haproxy with chain.pem ssl

base/hostconfig/auto02.sls

@@ -1,45 +1,60 @@
 systemd:
   service:
-   homeassistant:
+    container-homeassistant:
       Unit:
         Description: Homeassistant
         After: network-online.target local-fs.target
+        Before: haproxy.service
         Requires: io.podman.service
       Service:
         ExecStart: /usr/bin/podman start -a homeassistant
-        ExecStop: /usr/bin/podman stop homeassistant 
+        ExecStop: /usr/bin/podman stop homeassistant
       Install:
         WantedBy: multi-user.target
-   homeassistant-configurator:
+    container-homeassistant-configurator:
       Unit:
         Description: Homeassistant Configurator
         After: network-online.target local-fs.target
+        Before: haproxy.service
         Requires: io.podman.service
       Service:
         ExecStart: /usr/bin/podman start -a homeassistant-configurator
         ExecStop: /usr/bin/podman stop homeassistant-configurator
       Install:
         WantedBy: multi-user.target
-   pihole:
+    container-pihole:
       Unit:
         Description: pihole
         After: network-online.target local-fs.target
+        Before: haproxy.service
         Requires: io.podman.service
       Service:
         ExecStart: /usr/bin/podman start -a pihole
-        ExecStop: /usr/bin/podman stop pihole 
+        ExecStop: /usr/bin/podman stop pihole
       Install:
         WantedBy: multi-user.target
-   docker-registry:
+    container-docker-registry:
       Unit:
         Description: Docker Registry
         After: network-online.target local-fs.target
+        Before: haproxy.service
         Requires: io.podman.service
       Service:
         ExecStart: /usr/bin/podman start -a docker-registry
         ExecStop: /usr/bin/podman stop docker-registry
       Install:
-        WantedBy: multi-user.target        
+        WantedBy: multi-user.target
+    container-zwave2mqtt:
+      Unit:
+        Description: zwave2mqtt - yes
+        After: network-online.target local-fs.target
+        Before: haproxy.service
+        Requires: io.podman.service
+      Service:
+        ExecStart: /usr/bin/podman start -a zwave2mqtt
+        ExecStop: /usr/bin/podman stop zwave2mqtt
+      Install:
+        WantedBy: multi-user.target
 haproxy:
   enabled: True
   overwrite: True
@@ -61,11 +76,22 @@ haproxy:
       path: /var/lib/haproxy
     daemon: True
   defaults:
+    mode: http
     stats:
       - enable
       - uri: '/admin?stats'
       - realm: 'Haproxy\ Statistics'
       - auth: 'admin1:AdMiN123'
+    options:
+      - httplog
+      - dontlognull
+      - forwardfor
+    timeouts:
+      - connect 5000
+      - client 50000
+      - server 50000
+      - tunnel 80000 #longer timeouts for websockets
+      - http-request 5s
     errorfiles:
       400: /etc/haproxy/errors/400.http
       403: /etc/haproxy/errors/403.http
@@ -74,17 +100,17 @@ haproxy:
       502: /etc/haproxy/errors/502.http
       503: /etc/haproxy/errors/503.http
       504: /etc/haproxy/errors/504.http
-  resolvers:
+  #resolvers:
-    local_dns:
+  #  local_dns:
-      options:
+  #    options:
-        - nameserver resolvconf 192.168.10.1:53
+  #      - nameserver resolvconf 192.168.10.1:53
-        - resolve_retries 3
+  #      - resolve_retries 3
-        - timeout retry 1s
+  #      - timeout retry 1s
-        - hold valid 10s
+  #      - hold valid 10s
   listens:
     stats:
       bind:
-        - "0.0.0.0:8998"
+        - "127.0.0.1:8998"
       mode: http
       stats:
         enable: True
@@ -92,13 +118,23 @@ haproxy:
         refresh: "20s"
   frontends:
     frontend1:
-      name: auto 
+      name: www-http 
-      bind: "*:80"
+      bind: 
+       - "*:80"
+       - "*:443 ssl crt /etc/pki/chain.pem"
       default_backend: auto
       acls: 
         - host_auto hdr_beg(host) -i auto.
+        - host_auto-conf hdr_beg(host) -i auto-conf.
+        - host_z2m hdr_beg(host) -i zwave2mqtt.
+        - host_pihole hdr_beg(host) -i pihole.
+        - host_docker-registry hdr_beg(host) -i docker-registry.
       use_backends: 
         - auto if host_auto
+        - auto-conf if host_auto-conf
+        - z2m if host_z2m
+        - pihole if host_pihole
+        - docker-registry if host_docker-registry 
   backends:
     backend1:
       name: auto
@@ -109,4 +145,50 @@ haproxy:
           host: 127.0.0.1
           port: 8123
           check: check
+    backend2:
+      name: auto-conf
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 3218
+          check: check
+    backend3:
+      name: z2m
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 8091
+          check: check
+    backend4:
+      name: pihole
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 8080
+          check: check
+    backend5:
+      name: docker-registry
+      balance: roundrobin
+      servers:
+        server1:
+          name: auto02
+          host: 127.0.0.1
+          port: 5000
+          check: check
+      options:
+        - http-server-close
+      extra:
+        #- http-request add-header Access-Control-Allow-Origin "http://docker-registry.lan"
+        - http-response add-header Access-Control-Allow-Origin "*"
+        - http-response add-header Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE"
+        - http-response add-header Access-Control-Allow-Headers "Authorization, Accept"
+        - http-response add-header Access-Control-Allow-Credentials true
+        - http-response add-header Access-Control-Expose-Headers "Docker-Content-Digest"
+        
         

base/init.sls

@@ -5,7 +5,7 @@
 include:
   - base.services
   - base.hardware
-  - base.sys.sysctl
+  - base.sys
   - base.hostconfig
   - saltmine
   - prometheus.node_exporter

base/sys/cp15_barrier.sls

@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+{%- if grains.get('cpuarch') in ['aarch64'] %}
+sysctl:
+  lookup:
+    config:
+      location: '/etc/sysctl.d'
+  params:
+    abi.cp15_barrier:
+      value: 2
+{%- endif %}
+

base/sys/init.sls

@@ -0,0 +1,3 @@
+include:
+  - .sysctl
+  - .cp15_barrier

grafana.sls

@@ -1,40 +0,0 @@
-# -*- coding: utf-8 -*-
-# vim: ft=yaml
----
-
-grafana:
-  pkg:
-    name: grafana
-    use_upstream_archive: false
-    repo:
-      humanname: grafana_official
-      name: deb https://packages.grafana.com/oss/deb stable main
-      file: /etc/apt/sources.list.d/grafana.list
-      key_url: https://packages.grafana.com/gpg.key
-
-  config_file: /etc/grafana/grafana.ini
-  service:
-    name: grafana-server
-  config:
-    default:
-      app_mode: production
-      instance_name: stats
-    server:
-      domain: chaos
-    security:
-      admin_user: admin
-      allow_embedding: true
-    users:
-      allow_signup: false
-    auth:
-      login_maximum_inactive_lifetime_days: 21
-      login_maximumx_lifetime_days: 60
-      token_rotation_interval: 240
-    auth.anonymous:
-      enabled: true
-      org_name: Dahoam
-      org_role: Viewer
-    log:
-      level: error
-      mode: syslog
-