auto02 and haproxy

2021-01-31 16:54:54 +01:00
parent 50ce8787a2
commit fa6c62c1f6
2 changed files with 141 additions and 99 deletions
--- a/base/hostconfig/auto02.sls
+++ b/base/hostconfig/auto02.sls
@@ -4,6 +4,7 @@ systemd:
      Unit:
        Description: Homeassistant
        After: network-online.target local-fs.target
+        Before: haproxy.service
        Requires: io.podman.service
      Service:
        ExecStart: /usr/bin/podman start -a homeassistant
@@ -14,6 +15,7 @@ systemd:
      Unit:
        Description: Homeassistant Configurator
        After: network-online.target local-fs.target
+        Before: haproxy.service
        Requires: io.podman.service
      Service:
        ExecStart: /usr/bin/podman start -a homeassistant-configurator
@@ -24,6 +26,7 @@ systemd:
      Unit:
        Description: pihole
        After: network-online.target local-fs.target
+        Before: haproxy.service
        Requires: io.podman.service
      Service:
        ExecStart: /usr/bin/podman start -a pihole
@@ -34,6 +37,7 @@ systemd:
      Unit:
        Description: Docker Registry
        After: network-online.target local-fs.target
+        Before: haproxy.service
        Requires: io.podman.service
      Service:
        ExecStart: /usr/bin/podman start -a docker-registry
@@ -44,107 +48,145 @@ systemd:
      Unit:
        Description: zwave2mqtt - yes
        After: network-online.target local-fs.target
+        Before: haproxy.service
        Requires: io.podman.service
      Service:
        ExecStart: /usr/bin/podman start -a zwave2mqtt
        ExecStop: /usr/bin/podman stop zwave2mqtt
      Install:
        WantedBy: multi-user.target
-nginx:
-  install_from_repo: False
-  server:
-    config:
-      events:
-        worker_connections: 100
+haproxy:
+  enabled: True
+  overwrite: True
+  global:
+    stats:
+      enable: True
+      socketpath: /var/lib/haproxy/stats
+      mode: 660
+      level: admin
+      # Optional extra bind parameter, for example to set the owner/group on the socket file
+      extra: user haproxy group haproxy
+    ssl-default-bind-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
+    ssl-default-bind-options: "no-sslv3 no-tlsv10 no-tlsv11"
+
+    user: haproxy
+    group: haproxy
+    chroot:
+      enable: True
+      path: /var/lib/haproxy
+    daemon: True
+  defaults:
+    mode: http
+    stats:
+      - enable
+      - uri: '/admin?stats'
+      - realm: 'Haproxy\ Statistics'
+      - auth: 'admin1:AdMiN123'
+    options:
+      - httplog
+      - dontlognull
+      - forwardfor
+    timeouts:
+      - connect 5000
+      - client 50000
+      - server 50000
+      - tunnel 60000 #longer timeouts for websockets
+      - http-request 5s
+    errorfiles:
+      400: /etc/haproxy/errors/400.http
+      403: /etc/haproxy/errors/403.http
+      408: /etc/haproxy/errors/408.http
+      500: /etc/haproxy/errors/500.http
+      502: /etc/haproxy/errors/502.http
+      503: /etc/haproxy/errors/503.http
+      504: /etc/haproxy/errors/504.http
+  #resolvers:
+  #  local_dns:
+  #    options:
+  #      - nameserver resolvconf 192.168.10.1:53
+  #      - resolve_retries 3
+  #      - timeout retry 1s
+  #      - hold valid 10s
+  listens:
+    stats:
+      bind:
+        - "127.0.0.1:8998"
+      mode: http
+      stats:
+        enable: True
+        uri: "/admin?stats"
+        refresh: "20s"
+  frontends:
+    frontend1:
+      name: www-http 
+      bind: "*:80"
+      default_backend: auto
+      acls: 
+        - host_auto hdr_beg(host) -i auto.
+        - host_auto-conf hdr_beg(host) -i auto-conf.
+        - host_z2m hdr_beg(host) -i zwave2mqtt.
+        - host_pihole hdr_beg(host) -i pihole.
+        - host_docker-registry hdr_beg(host) -i docker-registry.
+      use_backends: 
+        - auto if host_auto
+        - auto-conf if host_auto-conf
+        - z2m if host_z2m
+        - pihole if host_pihole
+        - docker-registry if host_docker-registry 
+  backends:
+    backend1:
+      name: auto
+      balance: roundrobin
      servers:
-    managed:
-      default:
-        enabled: false
-      status:
-        enabled: true
-        config:
-        - server:
-          - server_name: _
-          - listen:
-            - 127.0.0.1:80
-          - location /stub_status:
-            - stub_status: ''
-      proxy_auto:
-        enabled: true
-        config:
-        - server:
-          - server_name: auto2 auto2.chaos
-          - listen:
-            - 80 default_server
-          - location /:
-            - proxy_pass: http://127.0.0.1:8123
-            - proxy_set_header: "Host $host"
-            - proxy_http_version: "1.1"
-            - proxy_set_header: "X-Real-IP $remote_addr"
-            - proxy_set_header: "X-Forwarded-For $proxy_add_x_forwarded_for"
-            - proxy_set_header: "Ugrade $http_upgrade"
-            - proxy_set_header: "Connection \"Upgrade\""
-          - location /api/websocket:
-            - proxy_pass: http://127.0.0.1:8123/api/websocket
-            - proxy_set_header: "Host $host"
-            - proxy_http_version: "1.1"
-            - proxy_set_header: "X-Real-IP $remote_addr"
-            - proxy_set_header: "X-Forwarded-For $proxy_add_x_forwarded_for"
-            - proxy_set_header: "Ugrade $http_upgrade"
-            - proxy_set_header: "Connection \"Upgrade\""
-      proxy_auto-conf:
-        enabled: true
-        config:
-        - server:
-          - server_name: auto-conf auto-conf.chaos
-          - listen:
-            - '80'
-          - location /:
-            - proxy_redirect: "off"
-            - proxy_pass: http://127.0.0.1:3218
-      proxy_pihole:
-        enabled: true
-        config:
-        - server:
-          - server_name: pihole pihole.chaos
-          - listen:
-            - '80'
-          - location /admin:
-            - proxy_redirect: "off"
-            - proxy_pass: http://127.0.0.1:8080/admin
-            - add_header: 'Access-Control-Allow-Origin: "*"'
-            - proxy_set_header: 'Access-Control-Allow-Origin: "*"'
-      proxy_docker-reg:
-        enabled: true
-        config:
-        - server:
-          - server_name: docker-registry docker-registry.chaos docker-registry.lan
-          - listen:
-            - '80'
-          - location /:
-            - proxy_redirect: "off"
-            - proxy_pass: http://127.0.0.1:5000
-            - client_max_body_size: '10G'
-            - proxy_set_header: 'Host $host'
-            - proxy_set_header: 'X-Forwarded-For  $remote_addr'  
-            - proxy_set_header: 'Proxy-Connection ""'
-            - proxy_set_header: 'Access-Control-Allow-Origin "*"'
-            - proxy_set_header: 'Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE"'
-            - proxy_set_header: 'Access-Control-Allow-Headers "Authorization, Accept"'
-            - proxy_set_header: 'Access-Control-Allow-Credentials true'
-            - proxy_set_header: 'Access-Control-Expose-Headers "Docker-Content-Digest"'
-            - add_header: 'Access-Control-Allow-Origin "*"'
-            - add_header: 'Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE"'
-            - add_header: 'Access-Control-Allow-Headers "Authorization, Accept"'
-            - add_header: 'Access-Control-Allow-Credentials true'
-            - add_header: 'Access-Control-Expose-Headers "Docker-Content-Digest"'
-      proxy_zwave2mqtt:
-        enabled: true
-        config:
-        - server:
-          - server_name: zwave2mqtt zwave2mqtt.chaos
-          - listen:
-            - '80'
-          - location /:
-            - proxy_redirect: "off"
-            - proxy_pass: http://127.0.0.1:8091
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 8123
+          check: check
+    backend2:
+      name: auto-conf
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 3218
+          check: check
+    backend3:
+      name: z2m
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 8091
+          check: check
+    backend4:
+      name: pihole
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 8080
+          check: check
+    backend5:
+      name: docker-registry
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 5000
+          check: check
+      options:
+        - http-server-close
+      extra:
+        #- http-request add-header Access-Control-Allow-Origin "http://docker-registry.lan"
+        - http-response add-header Access-Control-Allow-Origin "*"
+        - http-response add-header Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE"
+        - http-response add-header Access-Control-Allow-Headers "Authorization, Accept"
+        - http-response add-header Access-Control-Allow-Credentials true
+        - http-response add-header Access-Control-Expose-Headers "Docker-Content-Digest"
+        
+        
--- a/base/init.sls
+++ b/base/init.sls
@@ -5,7 +5,7 @@
 include:
  - base.services
  - base.hardware
-  - base.sys.sysctl
+  - base.sys
  - base.hostconfig
  - saltmine
  - prometheus.node_exporter