add reverse proxy with a bunch of internal sites exposed behind oauth; also update dashy [ci skip]

2023-11-01 13:27:23 +00:00 · 2023-11-01 13:27:23 +00:00 · 4e7752306d
commit 4e7752306d
parent c817655e00
4 changed files with 209 additions and 9 deletions
--- a/modules/kubernetes/dashy/conf.yml
+++ b/modules/kubernetes/dashy/conf.yml
@ -61,39 +61,39 @@ sections:
        title: ESXi R730 (Server)
        description: R730 esxi UI
        icon: si-vmware
-        url: https://r730.viktorbarzin.lan/ui/#/login
+        url: https://esxi.viktorbarzin.me/ui/#/login
        target: newtab
        id: 0_496_esxirserver
      - &ref_1
        title: PFsense (Firewall)
        description: Firewall
        icon: si-pfsense
-        url: https://pfsense.viktorbarzin.lan
+        url: https://pfsense.viktorbarzin.me
        target: newtab
        id: 1_496_pfsensefirewall
      - &ref_2
        title: iDRAC
        description: ""
        icon: si-dell
-        url: https://idrac.viktorbarzin.lan/
+        url: https://idrac.viktorbarzin.me/
        target: newtab
        id: 2_496_idrac
      - &ref_3
        title: TP-Link Gateway Router
        icon: hl-asus-router
-        url: https://192.168.1.1/webpages/login.html
+        url: https://gw.viktorbarzin.me/webpages/login.html
        id: 3_496_tplinkgatewayrouter
      - &ref_4
        title: Truenas
        description: Network Storage VM
        icon: si-truenas
-        url: http://truenas.viktorbarzin.lan/ui/dashboard
+        url: http://truenas.viktorbarzin.me/ui/dashboard
        id: 4_496_truenas
      - &ref_5
        title: NAS
        description: ""
        icon: si-synology
-        url: https://nas.viktorbarzin.lan:5001/
+        url: https://nas.viktorbarzin.me/
        id: 5_496_nas
      - &ref_6
        title: Server Switch
@ -121,19 +121,19 @@ sections:
      - &ref_7
        title: Valchedrym OpenWRT
        icon: si-openwrt
-        url: https://valchedrym.viktorbarzin.lan/
+        url: https://valchedrym.viktorbarzin.me/
        target: newtab
        id: 0_1567_valchedrymopenwrt
      - &ref_8
        title: Valchedram Alarm IP150
        icon: 📷
-        url: http://valchedrym.ddns.net:8080/login_page.html
+        url: https://ip150.viktorbarzin.me/
        target: newtab
        id: 1_1567_valchedramalarmip
      - &ref_9
        title: Mladost 3 Router
        icon: si-ghostery
-        url: http://mladost3.ddns.net:8080/
+        url: https://mladost3.viktorbarzin.me/
        target: newtab
        id: 2_1567_mladostrouter
    filteredItems:
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -307,3 +307,8 @@ module "vaultwarden" {
  source          = "./vaultwarden"
  tls_secret_name = var.tls_secret_name
 }
+
+module "reverse-proxy" {
+  source          = "./reverse_proxy"
+  tls_secret_name = var.tls_secret_name
+}
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@ -0,0 +1,72 @@
+variable "name" {}
+variable "namespace" {
+  default = "reverse-proxy"
+}
+variable "external_name" {}
+variable "port" {
+  default = "80"
+}
+variable "tls_secret_name" {}
+variable "backend_protocol" {
+  default = "HTTP"
+}
+
+
+resource "kubernetes_service" "proxied-service" {
+  metadata {
+    name      = var.name
+    namespace = var.namespace
+    labels = {
+      "app" = var.name
+    }
+  }
+
+  spec {
+    type          = "ExternalName"
+    external_name = var.external_name
+
+    port {
+      name        = "${var.name}-web"
+      port        = var.port
+      protocol    = "TCP"
+      target_port = var.port
+    }
+  }
+}
+
+resource "kubernetes_ingress_v1" "proxied-ingress" {
+  metadata {
+    name      = var.name
+    namespace = var.namespace
+    annotations = {
+      "nginx.ingress.kubernetes.io/backend-protocol" = "${var.backend_protocol}"
+      "kubernetes.io/ingress.class"                  = "nginx"
+      "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+      "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["${var.name}.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "${var.name}.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+
+              name = var.name
+              port {
+                number = var.port
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@ -0,0 +1,123 @@
+# Reverse proxy for things in my infra that are 
+# outside of K8S but would be nice to use the Nginx-ingress
+
+variable "tls_secret_name" {}
+
+resource "kubernetes_namespace" "reverse-proxy" {
+  metadata {
+    name = "reverse-proxy"
+  }
+}
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "reverse-proxy"
+  tls_secret_name = var.tls_secret_name
+}
+
+# https://pfsense.viktorbarzin.me/
+module "pfsense" {
+  source           = "./factory"
+  name             = "pfsense"
+  external_name    = "pfsense.viktorbarzin.lan"
+  tls_secret_name  = var.tls_secret_name
+  port             = 443
+  backend_protocol = "HTTPS"
+}
+
+# https://nas.viktorbarzin.me/
+module "nas" {
+  source           = "./factory"
+  name             = "nas"
+  external_name    = "nas.viktorbarzin.lan"
+  port             = 5001
+  tls_secret_name  = var.tls_secret_name
+  backend_protocol = "HTTPS"
+}
+
+# https://idrac.viktorbarzin.me/
+module "idrac" {
+  source          = "./factory"
+  name            = "idrac"
+  external_name   = "idrac.viktorbarzin.lan"
+  port            = 80
+  tls_secret_name = var.tls_secret_name
+}
+
+# Can either listen on https or http; can't do both :/
+# TODO: Not working yet
+module "tp-link-gateway" {
+  source           = "./factory"
+  name             = "gw"
+  external_name    = "gw.viktorbarzin.lan"
+  port             = 443
+  tls_secret_name  = var.tls_secret_name
+  backend_protocol = "HTTPS"
+}
+
+# https://truenas.viktorbarzin.me/
+module "truenas" {
+  source          = "./factory"
+  name            = "truenas"
+  external_name   = "truenas.viktorbarzin.lan"
+  port            = 80
+  tls_secret_name = var.tls_secret_name
+}
+
+# https://r730.viktorbarzin.me/
+module "r730" {
+  source           = "./factory"
+  name             = "r730"
+  external_name    = "r730.viktorbarzin.lan"
+  port             = 443
+  tls_secret_name  = var.tls_secret_name
+  backend_protocol = "HTTPS"
+}
+
+# https://esxi.viktorbarzin.me/
+module "esxi" {
+  source           = "./factory"
+  name             = "esxi"
+  external_name    = "esxi.viktorbarzin.lan"
+  port             = 443
+  tls_secret_name  = var.tls_secret_name
+  backend_protocol = "HTTPS"
+}
+
+# https://valchedrym.viktorbarzin.me/
+module "valchedrym" {
+  source           = "./factory"
+  name             = "valchedrym"
+  external_name    = "valchedrym.viktorbarzin.lan"
+  port             = 20123
+  tls_secret_name  = var.tls_secret_name
+  backend_protocol = "HTTPS"
+}
+
+# https://ip150.viktorbarzin.me/
+# Does not seem to load? - works when auth is down
+module "valchedrym-ip150" {
+  source          = "./factory"
+  name            = "ip150"
+  external_name   = "valchedrym.ddns.net"
+  port            = 8080
+  tls_secret_name = var.tls_secret_name
+}
+
+# https://mladost3.viktorbarzin.me/
+module "mladost3" {
+  source          = "./factory"
+  name            = "mladost3"
+  external_name   = "mladost3.ddns.net"
+  port            = 8080
+  tls_secret_name = var.tls_secret_name
+}
+
+# https://server-switch.viktorbarzin.me/
+module "server-switch" {
+  source          = "./factory"
+  name            = "server-switch"
+  external_name   = "server-switch.viktorbarzin.lan"
+  port            = 80
+  tls_secret_name = var.tls_secret_name
+}