---
# Hiera data for an HAProxy node: DNS records it owns, host->backend maps,
# the two frontends (fe_http / fe_https), the backends, and the TLS
# certificate inventory (Let's Encrypt via certbot plus a Vault-issued cert).
#
# Security-relevant reading order: fe_https.options.http-request holds the
# only source-IP restriction in this file; everything else is routed purely
# on the Host header via the map files.

# VIP the DNS records point at; resolved from another hiera key.
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"

# Names published against the VRRP/anycast address. The two au-syd1-pve
# names are deliberately (presumably) listed under dns::cnames below instead.
profiles::haproxy::dns::vrrp_cnames:
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - git.unkin.net
  - fafflix.unkin.net
  - grafana.unkin.net
  - dashboard.ceph.unkin.net

# Host -> backend map files consumed by the use_backend rules below
# (/etc/haproxy/fe_http.map and /etc/haproxy/fe_https.map).
# NOTE: the fe_http and fe_https lists are identical and must be kept in sync
# by hand; a host present in one but not the other silently falls through to
# be_default on that frontend.
profiles::haproxy::mappings:
  fe_http:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
  fe_https:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'

profiles::haproxy::frontends:
  # Plain-HTTP frontend: no ACLs or deny rules of its own. Every backend in
  # this file carries 'redirect scheme https if !{ ssl_fc }', so cleartext
  # requests are bounced to HTTPS before reaching a server.
  fe_http:
    options:
      use_backend:
        # Host header is lower-cased before the map lookup; unknown hosts go
        # to be_default, which is defined outside this file.
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
  fe_https:
    options:
      acl:
        # One ACL per published hostname; used below only to scope the
        # X-Frame-Options response header. '-i' makes the match
        # case-insensitive, mirroring the 'lower' in the map lookup.
        - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
        - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
        - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
        - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
        - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
        - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
        - 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_gitea req.hdr(host) -i git.unkin.net'
        - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
        - 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
        # Trusted client ranges, matched on the TCP peer address ('src').
        # NOTE(review): if another proxy or NAT sits in front of this node,
        # 'src' is that hop, not the end client -- confirm the topology.
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
      http-request:
        # Only the Proxmox web UI host is restricted to internal subnets.
        # NOTE(review): au-syd1-pve-api.main.unkin.net is mapped to
        # be_ausyd1pve_api above but is NOT covered by this deny (hdr_dom
        # on au-syd1-pve.main.unkin.net does not match the -api label), so
        # the API hostname stays reachable from any source -- confirm that
        # is intended.
        - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
      http-response:
        # Anti-clickjacking header, applied per known hostname rather than
        # unconditionally (requests routed to be_default get none).
        - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
        - 'set-header X-Frame-Options DENY if acl_sonarr'
        - 'set-header X-Frame-Options DENY if acl_radarr'
        - 'set-header X-Frame-Options DENY if acl_lidarr'
        - 'set-header X-Frame-Options DENY if acl_readarr'
        - 'set-header X-Frame-Options DENY if acl_prowlarr'
        - 'set-header X-Frame-Options DENY if acl_nzbget'
        - 'set-header X-Frame-Options DENY if acl_jellyfin'
        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Frame-Options DENY if acl_gitea'
        - 'set-header X-Frame-Options DENY if acl_grafana'
        - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
        - 'set-header X-Content-Type-Options nosniff'
        # NOTE(review): X-XSS-Protection is ignored by current browsers and
        # its legacy filter mode has known side effects; current guidance is
        # to rely on a Content-Security-Policy instead. No HSTS header is
        # set here either, although every backend forces HTTPS -- consider
        # adding Strict-Transport-Security on this frontend.
        - 'set-header X-XSS-Protection 1;mode=block'

# Backends. Common shape for all of them:
#   - 'forwardfor' adds X-Forwarded-For; the upstream apps should only trust
#     that header when the request arrives from this proxy.
#   - X-Forwarded-Port / X-Forwarded-Proto are set so apps behind TLS
#     termination build correct absolute URLs.
#   - 'redirect scheme https if !{ ssl_fc }' enforces HTTPS at the backend.
#   - 'cookie SRVNAME insert indirect nocache' pins a client to one server.
# Server lists are not in this file (collect_exported: false; populated by a
# custom function, per the inline comments).
profiles::haproxy::backends:
  be_ausyd1pve_web:
    description: Backend for au-syd1 pve cluster (Web)
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  # API-only backend: same servers (presumably) but no session cookie.
  be_ausyd1pve_api:
    description: Backend for au-syd1 pve cluster (API only)
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  # The *arr / nzbget backends health-check /consul/health rather than the
  # app root, so a host is only marked up when its local Consul agent
  # answers -- TODO confirm that this is what the endpoint reports.
  be_sonarr:
    description: Backend for au-syd1 sonarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_radarr:
    description: Backend for au-syd1 radarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_lidarr:
    description: Backend for au-syd1 lidarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_readarr:
    description: Backend for au-syd1 readarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_prowlarr:
    description: Backend for au-syd1 prowlarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_nzbget:
    description: Backend for au-syd1 nzbget
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  # Serves both jellyfin.main.unkin.net and fafflix.unkin.net (see mappings).
  be_jellyfin:
    description: Backend for au-syd1 jellyfin
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  # gitea/grafana/ceph additionally keep a per-source-IP stick table so a
  # client returns to the same server even without the cookie (e.g. API or
  # non-browser clients).
  be_gitea:
    description: Backend for gitea cluster
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
  be_grafana:
    description: Backend for grafana nodes
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
  # Ceph mgr dashboard listens on 9443, hence the different dst_port test
  # for X-Forwarded-Proto; health check also requires an explicit 200.
  be_ceph_dashboard:
    description: Backend for Ceph Dashboard from Mgr instances
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-check:
        - expect status 200
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 9443 }
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'

# TLS certificate list for the HTTPS bind. HAProxy selects by SNI from this
# list; the Vault-issued cert is last and covers the alt_names below (notably
# jellyfin.main.unkin.net, which has no Let's Encrypt entry here).
# The combined PEMs presumably contain the private key -- keep this
# directory readable by the haproxy user only.
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/vault/certificate.pem

# additional altnames (SANs requested on the Vault-issued certificate)
profiles::pki::vault::alt_names:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - jellyfin.main.unkin.net

# additional cnames (published separately from the VRRP list above)
profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net

# letsencrypt certificates: certbot reloads the haproxy service on renewal.
# This list should match the letsencrypt entries in certlist::certificates;
# a name added to one but not the other will serve a stale or missing cert.
certbot::client::service: haproxy
certbot::client::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - fafflix.unkin.net
  - git.unkin.net
  - grafana.unkin.net
  - dashboard.ceph.unkin.net