Adapt Ingress to work on both blowhole and toothpick

Signed-off-by: main <magic_rb@redalder.org>
This commit is contained in:
main 2022-03-23 10:36:25 +01:00
parent 8ec8e424b1
commit 5391565dea
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
4 changed files with 323 additions and 9 deletions

View file

@ -0,0 +1,98 @@
{ nglib, nixpkgs }:
nglib.makeSystem {
system = "x86_64-linux";
name = "ra-systems-ingress-blowhole";
inherit nixpkgs;
config = ({ pkgs, config, nglib, ... }:
let
ids = config.ids;
in
{
config = {
dumb-init = {
enable = true;
sigell = {
entries = [
{
signal = "HUP";
action = {
type = "exec";
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command =
[ "bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
};
}
{
signal = "TERM";
action = {
type = "signal";
rewrite = "TERM";
selector = {
type = "child";
};
};
}
];
};
type.services = {};
};
init.services.nginx = {
shutdownOnExit = true;
};
services.nginx = {
enable = true;
envsubst = true;
configuration = [
{
daemon = "off";
worker_processes = 2;
user = "nginx";
events."" = {
use = "epoll";
worker_connections = 128;
};
error_log = [ "/dev/stderr" "warn" ];
pid = "/nginx.pid";
stream."" = {
include = [
[ "/local/streams.conf" ]
];
};
http."" = {
server_tokens = "off";
include = [
[ "${pkgs.nginx}/conf/mime.types" ]
[ "/local/upstreams.conf" ]
];
charset = "utf-8";
access_log = [ "/dev/stdout" "combined" ];
server."" = {
listen = [ "80" "default_server" ];
server_name = [
"blowhole.in.redalder.org"
];
location."/" = {
return = [ "301" "https://$$host$$request_uri" ];
};
};
};
}
];
};
};
});
}

View file

@ -29,13 +29,15 @@
{ {
hydra = (import ./containers/hydra.nix base).hydra; hydra = (import ./containers/hydra.nix base).hydra;
hydraPostgresql = (import ./containers/hydra.nix base).postgresql; hydraPostgresql = (import ./containers/hydra.nix base).postgresql;
ingress = import ./containers/ingress.nix base; ingressToothpick = import ./containers/ingress-toothpick.nix base;
ingressBlowhole = import ./containers/ingress-blowhole.nix base;
website = import ./containers/website.nix (base // { inherit (inputs.website) website; }); website = import ./containers/website.nix (base // { inherit (inputs.website) website; });
jmusicbot = import ./containers/jmusicbot.nix base; jmusicbot = import ./containers/jmusicbot.nix base;
camptules = (import ./containers/camptules.nix (base // { inherit (inputs) camptules; })); camptules = (import ./containers/camptules.nix (base // { inherit (inputs) camptules; }));
gitea = import ./containers/gitea.nix base; gitea = import ./containers/gitea.nix base;
minecraft = import ./containers/minecraft.nix base; minecraft = import ./containers/minecraft.nix base;
mosquitto = import ./containers/mosquitto.nix base; mosquitto = import ./containers/mosquitto.nix base;
syncthing = import ./containers/syncthing.nix base;
zigbee2mqtt = import ./containers/zigbee2mqtt.nix base; zigbee2mqtt = import ./containers/zigbee2mqtt.nix base;
home-assistant = import ./containers/home-assistant.nix base; home-assistant = import ./containers/home-assistant.nix base;
}; };

View file

@ -1,15 +1,15 @@
job "ingress" { job "ingress" {
datacenters = [ "do-1" ] datacenters = [ "do-1", "homelab-1" ]
type = "service" type = "service"
group "ingress-toothpick" {
count = 1
constraint { constraint {
attribute = "${attr.unique.hostname}" attribute = "${attr.unique.hostname}"
value = "toothpick" value = "toothpick"
} }
group "ingress" {
count = 1
volume "ingress-letsencrypt" { volume "ingress-letsencrypt" {
type = "csi" type = "csi"
source = "ingress-letsencrypt" source = "ingress-letsencrypt"
@ -41,7 +41,7 @@ job "ingress" {
} }
service { service {
name = "ingress" name = "ingress-toothpick"
port = "http" port = "http"
connect { connect {
@ -268,4 +268,218 @@ EOF
} }
} }
} }
group "ingress-blowhole" {
count = 1
constraint {
attribute = "${attr.unique.hostname}"
value = "blowhole"
}
network {
mode = "bridge"
port "http" {
static = 8080
to = 80
}
port "https" {
static = 443
to = 443
}
port "jellyfin" {
static = 8096
to = 8096
}
}
service {
name = "ingress-blowhole"
port = "80"
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "jellyfin"
local_bind_port = 8001
}
upstreams {
destination_name = "zigbee2mqtt"
local_bind_port = 8002
}
upstreams {
destination_name = "home-assistant"
local_bind_port = 8003
}
}
}
sidecar_task {
resources {
cpu = 75
memory = 48
}
config {
memory_hard_limit = 96
image = "envoyproxy/envoy:v1.20.2"
}
}
}
}
task "nginx" {
driver = "docker"
config {
image = "ra-systems-ingress-blowhole:local"
ports = ["http", "https", "jellyfin"]
memory_hard_limit = 128
}
resources {
cpu = 200
memory = 32
}
template {
data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
destination = "local/ssl.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
destination = "local/headers.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
destination = "local/security.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
upstream jellyfin {
server {{ env "NOMAD_UPSTREAM_ADDR_jellyfin" }};
}
upstream zigbee2mqtt {
server {{ env "NOMAD_UPSTREAM_ADDR_zigbee2mqtt" }};
}
upstream home-assistant {
server {{ env "NOMAD_UPSTREAM_ADDR_home-assistant" }};
}
server {
listen 8096;
server_name _;
include /local/security.conf;
client_max_body_size 100M;
location /jellyfin {
include /local/headers.conf;
proxy_pass http://jellyfin;
}
location ~ "^/(static/icons/|static/fonts/|static/translations/|static/images/|static/panels/|static/polyfills|api/|auth/|frontend_latest/|frontend_es5/|local/|lovelace|map|config|developer-tools|history|logbook|profile|states|hassio|onboarding.html|service_worker.js|authorize.html|manifest.json)" {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://home-assistant;
}
location /home-assistant {
include /local/headers.conf;
rewrite /home-assistant/(.*) /$1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://home-assistant;
}
location /zigbee2mqtt {
include /local/headers.conf;
rewrite /zigbee2mqtt/(.*) /$1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://zigbee2mqtt;
}
}
server {
listen 80;
server_name _;
include /local/security.conf;
client_max_body_size 100M;
location /jellyfin {
include /local/headers.conf;
proxy_pass http://jellyfin;
}
}
EOF
destination = "local/upstreams.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
EOF
destination = "local/streams.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
}
}
} }