Add static haproxy2 backends for syd1 Kubernetes Traefik ingress (external 198.18.199.0, internal 198.18.200.4) and route auth.unkin.net to the internal backend with Let's Encrypt cert.
---
# Static `server` lines for the syd1 Kubernetes Traefik ingress. Backends pull
# them in with %{lookup(...)} (be_k8s_kanidm below uses the internal one); the
# external one is defined here but not referenced in this file.
#
# NOTE(review): both lines carry `ssl verify none`, so HAProxy encrypts to
# Traefik but never authenticates it. The internal endpoint fronts Kanidm, i.e.
# the login traffic for auth.unkin.net: anyone able to intercept or redirect
# traffic to 198.18.200.4 on the haproxy->k8s path can present their own
# certificate and harvest credentials/tokens. Prefer
# `ssl verify required ca-file <CA that issued the Traefik certificate>` (and
# keep `sni`/`check-sni` so hostname verification applies) once that trust
# anchor is distributed to the haproxy nodes — path not visible here, confirm.
haproxy_server_k8s_syd1_traefik_internal: 'k8s-traefik-internal 198.18.200.4:443 ssl verify none check inter 2s rise 3 fall 2'
haproxy_server_k8s_syd1_traefik_external: 'k8s-traefik-external 198.18.199.0:443 ssl verify none check inter 2s rise 3 fall 2'
# Address the CNAME targets below resolve to; anycast_ip is defined elsewhere in hiera.
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"

# Hostnames published as CNAMEs to the VRRP/anycast address. A name that is
# terminated as HTTPS here also needs a row in profiles::haproxy::mappings and a
# certificate in profiles::haproxy::certlist::certificates, otherwise the
# request lands on be_default and/or is answered with the default certificate.
# mail-in / mail are TCP services (see the be_stalwart_* backends) and are not
# expected in the HTTP maps.
# NOTE(review): this list spells the Outlook/Thunderbird probe name
# `autodiscover`, while the mappings and ACLs below spell it `autodiscovery`;
# as written the published DNS name never reaches be_stalwart_webadmin.
profiles::haproxy::dns::vrrp_cnames:
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - git.unkin.net
  - fafflix.unkin.net
  - grafana.unkin.net
  - dashboard.ceph.unkin.net
  - mail-webadmin.main.unkin.net
  - mail-in.main.unkin.net
  - mail.main.unkin.net
  - autoconfig.main.unkin.net
  - autodiscover.main.unkin.net
  - auth.unkin.net
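# Host -> backend maps for the two frontends (presumably rendered to
# /etc/haproxy/fe_http.map and fe_https.map, which the frontends look up with
# be_default as the fallback). Keep both lists identical so a host is routed the
# same way before and after the HTTP->HTTPS redirect.
profiles::haproxy::mappings:
  fe_http:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
      # Mail clients probe `autodiscover.<domain>`, which is also the name
      # published in profiles::haproxy::dns::vrrp_cnames. The previous
      # `autodiscovery` spelling never matched, so the probe fell through to
      # be_default.
      - 'autodiscover.main.unkin.net be_stalwart_webadmin'
      - 'auth.unkin.net be_k8s_kanidm'
  fe_https:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
      # Same correction as in fe_http: the DNS name is `autodiscover`.
      - 'autodiscover.main.unkin.net be_stalwart_webadmin'
      - 'auth.unkin.net be_k8s_kanidm'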
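# Frontend rules. Backend selection is map-driven (see profiles::haproxy::mappings);
# the named ACLs are only used for per-host response headers and for the
# source-network restriction on the Proxmox hostnames.
profiles::haproxy::frontends:
  fe_http:
    options:
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
  fe_https:
    options:
      acl:
        - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
        - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
        - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
        - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
        - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
        - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
        - 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_gitea req.hdr(host) -i git.unkin.net'
        - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
        - 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
        - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
        - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
        # Matches the DNS name in profiles::haproxy::dns::vrrp_cnames
        # (`autodiscover`, not `autodiscovery`).
        - 'acl_stalwart_webadmin req.hdr(host) -i autodiscover.main.unkin.net'
        - 'acl_kanidm req.hdr(host) -i auth.unkin.net'
        # Networks allowed to reach management interfaces. `src` is the TCP peer
        # address; if another proxy ever sits in front of this haproxy the
        # check must use the PROXY-protocol / forwarded address instead.
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
      http-request:
        # Proxmox is management-only. The web UI and the API hostname expose the
        # same authentication surface on the same cluster, so both are limited
        # to the internal networks (previously only the web UI was). If an
        # external automation client needs the API, add its source to
        # acl_internalsubnets rather than dropping the rule.
        - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net au-syd1-pve-api.main.unkin.net } !acl_internalsubnets'
      http-response:
        - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
        - 'set-header X-Frame-Options DENY if acl_sonarr'
        - 'set-header X-Frame-Options DENY if acl_radarr'
        - 'set-header X-Frame-Options DENY if acl_lidarr'
        - 'set-header X-Frame-Options DENY if acl_readarr'
        - 'set-header X-Frame-Options DENY if acl_prowlarr'
        - 'set-header X-Frame-Options DENY if acl_nzbget'
        - 'set-header X-Frame-Options DENY if acl_jellyfin'
        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Frame-Options DENY if acl_gitea'
        - 'set-header X-Frame-Options DENY if acl_grafana'
        - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
        - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
        - 'set-header X-Frame-Options DENY if acl_kanidm'
        - 'set-header X-Content-Type-Options nosniff'
        # X-XSS-Protection is deprecated and ignored by current browsers; the
        # legacy filter that `1;mode=block` enabled has itself been abused for
        # cross-site leaks, so the safe value is an explicit `0`. Per-app
        # Content-Security-Policy is the supported replacement.
        - 'set-header X-XSS-Protection 0'
        # NOTE(review): no Strict-Transport-Security is sent although every
        # backend redirects plain HTTP to HTTPS. Consider
        # `set-header Strict-Transport-Security max-age=31536000` once all hosts
        # served here are confirmed HTTPS-only.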
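# Backend definitions. `collect_exported: false` means server lines are not
# collected from exported resources; for most backends they are produced by a
# custom function (per the original comments), be_k8s_kanidm has a static one.
#
# X-Forwarded-Proto is now keyed on `{ ssl_fc }` (TLS terminated on the
# frontend) instead of a hard-coded destination port. The redirect rules below
# already use ssl_fc; be_ceph_dashboard and be_stalwart_webadmin previously
# tested `dst_port 9443`, which never matched a 443 listener and left those
# applications without the https hint.
#
# NOTE(review): `option forwardfor` appends to a client-supplied
# X-Forwarded-For, so applications that read the first address of that header
# see an attacker-controlled value; use
# `http-request set-header X-Forwarded-For %[src]` for backends that make
# decisions on it (rate limits, audit logs).
profiles::haproxy::backends:
  be_ausyd1pve_web:
    description: Backend for au-syd1 pve cluster (Web)
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_ausyd1pve_api:
    description: Backend for au-syd1 pve cluster (API only)
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_sonarr:
    description: Backend for au-syd1 sonarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        # /consul/health is presumably answered by a sidecar rather than the
        # application itself — confirm it reflects application readiness.
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_radarr:
    description: Backend for au-syd1 radarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_lidarr:
    description: Backend for au-syd1 lidarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_readarr:
    description: Backend for au-syd1 readarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_prowlarr:
    description: Backend for au-syd1 prowlarr
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_nzbget:
    description: Backend for au-syd1 nzbget
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_jellyfin:
    description: Backend for au-syd1 jellyfin
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
  be_gitea:
    description: Backend for gitea cluster
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
      # Source-IP persistence in addition to the SRVNAME cookie (covers
      # non-browser clients such as git over HTTPS that do not keep cookies).
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
  be_grafana:
    description: Backend for grafana nodes
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
  be_ceph_dashboard:
    description: Backend for Ceph Dashboard from Mgr instances
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-check:
        - expect status 200
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
      # Declared without a matching `stick on src`; persistence here is
      # cookie-based, so this table is unused (harmless, could be dropped).
      stick-table: 'type ip size 200k expire 30m'
  be_stalwart_webadmin:
    description: Backend for Stalwart Webadmin
    collect_exported: false # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache
      http-reuse: always
      http-check:
        - expect status 200
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
      # Declared without a matching `stick on src` (see be_ceph_dashboard).
      stick-table: 'type ip size 200k expire 30m'
  be_k8s_kanidm:
    description: Backend for Kanidm (auth.unkin.net via Kubernetes internal Traefik)
    collect_exported: false
    options:
      balance: roundrobin
      option:
        # Bare httpchk: the request is fully described by the http-check
        # connect/send/expect rules below.
        - httpchk
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      http-check:
        # Traefik routes on SNI/Host, so the health probe must carry both.
        - 'connect ssl sni auth.unkin.net'
        - 'send meth GET uri /status ver HTTP/1.1 hdr Host auth.unkin.net'
        - 'expect status 200'
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { ssl_fc }
      redirect: 'scheme https if !{ ssl_fc }'
      # The looked-up server line carries `ssl verify none`; for the identity
      # provider this should become `verify required ca-file ...` so the hop to
      # Traefik cannot be impersonated (trust anchor not visible in this file).
      # NOTE(review): Kanidm only honours X-Forwarded-For when its
      # trust_x_forward_for setting is enabled — confirm on the k8s side,
      # otherwise its audit log records the haproxy address for every login.
      server: "%{lookup('haproxy_server_k8s_syd1_traefik_internal')} sni str(auth.unkin.net)"
  be_stalwart_imap:
    description: Backend for Stalwart IMAP (STARTTLS)
    collect_exported: false
    options:
      mode: tcp
      balance: roundrobin
      option:
        - tcp-check
        - prefer-last-server
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
      # Health check negotiates STARTTLS end to end; `send-proxy` means the
      # servers must be configured to accept PROXY protocol on 143.
      tcp-check:
        - connect port 143 send-proxy
        - expect string "* OK"
        - send "A001 STARTTLS\r\n"
        - expect rstring "A001 (OK|2.0.0)"
  be_stalwart_imaps:
    description: Backend for Stalwart IMAPS (implicit TLS)
    collect_exported: false
    options:
      mode: tcp
      balance: roundrobin
      option:
        - tcp-check
        - prefer-last-server
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
      tcp-check:
        # `connect ssl` inherits the server line's TLS settings (defined
        # outside this file); check that it verifies the server certificate.
        - connect ssl send-proxy
        - expect string "* OK"
  be_stalwart_smtp:
    description: Backend for Stalwart SMTP
    collect_exported: false
    options:
      mode: tcp
      balance: roundrobin
      option:
        - tcp-check
        - prefer-last-server
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
      tcp-check:
        - connect port 25 send-proxy
        - expect string "220 "
  be_stalwart_submission:
    description: Backend for Stalwart SMTP Submission
    collect_exported: false
    options:
      mode: tcp
      balance: roundrobin
      option:
        - tcp-check
        - prefer-last-server
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
      tcp-check:
        - connect port 587 send-proxy
        - expect string "220 "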
# Certificates offered by the HTTPS frontend (crt-list); SNI picks the matching
# one. Every hostname in the HTTPS maps must be covered by one of these files.
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
  # Public certificate for the identity provider; issued via certbot::client::domains.
  - /etc/pki/tls/letsencrypt/auth.unkin.net/fullchain_combined.pem
  # Internal Vault-issued certificate; its SANs come from profiles::pki::vault::alt_names.
  # NOTE(review): autoconfig.main.unkin.net and autodiscover.main.unkin.net are
  # routed to be_stalwart_webadmin but appear neither here (via Let's Encrypt)
  # nor in the Vault alt_names, so unless the Vault certificate carries them by
  # another route those names are served the default certificate.
  - /etc/pki/tls/vault/certificate.pem
# additional altnames
# Extra SANs requested on the Vault-issued certificate
# (/etc/pki/tls/vault/certificate.pem in the crt-list above). Hostnames that are
# only reachable internally get their certificate from here rather than from
# Let's Encrypt; note that the Proxmox names are also requested from certbot
# below, so they are covered twice.
profiles::pki::vault::alt_names:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - jellyfin.main.unkin.net
  - mail-webadmin.main.unkin.net
# additional cnames
# CNAMEs for the Proxmox hostnames, kept apart from the VRRP list above
# (presumably pointing at this node rather than the anycast VIP — confirm in
# the profile). Both names are restricted to acl_internalsubnets in fe_https.
profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
# Service reloaded after renewal so the new chain is picked up by the crt-list.
certbot::client::service: haproxy
# Hostnames to request from Let's Encrypt. Each must resolve publicly for the
# challenge; the resulting fullchain_combined.pem must then be listed in
# profiles::haproxy::certlist::certificates.
# NOTE(review): autoconfig.main.unkin.net / autodiscover.main.unkin.net are
# published in DNS and routed to Stalwart but are not requested here nor
# present in profiles::pki::vault::alt_names — mail clients probing them will
# see a certificate mismatch unless another certificate covers them.
certbot::client::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - fafflix.unkin.net
  - git.unkin.net
  - grafana.unkin.net
  - dashboard.ceph.unkin.net
  - auth.unkin.net