hieradata/roles/apps/media/sonarr.eyaml

@@ -1 +1,2 @@
 sonarr::api_key: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEANhwc0Vk0htkacwqGA/ZEVR7hpC1V2+nyP3lxyqkVNWERdcIsoMjlfwp2QNoLVirALY10Kon1wKXiRLT+QOqF9aTapS2Vb2YH3ZujR5yT6T1z4e0o4EA3IlNJZemVIziIqrK8+8zZzVafYdOYwMwpbc5EzoJPBtdqNHbDaQu4bRTCp2yMISTOzFjZpOoEJlRyC8YrffNU2xzA5mh5Cw+00MdIfPd8enrCnA4b1ddqP/IsfEYRt91ANQBULwKC5wenKdJAN5qKSKW6KU9TUM5YvGvUPgTvcYgXNf3/INL6G3/HwISTE5A7S6lqwYLyRTT1fMHtgDIqS936DPqCdAZtzjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBZ4e3jAM0zvV43IrCzQOGIgDBwOWgm+wJG+jAU8r1awWDvzQXgF3h65nAKfoOuGEztsjeBEruU4EmZy6llLbfSSb8=]
+ldap_bindpass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAF5/sP43SJX/FB6cAS0GPqxC78JS7jSNKoUqWB/IXkv8uXYiClqk+Xw4nFx8EtknNn628DHBY3vCLQ59Xk89p0fyimP70m3BM6or5iRGdCqEAOzL399GbYX8WFHjyQRBmGdaLR5h2r5UnmjuPpDtV+fgsqxo4gNpXnuQ+46ZZPQce/dzHzux+4aEK4Q6UbD/ZZSQklD6zEUV+Agj6E9cQlJPBiHtTyUdXOYHYlJN1HhFPXu3C6KIz63YioVCah1n6T/rJtPQ07pVUfizIaJiPpzcUN91+ZWyyjUPo0bRGZtYKVs/uCAYXht4F5ttKQDaGa3wd4a5IdtacmEWQWFqk3TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDtB/68xkjxK3nrNh0MilACgDDt85aBvSp/Oj9EY67eNPr+JcnQ7WfyuqAYAnmYqfbQI8MDtYAx7br0+inJXvQ1BvI=]

hieradata/roles/apps/media/sonarr.yaml

@@ -2,6 +2,7 @@
 hiera_include:
   - sonarr
   - profiles::nginx::simpleproxy
+  - profiles::nginx::ldapauth
 
 # manage sonarr
 sonarr::params::user: sonarr
@@ -27,9 +28,88 @@ profiles::nginx::simpleproxy::nginx_aliases:
 profiles::nginx::simpleproxy::proxy_port: 8000
 profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
 profiles::nginx::simpleproxy::proxy_path: '/'
+profiles::nginx::simpleproxy::use_default_location: false
+nginx::client_max_body_size: 20M
+
+ldap_host: 'ldap.service.consul'
+ldap_basedn: 'dc=main,dc=unkin,dc=net'
+ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
+ldap_template: '(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net)'
+
+profiles::nginx::simpleproxy::locations:
+  # authentication proxy
+  authproxy:
+    ensure: 'present'
+    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
+    ssl_only: true
+    internal: true
+    location: '= /auth-proxy'
+    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
+    proxy_set_header:
+      - 'Content-Length ""'
+      - "X-Ldap-URL ldap://%{lookup('ldap_host')}"
+      - 'X-Ldap-Starttls "false"'
+      - "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
+      - "X-Ldap-BindDN %{lookup('ldap_binddn')}"
+      - "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
+      - 'X-CookieName "nginxauth"'
+      - 'Cookie nginxauth=$cookie_nginxauth'
+      - "X-Ldap-Template %{lookup('ldap_template')}"
+      - 'X-Ldap-Realm "Restricted"'
+    proxy_cache: 'cache'
+    proxy_cache_valid: '200 10m'
+    proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
+    location_cfg_append:
+      proxy_pass_request_body: 'off'
+  # sonarr health checks by consul
+  sonarr_web_consul:
+    ensure: 'present'
+    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
+    ssl_only: true
+    location: '/consul/health'
+    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
+    proxy_set_header:
+      - 'Host $host'
+      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
+      - 'X-Forwarded-Host $host'
+      - 'X-Forwarded-Proto $scheme'
+      - 'Upgrade $http_upgrade'
+      - 'Connection $http_connection'
+    proxy_redirect: 'off'
+    proxy_http_version: '1.1'
+    location_allow:
+      - 127.0.0.1
+      - "%{facts.networking.ip}"
+    location_deny:
+      - all
+  # authorised sonarr access from external
+  sonarr_web_external:
+    ensure: 'present'
+    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
+    ssl_only: true
+    location: '/'
+    auth_request: '/auth-proxy'
+    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
+    proxy_set_header:
+      - 'Host $host'
+      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
+      - 'X-Forwarded-Host $host'
+      - 'X-Forwarded-Proto $scheme'
+      - 'Upgrade $http_upgrade'
+      - 'Connection $http_connection'
+    proxy_redirect: 'off'
+    proxy_http_version: '1.1'
+  # location for sonarr api, which should be accessible without authentication
+  sonarr_api:
+    ensure: 'present'
+    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
+    ssl_only: true
+    location: '~ /api'
+    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
+    location_cfg_append:
+      client_max_body_size: '10m'
 
 # configure consul service
-nginx::client_max_body_size: 10M
 consul::services:
   sonarr:
     service_name: 'sonarr'
@@ -41,7 +121,7 @@ consul::services:
     checks:
       - id: 'sonarr_http_check'
         name: 'Sonarr HTTP Check'
-        http: "https://%{facts.networking.fqdn}:443"
+        http: "https://%{facts.networking.fqdn}:443/consul/health"
         method: 'GET'
         tls_skip_verify: true
         interval: '10s'