magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-22 08:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add terranix config for ingress-blowhole container

Browse source 
Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2023-06-15 23:07:14 +02:00
parent 084c85e436
commit c09fea6f75
3 changed files with 581 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
terranix/containers/ingress-blowhole/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ elib, ... }:
let
inherit (elib)
nomadJob;
flake_host = "";
flake_rev = "";
flake_ref = "";
flake_sha = "";
in
{
resource."nomad_job"."ingress" = nomadJob {
jobspec = ./job.hcl;
vars = {
flake_ref = "${flake_host}?rev=${flake_rev}&ref=${flake_ref}";
flake_sha = flake_sha;
upstreams = "\${file(\"${./upstreams.conf}\")}";
};
};
}

284
terranix/containers/ingress-blowhole/job.hcl Normal file
View file

@ -0,0 +1,284 @@
variable "flake_ref" {
type = string
}
variable "flake_sha" {
type = string
}
variable "upstreams" {
type = string
}
job "ingress" {
datacenters = [ "homelab-1" ]
type = "service"
group "ingress" {
count = 1
constraint {
attribute = "${attr.unique.hostname}"
value = "blowhole"
}
network {
mode = "bridge"
port "http" {
host_network = "mesh"
static = 80
to = 80
}
port "https" {
host_network = "mesh"
static = 443
to = 443
}
port "imap" {
host_network = "mesh"
static = 143
to = 143
}
}
service {
name = "ingress-blowhole"
port = "80"
check {
type = "http"
path = "/health"
name = "jellyfin"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "jellyfin.in.redalder.org" ]
}
}
check {
type = "http"
path = "/"
name = "zigbee2mqtt"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "zigbee2mqtt.in.redalder.org" ]
}
}
check {
type = "http"
path = "/"
name = "home-assistant"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "hass.in.redalder.org" ]
}
}
# check {
# type = "http"
# path = "/"
# name = "syncthing"
# port = "http"
# interval = "5s"
# timeout = "5s"
# header {
# Host = [ "syncthing.in.redalder.org" ]
# }
# }
check {
type = "http"
path = "/api/health"
name = "grafana"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "grafana.in.redalder.org" ]
}
}
check {
type = "http"
path = "/health"
name = "influx"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "influx.in.redalder.org" ]
}
}
check {
type = "http"
path = "/"
name = "mainsail"
port = "http"
interval = "5s"
timeout = "5s"
header {
Host = [ "mainsail.in.redalder.org" ]
}
}
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "jellyfin"
local_bind_port = 8001
}
upstreams {
destination_name = "zigbee2mqtt"
local_bind_port = 8002
}
upstreams {
destination_name = "home-assistant"
local_bind_port = 8003
}
upstreams {
destination_name = "syncthing"
local_bind_port = 8004
}
upstreams {
destination_name = "dovecot-imap"
local_bind_port = 8005
}
upstreams {
destination_name = "grafana"
local_bind_port = 8006
}
upstreams {
destination_name = "influx"
local_bind_port = 8007
}
upstreams {
destination_name = "mainsail"
local_bind_port = 8008
}
upstreams {
destination_name = "matrix-synapse"
local_bind_port = 8009
}
upstreams {
destination_name = "matrix-mautrix-facebook"
local_bind_port = 8010
}
}
}
sidecar_task {
resources {
cpu = 75
memory = 48
}
config {
memory_hard_limit = 96
}
}
}
}
task "nginx" {
driver = "docker"
config {
nix_flake_ref = "${var.flake_ref}#nixngSystems.ingressBlowhole.config.system.build.toplevel"
nix_flake_sha = var.flake_sha
entrypoint = [ "init" ]
}
resources {
cpu = 200
memory = 32
memory_max = 128
}
template {
data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
destination = "local/ssl.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
destination = "local/headers.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
destination = "local/security.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = var.upstreams
destination = "local/upstreams.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
template {
data = <<EOF
upstream dovecot-imap {
server {{ env "NOMAD_UPSTREAM_ADDR_dovecot-imap" }};
}
server {
listen 143;
proxy_pass dovecot-imap;
}
EOF
destination = "local/streams.conf"
change_mode = "signal"
change_signal = "SIGHUP"
}
}
}
}

276
terranix/containers/ingress-blowhole/upstreams.conf Normal file
View file

@ -0,0 +1,276 @@
upstream jellyfin {
server {{ env "NOMAD_UPSTREAM_ADDR_jellyfin" }};
}
upstream zigbee2mqtt {
server {{ env "NOMAD_UPSTREAM_ADDR_zigbee2mqtt" }};
}
upstream home-assistant {
server {{ env "NOMAD_UPSTREAM_ADDR_home-assistant" }};
}
upstream syncthing {
server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }};
}
upstream influx {
server {{ env "NOMAD_UPSTREAM_ADDR_influx" }};
}
upstream grafana {
server {{ env "NOMAD_UPSTREAM_ADDR_grafana" }};
}
upstream mainsail {
server {{ env "NOMAD_UPSTREAM_ADDR_mainsail" }};
}
upstream matrix-synapse {
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
}
upstream matrix-mautrix-facebook {
server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};
}
server {
listen 80;
server_name jellyfin.in.redalder.org;
include /local/security.conf;
client_max_body_size 100M;
location / {
# Proxy main Jellyfin traffic
# The / at the end is significant.
# https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/
proxy_pass http://jellyfin/;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}
server {
listen 80;
server_name syncthing.in.redalder.org;
include /local/security.conf;
location / {
include /local/headers.conf;
proxy_pass http://syncthing/;
}
}
server {
listen 80;
server_name hass.in.redalder.org;
include /local/security.conf;
location / {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://home-assistant/;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}
server {
listen 80;
server_name zigbee2mqtt.in.redalder.org;
include /local/security.conf;
location / {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://zigbee2mqtt/;
}
}
server {
listen 80;
server_name grafana.in.redalder.org;
# Grafana really doesn't like that CSP policy
# include /local/security.conf;
location / {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://grafana/;
}
}
server {
listen 80;
server_name influx.in.redalder.org;
# Influx doesn't like it either
# include /local/security.conf;
location / {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://influx/;
}
}
server {
listen 80;
server_name mainsail.in.redalder.org;
# Influx doesn't like it either
include /local/security.conf;
location / {
include /local/headers.conf;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://mainsail/;
}
}
server {
listen 80;
server_name matrix.in.redalder.org;
location ~ ^/_synapse/admin {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://matrix-synapse;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
proxy_http_version 1.1;
}
location /mufb/ {
proxy_pass http://matrix-mautrix-facebook$request_uri;
proxy_set_header Host $http_host;
proxy_buffering off;
}
}
server {
listen 80;
server_name nomad.in.redalder.org;
location / {
proxy_pass http://blowhole.hosts.in.redalder.org:4646;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_http_version 1.1;
}
}
server {
listen 80;
server_name consul.in.redalder.org;
location / {
proxy_pass http://blowhole.hosts.in.redalder.org:8500;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_http_version 1.1;
}
}
server {
listen 80;
server_name vault.in.redalder.org;
location / {
proxy_pass http://blowhole.hosts.in.redalder.org:8200;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_http_version 1.1;
}
}
server {
listen 80;
server_name _;
include /local/security.conf;
location / {
return 404;
}
}
# server {
# listen 443;
# server_name _;
# include /local/security.conf;
# location / {
# return 404;
# }
# }