
unkinben e20f3bc372 nginx authproxy module 2024-07-05 22:49:22 +10:00
65 changed files with 198 additions and 3410 deletions
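--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -38,7 +38,6 @@ mod 'puppet-extlib', '7.0.0'
 mod 'puppet-network', '2.2.0'
 mod 'puppet-kmod', '4.0.1'
 mod 'puppet-filemapper', '4.0.0'
-mod 'puppet-letsencrypt', '11.0.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'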
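--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -129,15 +129,6 @@ lookup_options:
 profiles::ceph::client::keyrings:
 merge:
 strategy: deep
-profiles::nginx::simpleproxy::locations:
-merge:
-strategy: deep
-certbot::client::domains:
-merge:
-strategy: deep
-profiles::metrics::exportarr:
-merge:
-strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'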
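--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +1,2 @@
 ---
 timezone::timezone: 'Australia/Sydney'
-certbot::client::webserver: ausyd1nxvm1021.main.unkin.net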
@@ -11,9 +11,7 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr' - 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr' - 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr' - 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin' - 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
fe_https: fe_https:
ensure: present ensure: present
mappings: mappings:
@@ -24,9 +22,7 @@ profiles::haproxy::mappings:
- 'lidarr.main.unkin.net be_lidarr' - 'lidarr.main.unkin.net be_lidarr'
- 'readarr.main.unkin.net be_readarr' - 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr' - 'prowlarr.main.unkin.net be_prowlarr'
- 'nzbget.main.unkin.net be_nzbget'
- 'jellyfin.main.unkin.net be_jellyfin' - 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
profiles::haproxy::frontends: profiles::haproxy::frontends:
fe_http: fe_http:
@@ -36,15 +32,7 @@ profiles::haproxy::frontends:
fe_https: fe_https:
options: options:
acl: acl:
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net' - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24' - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend: use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]" - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@@ -52,14 +40,6 @@ profiles::haproxy::frontends:
- 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets' - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
http-response: http-response:
- 'set-header X-Frame-Options DENY if acl_ausyd1pve' - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
- 'set-header X-Frame-Options DENY if acl_sonarr'
- 'set-header X-Frame-Options DENY if acl_radarr'
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_nzbget'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Content-Type-Options nosniff' - 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block' - 'set-header X-XSS-Protection 1;mode=block'
@@ -101,7 +81,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -117,7 +97,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -133,7 +113,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -149,7 +129,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -165,23 +145,7 @@ profiles::haproxy::backends:
options: options:
balance: roundrobin balance: roundrobin
option: option:
- httpchk GET /consul/health - httpchk GET /
- forwardfor
- http-keep-alive
- prefer-last-server
cookie: SRVNAME insert indirect nocache
http-reuse: always
http-request:
- set-header X-Forwarded-Port %[dst_port]
- add-header X-Forwarded-Proto https if { dst_port 443 }
redirect: 'scheme https if !{ ssl_fc }'
be_nzbget:
description: Backend for au-syd1 nzbget
collect_exported: false # handled in custom function
options:
balance: roundrobin
option:
- httpchk GET /consul/health
- forwardfor - forwardfor
- http-keep-alive - http-keep-alive
- prefer-last-server - prefer-last-server
@@ -210,30 +174,10 @@ profiles::haproxy::backends:
profiles::haproxy::certlist::enabled: true profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates: profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem - /etc/pki/tls/vault/certificate.pem
# additional altnames # additional altnames
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::domains:
- au-syd1-pve.main.unkin.net - au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net - au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net - sonarr.main.unkin.net
@@ -241,5 +185,9 @@ certbot::client::domains:
- lidarr.main.unkin.net - lidarr.main.unkin.net
- readarr.main.unkin.net - readarr.main.unkin.net
- prowlarr.main.unkin.net - prowlarr.main.unkin.net
- nzbget.main.unkin.net - jellyfin.main.unkin.net
- fafflix.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
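Review bot: In the `fe_https` acl list the host-match ACL now reads `acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net`; a Host header never carries a scheme, so if the right-hand value is the new side this ACL can no longer match and the surviving `set-header X-Frame-Options DENY if acl_ausyd1pve` rule becomes dead — keep the bare hostname `au-syd1-pve.main.unkin.net`. Dropping the per-host ACLs together with their `X-Frame-Options DENY` rules leaves the sonarr, radarr, lidarr, readarr, prowlarr and jellyfin responses without that header unless the new nginx layer sets it; an unconditional `- 'set-header X-Frame-Options DENY'` beside the `nosniff` line keeps the protection without per-host ACLs. The backends' health check changes to `httpchk GET /` (the `/consul/health` nginx location is deleted elsewhere in this commit, so that is the new side); if the new authentication proxy answers the root with 401 rather than 2xx/3xx, HAProxy marks every arr backend down, so the check should point at a path that answers without a session.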
@@ -1,14 +0,0 @@
---
networking::interfaces:
eth0:
ipaddress: 198.18.13.58
ens19:
ensure: present
family: inet
method: static
ipaddress: 10.18.15.58
netmask: 255.255.255.0
onboot: true
networking::routes:
default:
gateway: 198.18.13.254
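--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -73,5 +73,4 @@ profiles::yum::global::repos:
 target: /etc/yum.repos.d/unkin.repo
 baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
 gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
-gpgcheck: false
 mirrorlist: absent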
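Review bot: Removing `gpgcheck: false` leaves the value to the profile's default, which is not visible here; add an explicit `gpgcheck: true` so signature verification against the listed `gpgkey` is stated rather than inherited, and so a later default change cannot silently turn it off again. The repo block begins outside the hunk.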
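--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,7 +1,4 @@
 ---
-hiera_include:
-- profiles::nginx::simpleproxy
 profiles::yum::global::repos:
 ceph-reef:
 name: ceph-reef
@@ -21,81 +18,3 @@ profiles::base::groups::local:
 gid: 20000
 allowdupe: false
 forcelocal: true
-ldap_host: 'ldap.service.consul'
-ldap_basedn: 'dc=main,dc=unkin,dc=net'
-profiles::nginx::simpleproxy::locations:
-# authentication proxy
-authproxy:
-ensure: 'present'
-server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
-ssl_only: true
-internal: true
-location: '= /auth-proxy'
-proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
-proxy_set_header:
-- 'Content-Length ""'
-- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
-- 'X-Ldap-Starttls "false"'
-- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
-- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
-- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
-- 'X-CookieName "nginxauth"'
-- 'Cookie nginxauth=$cookie_nginxauth'
-- "X-Ldap-Template %{lookup('ldap_template')}"
-- 'X-Ldap-Realm "Restricted"'
-proxy_cache: 'cache'
-proxy_cache_valid: '200 10m'
-proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
-location_cfg_append:
-proxy_pass_request_body: 'off'
-# health checks by consul/haproxy
-arrstack_web_healthcheck:
-ensure: 'present'
-server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
-ssl_only: true
-location: '/consul/health'
-proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
-proxy_set_header:
-- 'Host $host'
-- 'X-Forwarded-For $proxy_add_x_forwarded_for'
-- 'X-Forwarded-Host $host'
-- 'X-Forwarded-Proto $scheme'
-- 'Upgrade $http_upgrade'
-- 'Connection $http_connection'
-proxy_redirect: 'off'
-proxy_http_version: '1.1'
-location_allow:
-- 127.0.0.1
-- "%{facts.networking.ip}"
-- 198.18.13.25
-- 198.18.13.26
-location_deny:
-- all
-# authorised access from external
-arrstack_web_external:
-ensure: 'present'
-server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
-ssl_only: true
-location: '/'
-auth_request: '/auth-proxy'
-proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
-proxy_set_header:
-- 'Host $host'
-- 'X-Forwarded-For $proxy_add_x_forwarded_for'
-- 'X-Forwarded-Host $host'
-- 'X-Forwarded-Proto $scheme'
-- 'Upgrade $http_upgrade'
-- 'Connection $http_connection'
-proxy_redirect: 'off'
-proxy_http_version: '1.1'
-# location for api, which should be accessible without authentication
-arrstack_api:
-ensure: 'present'
-server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
-ssl_only: true
-location: '~ /api'
-proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
-location_cfg_append:
-client_max_body_size: '20m'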
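--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,6 +1,7 @@
 ---
 hiera_include:
 - jellyfin
+- profiles::nginx::simpleproxy
 # manage jellyfin
 jellyfin::params::service_enable: true
@@ -45,19 +46,3 @@ profiles::consul::client::node_rules:
 - resource: service
 segment: jellyfin
 disposition: write
-profiles::yum::global::repos:
-rpmfusion-free:
-name: rpmfusion-free
-descr: rpmfusion-free repository
-target: /etc/yum.repos.d/rpmfusion.repo
-baseurl: https://download1.rpmfusion.org/free/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-gpgkey: https://download1.rpmfusion.org/free/el/RPM-GPG-KEY-rpmfusion-free-el-%{facts.os.release.major}
-mirrorlist: absent
-rpmfusion-nonfree:
-name: rpmfusion-nonfree
-descr: rpmfusion-nonfree repository
-target: /etc/yum.repos.d/rpmfusion.repo
-baseurl: https://download1.rpmfusion.org/nonfree/el/updates/%{facts.os.release.major}/%{facts.os.architecture}
-gpgkey: https://download1.rpmfusion.org/nonfree/el/RPM-GPG-KEY-rpmfusion-nonfree-el-%{facts.os.release.major}
-mirrorlist: absent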
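Review bot: Deleting the `rpmfusion-free` and `rpmfusion-nonfree` entries from `profiles::yum::global::repos` stops Puppet managing them but does not remove `/etc/yum.repos.d/rpmfusion.repo` from hosts that already have it, so those hosts keep that repo enabled until it is explicitly purged; if the intent is to drop the repo, manage it as absent first (the profile's key for that is not shown here) and delete the entry once hosts have converged. The added `- profiles::nginx::simpleproxy` presumably places jellyfin behind the same proxy as the arr hosts; since jellyfin has its own login, record in hiera whether the new auth proxy is meant to gate it as well rather than relying on profile defaults.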
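--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +1,2 @@
 ---
 lidarr::api_key: ENC[PKCS7,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]
-ldap_bindpass: ENC[PKCS7,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]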
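Review bot: Deleting `ldap_bindpass` here (and in the prowlarr, radarr, readarr and sonarr secret files in this commit) removes the value from the working tree only; the eyaml ciphertext stays in git history and remains decryptable with the current key, so the `svc_lidarr` bind credential should be rotated in glauth rather than treated as gone. The glauth hunk in this commit changes the hash for `svc_sonarr` only, so the other service accounts keep passwords that are still recoverable from history.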
+3 -16
@@ -1,8 +1,7 @@
--- ---
hiera_include: hiera_include:
- lidarr - lidarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
- profiles::metrics::exportarr
# manage lidarr # manage lidarr
lidarr::params::user: lidarr lidarr::params::user: lidarr
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_lidarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=lidarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
lidarr: lidarr:
service_name: 'lidarr' service_name: 'lidarr'
@@ -46,7 +41,7 @@ consul::services:
checks: checks:
- id: 'lidarr_http_check' - id: 'lidarr_http_check'
name: 'Lidarr HTTP Check' name: 'Lidarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
@@ -55,11 +50,3 @@ profiles::consul::client::node_rules:
- resource: service - resource: service
segment: lidarr segment: lidarr
disposition: write disposition: write
profiles::metrics::exportarr:
app: 'lidarr'
config_path: '/opt/lidarr/config.xml'
api_key: "%{hiera('lidarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('lidarr::params::port')"
enable_additional_metrics: true
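Review bot: Replacing `profiles::nginx::ldapauth` with `profiles::nginx::simpleproxy` and dropping `ldap_binddn` and `ldap_template` removes the only place in this file that restricted access to members of `ou=lidarr_access,ou=groups,...`; the module that takes over is not in this diff, so confirm it still enforces the per-application group rather than admitting any LDAP user, and that the old `~ /api` bypass (deleted with the simpleproxy locations hiera in this commit) is re-created deliberately or not at all. The consul check now requests `https://%{facts.networking.fqdn}:443` instead of `/consul/health`; Consul counts only a 2xx answer as passing, so if the new auth proxy answers the root with 401 or a redirect the service flips to critical, and the `/consul/health` location with its `location_allow` list that used to answer without a session is gone. The same three changes appear in the prowlarr, radarr, readarr and sonarr hiera files in this commit.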
-2
@@ -1,2 +0,0 @@
---
ldap_bindpass: ENC[PKCS7,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]
-61
@@ -1,61 +0,0 @@
---
hiera_include:
- nzbget
- profiles::media::nzbget
- profiles::nginx::ldapauth
# manage nzbget
nzbget::params::user: nzbget
nzbget::params::group: media
nzbget::params::manage_group: false
# additional altnames
profiles::pki::vault::alt_names:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'nzbget.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
- nzbget.main.unkin.net
- nzbget.service.consul
- nzbget.query.consul
- "nzbget.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 6789
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_nzbget,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=nzbget_access,ou=groups,dc=main,dc=unkin,dc=net))'
profiles::nginx::simpleproxy::locations:
arrstack_web_healthcheck:
location_cfg_append:
rewrite: '/consul/health / break'
# configure consul service
consul::services:
nzbget:
service_name: 'nzbget'
tags:
- 'media'
- 'nzbget'
address: "%{facts.networking.ip}"
port: 443
checks:
- id: 'nzbget_http_check'
name: 'nzbget HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health"
method: 'GET'
tls_skip_verify: true
interval: '10s'
timeout: '1s'
profiles::consul::client::node_rules:
- resource: service
segment: nzbget
disposition: write
@@ -1,3 +1,2 @@
--- ---
prowlarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAdAzvi5Z2cX7KWdMlMfR5N+Jz9Pmh3k9yvPgM1JnTM8ZODs5VyQf/d3goWJ5Fn+jcjVqQ+aBga2CHfbdjgg5dGC19Jr8CmxVkYpMVb+e6Md4LEglUD6g70LK8JHB1FAM0fqW82/zqBL73KFKcu71Hpbf9YylJD4LXCr/k4D7hPX3tgEOzFn1iGl/DqxJFWnorj0btk3/2AmA3AMjvFy4r39PwbMfr2jNFSmAdJa7j7W+ESyE08Cc795VORIa/lbrT0ZfBMGXqzNTIpcdJ7uabcrH0qHNM8FPh4eHBzGMqLvIba487bs2TUb8eIivwT2EAwmGDWX1QkG2o6lGyO8PyqzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBO8BQpHvHYOA2tjyxpjGw4gDATwt1wP0aPFPnbRoqPdwClfOzbWmtbT/rCBmCQH0HkyA8sqr2I2qlOsuJukCjBDHo=] prowlarr::api_key: ENC[PKCS7,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]
ldap_bindpass: ENC[PKCS7,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]
+3 -16
@@ -1,8 +1,7 @@
--- ---
hiera_include: hiera_include:
- prowlarr - prowlarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
- profiles::metrics::exportarr
# manage prowlarr # manage prowlarr
prowlarr::params::user: prowlarr prowlarr::params::user: prowlarr
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_prowlarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=prowlarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
prowlarr: prowlarr:
service_name: 'prowlarr' service_name: 'prowlarr'
@@ -46,7 +41,7 @@ consul::services:
checks: checks:
- id: 'prowlarr_http_check' - id: 'prowlarr_http_check'
name: 'Prowlarr HTTP Check' name: 'Prowlarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
@@ -55,11 +50,3 @@ profiles::consul::client::node_rules:
- resource: service - resource: service
segment: prowlarr segment: prowlarr
disposition: write disposition: write
profiles::metrics::exportarr:
app: 'prowlarr'
config_path: '/opt/prowlarr/config.xml'
api_key: "%{hiera('prowlarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('prowlarr::params::port')"
enable_additional_metrics: true
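--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +1,2 @@
 ---
 radarr::api_key: ENC[PKCS7,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]
-ldap_bindpass: ENC[PKCS7,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]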
+3 -16
@@ -1,8 +1,7 @@
--- ---
hiera_include: hiera_include:
- radarr - radarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
- profiles::metrics::exportarr
# manage radarr # manage radarr
radarr::params::user: radarr radarr::params::user: radarr
@@ -29,13 +28,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_radarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=radarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
radarr: radarr:
service_name: 'radarr' service_name: 'radarr'
@@ -47,7 +42,7 @@ consul::services:
checks: checks:
- id: 'radarr_http_check' - id: 'radarr_http_check'
name: 'radarr HTTP Check' name: 'radarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
@@ -56,11 +51,3 @@ profiles::consul::client::node_rules:
- resource: service - resource: service
segment: radarr segment: radarr
disposition: write disposition: write
profiles::metrics::exportarr:
app: 'radarr'
config_path: '/opt/radarr/config.xml'
api_key: "%{hiera('radarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('radarr::params::port')"
enable_additional_metrics: true
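--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +1,2 @@
 ---
 readarr::api_key: ENC[PKCS7,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]
-ldap_bindpass: ENC[PKCS7,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]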
+3 -16
@@ -1,8 +1,7 @@
--- ---
hiera_include: hiera_include:
- readarr - readarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
- profiles::metrics::exportarr
# manage readarr # manage readarr
readarr::params::user: readarr readarr::params::user: readarr
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_readarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=readarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
readarr: readarr:
service_name: 'readarr' service_name: 'readarr'
@@ -46,7 +41,7 @@ consul::services:
checks: checks:
- id: 'readarr_http_check' - id: 'readarr_http_check'
name: 'Readarr HTTP Check' name: 'Readarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
@@ -55,11 +50,3 @@ profiles::consul::client::node_rules:
- resource: service - resource: service
segment: readarr segment: readarr
disposition: write disposition: write
profiles::metrics::exportarr:
app: 'readarr'
config_path: '/opt/readarr/config.xml'
api_key: "%{hiera('readarr::api_key')}"
version: '2.0.1'
app_port: "%hiera('readarr::params::port')"
enable_additional_metrics: true
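--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,2 +1 @@
 sonarr::api_key: ENC[PKCS7,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]
-ldap_bindpass: ENC[PKCS7,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]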
+3 -8
@@ -1,8 +1,7 @@
--- ---
hiera_include: hiera_include:
- sonarr - sonarr
- profiles::nginx::ldapauth - profiles::nginx::simpleproxy
- profiles::metrics::exportarr
# manage sonarr # manage sonarr
sonarr::params::user: sonarr sonarr::params::user: sonarr
@@ -28,13 +27,9 @@ profiles::nginx::simpleproxy::nginx_aliases:
profiles::nginx::simpleproxy::proxy_port: 8000 profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: 127.0.0.1 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
profiles::nginx::simpleproxy::proxy_path: '/' profiles::nginx::simpleproxy::proxy_path: '/'
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: 20M
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
ldap_template: '(&(uid=%(username)s)(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net))'
# configure consul service # configure consul service
nginx::client_max_body_size: 10M
consul::services: consul::services:
sonarr: sonarr:
service_name: 'sonarr' service_name: 'sonarr'
@@ -46,7 +41,7 @@ consul::services:
checks: checks:
- id: 'sonarr_http_check' - id: 'sonarr_http_check'
name: 'Sonarr HTTP Check' name: 'Sonarr HTTP Check'
http: "https://%{facts.networking.fqdn}:443/consul/health" http: "https://%{facts.networking.fqdn}:443"
method: 'GET' method: 'GET'
tls_skip_verify: true tls_skip_verify: true
interval: '10s' interval: '10s'
+2 -30
@@ -48,7 +48,7 @@ glauth::users:
user_name: 'benvin' user_name: 'benvin'
givenname: 'Ben' givenname: 'Ben'
sn: 'Vincent' sn: 'Vincent'
mail: 'benvin@users.main.unkin.net' mail: 'ben@users.main.unkin.net'
uidnumber: 20000 uidnumber: 20000
primarygroup: 20000 primarygroup: 20000
othergroups: othergroups:
@@ -58,30 +58,11 @@ glauth::users:
- 20013 - 20013
- 20014 - 20014
- 20015 - 20015
- 20016
loginshell: '/bin/bash' loginshell: '/bin/bash'
homedir: '/home/benvin' homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a' passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
sshkeys: sshkeys:
- 'ssh-rsa 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 ben@unkin.net' - 'ssh-rsa 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 ben@unkin.net'
matsol:
user_name: 'matsol'
givenname: 'Matt'
sn: 'Solomon'
mail: 'matsol@users.main.unkin.net'
uidnumber: 20001
primarygroup: 20000
othergroups:
- 20010
- 20011
- 20012
- 20013
- 20014
- 20015
- 20016
loginshell: '/bin/bash'
homedir: '/home/matsol'
passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
glauth::services: glauth::services:
svc_jellyfin: svc_jellyfin:
@@ -95,7 +76,7 @@ glauth::services:
mail: 'sonarr@service.main.unkin.net' mail: 'sonarr@service.main.unkin.net'
uidnumber: 30001 uidnumber: 30001
primarygroup: 20001 primarygroup: 20001
passsha256: '2c32d4cb831183cfbef15835cc76f99b401d0159621bc580e852253d4d8f8722' passsha256: 'e4068a02bb930c2c2ccfea6b638df1fb4c29c1b083732b92e91da47d5de4a51d'
svc_radarr: svc_radarr:
service_name: 'svc_radarr' service_name: 'svc_radarr'
mail: 'radarr@service.main.unkin.net' mail: 'radarr@service.main.unkin.net'
@@ -120,12 +101,6 @@ glauth::services:
uidnumber: 30005 uidnumber: 30005
primarygroup: 20001 primarygroup: 20001
passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043' passsha256: 'd1e6bcc4a9f2d15b6e3c349155a88e433902dfe765e57bf3c10e6830f151a043'
svc_nzbget:
service_name: 'svc_nzbget'
mail: 'nzbget@service.main.unkin.net'
uidnumber: 30006
primarygroup: 20001
passsha256: 'c9d38f687fcbea754a9f78675d89276d2347f9d15190fff267c3ae1a75f61be6'
glauth::groups: glauth::groups:
users: users:
@@ -152,6 +127,3 @@ glauth::groups:
prowlarr_access: prowlarr_access:
group_name: 'prowlarr_access' group_name: 'prowlarr_access'
gidnumber: 20015 gidnumber: 20015
nzbget_access:
group_name: 'nzbget_access'
gidnumber: 20016
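Review bot: The new `passsha256` for `svc_sonarr` is still an unsalted SHA-256 of the service password, which offers little resistance to offline guessing if this hiera data is ever exposed; glauth also accepts bcrypt hashes via `passbcrypt`, so if the `glauth::services` profile passes that key through, prefer it for service and user entries. Rotating only `svc_sonarr` while the `ldap_bindpass` values for lidarr, radarr, readarr and prowlarr are deleted elsewhere in this commit leaves those accounts on their previous passwords; either rotate them in the same change or record why they are unaffected. Removing `matsol`, `svc_nzbget` and the `nzbget_access` group (20016) is consistent with the `othergroups` change in the earlier hunk, so no dangling gid reference remains in the visible hunks.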
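--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -53,8 +53,6 @@ profiles::haproxy::frontends:
 options:
 acl:
 - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
-use_backend:
-- 'be_letsencrypt if acl-letsencrypt'
 http-request:
 - 'set-header X-Forwarded-Proto https'
 - 'set-header X-Real-IP %[src]'
@@ -70,8 +68,6 @@ profiles::haproxy::frontends:
 options:
 acl:
 - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
-use_backend:
-- 'be_letsencrypt if acl-letsencrypt'
 http-request:
 - 'set-header X-Forwarded-Proto https'
 - 'set-header X-Real-IP %[src]'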
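Review bot: Both frontends keep `acl-letsencrypt path_beg /.well-known/acme-challenge/` while the `use_backend` lines that referenced it are removed, so the ACL is now unused and ACME challenge requests fall through to the default routing; either delete the two ACL lines as well or, if that path should be closed now that certbot is gone, add `- 'deny if acl-letsencrypt'` under `http-request` so the decision is explicit. The surrounding `profiles::haproxy::frontends` entries begin and end outside the hunks.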
-2
@@ -1,2 +0,0 @@
---
certbot::contact: ENC[PKCS7,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]
-15
@@ -1,15 +0,0 @@
---
hiera_include:
- certbot
- profiles::pki::puppetcerts
certbot::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
- radarr.main.unkin.net
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- nzbget.main.unkin.net
- fafflix.unkin.net
@@ -1,18 +0,0 @@
# frozen_string_literal: true
Facter.add(:certbot_available_certs) do
confine enc_role: 'roles::infra::pki::certbot'
setcode do
certs_dir = '/etc/letsencrypt/live'
available_certs = []
if Dir.exist?(certs_dir)
Dir.children(certs_dir).each do |entry|
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
available_certs << entry if File.exist?(fullchain_pem)
end
end
available_certs.join(',')
end
end
-15
@@ -1,15 +0,0 @@
# certbot::cert
define certbot::cert (
Stdlib::Fqdn $domain,
Array $additional_args = ['--http-01-port=8888'],
Boolean $manage_cron = true,
) {
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
@@letsencrypt::certonly { $domain:
additional_args => $additional_args,
manage_cron => $manage_cron,
tag => $location_environment,
}
}
-23
@@ -1,23 +0,0 @@
class certbot::client (
Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
) {
mkdir::p {$data_dir:}
file { $data_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
}
}
}
-51
@@ -1,51 +0,0 @@
define certbot::client::cert (
Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
) {
file { $destination:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$cert_ready_nodes = puppetdb_query("
facts {
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
}"
)
# Define the certificate files
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
if !empty($cert_ready_nodes) {
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
$acc + {
"${destination}/${file}" => {
ensure => 'file',
source => "https://${webserver}/${domain}/${file}",
owner => 'root',
group => 'root',
mode => '0644',
notify => Exec["concat_${domain}_certs"],
}
}
}
create_resources(file, $files_to_create)
exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'],
refreshonly => true,
require => [
File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"],
],
}
} else {
notify { 'Certificates are not yet ready on the generator server.': }
}
}
-9
@@ -1,9 +0,0 @@
# certbot::haproxy
class certbot::haproxy {
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
service => 'be_letsencrypt',
ports => [8888],
options => []
}
}
-19
@@ -1,19 +0,0 @@
# certbot::init
class certbot (
String $contact,
Array[Stdlib::Fqdn] $domains = [],
Stdlib::Absolutepath $data_root = '/var/www',
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'puppet',
) {
include certbot::nginx
include certbot::selinux
include certbot::haproxy
include certbot::letsencrypt
}
-37
@@ -1,37 +0,0 @@
# certbot::letsencrypt
class certbot::letsencrypt (
String $contact = $certbot::contact,
Array[Stdlib::Fqdn] $domains = $certbot::domains,
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
class { 'letsencrypt':
configure_epel => false,
package_ensure => 'latest',
email => $contact,
}
# set location_environment
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
# collect exported resources
Letsencrypt::Certonly <<| tag == $location_environment |>>
# statically defined certificate
$domains.each | $domain | {
certbot::cert {$domain:
domain => $domain,
require => Class['letsencrypt'],
}
}
systemd::timer { 'certbot-syncer.timer':
timer_content => epp('certbot/certbot-syncer.timer.epp'),
service_content => epp('certbot/certbot-syncer.service.epp', {
'data_root' => $data_root,
}),
active => true,
enable => true,
require => Class['letsencrypt'],
}
}
-91
@@ -1,91 +0,0 @@
# certbot::nginx
class certbot::nginx (
Stdlib::Absolutepath $data_root = $certbot::data_root,
Stdlib::Fqdn $nginx_vhost = $certbot::nginx_vhost,
Array[Stdlib::Host] $nginx_aliases = $certbot::nginx_aliases,
Stdlib::Port $nginx_port = $certbot::nginx_port,
Stdlib::Port $nginx_ssl_port = $certbot::nginx_ssl_port,
Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
Enum['puppet', 'vault'] $nginx_cert_type = $certbot::nginx_cert_type,
) {
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
mkdir::p {"${data_root}/pub":}
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'www_root' => "${data_root}/pub",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
# manage the nginx class
include nginx
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
}
-40
@@ -1,40 +0,0 @@
# certbot::selinux
class certbot::selinux (
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# set httpd_sys_content_t to all files under the www_root
selinux::fcontext { "${data_root}/pub":
ensure => 'present',
seltype => 'httpd_sys_content_t',
pathspec => "${data_root}/pub(/.*)?",
}
# make sure we can connect to other hosts
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
selboolean { 'rsync_client':
persistent => true,
value => 'on',
}
selboolean { 'rsync_export_all_ro':
persistent => true,
value => 'on',
}
selboolean { 'rsync_full_access':
persistent => true,
value => 'on',
}
exec { "restorecon_${data_root}/pub":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/pub",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/pub"],
}
}
}
@@ -1,8 +0,0 @@
[Unit]
Description=certbot-syncer service
[Service]
Type=oneshot
ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
User=root
Group=root
@@ -1,9 +0,0 @@
[Unit]
Description=certbot-syncer timer
[Timer]
OnCalendar=hourly
Persistent=true
[Install]
WantedBy=timers.target
@@ -1,9 +0,0 @@
# frozen_string_literal: true
require 'facter'
Facter.add(:jellyfin_migration_done) do
setcode do
File.exist?('/etc/sysconfig/jellyfin_migration_done')
end
end
-18
@@ -9,37 +9,19 @@ class networking (
include network include network
include networking::params include networking::params
# manage interfaces
$interfaces.each | $interface, $data | { $interfaces.each | $interface, $data | {
$merged_data = merge($interface_defaults, $data) $merged_data = merge($interface_defaults, $data)
network_config {$interface: network_config {$interface:
* => $merged_data, * => $merged_data,
notify => Exec['networking_reload_network'],
} }
} }
# manage routes
$routes.each | $route, $data | { $routes.each | $route, $data | {
$merged_data = merge($route_defaults, $data) $merged_data = merge($route_defaults, $data)
network_route {$route: network_route {$route:
* => $merged_data, * => $merged_data,
notify => Exec['networking_reload_network'],
} }
} }
# determine which networking service to restart
$restart_command = $facts['os']['family'] ? {
'RedHat' => '/usr/bin/systemctl restart network',
'Debian' => '/usr/bin/systemctl restart networking',
default => fail('Unsupported OS in networking-restart-command'),
}
# restart network/networking only if $restart_networking boolean is true
exec { 'networking_reload_network':
command => $restart_command,
refreshonly => true,
}
# prevent DNS from being overwritten by networkmanager # prevent DNS from being overwritten by networkmanager
if $networking::params::nwmgr_dns_none { if $networking::params::nwmgr_dns_none {
file {'/etc/NetworkManager/conf.d/dns_none.conf': file {'/etc/NetworkManager/conf.d/dns_none.conf':
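Review bot: With `notify => Exec['networking_reload_network']` removed from both `network_config` and `network_route`, and the exec itself deleted below, a changed interface or route file is written to disk but nothing restarts the network service, so the change only takes effect after a reboot or a manual restart. If that is deliberate (no surprise restarts mid-run), say so in the comment above the interface loop, e.g. `# interface/route changes are written only; apply them with a manual network restart`; otherwise keep a restart path, perhaps behind a Boolean parameter. The class header and the rest of the body lie outside the hunk, and the hunk's line counts suggest blank lines were dropped in rendering.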
+15
@@ -0,0 +1,15 @@
class nginxproxy::authproxy {
file { $nginxproxy::auth_ldap_config:
ensure => file,
content => epp('nginxproxy/auth-ldap.py.epp', {
'params' => $nginxproxy::auth_ldap_params
}
),
mode => '0644',
}
#package { 'nginx-auth-ldap':
# ensure => 'present',
# provider => 'pip',
#}
}
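Review bot: The rendered auth-ldap configuration is written with `mode => '0644'` and no `owner`/`group`, so whatever `$nginxproxy::auth_ldap_params` carries — presumably an LDAP bind DN and password for a helper of this kind — is readable by every local account. Tighten it to `mode => '0640'` with `owner => 'root'` and the group nginx runs as, and add `show_diff => false` so a changed password is not echoed into agent logs and reports. The template is named `auth-ldap.py.epp` while the default destination is a `.conf` path; confirm the rendered content is what the consumer of that file expects. Nothing here notifies the nginx service or the auth helper, so an updated config is not picked up until something else restarts them.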
+67
@@ -0,0 +1,67 @@
# manage configuration for nginxproxy
class nginxproxy::config {
$proxyurl = "${nginxproxy::proxy_scheme}://${nginxproxy::proxy_host}:${nginxproxy::proxy_port}${nginxproxy::proxy_path}"
$server_names = unique([$facts['networking']['fqdn'], $nginxproxy::nginx_vhost] + $nginxproxy::nginx_aliases)
case $nginxproxy::nginx_cert_type {
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
}
case $nginxproxy::nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginxproxy::nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginxproxy::nginx_ssl_port
$listen_ssl_port = $nginxproxy::nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginxproxy::nginx_port
$listen_ssl_port = $nginxproxy::nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
}
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_error.log",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
'proxy' => $proxyurl,
}
$nginx_parameters = merge($defaults, $extras_hash)
include 'nginx'
create_resources('nginx::resource::server', { $nginxproxy::nginx_vhost => $nginx_parameters })
}
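Review bot: `'autoindex' => 'on'` is carried over from a static-content vhost but has no purpose on a server whose default location is a `proxy`; if any location ever falls through to a filesystem root it would expose a directory listing, so drop it. The `subscribe => [File[$ssl_cert], File[$ssl_key]]` entries require those File resources to exist in the catalog (managed by whatever deploys the vault or puppet certificates); on a node using `https` or `both` without them, compilation fails, so that dependency deserves a comment such as `# File[...] for the cert/key must be declared by the certificate deployer`. This class repeats the certificate and listen-mode selection of `profiles::nginx::simpleproxy` almost verbatim; a shared helper would keep the two from drifting.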
+38
@@ -0,0 +1,38 @@
# manage a nginx proxy with a wraoper module
class nginxproxy (
Stdlib::Fqdn $nginx_vhost = $nginxproxy::params::nginx_vhost,
Array[Stdlib::Host] $nginx_aliases = $nginxproxy::params::nginx_aliases,
Stdlib::Port $nginx_port = $nginxproxy::params::nginx_port,
Stdlib::Port $nginx_ssl_port = $nginxproxy::params::nginx_ssl_port,
Enum['http','https','both'] $nginx_listen_mode = $nginxproxy::params::nginx_listen_mode,
Enum['puppet', 'vault'] $nginx_cert_type = $nginxproxy::params::nginx_cert_type,
Enum['http','https'] $proxy_scheme = $nginxproxy::params::proxy_scheme,
Stdlib::Port $proxy_port = $nginxproxy::params::proxy_port,
Stdlib::Host $proxy_host = $nginxproxy::params::proxy_host,
String $proxy_path = $nginxproxy::params::proxy_path,
Boolean $simple_mode = $nginxproxy::params::simple_mode,
Array[Hash] $locations = $nginxproxy::params::locations,
Boolean $manage_auth_ldap = $nginxproxy::params::manage_auth_ldap,
Stdlib::Absolutepath $auth_ldap_config = $nginxproxy::params::auth_ldap_config,
Hash $auth_ldap_params = $nginxproxy::params::auth_ldap_params,
) {
if ! $facts['nginx_version'] {
package { 'nginx':
ensure => 'present',
}
} else {
include nginxproxy::config
include nginxproxy::selinux
if $manage_auth_ldap {
include nginxproxy::authproxy
}
if ! $simple_mode {
nginxproxy::locations { 'default':
locations => $locations,
}
}
}
}
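Review bot: The parameter defaults read `$nginxproxy::params::*`, but the class neither declares `inherits nginxproxy::params` nor includes it beforehand, so at evaluation time those variables are unset (a warning, or a failure under strict variables); the `nzbget` class removed in this same commit shows the pattern, `) inherits nginxproxy::params {`. The `if ! $facts['nginx_version']` branch means a fresh node only installs the package on its first run and gets its vhost on the second, during which nginx may serve the distribution default site; a comment stating that two-run convergence is expected would help. Including `nginxproxy::authproxy` drops a config file, but nothing in `nginxproxy::config` references it, so `manage_auth_ldap` does not yet protect any location. The header comment has a typo: `wraoper` → `wrapper`.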
+10
@@ -0,0 +1,10 @@
define nginxproxy::locations (
Array[Hash] $locations = [],
) {
$locations.each |$location| {
nginx::resource::location { $location['path']:
server => $nginxproxy::nginx_vhost,
proxy => $location['proxy'],
}
}
}
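Review bot: Each hash is indexed with `$location['path']` and `$location['proxy']` without validation, so a Hiera entry missing `path` produces an untitled-resource error rather than a clear message; typing the parameter as `Array[Struct[{ path => String[1], proxy => Stdlib::HTTPUrl }]]` (and mirroring it on the class parameter) makes the contract explicit. The define also reads `$nginxproxy::nginx_vhost`, so it only works after the `nginxproxy` class is declared; a one-line comment saying so, e.g. `# requires the nginxproxy class; server is the class vhost`, would save the next caller a confusing failure.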
+18
@@ -0,0 +1,18 @@
# nginxproxy params
class nginxproxy::params (
Stdlib::Fqdn $nginx_vhost = 'localhost',
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
Enum['http','https'] $proxy_scheme = 'http',
Stdlib::Port $proxy_port = 80,
Stdlib::Host $proxy_host = $facts['networking']['ip'],
String $proxy_path = '/',
Boolean $simple_mode = true,
Array[Hash] $locations = [],
Boolean $manage_auth_ldap = false,
Stdlib::Absolutepath $auth_ldap_config = '/etc/nginx/auth-ldap.conf',
Hash $auth_ldap_params = {},
){}
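Review bot: `Hash $auth_ldap_params = {}` is where an LDAP bind password would travel if one is needed, and a plain `Hash` is echoed into catalogs, reports and `--debug` output; declaring the secret-bearing field as `Sensitive` is cheaper now than after the data exists. None of the parameters carries `@param` documentation, unlike the `profiles::metrics::exportarr` class removed in this commit; at least `nginx_listen_mode`, `nginx_cert_type` and `simple_mode` need a line each, since their interplay in `nginxproxy::config` is not obvious from the names.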
+9
@@ -0,0 +1,9 @@
# manage selinux for nginxproxy
class nginxproxy::selinux {
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
}
}
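Review bot: The guard uses the top-scope form `$::facts['os']['selinux']['config_mode']` while the sibling `nginxproxy::config` uses `$facts[...]`; pick one (the `$facts` form is the current idiom) so the module reads consistently. The boolean is the only SELinux setting the proxy needs, so a comment such as `# allow nginx to open outbound connections to the proxied backend` would tell the reader why it is here.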
-6
@@ -1,6 +0,0 @@
class nzbget::config (
$user = $nzbget::params::user,
$group = $nzbget::params::group,
) {
# todo
}
-18
@@ -1,18 +0,0 @@
# manage nzbget
class nzbget (
$packages = $nzbget::params::packages,
$user = $nzbget::params::user,
$group = $nzbget::params::group,
$manage_group = $nzbget::params::manage_group,
$service_enable = $nzbget::params::service_enable,
$service_name = $nzbget::params::service_name,
$bind_address = $sonarr::params::bind_address,
$port = $sonarr::params::port,
) inherits nzbget::params {
include nzbget::install
include nzbget::config
include nzbget::service
Class['nzbget::install'] -> Class['nzbget::config'] -> Class['nzbget::service']
}
-29
@@ -1,29 +0,0 @@
# instsall nzbget
class nzbget::install (
$packages = $nzbget::packages,
$user = $nzbget::user,
$group = $nzbget::group,
$manage_group = $nzbget::manage_group,
) {
$_packages = $packages ? {
Array => true,
default => false,
}
if $_packages {
ensure_packages($packages, {ensure => 'installed'})
}
if $manage_group {
group { $group:
ensure => present,
}
}
user { $user:
ensure => present,
shell => '/sbin/nologin',
groups => $group,
}
}
-11
@@ -1,11 +0,0 @@
# nzbget params
class nzbget::params (
Array[String] $packages = [
'nzbget'
],
String $user = 'nzbget',
String $group = 'nzbget',
Boolean $manage_group = true,
Stdlib::Host $bind_address = '127.0.0.1',
Stdlib::Port $port = 6789,
) { }
-17
@@ -1,17 +0,0 @@
# manage nzbget service
class nzbget::service (
$service_enable = $nzbget::service_enable,
$service_name = $nzbget::service_name,
$user = $nzbget::user,
$group = $nzbget::group,
) {
if $service_enable {
include ::systemd
systemd::unit_file { "${service_name}.service":
content => template('nzbget/nzbget.service.erb'),
enable => true,
active => true,
}
}
}
@@ -1,17 +0,0 @@
[Unit]
Description=<%= @service_name %> Daemon
Documentation=http://nzbget.com/documentation/
After=network.target
[Service]
Type=simple
User=<%= @user %>
Group=<%= @group %>
WorkingDirectory=/var/lib/nzbget
ExecStart=/usr/bin/nzbget -s -c /var/lib/nzbget/nzbget.conf -o OutputMode=log -o WriteLog=none
ExecReload=/usr/bin/nzbget -O -c /var/lib/nzbget/nzbget.conf
ExecStop=/usr/bin/nzbget -Q -c /var/lib/nzbget/nzbget.conf
Restart=on-failure
[Install]
WantedBy=multi-user.target
+1 -1
@@ -16,7 +16,7 @@ class profiles::cobbler::service inherits profiles::cobbler::params {
} }
# ensure tftp is running # ensure tftp is running
service {'tftp.socket': service {'tftp':
ensure => 'running', ensure => 'running',
enable => true, enable => true,
require => Package['cobbler'], require => Package['cobbler'],
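Review bot: Taking the right-hand column as the new side, the managed service changes from `tftp.socket` to `tftp`; on socket-activated tftp packages the `tftp.service` unit typically has no `[Install]` section, so `enable => true` on it can fail with a "no installation config" error while the socket was the unit meant to be enabled. If the intent is to stop relying on socket activation, add a comment saying so and confirm the service can be enabled on the target OS; otherwise keep `tftp.socket`. The class body continues outside the hunk.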
@@ -48,7 +48,6 @@ class profiles::haproxy::server (
require => Class['profiles::haproxy::selinux'] require => Class['profiles::haproxy::selinux']
} }
include certbot::client # download certbot certs
include profiles::haproxy::certlist # manage the certificate list file include profiles::haproxy::certlist # manage the certificate list file
include profiles::haproxy::mappings # manage the domain to backend mappings include profiles::haproxy::mappings # manage the domain to backend mappings
include profiles::haproxy::ls_stats # default status listener include profiles::haproxy::ls_stats # default status listener
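Review bot: Removing `include certbot::client` takes away the only thing on this page that fetched renewed certificates onto the HAProxy node, while `profiles::haproxy::certlist` still points the frontend at a certificate list; unless another mechanism now delivers and rotates those files, the listed certificates will stop being renewed and the frontend will serve expired ones when they lapse. State in the comment on the `certlist` include where the certificates now come from, e.g. `# certificates are delivered by <new mechanism>`. The class body continues outside the hunk.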
-85
@@ -1,15 +1,6 @@
# profiles::media::jellyfin # profiles::media::jellyfin
class profiles::media::jellyfin ( class profiles::media::jellyfin (
Stdlib::Absolutepath $media_root = '/shared/media', Stdlib::Absolutepath $media_root = '/shared/media',
Stdlib::Absolutepath $data_dir = '/data/jellyfin',
Stdlib::Absolutepath $lib_dir = '/data/jellyfin/var/lib',
Stdlib::Absolutepath $cache_dir = '/data/jellyfin/var/cache',
Stdlib::Absolutepath $config_dir = '/data/jellyfin/etc',
Stdlib::Absolutepath $log_dir = '/data/jellyfin/var/log',
Stdlib::Absolutepath $sysconfig_file = '/etc/sysconfig/jellyfin',
Stdlib::Absolutepath $migration_flag = '/etc/sysconfig/jellyfin_migration_done',
String $service_name = 'jellyfin',
Boolean $migrate_data = true,
) { ) {
include profiles::ceph::client include profiles::ceph::client
@@ -37,80 +28,4 @@ class profiles::media::jellyfin (
'fall 2', 'fall 2',
] ]
} }
mkdir::p {[$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir]:}
-> file { [$data_dir, $lib_dir, $cache_dir, $config_dir, $log_dir]:
ensure => directory,
owner => 'jellyfin',
group => 'jellyfin',
mode => '0755',
}
if $migrate_data and ! $facts['jellyfin_migration_done'] {
exec { "stop-${service_name}":
command => "/usr/bin/systemctl stop ${service_name}",
require => File[$sysconfig_file],
}
exec { 'move-jellyfin-lib':
command => "/usr/bin/rsync -av /var/lib/jellyfin/ ${lib_dir}/ && rm -rf /var/lib/jellyfin",
creates => "${lib_dir}/config",
require => [File[$lib_dir], Exec["stop-${service_name}"]],
}
exec { 'move-jellyfin-cache':
command => "/usr/bin/rsync -av /var/cache/jellyfin/ ${cache_dir}/ && rm -rf /var/cache/jellyfin",
creates => "${cache_dir}/config",
require => [File[$cache_dir], Exec["stop-${service_name}"]],
}
exec { 'move-jellyfin-config':
command => "/usr/bin/rsync -av /etc/jellyfin/ ${config_dir}/ && rm -rf /etc/jellyfin",
creates => "${config_dir}/config",
require => [File[$config_dir], Exec["stop-${service_name}"]],
}
exec { 'move-jellyfin-log':
command => "/usr/bin/rsync -av /var/log/jellyfin/ ${log_dir}/ && rm -rf /var/log/jellyfin",
creates => "${log_dir}/config",
require => [File[$log_dir], Exec["stop-${service_name}"]],
}
exec { 'create-migration-flag':
command => "/usr/bin/touch ${migration_flag}",
creates => $migration_flag,
require => [
Exec['move-jellyfin-lib'],
Exec['move-jellyfin-cache'],
Exec['move-jellyfin-config'],
Exec['move-jellyfin-log']
],
}
exec { "start-${service_name}":
command => "/usr/bin/systemctl start ${service_name}",
require => Exec['create-migration-flag'],
}
}
file { $sysconfig_file:
ensure => file,
content => template('profiles/jellyfin/sysconfig.erb'),
notify => [
Systemd::Daemon_reload["${service_name}_service"],
Service[$service_name]
],
}
file { '/etc/systemd/system/jellyfin.service.d/override.conf':
ensure => file,
content => template('profiles/jellyfin/override.conf.erb'),
notify => [
Systemd::Daemon_reload["${service_name}_service"],
Service[$service_name]
],
}
systemd::daemon_reload {"${service_name}_service":}
} }
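Review bot: Dropping the sysconfig override and the `/data/jellyfin` directory management returns the service to its packaged defaults, but any host on which the removed migration had already run had `/var/lib/jellyfin`, `/var/cache/jellyfin`, `/etc/jellyfin` and `/var/log/jellyfin` rsynced to `/data/jellyfin` and then deleted; on those hosts jellyfin will come up with an empty library unless the data is moved back or the override is kept. The removed `jellyfin_migration_done` fact and flag file could be reused to detect such hosts and fail loudly, or the commit message should record the manual step. The class body between the two hunks is outside view.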
-31
@@ -1,31 +0,0 @@
# profiles::media::nzbget
class profiles::media::nzbget (
Stdlib::Absolutepath $media_root = '/shared/media',
) {
include profiles::ceph::client
# manage the sharedvol
profiles::storage::cephfsvol {"${::facts['networking']['fqdn']}_media":
mount => $media_root,
keyring => '/etc/ceph/ceph.client.media.keyring',
cephfs_name => 'media',
cephfs_fs => 'mediafs',
require => Profiles::Ceph::Keyring['media'],
}
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
service => 'be_nzbget',
ports => [443],
options => [
"cookie ${facts['networking']['hostname']}",
'ssl',
'verify none',
'check',
'inter 2s',
'rise 3',
'fall 2',
]
}
}
+3 -3
@@ -3,9 +3,9 @@
# these exporters will be setup on all nodes # these exporters will be setup on all nodes
class profiles::metrics::default ( class profiles::metrics::default (
Boolean $node_exporter = true, Boolean $node_exporter = true,
Boolean $systemd_exporter = false, Boolean $systemd_exporter = true,
) { ) {
if $node_exporter { include prometheus::node_exporter } include prometheus::node_exporter
if $systemd_exporter { include prometheus::systemd_exporter } include prometheus::systemd_exporter
} }
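Review bot: On the new side both `Boolean` parameters survive in the signature but are no longer read — `include prometheus::node_exporter` and `include prometheus::systemd_exporter` run unconditionally — so `$node_exporter = false` in Hiera now silently does nothing. Either restore the guards, `if $node_exporter { include prometheus::node_exporter }` and `if $systemd_exporter { include prometheus::systemd_exporter }`, or drop the parameters so callers get a compile error instead of a surprise. This reads the right-hand column as the new side, consistent with the other sections on this page.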
@@ -1,239 +0,0 @@
# Class: profiles::metrics::exportarr
#
# This module manages exportarr for Prometheus metrics.
#
# @param arch
# Architecture (amd64 or i386)
#
# @param bin_dir
# Directory where binaries are located
#
# @param config_mode
# The permissions of the configuration files
#
# @param download_extension
# Extension for the release binary archive
#
# @param download_url
# Complete URL where the release binary archive can be downloaded
#
# @param download_url_base
# Base URL for the binary archive
#
# @param extra_groups
# Extra groups to add the binary user to
#
# @param extra_options
# Extra options added to the startup command
#
# @param env_vars
# The environment variables to pass to the daemon
#
# @param group
# Group under which the binary is running
#
# @param init_style
# Service startup scripts style (e.g. rc, upstart or systemd)
#
# @param install_method
# Installation method: url or package (only url is supported currently)
#
# @param manage_group
# Whether to create a group or rely on external code for that
#
# @param manage_service
# Should Puppet manage the service? (default true)
#
# @param manage_user
# Whether to create user or rely on external code for that
#
# @param os
# Operating system (linux is the only one supported)
#
# @param package_ensure
# If package, then use this for package ensure (default 'latest')
#
# @param package_name
# The binary package name - not available yet
#
# @param purge_config_dir
# Purge config files no longer generated by Puppet
#
# @param restart_on_change
# Should Puppet restart the service on configuration change? (default true)
#
# @param service_enable
# Whether to enable the service from Puppet (default true)
#
# @param service_ensure
# State ensured for the service (default 'running')
#
# @param service_name
# Name of the exportarr service (default 'exportarr')
#
# @param user
# User which runs the service
#
# @param version
# The binary release version
#
# @param export_scrape_job
# Whether to export a `prometheus::scrape_job` to PuppetDB for
# collecting on your Prometheus server.
#
# @param scrape_job_name
# The name of the scrape job. When configuring Prometheus with this
# Puppet module, the jobs to be collected are configured with
# `prometheus::collect_scrape_jobs`.
#
# @param scrape_port
# The port to use in the scrape job. This won't normally need to be
# changed unless you run the exporter with a non-default port by
# overriding `extra_options`.
#
# @param scrape_job_labels
# Labels to configure on the scrape job. If not set, the
# `prometheus::daemon` default (`{ 'alias' => $scrape_host }`) will
# be used.
#
# @param proxy_server
# Optional proxy server, with port number if needed, e.g., https://example.com:8080
#
# @param proxy_type
# Optional proxy server type (none|http|https|ftp)
#
# @param app
# Application name (e.g., sonarr, radarr, or lidarr)
#
# @param config_path
# Path to Sonarr, Radarr, or Lidarr's config.xml (advanced)
#
# @param api_key
# API Key for Sonarr, Radarr, or Lidarr
#
# @param api_key_file
# API Key file location for Sonarr, Radarr, or Lidarr
#
# @param interface
# The interface IP Exportarr will listen on
#
# @param enable_additional_metrics
# Set to true to enable gathering of additional metrics (slow)
class profiles::metrics::exportarr (
Optional[Stdlib::HTTPSUrl] $download_url = undef,
Array[String[1]] $extra_groups = [],
String[1] $group = 'exportarr',
String[1] $package_ensure = 'latest',
String[1] $package_name = 'exportarr',
String[1] $user = 'exportarr',
String[1] $version = '2.0.1',
Boolean $purge_config_dir = true,
Boolean $restart_on_change = true,
Boolean $service_enable = true,
String[1] $service_ensure = 'running',
String[1] $service_name = 'exportarr',
Prometheus::Initstyle $init_style = $facts['service_provider'],
Prometheus::Install $install_method = 'url',
Boolean $manage_group = true,
Boolean $manage_service = true,
Boolean $manage_user = true,
String[1] $os = downcase($facts['kernel']),
Optional[String[1]] $extra_options = undef,
Hash[String, Scalar] $env_vars = {},
String $download_extension = 'tar.gz',
Stdlib::HTTPSUrl $download_url_base = 'https://github.com/onedr0p/exportarr/releases',
String[1] $config_mode = '0640',
String[1] $arch = $facts['os']['architecture'],
Stdlib::Absolutepath $bin_dir = '/usr/local/bin',
Boolean $export_scrape_job = false,
Stdlib::Port $scrape_port = 9707,
Stdlib::Port $app_port = 8000,
Stdlib::Host $app_addr = '127.0.0.1',
String[1] $scrape_job_name = 'exportarr',
Optional[Hash] $scrape_job_labels = undef,
Optional[String[1]] $proxy_server = undef,
Optional[Enum['none', 'http', 'https', 'ftp']] $proxy_type = undef,
String[1] $app = 'sonarr',
Optional[Stdlib::Absolutepath] $config_path = undef,
String[1] $api_key = '',
Optional[Stdlib::Absolutepath] $api_key_file = undef,
Optional[Stdlib::IP::Address::V4] $interface = undef,
Boolean $enable_additional_metrics = false,
) {
$real_arch = $arch ? {
'x86_64' => 'amd64',
'i386' => '386',
'aarch64' => 'arm64',
'armv7l' => 'armv7',
'armv6l' => 'armv6',
'armv5l' => 'armv5',
default => $arch,
}
# Construct the real download URL if not provided
$real_download_url = pick(
$download_url,
"${download_url_base}/download/v${version}/${package_name}_${version}_${os}_${real_arch}.${download_extension}"
)
# Determine if the service should be notified
$notify_service = $restart_on_change ? {
true => Service[$service_name],
default => undef,
}
# Define the startup options
$startup_options = [
$app,
"--port ${scrape_port}",
"--url http://${app_addr}:${app_port}",
"--api-key ${api_key}",
$extra_options,
]
# Add advanced options if provided
unless $config_path == undef {
$startup_options = concat($startup_options, ["--config ${config_path}"])
}
unless $api_key_file == undef {
$startup_options = concat($startup_options, ["--api-key-file ${api_key_file}"])
}
unless $interface == undef {
$startup_options = concat($startup_options, ["--interface ${interface}"])
}
if $enable_additional_metrics {
$startup_options = concat($startup_options, ['--enable-additional-metrics'])
}
prometheus::daemon { $service_name:
install_method => $install_method,
version => $version,
download_extension => $download_extension,
os => $os,
arch => $arch,
real_download_url => $real_download_url,
bin_dir => $bin_dir,
notify_service => $notify_service,
package_name => $package_name,
package_ensure => $package_ensure,
manage_user => $manage_user,
user => $user,
extra_groups => $extra_groups,
group => $group,
manage_group => $manage_group,
purge => $purge_config_dir,
options => join($startup_options, ' '),
env_vars => $env_vars,
init_style => $init_style,
service_ensure => $service_ensure,
service_enable => $service_enable,
manage_service => $manage_service,
export_scrape_job => $export_scrape_job,
scrape_port => $scrape_port,
scrape_job_name => $scrape_job_name,
scrape_job_labels => $scrape_job_labels,
proxy_server => $proxy_server,
proxy_type => $proxy_type,
}
}
-72
@@ -1,72 +0,0 @@
class profiles::nginx::ldapauth (
Stdlib::AbsolutePath $bin_path = '/usr/local/bin/nginx-ldap-auth',
Stdlib::AbsolutePath $env_path = '/etc/default/nginx-ldap-auth',
String $user = 'nginx-ldap-auth',
String $group = 'nginx-ldap-auth',
Boolean $systempkgs = false,
String $version = 'system',
Hash $packages = {
'python3.11-ldap' => { ensure => 'present' }
}
){
if $::facts['python3_version'] {
$python_version = $version ? {
'system' => $::facts['python3_version'],
default => $version,
}
ensure_resources('package', $packages)
# Deploy the default configuration file using a template
file { $env_path:
ensure => file,
content => template('profiles/ldapauth/nginx-ldap-auth.default.erb'),
}
# Deploy the daemon script using a template
file { $bin_path:
ensure => file,
content => template('profiles/ldapauth/nginx-ldap-auth-daemon.py.erb'),
mode => '0755',
}
# Manage user and group
group { $group:
ensure => present,
system => true,
}
user { $user:
ensure => present,
comment => 'nginx-ldap-auth helper',
gid => $group,
shell => '/sbin/nologin',
system => true,
require => Group[$group],
}
# Create log directory for nginx-ldap-auth
file { '/var/log/nginx-ldap-auth':
ensure => directory,
owner => $user,
group => $group,
mode => '0755',
require => User[$user],
}
# Ensure the systemd service is enabled and started
systemd::unit_file { 'nginx-ldap-auth.service':
content => template('profiles/ldapauth/nginx-ldap-auth.service.erb'),
enable => true,
active => true,
require => [
File[$bin_path],
File[$env_path],
User[$user],
],
}
}
}
+2 -22
@@ -12,8 +12,6 @@ class profiles::nginx::simpleproxy (
Stdlib::Port $proxy_port = 80, Stdlib::Port $proxy_port = 80,
Stdlib::Host $proxy_host = $facts['networking']['ip'], Stdlib::Host $proxy_host = $facts['networking']['ip'],
String $proxy_path = '/', String $proxy_path = '/',
Boolean $use_default_location = true,
Hash $locations = {},
) { ) {
# if nginx_version isnt set, install nginx # if nginx_version isnt set, install nginx
@@ -85,7 +83,7 @@ class profiles::nginx::simpleproxy (
$defaults = { $defaults = {
'listen_port' => $listen_port, 'listen_port' => $listen_port,
'server_name' => $server_names, 'server_name' => $server_names,
'use_default_location' => $use_default_location, 'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'autoindex' => 'on', 'autoindex' => 'on',
@@ -99,30 +97,12 @@ class profiles::nginx::simpleproxy (
# merge the hashes conditionally # merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash) $nginx_parameters = merge($defaults, $extras_hash)
mkdir::p {'/var/cache/nginx':
before => Class['nginx'],
}
# manage the nginx class # manage the nginx class
class { 'nginx': include 'nginx'
proxy_cache_path => {
'/var/cache/nginx/cache' => 'cache:128m',
},
proxy_cache_levels => '1:2',
proxy_cache_keys_zone => 'cache:128m',
proxy_cache_max_size => '1024m',
proxy_cache_inactive => '10m',
proxy_temp_path => '/var/cache/nginx/cache_temp',
}
# create the nginx vhost with the merged parameters # create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
# create nginx locations
if $use_default_location == false {
create_resources('nginx::resource::location', $locations)
}
# manage selinux # manage selinux
if $::facts['os']['selinux']['config_mode'] == 'enforcing' { if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
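Review bot: Removing `use_default_location` and `locations` from the signature means any Hiera data still supplying `profiles::nginx::simpleproxy::locations` or `profiles::nginx::simpleproxy::use_default_location` will now fail catalog compilation as unknown parameters; grep the hieradata for those keys before merging, or keep them for a deprecation cycle. The switch from the resource-like `class { 'nginx': proxy_cache_* }` declaration to `include 'nginx'` also silently drops the proxy cache configuration and the `/var/cache/nginx` directory, a behaviour change the commit message does not mention. The location support removed here is reintroduced by `nginxproxy::locations` in the same commit; a comment pointing users of this class there, e.g. `# location-level proxying lives in the nginxproxy module`, would help. The class continues outside the hunks.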
@@ -1,8 +0,0 @@
# Jellyfin systemd configuration options
# Use this file to override the user or environment file location.
[Service]
#User = jellyfin
EnvironmentFile = <%= @environment_file %>
WorkingDirectory = <%= @lib_dir %>
@@ -1,38 +0,0 @@
# Jellyfin default configuration options
# Use this file to override the default configurations; add additional
# options with JELLYFIN_ADD_OPTS.
# To override the user or this config file's location, use
# /etc/systemd/system/jellyfin.service.d/override.conf
#
# This is a POSIX shell fragment
#
#
# General options
#
# Program directories
JELLYFIN_DATA_DIR="<%= @lib_dir %>"
JELLYFIN_CONFIG_DIR="<%= @config_dir %>"
JELLYFIN_LOG_DIR="<%= @log_dir %>"
JELLYFIN_CACHE_DIR="<%= @cache_dir %>"
# web client path, installed by the jellyfin-web package
JELLYFIN_WEB_OPT="--webdir=/usr/share/jellyfin-web"
# [OPTIONAL] ffmpeg binary paths, overriding the UI-configured values
#JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/bin/ffmpeg"
# [OPTIONAL] run Jellyfin as a headless service
#JELLYFIN_SERVICE_OPT="--service"
# [OPTIONAL] run Jellyfin without the web app
#JELLYFIN_NOWEBAPP_OPT="--noautorunwebapp"
# [OPTIONAL] run Jellyfin with ASP.NET Server Garbage Collection (uses more RAM and less CPU than Workstation GC)
# 0 = Workstation
# 1 = Server
#COMPlus_gcServer=1
@@ -1,351 +0,0 @@
#!/bin/sh
''''[ -z $LOG ] && export LOG=/dev/stdout # '''
''''which python3.11 >/dev/null && exec python3.11 -u "$0" "$@" >> $LOG 2>&1 # '''
# Copyright (C) 2014-2022 Nginx, Inc.
import sys
import os
import signal
import base64
import ldap
from ldap.filter import escape_filter_chars
import argparse
if sys.version_info.major == 2:
from Cookie import BaseCookie
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
elif sys.version_info.major == 3:
from http.cookies import BaseCookie
from http.server import HTTPServer, BaseHTTPRequestHandler
if not hasattr(__builtins__, "basestring"): basestring = (str, bytes)
#Listen = ('localhost', 8888)
#Listen = "/tmp/auth.sock" # Also uncomment lines in 'Requests are
# processed with UNIX sockets' section below
# -----------------------------------------------------------------------------
# Different request processing models: select one
# -----------------------------------------------------------------------------
# Requests are processed in separate thread
import threading
if sys.version_info.major == 2:
from SocketServer import ThreadingMixIn
elif sys.version_info.major == 3:
from socketserver import ThreadingMixIn
class AuthHTTPServer(ThreadingMixIn, HTTPServer):
pass
# -----------------------------------------------------------------------------
# Requests are processed in separate process
#from SocketServer import ForkingMixIn
#class AuthHTTPServer(ForkingMixIn, HTTPServer):
# pass
# -----------------------------------------------------------------------------
# Requests are processed with UNIX sockets
#import threading
#from SocketServer import ThreadingUnixStreamServer
#class AuthHTTPServer(ThreadingUnixStreamServer, HTTPServer):
# pass
# -----------------------------------------------------------------------------
class AuthHandler(BaseHTTPRequestHandler):
# Return True if request is processed and response sent, otherwise False
# Set ctx['user'] and ctx['pass'] for authentication
def do_GET(self):
ctx = self.ctx
ctx['action'] = 'input parameters check'
for k, v in self.get_params().items():
ctx[k] = self.headers.get(v[0], v[1])
if ctx[k] == None:
self.auth_failed(ctx, 'required "%s" header was not passed' % k)
return True
ctx['action'] = 'performing authorization'
auth_header = self.headers.get('Authorization')
auth_cookie = self.get_cookie(ctx['cookiename'])
if auth_cookie != None and auth_cookie != '':
auth_header = "Basic " + auth_cookie
self.log_message("using username/password from cookie %s" %
ctx['cookiename'])
else:
self.log_message("using username/password from authorization header")
if auth_header is None or not auth_header.lower().startswith('basic '):
self.send_response(401)
self.send_header('WWW-Authenticate', 'Basic realm="' + ctx['realm'] + '"')
self.send_header('Cache-Control', 'no-cache')
self.end_headers()
return True
ctx['action'] = 'decoding credentials'
try:
auth_decoded = base64.b64decode(auth_header[6:])
if sys.version_info.major == 3: auth_decoded = auth_decoded.decode("utf-8")
user, passwd = auth_decoded.split(':', 1)
except:
self.auth_failed(ctx)
return True
ctx['pass'] = passwd
ctx['user'] = ldap.filter.escape_filter_chars(user)
# Continue request processing
return False
def get_cookie(self, name):
cookies = self.headers.get('Cookie')
if cookies:
authcookie = BaseCookie(cookies).get(name)
if authcookie:
return authcookie.value
else:
return None
else:
return None
# Log the error and complete the request with appropriate status
def auth_failed(self, ctx, errmsg = None):
msg = 'Error while ' + ctx['action']
if errmsg:
msg += ': ' + errmsg
ex, value, trace = sys.exc_info()
if ex != None:
msg += ": " + str(value)
if ctx.get('url'):
msg += ', server="%s"' % ctx['url']
if ctx.get('user'):
msg += ', login="%s"' % ctx['user']
self.log_error(msg)
self.send_response(401)
self.send_header('WWW-Authenticate', 'Basic realm="' + ctx['realm'] + '"')
self.send_header('Cache-Control', 'no-cache')
self.end_headers()
def get_params(self):
return {}
def log_message(self, format, *args):
if len(self.client_address) > 0:
addr = BaseHTTPRequestHandler.address_string(self)
else:
addr = "-"
if not hasattr(self, 'ctx'):
user = '-'
else:
user = self.ctx['user']
sys.stdout.write("%s - %s [%s] %s\n" % (addr, user,
self.log_date_time_string(), format % args))
def log_error(self, format, *args):
self.log_message(format, *args)
# Verify username/password against LDAP server
class LDAPAuthHandler(AuthHandler):
# Parameters to put into self.ctx from the HTTP header of auth request
params = {
# parameter header default
'realm': ('X-Ldap-Realm', 'Restricted'),
'url': ('X-Ldap-URL', None),
'starttls': ('X-Ldap-Starttls', 'false'),
'disable_referrals': ('X-Ldap-DisableReferrals', 'false'),
'basedn': ('X-Ldap-BaseDN', None),
'template': ('X-Ldap-Template', '(cn=%(username)s)'),
'binddn': ('X-Ldap-BindDN', ''),
'bindpasswd': ('X-Ldap-BindPass', ''),
'cookiename': ('X-CookieName', '')
}
@classmethod
def set_params(cls, params):
cls.params = params
def get_params(self):
return self.params
# GET handler for the authentication request
def do_GET(self):
ctx = dict()
self.ctx = ctx
ctx['action'] = 'initializing basic auth handler'
ctx['user'] = '-'
if AuthHandler.do_GET(self):
# request already processed
return
ctx['action'] = 'empty password check'
if not ctx['pass']:
self.auth_failed(ctx, 'attempt to use empty password')
return
try:
# check that uri and baseDn are set
# either from cli or a request
if not ctx['url']:
self.log_message('LDAP URL is not set!')
return
if not ctx['basedn']:
self.log_message('LDAP baseDN is not set!')
return
ctx['action'] = 'initializing LDAP connection'
ldap_obj = ldap.initialize(ctx['url']);
# Python-ldap module documentation advises to always
# explicitely set the LDAP version to use after running
# initialize() and recommends using LDAPv3. (LDAPv2 is
# deprecated since 2003 as per RFC3494)
#
# Also, the STARTTLS extension requires the
# use of LDAPv3 (RFC2830).
ldap_obj.protocol_version=ldap.VERSION3
# Establish a STARTTLS connection if required by the
# headers.
if ctx['starttls'] == 'true':
ldap_obj.start_tls_s()
# See https://www.python-ldap.org/en/latest/faq.html
if ctx['disable_referrals'] == 'true':
ldap_obj.set_option(ldap.OPT_REFERRALS, 0)
ctx['action'] = 'binding as search user'
ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE)
ctx['action'] = 'preparing search filter'
searchfilter = ctx['template'] % {'username': ctx['user']}
self.log_message(('searching on server "%s" with base dn ' + \
'"%s" with filter "%s"') %
(ctx['url'], ctx['basedn'], searchfilter))
ctx['action'] = 'running search query'
results = ldap_obj.search_s(ctx['basedn'], ldap.SCOPE_SUBTREE,
searchfilter, ['objectclass'], 1)
ctx['action'] = 'verifying search query results'
nres = len(results)
if nres < 1:
self.auth_failed(ctx, 'no objects found')
return
if nres > 1:
self.log_message("note: filter match multiple objects: %d, using first" % nres)
user_entry = results[0]
ldap_dn = user_entry[0]
if ldap_dn == None:
self.auth_failed(ctx, 'matched object has no dn')
return
self.log_message('attempting to bind using dn "%s"' % (ldap_dn))
ctx['action'] = 'binding as an existing user "%s"' % ldap_dn
ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE)
self.log_message('Auth OK for user "%s"' % (ctx['user']))
# Successfully authenticated user
self.send_response(200)
self.end_headers()
except:
self.auth_failed(ctx)
def exit_handler(signal, frame):
global Listen
if isinstance(Listen, basestring):
try:
os.unlink(Listen)
except:
ex, value, trace = sys.exc_info()
sys.stderr.write('Failed to remove socket "%s": %s\n' %
(Listen, str(value)))
sys.stderr.flush()
sys.exit(0)
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description="""Simple Nginx LDAP authentication helper.""")
# Group for listen options:
group = parser.add_argument_group("Listen options")
group.add_argument('--host', metavar="hostname",
default="localhost", help="host to bind (Default: localhost)")
group.add_argument('-p', '--port', metavar="port", type=int,
default=8888, help="port to bind (Default: 8888)")
# ldap options:
group = parser.add_argument_group(title="LDAP options")
group.add_argument('-u', '--url', metavar="URL",
default="ldap://localhost:389",
help=("LDAP URI to query (Default: ldap://localhost:389)"))
group.add_argument('-s', '--starttls', metavar="starttls",
default="false",
help=("Establish a STARTTLS protected session (Default: false)"))
group.add_argument('--disable-referrals', metavar="disable_referrals",
default="false",
help=("Sets ldap.OPT_REFERRALS to zero (Default: false)"))
group.add_argument('-b', metavar="baseDn", dest="basedn", default='',
help="LDAP base dn (Default: unset)")
group.add_argument('-D', metavar="bindDn", dest="binddn", default='',
help="LDAP bind DN (Default: anonymous)")
group.add_argument('-w', metavar="passwd", dest="bindpw", default='',
help="LDAP password for the bind DN (Default: unset)")
group.add_argument('-f', '--filter', metavar='filter',
default='(cn=%(username)s)',
help="LDAP filter (Default: cn=%%(username)s)")
# http options:
group = parser.add_argument_group(title="HTTP options")
group.add_argument('-R', '--realm', metavar='"Restricted Area"',
default="Restricted", help='HTTP auth realm (Default: "Restricted")')
group.add_argument('-c', '--cookie', metavar="cookiename",
default="", help="HTTP cookie name to set in (Default: unset)")
args = parser.parse_args()
global Listen
Listen = (args.host, args.port)
auth_params = {
'realm': ('X-Ldap-Realm', args.realm),
'url': ('X-Ldap-URL', args.url),
'starttls': ('X-Ldap-Starttls', args.starttls),
'disable_referrals': ('X-Ldap-DisableReferrals', args.disable_referrals),
'basedn': ('X-Ldap-BaseDN', args.basedn),
'template': ('X-Ldap-Template', args.filter),
'binddn': ('X-Ldap-BindDN', args.binddn),
'bindpasswd': ('X-Ldap-BindPass', args.bindpw),
'cookiename': ('X-CookieName', args.cookie)
}
LDAPAuthHandler.set_params(auth_params)
server = AuthHTTPServer(Listen, LDAPAuthHandler)
signal.signal(signal.SIGINT, exit_handler)
signal.signal(signal.SIGTERM, exit_handler)
sys.stdout.write("Start listening on %s:%d...\n" % Listen)
sys.stdout.flush()
server.serve_forever()
@@ -1,18 +0,0 @@
#
# these are used with systemd too
# so please keep options names inside variables
#
#URL="--url ldap://example.com:389"
#BASE="-b dc=nodomain"
#BIND_DN="-D cn=admin,dc=nodomain"
#BIND_PASS="-w secret"
#COOKIE="-c nginxauth"
#FILTER="-f (cn=%(username)s)"
#REALM="-R 'Restricted Area'"
# these are used with init scripts only
LOG=/var/log/nginx-ldap-auth/daemon.log
RUNDIR=/var/run/nginx-ldap-auth/
PIDFILE=/var/run/nginx-ldap-auth/nginx-ldap-auth.pid
USER=<%= @user %>
GROUP=<%= @group %>
@@ -1,17 +0,0 @@
[Unit]
Description=LDAP authentication helper for Nginx
After=network.target network-online.target
[Service]
Type=simple
User=<%= @user %>
Group=<%= @group %>
WorkingDirectory=/var/run
EnvironmentFile=<%= @env_path %>
ExecStart=<%= @bin_path %> $URL $BASE $BIND_DN $BIND_PASS $COOKIE $FILTER $REALM
KillMode=process
KillSignal=SIGINT
Restart=on-failure
[Install]
WantedBy=multi-user.target
@@ -6,7 +6,6 @@ class roles::apps::media::jellyfin {
}else{ }else{
include profiles::defaults include profiles::defaults
include profiles::base include profiles::base
include profiles::base::datavol
include profiles::media::jellyfin include profiles::media::jellyfin
} }
} }
-10
@@ -1,10 +0,0 @@
# a role to deploy a certbot server
class roles::infra::pki::certbot {
if $facts['firstrun'] {
include profiles::defaults
include profiles::firstrun::init
}else{
include profiles::defaults
include profiles::base
}
}