diff --git a/group_vars/all.yml b/group_vars/all.yml
index 7281a11..57524a5 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -11,3 +11,67 @@ users:
 3461626364346238666434303839373839633661616166613364
 authorized_keys:
 - https://github.com/badjware.keys
+
+haproxy:
+ routing:
+ https:
+ - frontend:
+ - cloud.badjware.dev
+ - code.badjware.dev
+ - drone.badjware.dev
+ - grafana.badjware.dev
+ backend:
+ - server: 192.168.20.20
+ - server: 192.168.20.21
+ extra_param: backup
+ - server: 192.168.20.22
+ extra_param: backup
+ - server: 192.168.20.23
+ extra_param: backup
+ - server: 192.168.20.24
+ extra_param: backup
+ - frontend:
+ - s3.badjware.dev
+ backend:
+ - server: 192.168.20.30:9000
+ ssl: false
+ # - frontend:
+ # - kubernetes-dashboard.badjnet.home
+ # - traefik.badjnet.home
+ # - longhorn.badjnet.home
+ # - grafana.badjnet.home
+ # - prometheus.badjnet.home
+ # backend:
+ # - 192.168.20.20
+ # - 192.168.20.21
+ # - 192.168.20.22
+ # - 192.168.20.23
+ tcp:
+ - frontend: "30022"
+ backend:
+ - server: 192.168.20.20:30022
+ - server: 192.168.20.21:30022
+ extra_param: backup
+ - server: 192.168.20.22:30022
+ extra_param: backup
+ - server: 192.168.20.23:30022
+ extra_param: backup
+ - server: 192.168.20.24:30022
+ extra_param: backup
+
+letsencrypt:
+ domains:
+ - badjware.dev
+ - '*.badjware.dev'
+ email: marchambault@badjware.dev
+ digitalocean:
+ token: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35643864626166636564363831336663363335356530316464353864643030316662633230343763
+ 3439343831386632366137376137383936396164646237640a633132356332636134653832666636
+ 63386235636632613666393036643737633635613139326362353166653264633536633037306632
+ 3461313436326139330a366265343131366436653635623138373736353262653633666337623935
+ 31653964336664313261373031613566636337643934316430306638626631633434366164306639
+ 30616238613334633933343339393938326561633036633062323463636161336665373732626330
+ 37386264353239353435643266333033353931336637343038353765396134333763386637653638
+ 35343739666634323562
\ No newline at end of file
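Review bot: The vaulted DigitalOcean API token under `letsencrypt.digitalocean.token` now lives in `group_vars/all.yml`, so it is decrypted into the variable namespace of every host and play in the inventory rather than only the hosts that run the letsencrypt/haproxy roles; unless those roles are now applied to every host, keeping `letsencrypt` (and `haproxy.routing`) in a group-specific vars file for the hosts that consume them preserves the narrower secret scope the deleted `bastions.yml` had. The commented-out route (`# - frontend:` … `# backend:`) lists bare addresses such as `# - 192.168.20.20` instead of the `- server:` mappings the other routes use and that the haproxy.cfg template reads through `dst.server`, so it would fail to render if uncommented as-is; either rewrite those entries as `# - server: 192.168.20.20` or drop the block.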
diff --git a/group_vars/bastions.yml b/group_vars/bastions.yml
deleted file mode 100644
index f67f075..0000000
--- a/group_vars/bastions.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-haproxy:
- routing:
- https:
- - src:
- - cloud.badjware.dev
- - code.badjware.dev
- - drone.badjware.dev
- - grafana.badjware.dev
- dst:
- - server: 192.168.20.20
- - server: 192.168.20.21
- extra_param: backup
- - server: 192.168.20.22
- extra_param: backup
- - server: 192.168.20.23
- extra_param: backup
- - server: 192.168.20.24
- extra_param: backup
- - src:
- - s3.badjware.dev
- dst:
- - server: 192.168.20.30:9000
- ssl: false
- # - src:
- # - kubernetes-dashboard.badjnet.home
- # - traefik.badjnet.home
- # - longhorn.badjnet.home
- # - grafana.badjnet.home
- # - prometheus.badjnet.home
- # dst:
- # - 192.168.20.20
- # - 192.168.20.21
- # - 192.168.20.22
- # - 192.168.20.23
- tcp:
- - src: "30022"
- dst:
- - server: 192.168.20.20:30022
- - server: 192.168.20.21:30022
- extra_param: backup
- - server: 192.168.20.22:30022
- extra_param: backup
- - server: 192.168.20.23:30022
- extra_param: backup
- - server: 192.168.20.24:30022
- extra_param: backup
-
-letsencrypt:
- domains:
- - badjware.dev
- - '*.badjware.dev'
- email: marchambault@badjware.dev
- digitalocean:
- token: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 35643864626166636564363831336663363335356530316464353864643030316662633230343763
- 3439343831386632366137376137383936396164646237640a633132356332636134653832666636
- 63386235636632613666393036643737633635613139326362353166653264633536633037306632
- 3461313436326139330a366265343131366436653635623138373736353262653633666337623935
- 31653964336664313261373031613566636337643934316430306638626631633434366164306639
- 30616238613334633933343339393938326561633036633062323463636161336665373732626330
- 37386264353239353435643266333033353931336637343038353765396134333763386637653638
- 35343739666634323562
\ No newline at end of file
diff --git a/hosts b/hosts
index 8f6b39c..398b29f 100644
--- a/hosts +++ b/hosts @@ -2,25 +2,6 @@ # 1. create new user `useradd -m -G sudo -s /bin/bash ansible` # 2. configure user password `passwd ansible` (set password to badjnet/ssh/ansible) -# These will throw some warnings that can be safely be ignored -.user_config: &user_config - ansible_user: ansible - ansible_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 34376132666239383830316437356430306535396466396537323833633137376239386464343363 - 6234303430623964353762383935323335383737666533390a643033363235383138393932393833 - 34633732646430383131643662626635373661373261323365366531316439653963353739383664 - 6139363534616231380a373931333530373339653132626238333566663362343663623532393330 - 35616230643533363032623066376536366236353335373130643262613561396131 - ansible_become: 'yes' - ansible_become_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 34376132666239383830316437356430306535396466396537323833633137376239386464343363 - 6234303430623964353762383935323335383737666533390a643033363235383138393932393833 - 34633732646430383131643662626635373661373261323365366531316439653963353739383664 - 6139363534616231380a373931333530373339653132626238333566663362343663623532393330 - 35616230643533363032623066376536366236353335373130643262613561396131 - # Actual config starts here all: hosts: 
@@ -81,4 +62,19 @@ all: k3s: plex: vars: - <<: *user_config \ No newline at end of file + ansible_user: ansible + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34376132666239383830316437356430306535396466396537323833633137376239386464343363 + 6234303430623964353762383935323335383737666533390a643033363235383138393932393833 + 34633732646430383131643662626635373661373261323365366531316439653963353739383664 + 6139363534616231380a373931333530373339653132626238333566663362343663623532393330 + 35616230643533363032623066376536366236353335373130643262613561396131 + ansible_become: 'yes' + ansible_become_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34376132666239383830316437356430306535396466396537323833633137376239386464343363 + 6234303430623964353762383935323335383737666533390a643033363235383138393932393833 + 34633732646430383131643662626635373661373261323365366531316439653963353739383664 + 6139363534616231380a373931333530373339653132626238333566663362343663623532393330 + 35616230643533363032623066376536366236353335373130643262613561396131 \ No newline at end of file diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 19de3f5..a34dcbf 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -35,7 +35,7 @@ frontend http_management acl prefixed-with-metrics path_beg -i /metrics use_backend haproxy_metrics if prefixed-with-metrics -# http frontend +# https frontend frontend https_in bind *:80 # backend is assumed to be http, perform ssl termination here 
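Review bot: `ansible_become: 'yes'` on the new side of the `all.vars` block is a quoted string rather than a boolean; Ansible's truthiness conversion accepts it, but yamllint's truthy rule and the canonical form favor `ansible_become: true`, which also avoids the YAML 1.1/1.2 divergence around `yes`. The inlined `ansible_password` and `ansible_become_password` blobs are byte-identical ciphertext, which is fine if the login and sudo passwords are intended to be one secret, but a comment such as `# same vaulted secret as ansible_password` on the second key would state that intent instead of leaving the next reader to compare two hex blocks. Dropping the `<<:` merge key is sound in itself, since merge keys are a YAML 1.1 extension not every loader supports.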
@@ -59,8 +59,8 @@ frontend https_in # tcp-request content accept if { req.ssl_hello_type 1 } {% for http_route in https_routing %} - #use_backend https_{{ http_route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.src %}{{ src }} {% endfor %}} - use_backend https_{{ http_route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.src %}{{ src }} {% endfor %}} + #use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.frontend %}{{ src }} {% endfor %}} + use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.frontend %}{{ src }} {% endfor %}} {% endfor %} ## BACKENDS ## @@ -79,11 +79,11 @@ backend haproxy_metrics http-request use-service prometheus-exporter {% for http_route in https_routing %} -# backend for {{ ', '.join(http_route.src) }} -backend https_{{ http_route.src[0]|replace('.','_') }} +# backend for {{ ', '.join(http_route.frontend) }} +backend https_{{ http_route.frontend[0]|replace('.','_') }} mode http balance roundrobin -{% for dst in http_route.dst %} +{% for dst in http_route.backend %} server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %} {{ dst.extra_param|default('') }} {% endfor %} @@ -92,14 +92,14 @@ backend https_{{ http_route.src[0]|replace('.','_') }} ## TCP ## {% for tcp_route in tcp_routing %} -frontend tcp_{{ tcp_route.src }} - bind *:{{ tcp_route.src }} +frontend tcp_{{ tcp_route.frontend }} + bind *:{{ tcp_route.frontend }} mode tcp - use_backend tcp_{{ tcp_route.src }} + use_backend tcp_{{ tcp_route.frontend }} -backend tcp_{{ tcp_route.src }} +backend tcp_{{ tcp_route.frontend }} mode tcp -{% for dst in tcp_route.dst %} +{% for dst in tcp_route.backend %} server {{ dst.server }} {{ dst.server }} check {{ dst.extra_param|default('') }} {% endfor %} {% endfor %} 
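Review bot: The rewritten `use_backend` line still keys on `hdr_end(host) -i …`, which is a suffix match, so any Host header that merely ends in one of the listed names (a constructed example: `notcloud.badjware.dev`, which the `'*.badjware.dev'` wildcard in group_vars would also cover) selects that backend; if only the listed hosts are meant to route there, an exact match is the tighter choice, e.g. `use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { hdr(host) -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}`. The inner loop variable is still named `src` after the key became `frontend`; renaming it (`{% for host in http_route.frontend %}{{ host }} {% endfor %}`) here and in the `', '.join(http_route.frontend)` comment of the `@@ -79` hunk keeps the template's vocabulary consistent with the new variable names. The enclosing `frontend https_in` block starts outside this hunk.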
diff --git a/roles/k3s/tasks/main.yml b/roles/k3s/tasks/main.yml index 99a3636..c371a46 100644 --- a/roles/k3s/tasks/main.yml +++ b/roles/k3s/tasks/main.yml @@ -3,6 +3,7 @@ name: - open-iscsi # required by longhorn - nfs-common # required for nfs support + - iptables # required for docker-in-docker workload support # https://longhorn.io/kb/troubleshooting-volume-with-multipath/ - name: Disable multipath (for longhorn volumes)
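Review bot: The new `- iptables` entry installs the distribution's iptables next to K3s, which as far as I recall ships and prefers its own bundled iptables and documents host builds in the nft-backed 1.8.0–1.8.4 range as a known source of broken service routing; the hunk gives no hint of the target distro or version, so a comment recording what this was validated against, e.g. `- iptables # required for docker-in-docker workload support; verified to coexist with k3s's bundled iptables on <distro/version>`, would save the next reviewer from re-deriving that. If the package list is pinned or the iptables mode is set elsewhere in the role, that is not visible in this hunk.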