Adapt Ingress to work on both blowhole and toothpick
Signed-off-by: main <magic_rb@redalder.org>
This commit is contained in:
parent
8ec8e424b1
commit
5391565dea
4 changed files with 323 additions and 9 deletions
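--- /dev/null
+++ b/containers/ingress-blowhole.nix
@@ -0,0 +1,98 @@
+{ nglib, nixpkgs }:
+nglib.makeSystem {
+system = "x86_64-linux";
+name = "ra-systems-ingress-blowhole";
+inherit nixpkgs;
+config = ({ pkgs, config, nglib, ... }:
+let
+ids = config.ids;
+in
+{
+config = {
+dumb-init = {
+enable = true;
+sigell = {
+entries = [
+{
+signal = "HUP";
+action = {
+type = "exec";
+environment = {
+PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
+};
+command =
+[ "bash"
+"-c"
+"kill -s HUP \"$(cat /nginx.pid)\""
+];
+};
+}
+{
+signal = "TERM";
+action = {
+type = "signal";
+rewrite = "TERM";
+selector = {
+type = "child";
+};
+};
+}
+];
+};
+type.services = {};
+};
+init.services.nginx = {
+shutdownOnExit = true;
+};
+
+
+services.nginx = {
+enable = true;
+envsubst = true;
+configuration = [
+{
+daemon = "off";
+worker_processes = 2;
+user = "nginx";
+
+events."" = {
+use = "epoll";
+worker_connections = 128;
+};
+
+error_log = [ "/dev/stderr" "warn" ];
+
+pid = "/nginx.pid";
+
+stream."" = {
+include = [
+[ "/local/streams.conf" ]
+];
+};
+
+http."" = {
+server_tokens = "off";
+include = [
+[ "${pkgs.nginx}/conf/mime.types" ]
+[ "/local/upstreams.conf" ]
+];
+charset = "utf-8";
+access_log = [ "/dev/stdout" "combined" ];
+
+server."" = {
+listen = [ "80" "default_server" ];
+server_name = [
+"blowhole.in.redalder.org"
+];
+
+location."/" = {
+return = [ "301" "https://$$host$$request_uri" ];
+};
+};
+};
+}
+];
+};
+};
+});
+}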
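Review bot: The port-80 `default_server` near the end of this file answers every request with `return 301 https://$host$request_uri`, but nothing in this configuration listens on 443: the only includes are `/local/streams.conf` and `/local/upstreams.conf`, and the `local/ssl.conf` rendered by the accompanying job has no consumer, so unless an ssl server is defined somewhere not shown here the redirect sends clients to a closed port. Either add a `server { listen 443 ssl; include /local/ssl.conf; ... }` to the template that produces `upstreams.conf`, or serve the proxied locations from this listener instead of redirecting. Two smaller points: `ids = config.ids;` is bound but never used, and the file has no header saying how it differs from the toothpick image. A comment such as `# Ingress image for blowhole: nginx with /local/{streams,upstreams}.conf supplied by the Nomad job; :80 is a redirect-only default_server` at the top would cover that.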
@ -29,13 +29,15 @@
|
|||
{
|
||||
hydra = (import ./containers/hydra.nix base).hydra;
|
||||
hydraPostgresql = (import ./containers/hydra.nix base).postgresql;
|
||||
ingress = import ./containers/ingress.nix base;
|
||||
ingressToothpick = import ./containers/ingress-toothpick.nix base;
|
||||
ingressBlowhole = import ./containers/ingress-blowhole.nix base;
|
||||
website = import ./containers/website.nix (base // { inherit (inputs.website) website; });
|
||||
jmusicbot = import ./containers/jmusicbot.nix base;
|
||||
camptules = (import ./containers/camptules.nix (base // { inherit (inputs) camptules; }));
|
||||
gitea = import ./containers/gitea.nix base;
|
||||
minecraft = import ./containers/minecraft.nix base;
|
||||
mosquitto = import ./containers/mosquitto.nix base;
|
||||
syncthing = import ./containers/syncthing.nix base;
|
||||
zigbee2mqtt = import ./containers/zigbee2mqtt.nix base;
|
||||
home-assistant = import ./containers/home-assistant.nix base;
|
||||
};
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
job "ingress" {
|
||||
datacenters = [ "do-1" ]
|
||||
datacenters = [ "do-1", "homelab-1" ]
|
||||
type = "service"
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.unique.hostname}"
|
||||
value = "toothpick"
|
||||
}
|
||||
|
||||
group "ingress" {
|
||||
group "ingress-toothpick" {
|
||||
count = 1
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.unique.hostname}"
|
||||
value = "toothpick"
|
||||
}
|
||||
|
||||
volume "ingress-letsencrypt" {
|
||||
type = "csi"
|
||||
source = "ingress-letsencrypt"
|
||||
|
@ -41,7 +41,7 @@ job "ingress" {
|
|||
}
|
||||
|
||||
service {
|
||||
name = "ingress"
|
||||
name = "ingress-toothpick"
|
||||
port = "http"
|
||||
|
||||
connect {
|
||||
|
@ -268,4 +268,218 @@ EOF
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
group "ingress-blowhole" {
|
||||
count = 1
|
||||
|
||||
constraint {
|
||||
attribute = "${attr.unique.hostname}"
|
||||
value = "blowhole"
|
||||
}
|
||||
|
||||
network {
|
||||
mode = "bridge"
|
||||
port "http" {
|
||||
static = 8080
|
||||
to = 80
|
||||
}
|
||||
|
||||
port "https" {
|
||||
static = 443
|
||||
to = 443
|
||||
}
|
||||
|
||||
port "jellyfin" {
|
||||
static = 8096
|
||||
to = 8096
|
||||
}
|
||||
}
|
||||
|
||||
service {
|
||||
name = "ingress-blowhole"
|
||||
port = "80"
|
||||
|
||||
connect {
|
||||
sidecar_service {
|
||||
proxy {
|
||||
upstreams {
|
||||
destination_name = "jellyfin"
|
||||
local_bind_port = 8001
|
||||
}
|
||||
|
||||
upstreams {
|
||||
destination_name = "zigbee2mqtt"
|
||||
local_bind_port = 8002
|
||||
}
|
||||
|
||||
upstreams {
|
||||
destination_name = "home-assistant"
|
||||
local_bind_port = 8003
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sidecar_task {
|
||||
resources {
|
||||
cpu = 75
|
||||
memory = 48
|
||||
}
|
||||
|
||||
config {
|
||||
memory_hard_limit = 96
|
||||
image = "envoyproxy/envoy:v1.20.2"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
task "nginx" {
|
||||
driver = "docker"
|
||||
|
||||
config {
|
||||
image = "ra-systems-ingress-blowhole:local"
|
||||
|
||||
ports = ["http", "https", "jellyfin"]
|
||||
memory_hard_limit = 128
|
||||
}
|
||||
|
||||
resources {
|
||||
cpu = 200
|
||||
memory = 32
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
|
||||
|
||||
ssl_session_cache shared:le_nginx_SSL:10m;
|
||||
ssl_session_timeout 1440m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
||||
EOF
|
||||
destination = "local/ssl.conf"
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
EOF
|
||||
destination = "local/headers.conf"
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
|
||||
EOF
|
||||
destination = "local/security.conf"
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
upstream jellyfin {
|
||||
server {{ env "NOMAD_UPSTREAM_ADDR_jellyfin" }};
|
||||
}
|
||||
|
||||
upstream zigbee2mqtt {
|
||||
server {{ env "NOMAD_UPSTREAM_ADDR_zigbee2mqtt" }};
|
||||
}
|
||||
|
||||
upstream home-assistant {
|
||||
server {{ env "NOMAD_UPSTREAM_ADDR_home-assistant" }};
|
||||
}
|
||||
|
||||
server {
|
||||
listen 8096;
|
||||
|
||||
server_name _;
|
||||
|
||||
include /local/security.conf;
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
location /jellyfin {
|
||||
include /local/headers.conf;
|
||||
proxy_pass http://jellyfin;
|
||||
}
|
||||
|
||||
location ~ "^/(static/icons/|static/fonts/|static/translations/|static/images/|static/panels/|static/polyfills|api/|auth/|frontend_latest/|frontend_es5/|local/|lovelace|map|config|developer-tools|history|logbook|profile|states|hassio|onboarding.html|service_worker.js|authorize.html|manifest.json)" {
|
||||
include /local/headers.conf;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
proxy_pass http://home-assistant;
|
||||
}
|
||||
|
||||
location /home-assistant {
|
||||
include /local/headers.conf;
|
||||
|
||||
rewrite /home-assistant/(.*) /$1 break;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
proxy_pass http://home-assistant;
|
||||
}
|
||||
|
||||
location /zigbee2mqtt {
|
||||
include /local/headers.conf;
|
||||
|
||||
rewrite /zigbee2mqtt/(.*) /$1 break;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
proxy_pass http://zigbee2mqtt;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
||||
server_name _;
|
||||
|
||||
include /local/security.conf;
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
location /jellyfin {
|
||||
include /local/headers.conf;
|
||||
proxy_pass http://jellyfin;
|
||||
}
|
||||
}
|
||||
EOF
|
||||
destination = "local/upstreams.conf"
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<EOF
|
||||
|
||||
EOF
|
||||
destination = "local/streams.conf"
|
||||
change_mode = "signal"
|
||||
change_signal = "SIGHUP"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
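Review bot: TLS is declared but never wired for the `ingress-blowhole` group: the `local/ssl.conf` template is not included by any server block in `upstreams.conf`, no `volume`/`volume_mount` provides `/etc/letsencrypt` the way the toothpick group's `ingress-letsencrypt` CSI volume does, and neither server listens on 443, so the static `https` port is exposed on the host with nothing behind it while the image's `:80 default_server` redirects clients there. Separately, the CSP in `security.conf`, `default-src 'self' http: https: data: blob: 'unsafe-inline'`, allows scripts and frames from any origin plus inline code, so it is effectively no policy; if the apps behind it cannot tolerate a stricter one, record that in a comment such as `# CSP intentionally permissive: HA/jellyfin frontends need inline scripts and cross-origin media` rather than shipping a header that only looks like protection. The `:80` server here (`server_name _`) also appears to be shadowed by the image's `default_server` on the same port, so `/jellyfin` is reachable only through `:8096`, which serves home-assistant, zigbee2mqtt and jellyfin over plain HTTP. Finally, `X-Forwarded-For` via `$proxy_add_x_forwarded_for` appends to a client-supplied header, so upstreams that derive the client address from it should trust only the last hop or use `X-Real-IP`.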
|