Ben Vincent
2ab2cd1399
- refactor sonarr locations to generalised locations - set locations to be deep merged - updated hiera_include statements for media and media subroles - added eyaml entries for all ldap credentials
100 lines
3.3 KiB
YAML
100 lines
3.3 KiB
YAML
---
|
|
hiera_include:
|
|
- profiles::nginx::simpleproxy
|
|
|
|
profiles::yum::global::repos:
|
|
ceph-reef:
|
|
name: ceph-reef
|
|
descr: ceph reef repository
|
|
target: /etc/yum.repos.d/ceph-reef.repo
|
|
baseurl: https://edgecache.query.consul/ceph/yum/el%{facts.os.release.major}/%{facts.os.architecture}
|
|
gpgcheck: 0,
|
|
mirrorlist: absent
|
|
|
|
profiles::ceph::client::keyrings:
|
|
media:
|
|
key: "%{hiera('ceph::key::media')}"
|
|
|
|
profiles::base::groups::local:
|
|
media:
|
|
ensure: present
|
|
gid: 20000
|
|
allowdupe: false
|
|
forcelocal: true
|
|
|
|
ldap_host: 'ldap.service.consul'
|
|
ldap_basedn: 'dc=main,dc=unkin,dc=net'
|
|
|
|
profiles::nginx::simpleproxy::locations:
|
|
# authentication proxy
|
|
authproxy:
|
|
ensure: 'present'
|
|
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
ssl_only: true
|
|
internal: true
|
|
location: '= /auth-proxy'
|
|
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
|
|
proxy_set_header:
|
|
- 'Content-Length ""'
|
|
- "X-Ldap-URL ldap://%{lookup('ldap_host')}"
|
|
- 'X-Ldap-Starttls "false"'
|
|
- "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
|
|
- "X-Ldap-BindDN %{lookup('ldap_binddn')}"
|
|
- "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
|
|
- 'X-CookieName "nginxauth"'
|
|
- 'Cookie nginxauth=$cookie_nginxauth'
|
|
- "X-Ldap-Template %{lookup('ldap_template')}"
|
|
- 'X-Ldap-Realm "Restricted"'
|
|
proxy_cache: 'cache'
|
|
proxy_cache_valid: '200 10m'
|
|
proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
|
|
location_cfg_append:
|
|
proxy_pass_request_body: 'off'
|
|
# health checks by consul
|
|
arrstack_web_consul:
|
|
ensure: 'present'
|
|
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
ssl_only: true
|
|
location: '/consul/health'
|
|
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
proxy_set_header:
|
|
- 'Host $host'
|
|
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
|
- 'X-Forwarded-Host $host'
|
|
- 'X-Forwarded-Proto $scheme'
|
|
- 'Upgrade $http_upgrade'
|
|
- 'Connection $http_connection'
|
|
proxy_redirect: 'off'
|
|
proxy_http_version: '1.1'
|
|
location_allow:
|
|
- 127.0.0.1
|
|
- "%{facts.networking.ip}"
|
|
location_deny:
|
|
- all
|
|
# authorised access from external
|
|
arrstack_web_external:
|
|
ensure: 'present'
|
|
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
ssl_only: true
|
|
location: '/'
|
|
auth_request: '/auth-proxy'
|
|
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
proxy_set_header:
|
|
- 'Host $host'
|
|
- 'X-Forwarded-For $proxy_add_x_forwarded_for'
|
|
- 'X-Forwarded-Host $host'
|
|
- 'X-Forwarded-Proto $scheme'
|
|
- 'Upgrade $http_upgrade'
|
|
- 'Connection $http_connection'
|
|
proxy_redirect: 'off'
|
|
proxy_http_version: '1.1'
|
|
# location for api, which should be accessible without authentication
|
|
arrstack_api:
|
|
ensure: 'present'
|
|
server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
|
|
ssl_only: true
|
|
location: '~ /api'
|
|
proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
|
|
location_cfg_append:
|
|
client_max_body_size: '20m'
|