---
# Hiera data for the haproxy profile on this role: DNS names to publish,
# host -> backend maps, frontend/backend options and the certificates the
# proxy serves.

# Address the DNS records below presumably resolve to, taken from the
# 'anycast_ip' key of another hiera layer.
# NOTE(review): hiera() is the legacy interpolation function; lookup() is the
# current equivalent — switch once the Puppet version in use is confirmed.
profiles::haproxy::dns::ipaddr: "%{hiera('anycast_ip')}"
# Hostnames to publish as CNAMEs for the address above (key name suggests a
# VRRP-held address; confirm in the profile). Every HTTP host listed here also
# needs an entry in profiles::haproxy::mappings. The mail names (mail-in, imap,
# imaps) have no HTTP map entry in this file and presumably reach the tcp
# backends (be_stalwart_*) through frontends defined elsewhere — confirm.
# jellyfin.main.unkin.net is mapped and is a vault SAN but has no CNAME here.
# NOTE(review): keep the spelling of the autodiscover host in step with its
# map and acl entries further down (autodiscover vs autodiscovery); the name
# Outlook-style clients query is 'autodiscover.<domain>'.
profiles::haproxy::dns::vrrp_cnames:
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - git.unkin.net
  - fafflix.unkin.net
  - grafana.unkin.net
  - dashboard.ceph.unkin.net
  - mail-webadmin.main.unkin.net
  - mail-in.main.unkin.net
  - imap.main.unkin.net
  - imaps.main.unkin.net
  - autoconfig.main.unkin.net
  - autodiscover.main.unkin.net
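# Host -> backend map entries, one '<host> <backend>' string per line. The
# profile presumably renders each frontend's list into
# /etc/haproxy/<frontend>.map, which the use_backend lines in
# profiles::haproxy::frontends consult; hosts missing from the map fall
# through to be_default, which is not defined in this file — confirm it
# exists in another layer.
# The fe_http and fe_https tables are intentionally identical and kept
# explicit (no YAML anchors) so a host is never reachable on one scheme only.
profiles::haproxy::mappings:
  # Plain-HTTP frontend: every host lands on a backend whose
  # 'redirect scheme https' rule bounces it to TLS before anything is served.
  fe_http:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
      # 'autodiscover' (not 'autodiscovery') so the entry matches the CNAME
      # published in profiles::haproxy::dns::vrrp_cnames and the name
      # Outlook-style clients query; the longer spelling has no DNS record here.
      - 'autodiscover.main.unkin.net be_stalwart_webadmin'
  fe_https:
    ensure: present
    mappings:
      - 'au-syd1-pve.main.unkin.net be_ausyd1pve_web'
      - 'au-syd1-pve-api.main.unkin.net be_ausyd1pve_api'
      - 'sonarr.main.unkin.net be_sonarr'
      - 'radarr.main.unkin.net be_radarr'
      - 'lidarr.main.unkin.net be_lidarr'
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'nzbget.main.unkin.net be_nzbget'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
      - 'git.unkin.net be_gitea'
      - 'grafana.unkin.net be_grafana'
      - 'dashboard.ceph.unkin.net be_ceph_dashboard'
      - 'mail-webadmin.main.unkin.net be_stalwart_webadmin'
      - 'autoconfig.main.unkin.net be_stalwart_webadmin'
      # Same spelling fix as in fe_http above.
      - 'autodiscover.main.unkin.net be_stalwart_webadmin'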
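# Frontend-level options. The profile presumably emits each key under
# 'options' as haproxy directives in the order written here.
profiles::haproxy::frontends:
  fe_http:
    options:
      # Route by Host header through the map from profiles::haproxy::mappings.
      # There are no deny rules on this frontend, so the internal-only
      # restriction below relies on the backend's 'redirect scheme https'
      # answering before any content is served over plain HTTP.
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_http.map,be_default)]"
  fe_https:
    options:
      # One ACL per virtual host; they scope the X-Frame-Options header below.
      # Repeating an acl name (acl_stalwart_webadmin) ORs its conditions.
      acl:
        - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
        - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
        - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
        - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
        - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
        - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
        - 'acl_nzbget req.hdr(host) -i nzbget.main.unkin.net'
        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_gitea req.hdr(host) -i git.unkin.net'
        - 'acl_grafana req.hdr(host) -i grafana.unkin.net'
        - 'acl_ceph_dashboard req.hdr(host) -i dashboard.ceph.unkin.net'
        - 'acl_stalwart_webadmin req.hdr(host) -i mail-webadmin.main.unkin.net'
        - 'acl_stalwart_webadmin req.hdr(host) -i autoconfig.main.unkin.net'
        # 'autodiscover' to match the CNAME in profiles::haproxy::dns::vrrp_cnames
        # and the map entry; 'autodiscovery' has no DNS record in this file.
        - 'acl_stalwart_webadmin req.hdr(host) -i autodiscover.main.unkin.net'
        # Source ranges allowed to reach the Proxmox web UI.
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
      # Proxmox web UI is internal-only.
      # NOTE(review): hdr_dom matches whole dot-delimited labels, so
      # au-syd1-pve-api.main.unkin.net is not covered by this rule and stays
      # reachable from any source address — confirm that is intended for the
      # API host (it has its own map entry and backend).
      http-request:
        - 'deny if { hdr_dom(host) -i au-syd1-pve.main.unkin.net } !acl_internalsubnets'
      # Response hardening. X-Frame-Options DENY is scoped per host (the API
      # host has no acl and so gets none); CSP frame-ancestors is the modern
      # replacement but DENY is still honoured by browsers.
      http-response:
        - 'set-header X-Frame-Options DENY if acl_ausyd1pve'
        - 'set-header X-Frame-Options DENY if acl_sonarr'
        - 'set-header X-Frame-Options DENY if acl_radarr'
        - 'set-header X-Frame-Options DENY if acl_lidarr'
        - 'set-header X-Frame-Options DENY if acl_readarr'
        - 'set-header X-Frame-Options DENY if acl_prowlarr'
        - 'set-header X-Frame-Options DENY if acl_nzbget'
        - 'set-header X-Frame-Options DENY if acl_jellyfin'
        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Frame-Options DENY if acl_gitea'
        - 'set-header X-Frame-Options DENY if acl_grafana'
        - 'set-header X-Frame-Options DENY if acl_ceph_dashboard'
        - 'set-header X-Frame-Options DENY if acl_stalwart_webadmin'
        - 'set-header X-Content-Type-Options nosniff'
        # NOTE(review): current OWASP guidance is X-XSS-Protection "0" (or
        # omitting the header); the auditor behind "1;mode=block" is gone from
        # modern browsers and had side-channel problems in old ones. No
        # Strict-Transport-Security header is sent either — worth adding once
        # every mapped host is confirmed HTTPS-only.
        - 'set-header X-XSS-Protection 1;mode=block'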
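# Backend definitions. Server lines are not here: collect_exported is false
# everywhere and the inline comments say membership comes from a custom
# function. Every HTTP backend ends with 'redirect scheme https if !{ ssl_fc }'
# so requests that arrived via fe_http are bounced to TLS before a server is
# contacted.
# Affinity cookies now carry 'secure httponly': the redirect above means the
# cookie is only ever set on a TLS response, and nothing in the browser needs
# to read it, so the attributes cost nothing and stop the cookie leaking over
# plain HTTP or to page scripts.
profiles::haproxy::backends:
  be_ausyd1pve_web:
    description: Backend for au-syd1 pve cluster (Web)
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      # Server-affinity cookie (see header comment for secure/httponly).
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_ausyd1pve_api:
    description: Backend for au-syd1 pve cluster (API only)
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      # No affinity cookie on the API backend; prefer-last-server still keeps
      # a kept-alive connection on the same node.
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  # The *arr backends share one shape; the health check path /consul/health
  # is presumably served by a consul agent on the service hosts — verify.
  be_sonarr:
    description: Backend for au-syd1 sonarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_radarr:
    description: Backend for au-syd1 radarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_lidarr:
    description: Backend for au-syd1 lidarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_readarr:
    description: Backend for au-syd1 readarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_prowlarr:
    description: Backend for au-syd1 prowlarr
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_nzbget:
    description: Backend for au-syd1 nzbget
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /consul/health
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  # Serves both jellyfin.main.unkin.net and fafflix.unkin.net (see mappings).
  be_jellyfin:
    description: Backend for au-syd1 jellyfin
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
  be_gitea:
    description: Backend for gitea cluster
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
      # Source-IP affinity on top of the cookie (covers clients that drop
      # cookies, e.g. git over HTTP).
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
  be_grafana:
    description: Backend for grafana nodes
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        - add-header X-Forwarded-Proto https if { dst_port 443 }
      redirect: 'scheme https if !{ ssl_fc }'
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
  be_ceph_dashboard:
    description: Backend for Ceph Dashboard from Mgr instances
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-check:
        - expect status 200
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        # NOTE(review): every other backend keys X-Forwarded-Proto on
        # dst_port 443; the https frontend's bind port is not visible in this
        # file, so confirm 9443 is really the port clients hit here —
        # otherwise the header is never added for this backend.
        - add-header X-Forwarded-Proto https if { dst_port 9443 }
      redirect: 'scheme https if !{ ssl_fc }'
      # NOTE(review): a stick-table is declared but, unlike be_gitea and
      # be_grafana, there is no 'stick on src' rule, so the table is never
      # populated — add the rule or drop the table.
      stick-table: 'type ip size 200k expire 30m'
  be_stalwart_webadmin:
    description: Backend for Stalwart Webadmin
    collect_exported: false  # handled in custom function
    options:
      balance: roundrobin
      option:
        - httpchk GET /
        - forwardfor
        - http-keep-alive
        - prefer-last-server
      cookie: SRVNAME insert indirect nocache secure httponly
      http-reuse: always
      http-check:
        - expect status 200
      http-request:
        - set-header X-Forwarded-Port %[dst_port]
        # NOTE(review): same dst_port 9443 question as be_ceph_dashboard.
        - add-header X-Forwarded-Proto https if { dst_port 9443 }
      redirect: 'scheme https if !{ ssl_fc }'
      # NOTE(review): stick-table without a 'stick on src' rule, as in
      # be_ceph_dashboard.
      stick-table: 'type ip size 200k expire 30m'
  # TCP-mode mail backends: the client connection is passed through and TLS
  # terminates at Stalwart, so none of the HTTP hardening above (cookies,
  # response headers, https redirect) applies here. Source-IP stickiness
  # keeps a client on one node.
  be_stalwart_imap:
    description: Backend for Stalwart IMAP (STARTTLS)
    collect_exported: false
    options:
      mode: tcp
      balance: roundrobin
      option:
        - tcp-check
        - prefer-last-server
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
      # Active check: read the greeting, request STARTTLS, expect an OK.
      tcp-check:
        - connect port 143
        - expect string "* OK"
        - send "A001 STARTTLS\r\n"
        - expect rstring "A001 (OK|2.0.0)"
  be_stalwart_imaps:
    description: Backend for Stalwart IMAPS (implicit TLS)
    collect_exported: false
    options:
      mode: tcp
      balance: roundrobin
      option:
        - tcp-check
        - prefer-last-server
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
      # Check opens TLS on the server's port and expects the IMAP greeting.
      tcp-check:
        - connect ssl
        - expect string "* OK"
  be_stalwart_smtp:
    description: Backend for Stalwart SMTP
    collect_exported: false
    options:
      mode: tcp
      balance: roundrobin
      option:
        - tcp-check
        - prefer-last-server
      stick-table: 'type ip size 200k expire 30m'
      stick: 'on src'
      # Check expects the SMTP 220 banner (trailing space is part of the match).
      tcp-check:
        - connect port 25
        - expect string "220 "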
# Serve TLS from a certificate list (SNI selection) rather than a single cert.
profiles::haproxy::certlist::enabled: true

# PEM bundles haproxy loads; 'fullchain_combined' presumably means key plus
# chain in one file. Keep in step with certbot::client::domains below: every
# Let's Encrypt name there has a matching entry here. jellyfin and
# mail-webadmin are SANs of the vault certificate
# (profiles::pki::vault::alt_names) and so are covered by the last entry.
# NOTE(review): nothing here is named for autoconfig.main.unkin.net or the
# autodiscover host that profiles::haproxy::mappings sends to
# be_stalwart_webadmin — unless they are SANs of one of these bundles, TLS for
# those names falls back to haproxy's default certificate.
profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/nzbget.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/git.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/grafana.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/dashboard.ceph.unkin.net/fullchain_combined.pem
  # Internal-CA certificate carrying the profiles::pki::vault::alt_names SANs.
  - /etc/pki/tls/vault/certificate.pem
# additional altnames
# SANs requested on the vault-issued certificate (/etc/pki/tls/vault/certificate.pem
# in profiles::haproxy::certlist::certificates). jellyfin and mail-webadmin are
# only covered by this certificate.
# NOTE(review): the two au-syd1-pve names are also in certbot::client::domains,
# so two loaded bundles carry them — harmless, but confirm which one haproxy
# is meant to present for those hosts.
profiles::pki::vault::alt_names:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - jellyfin.main.unkin.net
  - mail-webadmin.main.unkin.net
# additional cnames
# CNAMEs published in addition to profiles::haproxy::dns::vrrp_cnames; the
# profile decides what distinguishes the two lists (only the key differs here).
profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
# Service certbot presumably reloads after a renewal so haproxy picks up the
# new bundle.
certbot::client::service: haproxy

# Names requested from Let's Encrypt. Each one has a matching
# /etc/pki/tls/letsencrypt/<domain>/fullchain_combined.pem entry in
# profiles::haproxy::certlist::certificates; keep the two lists in step.
# jellyfin, mail-webadmin and the autoconfig/autodiscover hosts are not here
# (the first two are SANs of the vault certificate).
certbot::client::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - nzbget.main.unkin.net
  - fafflix.unkin.net
  - git.unkin.net
  - grafana.unkin.net
  - dashboard.ceph.unkin.net