Moved 1Password Connect out of the cluster. A few firewall/static DNS changes.
parent
d0e61a8c90
commit
59cdb11409
7 changed files with 91 additions and 50 deletions
@ -83,6 +83,7 @@ else
|
|||
run delete container image "${image_id}"
|
||||
fi
|
||||
done
|
||||
# Clean annoying overlay* folders
|
||||
sudo find "/config" -name "overlay*" -type d -prune -exec rm -rf "{}" \;
|
||||
fi
|
||||
|
||||
|
|
|
@ -120,3 +120,29 @@ set container name unifi restart 'on-failure'
|
|||
set container name unifi shared-memory '0'
|
||||
set container name unifi volume data destination '/unifi'
|
||||
set container name unifi volume data source '/config/containers/unifi'
|
||||
|
||||
# onepassword-connect
|
||||
set container name onepassword-connect image 'docker.io/1password/connect-api:1.7.0'
|
||||
set container name onepassword-connect environment TZ value 'America/Chicago'
|
||||
set container name onepassword-connect memory '0'
|
||||
set container name onepassword-connect network services address '10.5.0.5'
|
||||
set container name onepassword-connect shared-memory '0'
|
||||
set container name onepassword-connect volume credentials source '/config/secrets/1password-credentials.json'
|
||||
set container name onepassword-connect volume credentials destination '/home/opuser/.op/1password-credentials.json'
|
||||
set container name onepassword-connect volume credentials mode 'ro'
|
||||
set container name onepassword-connect volume data source '/tmp/onepassword/data'
|
||||
set container name onepassword-connect volume data destination '/home/opuser/.op/data'
|
||||
set container name onepassword-connect volume data mode 'rw'
|
||||
|
||||
# onepassword-sync
|
||||
set container name onepassword-sync image 'docker.io/1password/connect-sync:1.7.0'
|
||||
set container name onepassword-sync environment TZ value 'America/Chicago'
|
||||
set container name onepassword-sync memory '0'
|
||||
set container name onepassword-sync shared-memory '0'
|
||||
set container name onepassword-sync network services address '10.5.0.6'
|
||||
set container name onepassword-sync volume credentials source '/config/secrets/1password-credentials.json'
|
||||
set container name onepassword-sync volume credentials destination '/home/opuser/.op/1password-credentials.json'
|
||||
set container name onepassword-sync volume credentials mode 'ro'
|
||||
set container name onepassword-connect volume data source '/tmp/onepassword/data'
|
||||
set container name onepassword-sync volume data destination '/home/opuser/.op/data'
|
||||
set container name onepassword-sync volume data mode 'rw'
|
|
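Review bot: In the onepassword-sync block the data volume gets a destination and a mode but no source, because the line `set container name onepassword-connect volume data source '/tmp/onepassword/data'` is keyed to onepassword-connect instead of onepassword-sync; as written it re-sets the connect container's source and leaves the sync container's `volume data` incomplete. It should read `set container name onepassword-sync volume data source '/tmp/onepassword/data'`. Both containers mount the same credentials file read-only and share the same writable `/tmp/onepassword/data` host path, which is easy to misread as a copy-paste slip, so a one-line comment such as `# connect-api and connect-sync share the data directory` above the sync block would help. Both images are pinned by tag (`1.7.0`) rather than by digest; since a tag can be re-pushed, pinning by digest is worth considering if the registry supports it.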
@ -570,19 +570,23 @@ set firewall name trusted-local rule 6 destination port 'mdns'
|
|||
set firewall name trusted-local rule 6 protocol 'udp'
|
||||
set firewall name trusted-local rule 6 source port 'mdns'
|
||||
set firewall name trusted-local rule 7 action 'accept'
|
||||
set firewall name trusted-local rule 7 description 'Rule: accept_vyos_api'
|
||||
set firewall name trusted-local rule 7 destination port '8443'
|
||||
set firewall name trusted-local rule 7 protocol 'tcp'
|
||||
set firewall name trusted-local rule 7 description 'Rule: accept_wireguard'
|
||||
set firewall name trusted-local rule 7 destination port '51820'
|
||||
set firewall name trusted-local rule 7 protocol 'udp'
|
||||
set firewall name trusted-local rule 8 action 'accept'
|
||||
set firewall name trusted-local rule 8 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall name trusted-local rule 8 destination port '1900,1901,1902'
|
||||
set firewall name trusted-local rule 8 protocol 'udp'
|
||||
set firewall name trusted-local rule 8 source group address-group 'sonos_players'
|
||||
set firewall name trusted-local rule 8 description 'Rule: accept_vyos_api'
|
||||
set firewall name trusted-local rule 8 destination port '8443'
|
||||
set firewall name trusted-local rule 8 protocol 'tcp'
|
||||
set firewall name trusted-local rule 9 action 'accept'
|
||||
set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||
set firewall name trusted-local rule 9 destination port '1900,1901,1902,57621'
|
||||
set firewall name trusted-local rule 9 description 'Rule: accept_discovery_from_sonos_players'
|
||||
set firewall name trusted-local rule 9 destination port '1900,1901,1902'
|
||||
set firewall name trusted-local rule 9 protocol 'udp'
|
||||
set firewall name trusted-local rule 9 source group address-group 'sonos_controllers'
|
||||
set firewall name trusted-local rule 9 source group address-group 'sonos_players'
|
||||
set firewall name trusted-local rule 10 action 'accept'
|
||||
set firewall name trusted-local rule 10 description 'Rule: accept_discovery_from_sonos_controllers'
|
||||
set firewall name trusted-local rule 10 destination port '1900,1901,1902,57621'
|
||||
set firewall name trusted-local rule 10 protocol 'udp'
|
||||
set firewall name trusted-local rule 10 source group address-group 'sonos_controllers'
|
||||
|
||||
# From TRUSTED to SERVERS
|
||||
set firewall name trusted-servers default-action 'accept'
|
||||
|
|
|
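Review bot: Inserting the WireGuard rule as rule 7 shifts accept_vyos_api to 8 and both Sonos rules to 9 and 10, and because VyOS `set` merges into an existing node, applying these lines incrementally against a running config (rather than loading the whole file) would leave the old rule 8 attribute `source group address-group 'sonos_players'` attached to the new accept_vyos_api rule and narrow it to Sonos players only; this is only a concern if the config is applied that way, which the page does not show. Numbering rules with gaps (10, 20, 30, ...) would let a rule be added later without rewriting three existing ones. The new rule 7 accepts udp/51820 from the whole trusted zone with no source or destination address restriction; if the WireGuard interface listens on a specific local address, adding `destination address` to the rule would keep it scoped. The `firewall name trusted-local` block begins before this hunk.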
@ -112,8 +112,6 @@ set firewall group address-group unifi_devices address '10.1.0.24'
|
|||
set firewall group address-group vector_journald_allowed address '10.1.3.56'
|
||||
set firewall group address-group vector_journald_allowed address '10.1.3.60'
|
||||
|
||||
set firewall group address-group vyos_chronyd address '10.5.0.5'
|
||||
|
||||
set firewall group address-group vyos_coredns address '10.5.0.3'
|
||||
|
||||
set firewall group address-group vyos_dnsdist address '10.5.0.4'
|
||||
|
|
|
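Review bot: The address `10.5.0.5` listed here for the vyos_chronyd address-group is the same address this commit assigns to the onepassword-connect container and to the onepassword-connect.hsn.dev static host mapping; which of the group lines in this hunk is removed cannot be recovered from the rendered page. If `set firewall group address-group vyos_chronyd address '10.5.0.5'` survives the change, any rule matching on that group would now also match the 1Password Connect container, so please confirm the chronyd line is the one being dropped or that chronyd has moved elsewhere. The address-group block continues outside the hunk.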
@ -6,6 +6,9 @@ set system static-host-mapping host-name gateway.jahanson.tech alias ipv4.hsn.de
|
|||
# Unifi controller
|
||||
set system static-host-mapping host-name unifi inet 10.5.0.10
|
||||
|
||||
# 1Password Connect
|
||||
set system static-host-mapping host-name onepassword-connect.hsn.dev inet 10.5.0.5
|
||||
|
||||
# NAS
|
||||
set system static-host-mapping host-name elessar.jahanson.tech inet 10.1.1.11
|
||||
set system static-host-mapping host-name elessar.jahanson.tech alias nas.jahanson.tech
|
||||
|
|
|
@ -15,52 +15,54 @@ defaults
|
|||
log global
|
||||
option httplog
|
||||
option dontlognull
|
||||
option http-server-close
|
||||
option http-server-close
|
||||
option forwardfor except 127.0.0.0/8
|
||||
option redispatch
|
||||
retries 1
|
||||
retries 3
|
||||
timeout http-request 10s
|
||||
timeout queue 20s
|
||||
timeout connect 5s
|
||||
timeout client 20s
|
||||
timeout server 20s
|
||||
timeout connect 10s
|
||||
timeout client 1h
|
||||
timeout server 1h
|
||||
timeout http-keep-alive 10s
|
||||
timeout check 10s
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# apiserver frontend which proxys to the control plane nodes
|
||||
# apiserver frontend which proxys to the control plane nodes
|
||||
#---------------------------------------------------------------------
|
||||
frontend k8s_apiserver
|
||||
bind *:6443
|
||||
mode tcp
|
||||
option tcplog
|
||||
default_backend k8s_controlplane
|
||||
|
||||
frontend talos_apiserver
|
||||
bind *:50000
|
||||
mode tcp
|
||||
option tcplog
|
||||
default_backend talos_controlplane
|
||||
|
||||
frontend k8s_apiserver
|
||||
bind *:6443
|
||||
mode tcp
|
||||
option tcplog
|
||||
default_backend k8s_controlplane
|
||||
|
||||
frontend talos_apiserver
|
||||
bind *:50000
|
||||
mode tcp
|
||||
option tcplog
|
||||
default_backend talos_controlplane
|
||||
|
||||
#---------------------------------------------------------------------
|
||||
# round robin balancing for apiserver
|
||||
# round robin balancing for apiserver
|
||||
#---------------------------------------------------------------------
|
||||
backend k8s_controlplane
|
||||
option httpchk GET /healthz
|
||||
http-check expect status 200
|
||||
mode tcp
|
||||
option ssl-hello-chk
|
||||
balance roundrobin
|
||||
server worker1 gandalf.jahanson.tech:6443 check
|
||||
server worker2 glamdring.jahanson.tech:6443 check
|
||||
server worker3 lembas.jahanson.tech:6443 check
|
||||
|
||||
backend talos_controlplane
|
||||
option httpchk GET /healthz
|
||||
http-check expect status 200
|
||||
mode tcp
|
||||
option ssl-hello-chk
|
||||
balance roundrobin
|
||||
server worker1 gandalf.jahanson.tech:50000 check
|
||||
server worker2 glamdring.jahanson.tech:50000 check
|
||||
server worker3 lembas.jahanson.tech:50000 check
|
||||
backend k8s_controlplane
|
||||
option httpchk GET /healthz
|
||||
http-check expect status 200
|
||||
mode tcp
|
||||
option ssl-hello-chk
|
||||
balance roundrobin
|
||||
server worker1 10.1.1.31:6443 check
|
||||
server worker2 10.1.1.32:6443 check
|
||||
server worker3 10.1.1.33:6443 check
|
||||
server worker4 10.1.1.34:6443 check
|
||||
|
||||
backend talos_controlplane
|
||||
option httpchk GET /healthz
|
||||
http-check expect status 200
|
||||
mode tcp
|
||||
option ssl-hello-chk
|
||||
balance roundrobin
|
||||
server worker1 10.1.1.31:50000 check
|
||||
server worker2 10.1.1.32:50000 check
|
||||
server worker3 10.1.1.33:50000 check
|
||||
server worker4 10.1.1.34:50000 check
|
||||
|
|
|
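Review bot: `timeout client 1h` and `timeout server 1h` are set in `defaults`, so every frontend and backend in the file inherits an hour of idle time per connection; long-lived apiserver and Talos streams are presumably the motivation, but placing those two lines inside `frontend k8s_apiserver`/`backend k8s_controlplane` and their Talos counterparts while keeping short values in `defaults` limits how long an idle or half-open connection to any other listener can hold a slot. The new `server` lines are named `worker1`–`worker4` although they back the control-plane backends; naming them after the node (for example `server cp1 10.1.1.31:6443 check`) keeps logs and stats readable. The backends also declare both `option httpchk` and `option ssl-hello-chk`; as I recall HAProxy honours only the last health-check option given, so the `check` on the new server lines may not be running the HTTP /healthz probe the comment implies — worth verifying in the stats page. The `defaults` section starts before this hunk.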
@ -7,6 +7,13 @@
|
|||
# Clean dangling container network files
|
||||
# rm /var/lib/cni/networks/services/10.5.*
|
||||
|
||||
# Fix for containers requiring a custom user/group id
|
||||
# and Vyos not preserving file perms on upgrade
|
||||
mkdir -p /tmp/onepassword/data
|
||||
chown -R 999 /tmp/onepassword/data
|
||||
mkdir -p /tmp/bind/cache
|
||||
chown -R 104 /tmp/bind/cache
|
||||
|
||||
# Mount USB Backup Drive
|
||||
# backupdest=/media/usb-backup
|
||||
# mkdir -p "$backupdest"
|
||||
|
|
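Review bot: `mkdir -p /tmp/onepassword/data` followed by `chown -R 999 /tmp/onepassword/data` creates the Connect data directory beneath the world-writable `/tmp`; `mkdir -p` succeeds silently if `/tmp/onepassword` already exists, so a pre-existing directory created by another local user (or a symlink placed there) would become the parent of the data volume, and `chown -R` is then applied to whatever is at that path. Creating the parent with an explicit owner and mode, e.g. `install -d -m 0700 -o 999 /tmp/onepassword /tmp/onepassword/data` (and likewise `install -d -m 0700 -o 104 /tmp/bind /tmp/bind/cache`), avoids the recursive chown and fails loudly if the path is not a plain directory; a persistent location alongside the credentials under `/config` would also survive reboot. The uid 999 is asserted without a comment; a note such as `# 999 = opuser in the 1password/connect-* images` would record where it comes from, if that is indeed the source. The script continues outside the hunk.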