1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
node 'h1.pdp7.net' {
class {'proxmox::freeipa':}
class {'dns_dhcp':}
class {'backups':
sanoid_config => @("EOT")
# pg data
[rpool/data/subvol-204-disk-1]
use_template = backup
[template_backup]
frequently=0
hourly=0
daily=100000
monthly=0
yearly=0
autosnap=yes
| EOT
,
}
# TODO: ugly; tinc scripts require this :(
package {'net-tools':}
# https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/EZSM6LQPSNRY4WA52IYVR46RSXIDU3U7/
# SSH hack
file {'/etc/ssh/sshd_config.d/weak-gss.conf':
content => "GSSAPIStrictAcceptorCheck no\n",
}
~>
service {'sshd':}
class {'proxmox::proxy':
mail => lookup('mail.root_mail'),
base_hostname => lookup('network.public_hostname'),
}
proxmox::proxy_host {'idp.pdp7.net':
target => 'https://ipsilon.h1.int.pdp7.net/',
overwrite_rh_certs => 'ipsilon.h1.int.pdp7.net',
}
proxmox::proxy_host {'weight.pdp7.net':
target => 'https://k8s-prod.h1.int.pdp7.net/',
}
proxmox::proxy_host {'blog.pdp7.net':
target => 'https://k8s-test.h1.int.pdp7.net/',
}
proxmox::proxy_host {'miniflux.pdp7.net':
target => 'http://miniflux.h1.int.pdp7.net:8080/',
}
package {'haproxy':}
->
file {'/etc/haproxy/haproxy.cfg':
content => @("EOT")
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend gemini
bind :1965
mode tcp
option tcplog
default_backend blog
# TODO: sni
# tcp-request inspect-delay 5s
# acl blog req_ssl_sni blog.pdp7.net
# use_backend blog if blog
backend blog
mode tcp
server blog k8s-test.h1.int.pdp7.net:31965
| EOT
,
}
~>
service {'haproxy':
enable => true,
ensure => running,
}
}
|
