cleanup bastion

group_vars/all.yml

@@ -11,3 +11,67 @@ users:
           3461626364346238666434303839373839633661616166613364
     authorized_keys:
       - https://github.com/badjware.keys
+
+haproxy:
+  routing:
+    https:
+      - frontend:
+          - cloud.badjware.dev
+          - code.badjware.dev
+          - drone.badjware.dev
+          - grafana.badjware.dev
+        backend:
+          - server: 192.168.20.20
+          - server: 192.168.20.21
+            extra_param: backup
+          - server: 192.168.20.22
+            extra_param: backup
+          - server: 192.168.20.23
+            extra_param: backup
+          - server: 192.168.20.24
+            extra_param: backup
+      - frontend:
+          - s3.badjware.dev
+        backend:
+          - server: 192.168.20.30:9000
+        ssl: false
+      # - frontend:
+      #     - kubernetes-dashboard.badjnet.home
+      #     - traefik.badjnet.home
+      #     - longhorn.badjnet.home
+      #     - grafana.badjnet.home
+      #     - prometheus.badjnet.home
+      #   backend:
+      #     - 192.168.20.20
+      #     - 192.168.20.21
+      #     - 192.168.20.22
+      #     - 192.168.20.23
+    tcp:
+      - frontend: "30022"
+        backend:
+          - server: 192.168.20.20:30022
+          - server: 192.168.20.21:30022
+            extra_param: backup
+          - server: 192.168.20.22:30022
+            extra_param: backup
+          - server: 192.168.20.23:30022
+            extra_param: backup
+          - server: 192.168.20.24:30022
+            extra_param: backup
+
+letsencrypt:
+  domains:
+    - badjware.dev
+    - '*.badjware.dev'
+  email: marchambault@badjware.dev
+  digitalocean:
+    token: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35643864626166636564363831336663363335356530316464353864643030316662633230343763
+          3439343831386632366137376137383936396164646237640a633132356332636134653832666636
+          63386235636632613666393036643737633635613139326362353166653264633536633037306632
+          3461313436326139330a366265343131366436653635623138373736353262653633666337623935
+          31653964336664313261373031613566636337643934316430306638626631633434366164306639
+          30616238613334633933343339393938326561633036633062323463636161336665373732626330
+          37386264353239353435643266333033353931336637343038353765396134333763386637653638
+          35343739666634323562

group_vars/bastions.yml

@@ -1,63 +0,0 @@
-haproxy:
-  routing:
-    https:
-      - src:
-          - cloud.badjware.dev
-          - code.badjware.dev
-          - drone.badjware.dev
-          - grafana.badjware.dev
-        dst:
-          - server: 192.168.20.20
-          - server: 192.168.20.21
-            extra_param: backup
-          - server: 192.168.20.22
-            extra_param: backup
-          - server: 192.168.20.23
-            extra_param: backup
-          - server: 192.168.20.24
-            extra_param: backup
-      - src:
-          - s3.badjware.dev
-        dst:
-          - server: 192.168.20.30:9000
-        ssl: false
-      # - src:
-      #     - kubernetes-dashboard.badjnet.home
-      #     - traefik.badjnet.home
-      #     - longhorn.badjnet.home
-      #     - grafana.badjnet.home
-      #     - prometheus.badjnet.home
-      #   dst:
-      #     - 192.168.20.20
-      #     - 192.168.20.21
-      #     - 192.168.20.22
-      #     - 192.168.20.23
-    tcp:
-      - src: "30022"
-        dst:
-          - server: 192.168.20.20:30022
-          - server: 192.168.20.21:30022
-            extra_param: backup
-          - server: 192.168.20.22:30022
-            extra_param: backup
-          - server: 192.168.20.23:30022
-            extra_param: backup
-          - server: 192.168.20.24:30022
-            extra_param: backup
-
-letsencrypt:
-  domains:
-    - badjware.dev
-    - '*.badjware.dev'
-  email: marchambault@badjware.dev
-  digitalocean:
-    token: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          35643864626166636564363831336663363335356530316464353864643030316662633230343763
-          3439343831386632366137376137383936396164646237640a633132356332636134653832666636
-          63386235636632613666393036643737633635613139326362353166653264633536633037306632
-          3461313436326139330a366265343131366436653635623138373736353262653633666337623935
-          31653964336664313261373031613566636337643934316430306638626631633434366164306639
-          30616238613334633933343339393938326561633036633062323463636161336665373732626330
-          37386264353239353435643266333033353931336637343038353765396134333763386637653638
-          35343739666634323562

hosts

@@ -2,25 +2,6 @@
 # 1. create new user `useradd -m -G sudo -s /bin/bash ansible`
 # 2. configure user password `passwd ansible` (set password to badjnet/ssh/ansible)
 
-# These will throw some warnings that can be safely be ignored
-.user_config: &user_config
-  ansible_user: ansible
-  ansible_password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          34376132666239383830316437356430306535396466396537323833633137376239386464343363
-          6234303430623964353762383935323335383737666533390a643033363235383138393932393833
-          34633732646430383131643662626635373661373261323365366531316439653963353739383664
-          6139363534616231380a373931333530373339653132626238333566663362343663623532393330
-          35616230643533363032623066376536366236353335373130643262613561396131
-  ansible_become: 'yes'
-  ansible_become_password: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          34376132666239383830316437356430306535396466396537323833633137376239386464343363
-          6234303430623964353762383935323335383737666533390a643033363235383138393932393833
-          34633732646430383131643662626635373661373261323365366531316439653963353739383664
-          6139363534616231380a373931333530373339653132626238333566663362343663623532393330
-          35616230643533363032623066376536366236353335373130643262613561396131
-
 # Actual config starts here
 all:
   hosts:
@@ -81,4 +62,19 @@ all:
         k3s:
         plex:
       vars:
-        <<: *user_config
+        ansible_user: ansible
+        ansible_password: !vault |
+                $ANSIBLE_VAULT;1.1;AES256
+                34376132666239383830316437356430306535396466396537323833633137376239386464343363
+                6234303430623964353762383935323335383737666533390a643033363235383138393932393833
+                34633732646430383131643662626635373661373261323365366531316439653963353739383664
+                6139363534616231380a373931333530373339653132626238333566663362343663623532393330
+                35616230643533363032623066376536366236353335373130643262613561396131
+        ansible_become: 'yes'
+        ansible_become_password: !vault |
+                $ANSIBLE_VAULT;1.1;AES256
+                34376132666239383830316437356430306535396466396537323833633137376239386464343363
+                6234303430623964353762383935323335383737666533390a643033363235383138393932393833
+                34633732646430383131643662626635373661373261323365366531316439653963353739383664
+                6139363534616231380a373931333530373339653132626238333566663362343663623532393330
+                35616230643533363032623066376536366236353335373130643262613561396131

roles/haproxy/templates/haproxy.cfg

@@ -35,7 +35,7 @@ frontend http_management
     acl prefixed-with-metrics path_beg -i /metrics
     use_backend haproxy_metrics if prefixed-with-metrics
 
-# http frontend
+# https frontend
 frontend https_in
     bind *:80
     # backend is assumed to be http, perform ssl termination here
@@ -59,8 +59,8 @@ frontend https_in
     # tcp-request content accept if { req.ssl_hello_type 1  }
 
 {% for http_route in https_routing %}
-    #use_backend https_{{ http_route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.src %}{{ src }} {% endfor %}}
-    use_backend https_{{ http_route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.src %}{{ src }} {% endfor %}}
+    #use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}
+    use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}
 {% endfor %}
 
 ## BACKENDS ##
@@ -79,11 +79,11 @@ backend haproxy_metrics
     http-request use-service prometheus-exporter
 
 {% for http_route in https_routing %}
-# backend for {{ ', '.join(http_route.src) }}
-backend https_{{ http_route.src[0]|replace('.','_') }}
+# backend for {{ ', '.join(http_route.frontend) }}
+backend https_{{ http_route.frontend[0]|replace('.','_') }}
     mode http
     balance roundrobin
-{% for dst in http_route.dst %}
+{% for dst in http_route.backend %}
     server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %} {{ dst.extra_param|default('') }}
 
 {% endfor %}
@@ -92,14 +92,14 @@ backend https_{{ http_route.src[0]|replace('.','_') }}
 
 ## TCP ##
 {% for tcp_route in tcp_routing %}
-frontend tcp_{{ tcp_route.src }}
-    bind *:{{ tcp_route.src }}
+frontend tcp_{{ tcp_route.frontend }}
+    bind *:{{ tcp_route.frontend }}
     mode tcp
-    use_backend tcp_{{ tcp_route.src }}
+    use_backend tcp_{{ tcp_route.frontend }}
 
-backend tcp_{{ tcp_route.src }}
+backend tcp_{{ tcp_route.frontend }}
     mode tcp
-{% for dst in tcp_route.dst %}
+{% for dst in tcp_route.backend %}
     server {{ dst.server }} {{ dst.server }} check {{ dst.extra_param|default('') }}
 {% endfor %}
 {% endfor %}

roles/k3s/tasks/main.yml

@@ -3,6 +3,7 @@
     name:
       - open-iscsi # required by longhorn
       - nfs-common # required for nfs support
+      - iptables # required for docker-in-docker workload support
 
 # https://longhorn.io/kb/troubleshooting-volume-with-multipath/
 - name: Disable multipath (for longhorn volumes)