- add authproxy - add api and web - add /consul/health for unauth access from consul - update sonarr/consul check to use /consul/health - change client body size to 20mb
---
# Classes included for this role: the sonarr application itself, the nginx
# reverse proxy in front of it, and the LDAP auth helper that the
# auth_request location in this file talks to.
hiera_include:
  - 'sonarr'
  - 'profiles::nginx::simpleproxy'
  - 'profiles::nginx::ldapauth'

# manage sonarr
# The service runs as sonarr:media; manage_group is false, so the group is
# not created by the sonarr module (presumably managed elsewhere; confirm).
sonarr::params::user: 'sonarr'
sonarr::params::group: 'media'
sonarr::params::manage_group: false
# Quoted so the version is always read as a string.
sonarr::params::archive_version: '4.0.5'
# Same port as profiles::nginx::simpleproxy::proxy_port in this file.
sonarr::params::port: 8000

# additional altnames
# Names requested on the certificate in addition to the default subject;
# they mirror the vhost name and aliases configured for nginx in this file.
profiles::pki::vault::alt_names:
  - 'sonarr.main.unkin.net'
  - 'sonarr.service.consul'
  - 'sonarr.query.consul'
  - 'sonarr.service.%{facts.country}-%{facts.region}.consul'

# manage a simple nginx reverse proxy
profiles::nginx::simpleproxy::nginx_vhost: 'sonarr.query.consul'
profiles::nginx::simpleproxy::nginx_aliases:
  - 'sonarr.main.unkin.net'
  - 'sonarr.service.consul'
  - 'sonarr.query.consul'
  - 'sonarr.service.%{facts.country}-%{facts.region}.consul'
# Upstream is the local Sonarr instance on loopback.
profiles::nginx::simpleproxy::proxy_port: 8000
profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
profiles::nginx::simpleproxy::proxy_path: '/'
# The default location is disabled; every location is declared explicitly
# under profiles::nginx::simpleproxy::locations.
profiles::nginx::simpleproxy::use_default_location: false
# Global request body limit; a location can still set its own lower or
# higher value.
nginx::client_max_body_size: '20M'

# LDAP settings consumed through lookup() by the authproxy location headers.
# ldap_bindpass is looked up there as well but is not defined in this file.
# NOTE(review): presumably it comes from an encrypted hiera layer or a
# secret store; confirm it is never committed in clear text.
ldap_host: 'ldap.service.consul'
ldap_basedn: 'dc=main,dc=unkin,dc=net'
# Dedicated service account used for the search bind.
ldap_binddn: 'cn=svc_sonarr,ou=services,ou=users,dc=main,dc=unkin,dc=net'
# Authorisation filter: only entries that are memberOf the sonarr_access
# group match.
ldap_template: '(memberOf=ou=sonarr_access,ou=groups,dc=main,dc=unkin,dc=net)'

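# nginx locations for the sonarr vhost.
#
# Access model:
#   = /auth-proxy    internal-only subrequest target for LDAP authentication
#   /consul/health   unauthenticated, restricted by source address
#   /                everything else, gated by auth_request
#   ^/api(/|$)       unauthenticated at the proxy
#
# nginx evaluates regex locations before falling back to the longest
# matching prefix location, so the pattern of the API location decides which
# URIs skip auth_request. It is therefore anchored to the start of the path.
profiles::nginx::simpleproxy::locations:
  # authentication proxy
  authproxy:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    # internal: only reachable through auth_request subrequests, never
    # directly by a client.
    internal: true
    location: '= /auth-proxy'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:8888"
    proxy_set_header:
      - 'Content-Length ""'
      # NOTE(review): ldap:// together with X-Ldap-Starttls "false" means the
      # service-account bind and the users' credentials are sent to the
      # directory unencrypted. Prefer ldaps:// or StartTLS once the LDAP
      # service supports it.
      - "X-Ldap-URL ldap://%{lookup('ldap_host')}"
      - 'X-Ldap-Starttls "false"'
      - "X-Ldap-BaseDN %{lookup('ldap_basedn')}"
      - "X-Ldap-BindDN %{lookup('ldap_binddn')}"
      # The bind password ends up in the rendered nginx configuration;
      # NOTE(review): confirm that file is readable only by root/nginx.
      - "X-Ldap-BindPass %{lookup('ldap_bindpass')}"
      - 'X-CookieName "nginxauth"'
      - 'Cookie nginxauth=$cookie_nginxauth'
      - "X-Ldap-Template %{lookup('ldap_template')}"
      - 'X-Ldap-Realm "Restricted"'
    # Successful auth responses are cached for 10 minutes, keyed on the
    # presented credentials. A revoked group membership or a changed
    # password can therefore keep working for up to 10 minutes.
    proxy_cache: 'cache'
    proxy_cache_valid: '200 10m'
    proxy_cache_key: '"$http_authorization$cookie_nginxauth"'
    location_cfg_append:
      # The auth daemon only needs the headers, not the request body.
      proxy_pass_request_body: 'off'

  # sonarr health checks by consul
  # No auth_request here; access is limited to loopback and the node's own
  # address, everything else is denied.
  sonarr_web_consul:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '/consul/health'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    proxy_set_header:
      - 'Host $host'
      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
      - 'X-Forwarded-Host $host'
      - 'X-Forwarded-Proto $scheme'
      - 'Upgrade $http_upgrade'
      - 'Connection $http_connection'
    proxy_redirect: 'off'
    proxy_http_version: '1.1'
    location_allow:
      - '127.0.0.1'
      - "%{facts.networking.ip}"
    location_deny:
      - 'all'

  # authorised sonarr access from external
  # Every request is first sent to /auth-proxy; it is proxied to Sonarr only
  # when that subrequest succeeds.
  sonarr_web_external:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '/'
    auth_request: '/auth-proxy'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    proxy_set_header:
      - 'Host $host'
      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
      - 'X-Forwarded-Host $host'
      - 'X-Forwarded-Proto $scheme'
      - 'Upgrade $http_upgrade'
      - 'Connection $http_connection'
    proxy_redirect: 'off'
    proxy_http_version: '1.1'

  # location for sonarr api, which should be accessible without authentication
  # The pattern was the unanchored regex '~ /api', which matches any URI that
  # contains "/api" anywhere in its path and, being a regex location, wins
  # over the authenticated '/' prefix location. Anchoring it keeps the
  # LDAP bypass limited to /api and /api/... only.
  # NOTE(review): with no auth_request here, the application's own API
  # authentication is the only control on this path; confirm it is enforced.
  sonarr_api:
    ensure: 'present'
    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
    ssl_only: true
    location: '~ ^/api(/|$)'
    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
    location_cfg_append:
      # NOTE(review): this per-location limit takes precedence over
      # nginx::client_max_body_size (20M) for API requests; confirm the
      # lower 10m value is intended.
      client_max_body_size: '10m'
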
# configure consul service
# Registers sonarr on the node address at 443 (the nginx TLS listener) and
# probes the unauthenticated /consul/health location every 10 seconds.
consul::services:
  sonarr:
    service_name: 'sonarr'
    tags:
      - 'media'
      - 'sonarr'
    address: "%{facts.networking.ip}"
    port: 443
    checks:
      - id: 'sonarr_http_check'
        name: 'Sonarr HTTP Check'
        http: "https://%{facts.networking.fqdn}:443/consul/health"
        method: 'GET'
        # NOTE(review): certificate verification is disabled for this check,
        # so it passes against any certificate served on this port. If the
        # issued certificate covers the node FQDN and the agent trusts the
        # issuing CA, this can be set to false; confirm.
        tls_skip_verify: true
        interval: '10s'
        timeout: '1s'
# Consul ACL rule for this node: write access scoped to the sonarr service
# only, which is what registering the service above requires.
profiles::consul::client::node_rules:
  - resource: 'service'
    segment: 'sonarr'
    disposition: 'write'