Moved 1password connect out of the cluster. A few firewall/static dns changes.
parent
d0e61a8c90
commit
59cdb11409
7 changed files with 91 additions and 50 deletions
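--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -83,6 +83,7 @@ else
 run delete container image "${image_id}"
 fi
 done
+# Clean annoying overlay* folders
 sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
 fi
 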
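--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -120,3 +120,29 @@ set container name unifi restart 'on-failure'
 set container name unifi shared-memory '0'
 set container name unifi volume data destination '/unifi'
 set container name unifi volume data source '/config/containers/unifi'
+
+# onepassword-connect
+set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
+set container name onepassword-connect environment TZ value 'America/Chicago'
+set container name onepassword-connect memory '0'
+set container name onepassword-connect network services address '10.5.0.5'
+set container name onepassword-connect shared-memory '0'
+set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
+set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
+set container name onepassword-connect volume credentials mode 'ro'
+set container name onepassword-connect volume data source '/tmp/onepassword/data'
+set container name onepassword-connect volume data destination '/home/opuser/.op/data'
+set container name onepassword-connect volume data mode 'rw'
+
+# onepassword-sync
+set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.0'
+set container name onepassword-sync environment TZ value 'America/Chicago'
+set container name onepassword-sync memory '0'
+set container name onepassword-sync shared-memory '0'
+set container name onepassword-sync network services address '10.5.0.6'
+set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
+set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
+set container name onepassword-sync volume credentials mode 'ro'
+set container name onepassword-connect volume data source '/tmp/onepassword/data'
+set container name onepassword-sync volume data destination '/home/opuser/.op/data'
+set container name onepassword-sync volume data mode 'rw'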
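Review bot: The `onepassword-sync` data volume is left without a host path: the line between `onepassword-sync volume credentials mode 'ro'` and `onepassword-sync volume data destination` sets `onepassword-connect volume data source` a second time instead of the sync container's, so sync gets a destination and mode but no source. It should read `set container name onepassword-sync volume data source '/tmp/onepassword/data'`. The address 10.5.0.5 given to onepassword-connect here is the one this same commit removes from address-group `vyos_chronyd`; if any firewall rule still references that group the commit will fail, and if a rule was meant to carry over to the new service it now needs its own entry. Both containers mount the credentials file read-only, which is the right mode for it; the shared rw data directory under /tmp is created in the boot-script hunk further down.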
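--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -570,19 +570,23 @@ set firewall name trusted-local rule 6 destination port 'mdns'
 set firewall name trusted-local rule 6 protocol 'udp'
 set firewall name trusted-local rule 6 source port 'mdns'
 set firewall name trusted-local rule 7 action 'accept'
-set firewall name trusted-local rule 7 description 'Rule: accept_vyos_api'
-set firewall name trusted-local rule 7 destination port '8443'
-set firewall name trusted-local rule 7 protocol 'tcp'
+set firewall name trusted-local rule 7 description 'Rule: accept_wireguard'
+set firewall name trusted-local rule 7 destination port '51820'
+set firewall name trusted-local rule 7 protocol 'udp'
 set firewall name trusted-local rule 8 action 'accept'
-set firewall name trusted-local rule 8 description 'Rule: accept_discovery_from_sonos_players'
-set firewall name trusted-local rule 8 destination port '1900,1901,1902'
-set firewall name trusted-local rule 8 protocol 'udp'
-set firewall name trusted-local rule 8 source group address-group 'sonos_players'
+set firewall name trusted-local rule 8 description 'Rule: accept_vyos_api'
+set firewall name trusted-local rule 8 destination port '8443'
+set firewall name trusted-local rule 8 protocol 'tcp'
 set firewall name trusted-local rule 9 action 'accept'
-set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_controllers'
-set firewall name trusted-local rule 9 destination port '1900,1901,1902,57621'
+set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_players'
+set firewall name trusted-local rule 9 destination port '1900,1901,1902'
 set firewall name trusted-local rule 9 protocol 'udp'
-set firewall name trusted-local rule 9 source group address-group 'sonos_controllers'
+set firewall name trusted-local rule 9 source group address-group 'sonos_players'
+set firewall name trusted-local rule 10 action 'accept'
+set firewall name trusted-local rule 10 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall name trusted-local rule 10 destination port '1900,1901,1902,57621'
+set firewall name trusted-local rule 10 protocol 'udp'
+set firewall name trusted-local rule 10 source group address-group 'sonos_controllers'
 
 # From TRUSTED to SERVERS
 set firewall name trusted-servers default-action 'accept'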
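Review bot: Inserting `accept_wireguard` as rule 7 is done by renumbering the existing API rule and both Sonos rules to 8–10, which turns a one-rule addition into a rewrite of four rules and shifts the numbers that firewall log lines and anything keyed on rule number refer to. Leaving gaps (numbering in tens, for example) would let future inserts land without touching their neighbours. If these statements are ever applied as a delta with `set` rather than as a full configuration load, note that `set` does not remove existing child nodes: the old `rule 8 source group address-group 'sonos_players'` would remain attached to what is now the `accept_vyos_api` rule and silently restrict API access to the Sonos players until it is explicitly deleted. The new udp/51820 accept carries no source restriction; that is consistent with the other rules on this trusted-local chain, but it is worth confirming that WireGuard handshakes from any trusted-zone host are intended.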
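--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -112,8 +112,6 @@ set firewall group address-group unifi_devices address '10.1.0.24'
 set firewall group address-group vector_journald_allowed address '10.1.3.56'
 set firewall group address-group vector_journald_allowed address '10.1.3.60'
 
-set firewall group address-group vyos_chronyd address '10.5.0.5'
-
 set firewall group address-group vyos_coredns address '10.5.0.3'
 
 set firewall group address-group vyos_dnsdist address '10.5.0.4'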
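--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -6,6 +6,9 @@ set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.de
 # Unifi controller
 set system static-host-mapping host-name unifi inet 10.5.0.10
 
+# 1Password Connect
+set system static-host-mapping host-name onepassword-connect.hsn.dev inet 10.5.0.5
+
 # NAS
 set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
 set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech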
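--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -15,52 +15,54 @@ defaults
 log global
 option httplog
 option dontlognull
 option http-server-close
 option forwardfor except 127.0.0.0/8
 option redispatch
-retries 1
+retries 3
 timeout http-request 10s
 timeout queue 20s
-timeout connect 5s
-timeout client 20s
-timeout server 20s
+timeout connect 10s
+timeout client 1h
+timeout server 1h
 timeout http-keep-alive 10s
 timeout check 10s
 
 #---------------------------------------------------------------------
 # apiserver frontend which proxys to the control plane nodes
 #---------------------------------------------------------------------
 frontend k8s_apiserver
 bind *:6443
 mode tcp
 option tcplog
 default_backend k8s_controlplane
 
 frontend talos_apiserver
 bind *:50000
 mode tcp
 option tcplog
 default_backend talos_controlplane
 
 #---------------------------------------------------------------------
 # round robin balancing for apiserver
 #---------------------------------------------------------------------
 backend k8s_controlplane
 option httpchk GET /healthz
 http-check expect status 200
 mode tcp
 option ssl-hello-chk
 balance roundrobin
-server worker1 gandalf.jahanson.tech:6443 check
-server worker2 glamdring.jahanson.tech:6443 check
-server worker3 lembas.jahanson.tech:6443 check
-
-backend talos_controlplane
-option httpchk GET /healthz
-http-check expect status 200
-mode tcp
-option ssl-hello-chk
-balance roundrobin
-server worker1 gandalf.jahanson.tech:50000 check
-server worker2 glamdring.jahanson.tech:50000 check
-server worker3 lembas.jahanson.tech:50000 check
+server worker1 10.1.1.31:6443 check
+server worker2 10.1.1.32:6443 check
+server worker3 10.1.1.33:6443 check
+server worker4 10.1.1.34:6443 check
+
+backend talos_controlplane
+option httpchk GET /healthz
+http-check expect status 200
+mode tcp
+option ssl-hello-chk
+balance roundrobin
+server worker1 10.1.1.31:50000 check
+server worker2 10.1.1.32:50000 check
+server worker3 10.1.1.33:50000 check
+server worker4 10.1.1.34:50000 check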
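Review bot: In backend `k8s_controlplane`, and again in the re-added `talos_controlplane` block, `option httpchk GET /healthz` with `http-check expect status 200` is followed by `option ssl-hello-chk`; as far as I can tell HAProxy keeps only one check method per backend and the last one declared wins, so the HTTP check and its `expect` line are dead and the four servers are only probed with a legacy SSL hello. Keep a single method per backend and delete the other, and if the HTTP check is the intended one for the API server it has to run over TLS, e.g. `server worker1 10.1.1.31:6443 check check-ssl ca-file CA_FILE_PATH_PLACEHOLDER` rather than a plaintext GET against port 6443. The `worker1`–`worker4` labels name control-plane nodes according to both backend names and the surrounding comment; renaming them to reflect that would stop the server lines contradicting the backend. Moving from DNS names to fixed addresses removes the resolver dependency at HAProxy start, but the two backends now carry the same address list twice and must be changed together. The `defaults` section starts above this hunk; both backends begin and end inside it.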
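--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -7,6 +7,13 @@
 # Clean dangling container network files
 # rm /var/lib/cni/networks/services/10.5.*
 
+# Fix for containers requiring a custom user/group id
+# and Vyos not preserving file perms on upgrade
+mkdir -p /tmp/onepassword/data
+chown -R 999 /tmp/onepassword/data
+mkdir -p /tmp/bind/cache
+chown -R 104 /tmp/bind/cache
+
 # Mount USB Backup Drive
 # backupdest=/media/usb-backup
 # mkdir -p "$backupdest"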
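Review bot: `mkdir -p /tmp/onepassword/data` followed by `chown -R 999 /tmp/onepassword/data` creates the parent `/tmp/onepassword` inside the world-writable, sticky `/tmp` with whatever mode the boot script's umask yields, and `mkdir -p` succeeds silently if some other local user or container has already created `/tmp/onepassword`, in which case that user owns the directory holding the 1Password data that is then mounted rw into both containers; the same applies to `/tmp/bind/cache`. Since the comment says the chown is needed at every boot anyway, the directories could live under `/config` like the other container volumes in this commit, or at minimum be created with an explicit mode and owner in one step: `install -d -m 0700 -o 999 -- /tmp/onepassword/data` and `install -d -m 0700 -o 104 -- /tmp/bind/cache`. A guard such as `[ -d /tmp/onepassword ] && [ "$(stat -c %u /tmp/onepassword)" != 0 ] && exit 1` before the `install` would make a pre-created parent fail loudly instead of being adopted. The hunk header shows no enclosing function, so whether these lines run under `set -e` or as root is not visible here.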