cleanup bastion
This commit is contained in:
parent
6fac939363
commit
a069ec3ca3
@ -11,3 +11,67 @@ users:
|
||||||
3461626364346238666434303839373839633661616166613364
|
3461626364346238666434303839373839633661616166613364
|
||||||
authorized_keys:
|
authorized_keys:
|
||||||
- https://github.com/badjware.keys
|
- https://github.com/badjware.keys
|
||||||
|
|
||||||
|
haproxy:
|
||||||
|
routing:
|
||||||
|
https:
|
||||||
|
- frontend:
|
||||||
|
- cloud.badjware.dev
|
||||||
|
- code.badjware.dev
|
||||||
|
- drone.badjware.dev
|
||||||
|
- grafana.badjware.dev
|
||||||
|
backend:
|
||||||
|
- server: 192.168.20.20
|
||||||
|
- server: 192.168.20.21
|
||||||
|
extra_param: backup
|
||||||
|
- server: 192.168.20.22
|
||||||
|
extra_param: backup
|
||||||
|
- server: 192.168.20.23
|
||||||
|
extra_param: backup
|
||||||
|
- server: 192.168.20.24
|
||||||
|
extra_param: backup
|
||||||
|
- frontend:
|
||||||
|
- s3.badjware.dev
|
||||||
|
backend:
|
||||||
|
- server: 192.168.20.30:9000
|
||||||
|
ssl: false
|
||||||
|
# - frontend:
|
||||||
|
# - kubernetes-dashboard.badjnet.home
|
||||||
|
# - traefik.badjnet.home
|
||||||
|
# - longhorn.badjnet.home
|
||||||
|
# - grafana.badjnet.home
|
||||||
|
# - prometheus.badjnet.home
|
||||||
|
# backend:
|
||||||
|
# - 192.168.20.20
|
||||||
|
# - 192.168.20.21
|
||||||
|
# - 192.168.20.22
|
||||||
|
# - 192.168.20.23
|
||||||
|
tcp:
|
||||||
|
- frontend: "30022"
|
||||||
|
backend:
|
||||||
|
- server: 192.168.20.20:30022
|
||||||
|
- server: 192.168.20.21:30022
|
||||||
|
extra_param: backup
|
||||||
|
- server: 192.168.20.22:30022
|
||||||
|
extra_param: backup
|
||||||
|
- server: 192.168.20.23:30022
|
||||||
|
extra_param: backup
|
||||||
|
- server: 192.168.20.24:30022
|
||||||
|
extra_param: backup
|
||||||
|
|
||||||
|
letsencrypt:
|
||||||
|
domains:
|
||||||
|
- badjware.dev
|
||||||
|
- '*.badjware.dev'
|
||||||
|
email: marchambault@badjware.dev
|
||||||
|
digitalocean:
|
||||||
|
token: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
35643864626166636564363831336663363335356530316464353864643030316662633230343763
|
||||||
|
3439343831386632366137376137383936396164646237640a633132356332636134653832666636
|
||||||
|
63386235636632613666393036643737633635613139326362353166653264633536633037306632
|
||||||
|
3461313436326139330a366265343131366436653635623138373736353262653633666337623935
|
||||||
|
31653964336664313261373031613566636337643934316430306638626631633434366164306639
|
||||||
|
30616238613334633933343339393938326561633036633062323463636161336665373732626330
|
||||||
|
37386264353239353435643266333033353931336637343038353765396134333763386637653638
|
||||||
|
35343739666634323562
|
|
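Review bot: The commented-out `badjnet.home` route block added to the new `https` list is dead configuration copied verbatim from the file this commit deletes; it should either be dropped or given a one-line reason for keeping it, such as `# kept for reference: former badjnet.home internal routes, not served from this host`. The `ssl: false` on the `s3.badjware.dev` route is the only place a backend's protocol is declared, and what it controls is only discoverable from the haproxy template hunk later in this commit, where a missing key defaults to `ssl|default(true)` and adds `ssl verify none alpn h2` to the server line; a comment above it, `# backend on :9000 speaks plain http; the template defaults ssl to true`, would make the data file self-explanatory. The rendered page has lost all indentation, so whether each `extra_param: backup` is nested under its preceding `server` entry could not be verified from here.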
@ -1,63 +0,0 @@
|
||||||
haproxy:
|
|
||||||
routing:
|
|
||||||
https:
|
|
||||||
- src:
|
|
||||||
- cloud.badjware.dev
|
|
||||||
- code.badjware.dev
|
|
||||||
- drone.badjware.dev
|
|
||||||
- grafana.badjware.dev
|
|
||||||
dst:
|
|
||||||
- server: 192.168.20.20
|
|
||||||
- server: 192.168.20.21
|
|
||||||
extra_param: backup
|
|
||||||
- server: 192.168.20.22
|
|
||||||
extra_param: backup
|
|
||||||
- server: 192.168.20.23
|
|
||||||
extra_param: backup
|
|
||||||
- server: 192.168.20.24
|
|
||||||
extra_param: backup
|
|
||||||
- src:
|
|
||||||
- s3.badjware.dev
|
|
||||||
dst:
|
|
||||||
- server: 192.168.20.30:9000
|
|
||||||
ssl: false
|
|
||||||
# - src:
|
|
||||||
# - kubernetes-dashboard.badjnet.home
|
|
||||||
# - traefik.badjnet.home
|
|
||||||
# - longhorn.badjnet.home
|
|
||||||
# - grafana.badjnet.home
|
|
||||||
# - prometheus.badjnet.home
|
|
||||||
# dst:
|
|
||||||
# - 192.168.20.20
|
|
||||||
# - 192.168.20.21
|
|
||||||
# - 192.168.20.22
|
|
||||||
# - 192.168.20.23
|
|
||||||
tcp:
|
|
||||||
- src: "30022"
|
|
||||||
dst:
|
|
||||||
- server: 192.168.20.20:30022
|
|
||||||
- server: 192.168.20.21:30022
|
|
||||||
extra_param: backup
|
|
||||||
- server: 192.168.20.22:30022
|
|
||||||
extra_param: backup
|
|
||||||
- server: 192.168.20.23:30022
|
|
||||||
extra_param: backup
|
|
||||||
- server: 192.168.20.24:30022
|
|
||||||
extra_param: backup
|
|
||||||
|
|
||||||
letsencrypt:
|
|
||||||
domains:
|
|
||||||
- badjware.dev
|
|
||||||
- '*.badjware.dev'
|
|
||||||
email: marchambault@badjware.dev
|
|
||||||
digitalocean:
|
|
||||||
token: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
35643864626166636564363831336663363335356530316464353864643030316662633230343763
|
|
||||||
3439343831386632366137376137383936396164646237640a633132356332636134653832666636
|
|
||||||
63386235636632613666393036643737633635613139326362353166653264633536633037306632
|
|
||||||
3461313436326139330a366265343131366436653635623138373736353262653633666337623935
|
|
||||||
31653964336664313261373031613566636337643934316430306638626631633434366164306639
|
|
||||||
30616238613334633933343339393938326561633036633062323463636161336665373732626330
|
|
||||||
37386264353239353435643266333033353931336637343038353765396134333763386637653638
|
|
||||||
35343739666634323562
|
|
36
hosts
36
hosts
|
@ -2,25 +2,6 @@
|
||||||
# 1. create new user `useradd -m -G sudo -s /bin/bash ansible`
|
# 1. create new user `useradd -m -G sudo -s /bin/bash ansible`
|
||||||
# 2. configure user password `passwd ansible` (set password to badjnet/ssh/ansible)
|
# 2. configure user password `passwd ansible` (set password to badjnet/ssh/ansible)
|
||||||
|
|
||||||
# These will throw some warnings that can be safely be ignored
|
|
||||||
.user_config: &user_config
|
|
||||||
ansible_user: ansible
|
|
||||||
ansible_password: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
34376132666239383830316437356430306535396466396537323833633137376239386464343363
|
|
||||||
6234303430623964353762383935323335383737666533390a643033363235383138393932393833
|
|
||||||
34633732646430383131643662626635373661373261323365366531316439653963353739383664
|
|
||||||
6139363534616231380a373931333530373339653132626238333566663362343663623532393330
|
|
||||||
35616230643533363032623066376536366236353335373130643262613561396131
|
|
||||||
ansible_become: 'yes'
|
|
||||||
ansible_become_password: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
34376132666239383830316437356430306535396466396537323833633137376239386464343363
|
|
||||||
6234303430623964353762383935323335383737666533390a643033363235383138393932393833
|
|
||||||
34633732646430383131643662626635373661373261323365366531316439653963353739383664
|
|
||||||
6139363534616231380a373931333530373339653132626238333566663362343663623532393330
|
|
||||||
35616230643533363032623066376536366236353335373130643262613561396131
|
|
||||||
|
|
||||||
# Actual config starts here
|
# Actual config starts here
|
||||||
all:
|
all:
|
||||||
hosts:
|
hosts:
|
||||||
|
@ -81,4 +62,19 @@ all:
|
||||||
k3s:
|
k3s:
|
||||||
plex:
|
plex:
|
||||||
vars:
|
vars:
|
||||||
<<: *user_config
|
ansible_user: ansible
|
||||||
|
ansible_password: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
34376132666239383830316437356430306535396466396537323833633137376239386464343363
|
||||||
|
6234303430623964353762383935323335383737666533390a643033363235383138393932393833
|
||||||
|
34633732646430383131643662626635373661373261323365366531316439653963353739383664
|
||||||
|
6139363534616231380a373931333530373339653132626238333566663362343663623532393330
|
||||||
|
35616230643533363032623066376536366236353335373130643262613561396131
|
||||||
|
ansible_become: 'yes'
|
||||||
|
ansible_become_password: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
34376132666239383830316437356430306535396466396537323833633137376239386464343363
|
||||||
|
6234303430623964353762383935323335383737666533390a643033363235383138393932393833
|
||||||
|
34633732646430383131643662626635373661373261323365366531316439653963353739383664
|
||||||
|
6139363534616231380a373931333530373339653132626238333566663362343663623532393330
|
||||||
|
35616230643533363032623066376536366236353335373130643262613561396131
|
|
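Review bot: The vault blob now inlined for `ansible_become_password` is byte-for-byte the same ciphertext as the one for `ansible_password`, so one secret is stored twice and must be re-encrypted in both places on every rotation, which is exactly the drift the removed `&user_config` anchor used to prevent. Keeping a single ciphertext and deriving the second value, `ansible_become_password: "{{ ansible_password }}"`, preserves the behaviour with one blob to maintain. In the same block, `ansible_become: 'yes'` is a quoted string that Ansible coerces to a boolean; `ansible_become: true` states what is meant and satisfies yamllint's truthy rule. The enclosing `all:` mapping and its `hosts:` key start outside this hunk.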
@ -35,7 +35,7 @@ frontend http_management
|
||||||
acl prefixed-with-metrics path_beg -i /metrics
|
acl prefixed-with-metrics path_beg -i /metrics
|
||||||
use_backend haproxy_metrics if prefixed-with-metrics
|
use_backend haproxy_metrics if prefixed-with-metrics
|
||||||
|
|
||||||
# http frontend
|
# https frontend
|
||||||
frontend https_in
|
frontend https_in
|
||||||
bind *:80
|
bind *:80
|
||||||
# backend is assumed to be http, perform ssl termination here
|
# backend is assumed to be http, perform ssl termination here
|
||||||
|
@ -59,8 +59,8 @@ frontend https_in
|
||||||
# tcp-request content accept if { req.ssl_hello_type 1 }
|
# tcp-request content accept if { req.ssl_hello_type 1 }
|
||||||
|
|
||||||
{% for http_route in https_routing %}
|
{% for http_route in https_routing %}
|
||||||
#use_backend https_{{ http_route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.src %}{{ src }} {% endfor %}}
|
#use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}
|
||||||
use_backend https_{{ http_route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.src %}{{ src }} {% endfor %}}
|
use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
## BACKENDS ##
|
## BACKENDS ##
|
||||||
|
@ -79,11 +79,11 @@ backend haproxy_metrics
|
||||||
http-request use-service prometheus-exporter
|
http-request use-service prometheus-exporter
|
||||||
|
|
||||||
{% for http_route in https_routing %}
|
{% for http_route in https_routing %}
|
||||||
# backend for {{ ', '.join(http_route.src) }}
|
# backend for {{ ', '.join(http_route.frontend) }}
|
||||||
backend https_{{ http_route.src[0]|replace('.','_') }}
|
backend https_{{ http_route.frontend[0]|replace('.','_') }}
|
||||||
mode http
|
mode http
|
||||||
balance roundrobin
|
balance roundrobin
|
||||||
{% for dst in http_route.dst %}
|
{% for dst in http_route.backend %}
|
||||||
server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %} {{ dst.extra_param|default('') }}
|
server {{ dst.server }} {{ dst.server }}{% if ':' not in dst.server %}:443{% endif %} check {% if http_route.ssl|default(true) %}ssl verify none alpn h2{% endif %} {{ dst.extra_param|default('') }}
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -92,14 +92,14 @@ backend https_{{ http_route.src[0]|replace('.','_') }}
|
||||||
|
|
||||||
## TCP ##
|
## TCP ##
|
||||||
{% for tcp_route in tcp_routing %}
|
{% for tcp_route in tcp_routing %}
|
||||||
frontend tcp_{{ tcp_route.src }}
|
frontend tcp_{{ tcp_route.frontend }}
|
||||||
bind *:{{ tcp_route.src }}
|
bind *:{{ tcp_route.frontend }}
|
||||||
mode tcp
|
mode tcp
|
||||||
use_backend tcp_{{ tcp_route.src }}
|
use_backend tcp_{{ tcp_route.frontend }}
|
||||||
|
|
||||||
backend tcp_{{ tcp_route.src }}
|
backend tcp_{{ tcp_route.frontend }}
|
||||||
mode tcp
|
mode tcp
|
||||||
{% for dst in tcp_route.dst %}
|
{% for dst in tcp_route.backend %}
|
||||||
server {{ dst.server }} {{ dst.server }} check {{ dst.extra_param|default('') }}
|
server {{ dst.server }} {{ dst.server }} check {{ dst.extra_param|default('') }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
|
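Review bot: The renamed `use_backend ... if { hdr_end(host) -i ... }` rule in the second hunk selects a backend by suffix match, so any Host header that merely ends in one of the listed `frontend` names (for example `notcloud.badjware.dev`) is routed to the same backend as `cloud.badjware.dev`, and since HAProxy takes the first matching `use_backend`, route order silently decides ties. An exact match, `use_backend https_{{ http_route.frontend[0]|replace('.','_') }} if { hdr(host) -i {% for src in http_route.frontend %}{{ src }} {% endfor %}}`, keeps the same data model and admits only the names listed; `hdr_dom(host)` is the alternative if subdomains of a listed name should also be accepted. This behaviour predates the commit, which only carries it forward under the new key names, and the `https_in` frontend block continues outside the hunk.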
@ -3,6 +3,7 @@
|
||||||
name:
|
name:
|
||||||
- open-iscsi # required by longhorn
|
- open-iscsi # required by longhorn
|
||||||
- nfs-common # required for nfs support
|
- nfs-common # required for nfs support
|
||||||
|
- iptables # required for docker-in-docker workload support
|
||||||
|
|
||||||
# https://longhorn.io/kb/troubleshooting-volume-with-multipath/
|
# https://longhorn.io/kb/troubleshooting-volume-with-multipath/
|
||||||
- name: Disable multipath (for longhorn volumes)
|
- name: Disable multipath (for longhorn volumes)
|
||||||
|
|