Moved 1password connect out of the cluster. A few firewall/static dns changes.

This commit is contained in:
Joseph Hanson 2023-05-02 15:39:07 -05:00
parent d0e61a8c90
commit 59cdb11409
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
7 changed files with 91 additions and 50 deletions

View file

@ -83,6 +83,7 @@ else
run delete container image "${image_id}"
fi
done
# Clean annoying overlay* folders
sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
fi

View file

@ -120,3 +120,29 @@ set container name unifi restart 'on-failure'
set container name unifi shared-memory '0'
set container name unifi volume data destination '/unifi'
set container name unifi volume data source '/config/containers/unifi'
# onepassword-connect
set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
set container name onepassword-connect environment TZ value 'America/Chicago'
set container name onepassword-connect memory '0'
set container name onepassword-connect network services address '10.5.0.5'
set container name onepassword-connect shared-memory '0'
set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
set container name onepassword-connect volume credentials mode 'ro'
set container name onepassword-connect volume data source '/tmp/onepassword/data'
set container name onepassword-connect volume data destination '/home/opuser/.op/data'
set container name onepassword-connect volume data mode 'rw'
# onepassword-sync
set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.0'
set container name onepassword-sync environment TZ value 'America/Chicago'
set container name onepassword-sync memory '0'
set container name onepassword-sync shared-memory '0'
set container name onepassword-sync network services address '10.5.0.6'
set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
set container name onepassword-sync volume credentials mode 'ro'
set container name onepassword-connect volume data source '/tmp/onepassword/data'
set container name onepassword-sync volume data destination '/home/opuser/.op/data'
set container name onepassword-sync volume data mode 'rw'

View file

@ -570,19 +570,23 @@ set firewall name trusted-local rule 6 destination port 'mdns'
set firewall name trusted-local rule 6 protocol 'udp'
set firewall name trusted-local rule 6 source port 'mdns'
set firewall name trusted-local rule 7 action 'accept'
set firewall name trusted-local rule 7 description 'Rule: accept_vyos_api'
set firewall name trusted-local rule 7 destination port '8443'
set firewall name trusted-local rule 7 protocol 'tcp'
set firewall name trusted-local rule 7 description 'Rule: accept_wireguard'
set firewall name trusted-local rule 7 destination port '51820'
set firewall name trusted-local rule 7 protocol 'udp'
set firewall name trusted-local rule 8 action 'accept'
set firewall name trusted-local rule 8 description 'Rule: accept_discovery_from_sonos_players'
set firewall name trusted-local rule 8 destination port '1900,1901,1902'
set firewall name trusted-local rule 8 protocol 'udp'
set firewall name trusted-local rule 8 source group address-group 'sonos_players'
set firewall name trusted-local rule 8 description 'Rule: accept_vyos_api'
set firewall name trusted-local rule 8 destination port '8443'
set firewall name trusted-local rule 8 protocol 'tcp'
set firewall name trusted-local rule 9 action 'accept'
set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name trusted-local rule 9 destination port '1900,1901,1902,57621'
set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_players'
set firewall name trusted-local rule 9 destination port '1900,1901,1902'
set firewall name trusted-local rule 9 protocol 'udp'
set firewall name trusted-local rule 9 source group address-group 'sonos_controllers'
set firewall name trusted-local rule 9 source group address-group 'sonos_players'
set firewall name trusted-local rule 10 action 'accept'
set firewall name trusted-local rule 10 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall name trusted-local rule 10 destination port '1900,1901,1902,57621'
set firewall name trusted-local rule 10 protocol 'udp'
set firewall name trusted-local rule 10 source group address-group 'sonos_controllers'
# From TRUSTED to SERVERS
set firewall name trusted-servers default-action 'accept'

View file

@ -112,8 +112,6 @@ set firewall group address-group unifi_devices address '10.1.0.24'
set firewall group address-group vector_journald_allowed address '10.1.3.56'
set firewall group address-group vector_journald_allowed address '10.1.3.60'
set firewall group address-group vyos_chronyd address '10.5.0.5'
set firewall group address-group vyos_coredns address '10.5.0.3'
set firewall group address-group vyos_dnsdist address '10.5.0.4'

View file

@ -6,6 +6,9 @@ set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.de
# Unifi controller
set system static-host-mapping host-name unifi inet 10.5.0.10
# 1Password Connect
set system static-host-mapping host-name onepassword-connect.hsn.dev inet 10.5.0.5
# NAS
set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech

View file

@ -15,52 +15,54 @@ defaults
log global
option httplog
option dontlognull
option http-server-close
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 1
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 5s
timeout client 20s
timeout server 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
#---------------------------------------------------------------------
# apiserver frontend which proxys to the control plane nodes
# apiserver frontend which proxys to the control plane nodes
#---------------------------------------------------------------------
frontend k8s_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_controlplane
frontend talos_apiserver
bind *:50000
mode tcp
option tcplog
default_backend talos_controlplane
frontend k8s_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_controlplane
frontend talos_apiserver
bind *:50000
mode tcp
option tcplog
default_backend talos_controlplane
#---------------------------------------------------------------------
# round robin balancing for apiserver
# round robin balancing for apiserver
#---------------------------------------------------------------------
backend k8s_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server worker1 gandalf.jahanson.tech:6443 check
server worker2 glamdring.jahanson.tech:6443 check
server worker3 lembas.jahanson.tech:6443 check
backend talos_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server worker1 gandalf.jahanson.tech:50000 check
server worker2 glamdring.jahanson.tech:50000 check
server worker3 lembas.jahanson.tech:50000 check
backend k8s_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server worker1 10.1.1.31:6443 check
server worker2 10.1.1.32:6443 check
server worker3 10.1.1.33:6443 check
server worker4 10.1.1.34:6443 check
backend talos_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server worker1 10.1.1.31:50000 check
server worker2 10.1.1.32:50000 check
server worker3 10.1.1.33:50000 check
server worker4 10.1.1.34:50000 check

View file

@ -7,6 +7,13 @@
# Clean dangling container network files
# rm /var/lib/cni/networks/services/10.5.*
# Fix for containers requiring a custom user/group id
# and Vyos not preserving file perms on upgrade
mkdir -p /tmp/onepassword/data
chown -R 999 /tmp/onepassword/data
mkdir -p /tmp/bind/cache
chown -R 104 /tmp/bind/cache
# Mount USB Backup Drive
# backupdest=/media/usb-backup
# mkdir -p "$backupdest"