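---
# Hiera data for a Sonarr node: installs Sonarr, fronts it with an nginx
# reverse proxy that enforces LDAP authentication through an auth_request
# sub-request, and registers the service and its health check in Consul.
hiera_include:
  - sonarr
  - profiles::nginx::simpleproxy
  - profiles::nginx::ldapauth

# manage sonarr
sonarr::params::user: sonarr
sonarr::params::group: media
sonarr::params::manage_group: false
# quoted so the version can never be re-typed by a YAML parser
sonarr::params::archive_version: '4.0.5'
sonarr::params::port: 8000

# additional altnames
profiles::pki::vault::alt_names:
  - sonarr.main.unkin.net
  - sonarr.service.consul
  - sonarr.query.consul
  - "sonarr.service.%{facts.country}-%{facts.region}.consul"

# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
  - sonarr.main.unkin.net
  - sonarr.service.consul
  - sonarr.query.consul
  - "sonarr.service.%{facts.country}-%{facts.region}.consul"
profiles::nginx::simpleproxy::proxy_port: 8000
# upstream is addressed on loopback by every location below
profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
profiles::nginx::simpleproxy::proxy_path: '/'
# the default location is disabled; all routing comes from the explicit
# locations hash below
profiles::nginx::simpleproxy::use_default_location: false
nginx::client_max_body_size: '20M'

# LDAP settings consumed by the authproxy location through lookup().
# ldap_bindpass is looked up below but not defined in this file; presumably
# it comes from an encrypted or otherwise restricted hierarchy level.
# TODO confirm it is never stored in plaintext data.
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
# only members of the sonarr_access group pass the directory search
ldap_template: '(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net)'

profiles::nginx::simpleproxy::locations:
  # authentication proxy
  # internal-only location, so clients cannot request /auth-proxy directly;
  # it is reached only through auth_request from sonarr_web_external.
  authproxy:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    internal: true
    location: '= /auth-proxy'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
    proxy_set_header:
      - 'Content-Length ""'
      # NOTE(review): plain ldap:// together with X-Ldap-Starttls "false"
      # means the bind password and the users' credentials presumably
      # reach ldap_host unencrypted. Confirm whether the directory offers
      # StartTLS or ldaps and enable it if so.
      - "X-Ldap-URL ldap://%{lookup('ldap_host')}"
      - 'X-Ldap-Starttls "false"'
      - "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
      - "X-Ldap-BindDN %{lookup('ldap_binddn')}"
      # NOTE(review): the secret is interpolated unquoted into an nginx
      # directive and so ends up in the rendered nginx configuration;
      # check that file's permissions, and that the value contains no
      # whitespace or nginx metacharacters.
      - "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
      - 'X-CookieName "nginxauth"'
      - 'Cookie nginxauth=$cookie_nginxauth'
      - "X-Ldap-Template %{lookup('ldap_template')}"
      - 'X-Ldap-Realm "Restricted"'
    # Successful (200) auth answers are cached for 10 minutes, keyed on
    # the Authorization header plus the auth cookie. A removed group
    # membership or changed password can therefore stay valid for up to
    # that window; shorten it if faster revocation is needed.
    proxy_cache: 'cache'
    proxy_cache_valid: '200 10m'
    proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
    location_cfg_append:
      # the auth sub-request carries no body (Content-Length is blanked)
      proxy_pass_request_body: 'off'

  # sonarr health checks by consul
  # no auth_request here; access is limited to loopback and the node's
  # own address, everything else is denied.
  sonarr_web_consul:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '/consul/health'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    proxy_set_header:
      - 'Host $host'
      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
      - 'X-Forwarded-Host $host'
      - 'X-Forwarded-Proto $scheme'
      - 'Upgrade $http_upgrade'
      - 'Connection $http_connection'
    proxy_redirect: 'off'
    proxy_http_version: '1.1'
    location_allow:
      - '127.0.0.1'
      - "%{facts.networking.ip}"
    location_deny:
      - all

  # authorised sonarr access from external
  # every request is gated by the /auth-proxy sub-request
  sonarr_web_external:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '/'
    auth_request: '/auth-proxy'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    proxy_set_header:
      - 'Host $host'
      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
      - 'X-Forwarded-Host $host'
      - 'X-Forwarded-Proto $scheme'
      - 'Upgrade $http_upgrade'
      - 'Connection $http_connection'
    proxy_redirect: 'off'
    proxy_http_version: '1.1'

  # location for sonarr api, which should be accessible without authentication
  # The regex is anchored to the start of the path. An unanchored '~ /api'
  # matches any URI that merely contains "/api", and nginx selects regex
  # locations ahead of the '/' prefix location, so such requests would
  # skip auth_request. This location relies on Sonarr's own API-key check;
  # confirm that authentication is enforced in Sonarr itself.
  sonarr_api:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '~ ^/api(/|$)'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    location_cfg_append:
      client_max_body_size: '10m'

# configure consul service
consul::services:
  sonarr:
    service_name: 'sonarr'
    tags:
      - 'media'
      - 'sonarr'
    address: "%{facts.networking.ip}"
    port: 443
    checks:
      - id: 'sonarr_http_check'
        name: 'Sonarr HTTP Check'
        http: "https://%{facts.networking.fqdn}:443/consul/health"
        method: 'GET'
        # NOTE(review): certificate verification is disabled for this
        # check. If the issued certificate covers the node FQDN and the
        # Consul agent trusts the issuing CA, verification could be
        # enabled. Confirm before changing.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'

# Consul ACL: grants this node write on the "sonarr" service only
profiles::consul::client::node_rules:
  - resource: service
    segment: sonarr
    disposition: write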