin'
- 'autodiscovery.main.unkin.net be_stalwart_webadmin' - 'autodiscovery.main.unkin.net be_stalwart_webadmin'
- 'auth.unkin.net be_k8s_kanidm'
profiles::haproxy::frontends: profiles::haproxy::frontends:
fe_http: fe_http:
@@ -80,6 +86,7 @@ profiles::haproxy::frontends:
- 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net' - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
- 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net' - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
- 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net' - 'acl_stalwart_webadmin req.hdr(host) -i autodiscovery.main.unkin.net'
- 'acl_kanidm req.hdr(host) -i auth.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24' - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend: use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]" - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -99,6 +106,7 @@ profiles::haproxy::frontends:
- 'set-header X-Frame-Options DENY if acl_grafana' - 'set-header X-Frame-Options DENY if acl_grafana'
- 'set-header X-Frame-Options DENY if acl_ceph_dashboard' - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
- 'set-header X-Frame-Options DENY if acl_stalwart_webadmin' - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
- 'set-header X-Frame-Options DENY if acl_kanidm'
- 'set-header X-Content-Type-Options nosniff' - 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block' - 'set-header X-XSS-Protection 1;mode=block'
@@ -320,6 +328,25 @@ profiles::haproxy::backends:
- add-header X-Forwarded-Proto https if { dst_port 9443 } - add-header X-Forwarded-Proto https if { dst_port 9443 }
redirect: 'scheme https if !{ ssl_fc }' redirect: 'scheme https if !{ ssl_fc }'
stick-table: 'type ip size 200k expire 30m' stick-table: 'type ip size 200k expire 30m'
be_k8s_kanidm:
description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
collect_exported: false
options:
balance: roundrobin
option:
- httpchk
- forwardfor
- http-keep-alive
- prefer-last-server
http-check:
- 'send meth GET uri / ver HTTP/1.1 hdr Host auth.unkin.net'
- expect status 200
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
be_stalwart_imap: be_stalwart_imap:
description: Backend for Stalwart IMAP (STARTTLS) description: Backend for Stalwart IMAP (STARTTLS)
collect_exported: false collect_exported: false
@@ -393,6 +420,7 @@ profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem - /etc/pki/tls/vault/certificate.pem
# additional altnames # additional altnames
@@ -422,3 +450,4 @@ certbot::client::domains:
- git.unkin.net - git.unkin.net
- grafana.unkin.net - grafana.unkin.net
- dashboard.ceph.unkin.net - dashboard.ceph.unkin.net
- auth.unkin.net
+1
View File
@@ -16,3 +16,4 @@ certbot::domains:
- git.unkin.net - git.unkin.net
- grafana.unkin.net - grafana.unkin.net
- dashboard.ceph.unkin.net - dashboard.ceph.unkin.net
- auth.unkin.net