From 59cdb11409cccbca73f66436771fe370ecd8613d Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Tue, 2 May 2023 15:39:07 -0500
Subject: [PATCH] Moved 1password connect out of the cluster. A few firewall/static dns changes.
---
 apply-config.sh | 1 +
 config-parts/container.sh | 26 ++++++++
 config-parts/firewall-name.sh | 24 ++++---
 config-parts/firewall.sh | 2 -
 config-parts/system-static_host_mapping.sh | 3 +
 containers/haproxy/config/haproxy.cfg | 78 +++++++++++-----------
 scripts/vyos-preconfig-bootup.script | 7 ++
 7 files changed, 91 insertions(+), 50 deletions(-)
diff --git a/apply-config.sh b/apply-config.sh
index 2811dc0..5463ba6 100644
--- a/apply-config.sh
+++ b/apply-config.sh
@@ -83,6 +83,7 @@ else
 run delete container image "${image_id}"
 fi
 done
+ # Clean annoying overlay* folders
 sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
 fi
diff --git a/config-parts/container.sh b/config-parts/container.sh
index ffb7983..b163cd1 100644
--- a/config-parts/container.sh
+++ b/config-parts/container.sh
@@ -120,3 +120,29 @@ set container name unifi restart 'on-failure'
 set container name unifi shared-memory '0'
 set container name unifi volume data destination '/unifi'
 set container name unifi volume data source '/config/containers/unifi'
+
+# onepassword-connect
+set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
+set container name onepassword-connect environment TZ value 'America/Chicago'
+set container name onepassword-connect memory '0'
+set container name onepassword-connect network services address '10.5.0.5'
+set container name onepassword-connect shared-memory '0'
+set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
+set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
+set container name onepassword-connect volume credentials mode 'ro'
+set container name onepassword-connect volume data source '/tmp/onepassword/data'
+set container name onepassword-connect volume data destination '/home/opuser/.op/data'
+set container name onepassword-connect volume data mode 'rw'
+
+# onepassword-sync
+set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.0'
+set container name onepassword-sync environment TZ value 'America/Chicago'
+set container name onepassword-sync memory '0'
+set container name onepassword-sync shared-memory '0'
+set container name onepassword-sync network services address '10.5.0.6'
+set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
+set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
+set container name onepassword-sync volume credentials mode 'ro'
+set container name onepassword-connect volume data source '/tmp/onepassword/data'
+set container name onepassword-sync volume data destination '/home/opuser/.op/data'
+set container name onepassword-sync volume data mode 'rw'
\ No newline at end of file
diff --git a/config-parts/firewall-name.sh b/config-parts/firewall-name.sh
index 73844d1..e7897b8 100644
--- a/config-parts/firewall-name.sh
+++ b/config-parts/firewall-name.sh
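Review bot: The second `volume data source` line in the onepassword-sync block targets the wrong container: `+set container name onepassword-connect volume data source '/tmp/onepassword/data'` should read `set container name onepassword-sync volume data source '/tmp/onepassword/data'`. As committed, onepassword-sync declares a `data` volume with a destination and mode but no source, while onepassword-connect receives a duplicate of a line it already has; whether VyOS rejects the incomplete volume at commit time or starts the container without it, the sync side will not share the directory it is meant to populate for the API container. The file also now ends without a trailing newline (`\ No newline at end of file`), so the next append to this block will show up as a spurious change to the last line. Separately, 10.5.0.5 is removed from the `vyos_chronyd` address group in this same commit; any firewall rule that still references that group is outside this diff and worth checking so it does not now match the Connect API container.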
@@ -570,19 +570,23 @@ set firewall name trusted-local rule 6 destination port 'mdns'
 set firewall name trusted-local rule 6 protocol 'udp'
 set firewall name trusted-local rule 6 source port 'mdns'
 set firewall name trusted-local rule 7 action 'accept'
-set firewall name trusted-local rule 7 description 'Rule: accept_vyos_api'
-set firewall name trusted-local rule 7 destination port '8443'
-set firewall name trusted-local rule 7 protocol 'tcp'
+set firewall name trusted-local rule 7 description 'Rule: accept_wireguard'
+set firewall name trusted-local rule 7 destination port '51820'
+set firewall name trusted-local rule 7 protocol 'udp'
 set firewall name trusted-local rule 8 action 'accept'
-set firewall name trusted-local rule 8 description 'Rule: accept_discovery_from_sonos_players'
-set firewall name trusted-local rule 8 destination port '1900,1901,1902'
-set firewall name trusted-local rule 8 protocol 'udp'
-set firewall name trusted-local rule 8 source group address-group 'sonos_players'
+set firewall name trusted-local rule 8 description 'Rule: accept_vyos_api'
+set firewall name trusted-local rule 8 destination port '8443'
+set firewall name trusted-local rule 8 protocol 'tcp'
 set firewall name trusted-local rule 9 action 'accept'
-set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_controllers'
-set firewall name trusted-local rule 9 destination port '1900,1901,1902,57621'
+set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_players'
+set firewall name trusted-local rule 9 destination port '1900,1901,1902'
 set firewall name trusted-local rule 9 protocol 'udp'
-set firewall name trusted-local rule 9 source group address-group 'sonos_controllers'
+set firewall name trusted-local rule 9 source group address-group 'sonos_players'
+set firewall name trusted-local rule 10 action 'accept'
+set firewall name trusted-local rule 10 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall name trusted-local rule 10 destination port '1900,1901,1902,57621'
+set firewall name trusted-local rule 10 protocol 'udp'
+set firewall name trusted-local rule 10 source group address-group 'sonos_controllers'
 # From TRUSTED to SERVERS
 set firewall name trusted-servers default-action 'accept'
diff --git a/config-parts/firewall.sh b/config-parts/firewall.sh
index e0c0538..3627672 100644
--- a/config-parts/firewall.sh
+++ b/config-parts/firewall.sh
@@ -112,8 +112,6 @@ set firewall group address-group unifi_devices address '10.1.0.24'
 set firewall group address-group vector_journald_allowed address '10.1.3.56'
 set firewall group address-group vector_journald_allowed address '10.1.3.60'
-set firewall group address-group vyos_chronyd address '10.5.0.5'
-
 set firewall group address-group vyos_coredns address '10.5.0.3'
 set firewall group address-group vyos_dnsdist address '10.5.0.4'
diff --git a/config-parts/system-static_host_mapping.sh b/config-parts/system-static_host_mapping.sh
index 633f879..e04b016 100644
--- a/config-parts/system-static_host_mapping.sh
+++ b/config-parts/system-static_host_mapping.sh
@@ -6,6 +6,9 @@ set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.de
 # Unifi controller
 set system static-host-mapping host-name unifi inet 10.5.0.10
+# 1Password Connect
+set system static-host-mapping host-name onepassword-connect.hsn.dev inet 10.5.0.5
+
 # NAS
 set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
 set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech
diff --git a/containers/haproxy/config/haproxy.cfg b/containers/haproxy/config/haproxy.cfg
index 2c65e40..b6d8230 100644
--- a/containers/haproxy/config/haproxy.cfg
+++ b/containers/haproxy/config/haproxy.cfg
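Review bot: Inserting WireGuard as rule 7 forces three unchanged rules (vyos_api, sonos players, sonos controllers) to be rewritten as rules 8–10, so a reviewer has to re-verify every moved rule instead of one new one, and the diff no longer shows what actually changed. VyOS rule numbers are only an ordering key, and all four are accept rules on disjoint ports, so appending the new rule after the existing ones, or renumbering this block once with gaps (e.g. rule 70, 80, 90, 100), would let future rules be added without touching their neighbours. If the contiguous renumbering is kept, the `description 'Rule: …'` strings are the only stable identifiers left; please confirm nothing outside this diff (log parsing, monitoring) keys on the old rule numbers.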
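Review bot: The new mapping hard-codes 10.5.0.5 a second time, with nothing tying it to the `network services address` the container.sh hunk assigns to onepassword-connect; a comment here would save the next person who moves the container, e.g. `# 1Password Connect — must match 'network services address' of container onepassword-connect in config-parts/container.sh`. Since the Connect API serves plain HTTP by default unless TLS is configured on the container, the `onepassword-connect.hsn.dev` name should resolve only for clients that are meant to present Connect tokens, or sit behind a TLS-terminating proxy; the comment could record which of the two applies here.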
@@ -15,52 +15,54 @@ defaults
 log global
 option httplog
 option dontlognull
- option http-server-close
+ option http-server-close
 option forwardfor except 127.0.0.0/8
 option redispatch
- retries 1
+ retries 3
 timeout http-request 10s
 timeout queue 20s
- timeout connect 5s
- timeout client 20s
- timeout server 20s
+ timeout connect 10s
+ timeout client 1h
+ timeout server 1h
 timeout http-keep-alive 10s
 timeout check 10s
 #---------------------------------------------------------------------
-# apiserver frontend which proxys to the control plane nodes
+# apiserver frontend which proxys to the control plane nodes
 #---------------------------------------------------------------------
-frontend k8s_apiserver
- bind *:6443
- mode tcp
- option tcplog
- default_backend k8s_controlplane
-
-frontend talos_apiserver
- bind *:50000
- mode tcp
- option tcplog
- default_backend talos_controlplane
-
+frontend k8s_apiserver
+ bind *:6443
+ mode tcp
+ option tcplog
+ default_backend k8s_controlplane
+
+frontend talos_apiserver
+ bind *:50000
+ mode tcp
+ option tcplog
+ default_backend talos_controlplane
+
 #---------------------------------------------------------------------
-# round robin balancing for apiserver
+# round robin balancing for apiserver
 #---------------------------------------------------------------------
-backend k8s_controlplane
- option httpchk GET /healthz
- http-check expect status 200
- mode tcp
- option ssl-hello-chk
- balance roundrobin
- server worker1 gandalf.jahanson.tech:6443 check
- server worker2 glamdring.jahanson.tech:6443 check
- server worker3 lembas.jahanson.tech:6443 check
-
-backend talos_controlplane
- option httpchk GET /healthz
- http-check expect status 200
- mode tcp
- option ssl-hello-chk
- balance roundrobin
- server worker1 gandalf.jahanson.tech:50000 check
- server worker2 glamdring.jahanson.tech:50000 check
- server worker3 lembas.jahanson.tech:50000 check
+backend k8s_controlplane
+ option httpchk GET /healthz
+ http-check expect status 200
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server worker1 10.1.1.31:6443 check
+ server worker2 10.1.1.32:6443 check
+ server worker3 10.1.1.33:6443 check
+ server worker4 10.1.1.34:6443 check
+
+backend talos_controlplane
+ option httpchk GET /healthz
+ http-check expect status 200
+ mode tcp
+ option ssl-hello-chk
+ balance roundrobin
+ server worker1 10.1.1.31:50000 check
+ server worker2 10.1.1.32:50000 check
+ server worker3 10.1.1.33:50000 check
+ server worker4 10.1.1.34:50000 check
diff --git a/scripts/vyos-preconfig-bootup.script b/scripts/vyos-preconfig-bootup.script
index 66c26bc..f0f8fae 100644
--- a/scripts/vyos-preconfig-bootup.script
+++ b/scripts/vyos-preconfig-bootup.script
@@ -7,6 +7,13 @@
 # Clean dangling container network files
 # rm /var/lib/cni/networks/services/10.5.*
+# Fix for containers requiring a custom user/group id
+# and Vyos not preserving file perms on upgrade
+mkdir -p /tmp/onepassword/data
+chown -R 999 /tmp/onepassword/data
+mkdir -p /tmp/bind/cache
+chown -R 104 /tmp/bind/cache
+
 # Mount USB Backup Drive
 # backupdest=/media/usb-backup
 # mkdir -p "$backupdest"
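Review bot: `timeout client 1h` and `timeout server 1h` are raised in the `defaults` section, so they apply to every frontend and backend that inherits these defaults, not only the two TCP API-server proxies that need long-lived watch connections; any other listener will now hold idle connections for an hour, which makes connection-slot exhaustion by idle clients far cheaper than it was at 20s. Keep the short values in `defaults` and put `timeout client 1h` in `frontend k8s_apiserver` and `frontend talos_apiserver` and `timeout server 1h` in `backend k8s_controlplane` and `backend talos_controlplane`. The re-added backends also declare both `option httpchk GET /healthz` and `option ssl-hello-chk`; only one health-check method can be active per backend and which one wins depends on declaration order, so please delete the one that is not intended so the real check is explicit. While these comment lines are rewritten anyway, `proxys` could become `proxies`.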
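Review bot: Both data directories are created under `/tmp`, a shared, world-writable location, with `mkdir -p` followed by a recursive `chown`: if `/tmp/onepassword` or `/tmp/bind` already exists (left over from an earlier boot on a non-tmpfs `/tmp`, or created by another local account), `mkdir -p` succeeds silently and `chown -R` hands ownership of whatever tree is there to the container user, and `/tmp/onepassword/data` is then bind-mounted read-write into two containers. A dedicated parent outside `/tmp` would be the cleaner fix, since the commit's own comment says the problem is unpreserved permissions rather than persistence; failing that, `install -d -m 0700 -o 999 /tmp/onepassword/data` in place of the mkdir/chown pair (and likewise `-o 104` for the bind cache) at least makes the intended owner and mode explicit instead of applying to an unknown existing tree. If `/tmp` is a tmpfs on this platform the Connect cache is also discarded on every reboot and re-synced from scratch, which the comment should state. The bare `999` and `104` deserve a comment naming which image user each corresponds to, since nothing else in this hunk explains them.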