viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

add reverse proxy with a bunch of internal sites exposed behind oauth; also update dashy [ci skip]

Browse source
This commit is contained in:
Viktor Barzin 2023-11-01 13:27:23 +00:00
parent c817655e00
commit 4e7752306d
4 changed files with 209 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

18
modules/kubernetes/dashy/conf.yml
View file

@ -61,39 +61,39 @@ sections:
title: ESXi R730 (Server) title: ESXi R730 (Server)
description: R730 esxi UI description: R730 esxi UI
icon: si-vmware icon: si-vmware
url: https://r730.viktorbarzin.lan/ui/#/login url: https://esxi.viktorbarzin.me/ui/#/login
target: newtab target: newtab
id: 0_496_esxirserver id: 0_496_esxirserver
- &ref_1 - &ref_1
title: PFsense (Firewall) title: PFsense (Firewall)
description: Firewall description: Firewall
icon: si-pfsense icon: si-pfsense
url: https://pfsense.viktorbarzin.lan url: https://pfsense.viktorbarzin.me
target: newtab target: newtab
id: 1_496_pfsensefirewall id: 1_496_pfsensefirewall
- &ref_2 - &ref_2
title: iDRAC title: iDRAC
description: "" description: ""
icon: si-dell icon: si-dell
url: https://idrac.viktorbarzin.lan/ url: https://idrac.viktorbarzin.me/
target: newtab target: newtab
id: 2_496_idrac id: 2_496_idrac
- &ref_3 - &ref_3
title: TP-Link Gateway Router title: TP-Link Gateway Router
icon: hl-asus-router icon: hl-asus-router
url: https://192.168.1.1/webpages/login.html url: https://gw.viktorbarzin.me/webpages/login.html
id: 3_496_tplinkgatewayrouter id: 3_496_tplinkgatewayrouter
- &ref_4 - &ref_4
title: Truenas title: Truenas
description: Network Storage VM description: Network Storage VM
icon: si-truenas icon: si-truenas
url: http://truenas.viktorbarzin.lan/ui/dashboard url: http://truenas.viktorbarzin.me/ui/dashboard
id: 4_496_truenas id: 4_496_truenas
- &ref_5 - &ref_5
title: NAS title: NAS
description: "" description: ""
icon: si-synology icon: si-synology
url: https://nas.viktorbarzin.lan:5001/ url: https://nas.viktorbarzin.me/
id: 5_496_nas id: 5_496_nas
- &ref_6 - &ref_6
title: Server Switch title: Server Switch
@ -121,19 +121,19 @@ sections:
- &ref_7 - &ref_7
title: Valchedrym OpenWRT title: Valchedrym OpenWRT
icon: si-openwrt icon: si-openwrt
url: https://valchedrym.viktorbarzin.lan/ url: https://valchedrym.viktorbarzin.me/
target: newtab target: newtab
id: 0_1567_valchedrymopenwrt id: 0_1567_valchedrymopenwrt
- &ref_8 - &ref_8
title: Valchedram Alarm IP150 title: Valchedram Alarm IP150
icon: 📷 icon: 📷
url: http://valchedrym.ddns.net:8080/login_page.html url: https://ip150.viktorbarzin.me/
target: newtab target: newtab
id: 1_1567_valchedramalarmip id: 1_1567_valchedramalarmip
- &ref_9 - &ref_9
title: Mladost 3 Router title: Mladost 3 Router
icon: si-ghostery icon: si-ghostery
url: http://mladost3.ddns.net:8080/ url: https://mladost3.viktorbarzin.me/
target: newtab target: newtab
id: 2_1567_mladostrouter id: 2_1567_mladostrouter
filteredItems: filteredItems:

5
modules/kubernetes/main.tf
View file

@ -307,3 +307,8 @@ module "vaultwarden" {
source = "./vaultwarden" source = "./vaultwarden"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
} }
module "reverse-proxy" {
source = "./reverse_proxy"
tls_secret_name = var.tls_secret_name
}

72
modules/kubernetes/reverse_proxy/factory/main.tf Normal file
View file

@ -0,0 +1,72 @@
variable "name" {}
variable "namespace" {
default = "reverse-proxy"
}
variable "external_name" {}
variable "port" {
default = "80"
}
variable "tls_secret_name" {}
variable "backend_protocol" {
default = "HTTP"
}
resource "kubernetes_service" "proxied-service" {
metadata {
name = var.name
namespace = var.namespace
labels = {
"app" = var.name
}
}
spec {
type = "ExternalName"
external_name = var.external_name
port {
name = "${var.name}-web"
port = var.port
protocol = "TCP"
target_port = var.port
}
}
}
resource "kubernetes_ingress_v1" "proxied-ingress" {
metadata {
name = var.name
namespace = var.namespace
annotations = {
"nginx.ingress.kubernetes.io/backend-protocol" = "${var.backend_protocol}"
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
"nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["${var.name}.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "${var.name}.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = var.name
port {
number = var.port
}
}
}
}
}
}
}
}

123
modules/kubernetes/reverse_proxy/main.tf Normal file
View file

@ -0,0 +1,123 @@
# Reverse proxy for things in my infra that are
# outside of K8S but would be nice to use the Nginx-ingress
variable "tls_secret_name" {}
resource "kubernetes_namespace" "reverse-proxy" {
metadata {
name = "reverse-proxy"
}
}
module "tls_secret" {
source = "../setup_tls_secret"
namespace = "reverse-proxy"
tls_secret_name = var.tls_secret_name
}
# https://pfsense.viktorbarzin.me/
module "pfsense" {
source = "./factory"
name = "pfsense"
external_name = "pfsense.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
port = 443
backend_protocol = "HTTPS"
}
# https://nas.viktorbarzin.me/
module "nas" {
source = "./factory"
name = "nas"
external_name = "nas.viktorbarzin.lan"
port = 5001
tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS"
}
# https://idrac.viktorbarzin.me/
module "idrac" {
source = "./factory"
name = "idrac"
external_name = "idrac.viktorbarzin.lan"
port = 80
tls_secret_name = var.tls_secret_name
}
# Can either listen on https or http; can't do both :/
# TODO: Not working yet
module "tp-link-gateway" {
source = "./factory"
name = "gw"
external_name = "gw.viktorbarzin.lan"
port = 443
tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS"
}
# https://truenas.viktorbarzin.me/
module "truenas" {
source = "./factory"
name = "truenas"
external_name = "truenas.viktorbarzin.lan"
port = 80
tls_secret_name = var.tls_secret_name
}
# https://r730.viktorbarzin.me/
module "r730" {
source = "./factory"
name = "r730"
external_name = "r730.viktorbarzin.lan"
port = 443
tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS"
}
# https://esxi.viktorbarzin.me/
module "esxi" {
source = "./factory"
name = "esxi"
external_name = "esxi.viktorbarzin.lan"
port = 443
tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS"
}
# https://valchedrym.viktorbarzin.me/
module "valchedrym" {
source = "./factory"
name = "valchedrym"
external_name = "valchedrym.viktorbarzin.lan"
port = 20123
tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS"
}
# https://ip150.viktorbarzin.me/
# Does not seem to load? - works when auth is down
module "valchedrym-ip150" {
source = "./factory"
name = "ip150"
external_name = "valchedrym.ddns.net"
port = 8080
tls_secret_name = var.tls_secret_name
}
# https://mladost3.viktorbarzin.me/
module "mladost3" {
source = "./factory"
name = "mladost3"
external_name = "mladost3.ddns.net"
port = 8080
tls_secret_name = var.tls_secret_name
}
# https://server-switch.viktorbarzin.me/
module "server-switch" {
source = "./factory"
name = "server-switch"
external_name = "server-switch.viktorbarzin.lan"
port = 80
tls_secret_name = var.tls_secret_name
}