Compare commits
4 commits
f0127c37dd
...
ee9b154e4c
Author | SHA1 | Date | |
---|---|---|---|
|
ee9b154e4c | ||
a4fb1c6fb2 | |||
51100a76cc | |||
417bdccf18 |
9 changed files with 24 additions and 146 deletions
|
@ -3,6 +3,21 @@
|
||||||
# Container networks
|
# Container networks
|
||||||
set container network containers prefix '10.5.0.0/24'
|
set container network containers prefix '10.5.0.0/24'
|
||||||
|
|
||||||
|
# bind
|
||||||
|
set container name bind cap-add 'net-bind-service'
|
||||||
|
set container name bind image 'docker.io/internetsystemsconsortium/bind9:9.19'
|
||||||
|
set container name bind command '/usr/sbin/named -4 -f -c /etc/bind/named.conf -u bind'
|
||||||
|
set container name bind memory '0'
|
||||||
|
set container name bind network containers address '10.5.0.3'
|
||||||
|
set container name bind restart 'on-failure'
|
||||||
|
set container name bind shared-memory '0'
|
||||||
|
set container name bind volume config destination '/etc/bind'
|
||||||
|
set container name bind volume config source '/config/containers/bind/config'
|
||||||
|
set container name bind volume config mode 'ro'
|
||||||
|
set container name bind volume cache source '/tmp/bind/cache'
|
||||||
|
set container name bind volume cache destination '/var/cache/bind'
|
||||||
|
set container name bind volume cache mode 'rw'
|
||||||
|
|
||||||
# haproxy-k8s-api
|
# haproxy-k8s-api
|
||||||
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.0'
|
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.0'
|
||||||
set container name haproxy-k8s-api memory '0'
|
set container name haproxy-k8s-api memory '0'
|
||||||
|
@ -13,16 +28,6 @@ set container name haproxy-k8s-api volume config source '/config/containers/hapr
|
||||||
set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
|
set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
|
||||||
set container name haproxy-k8s-api volume config mode 'ro'
|
set container name haproxy-k8s-api volume config mode 'ro'
|
||||||
|
|
||||||
# haproxy-k3s-api
|
|
||||||
set container name haproxy-k3s-api image 'docker.io/library/haproxy:2.9.0'
|
|
||||||
set container name haproxy-k3s-api memory '0'
|
|
||||||
set container name haproxy-k3s-api network containers address '10.5.0.3'
|
|
||||||
set container name haproxy-k3s-api restart 'on-failure'
|
|
||||||
set container name haproxy-k3s-api shared-memory '0'
|
|
||||||
set container name haproxy-k3s-api volume config source '/config/containers/haproxy-k3s/config/haproxy.cfg'
|
|
||||||
set container name haproxy-k3s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
|
|
||||||
set container name haproxy-k3s-api volume config mode 'ro'
|
|
||||||
|
|
||||||
# node-exporter
|
# node-exporter
|
||||||
set container name node-exporter environment procfs value '/host/proc'
|
set container name node-exporter environment procfs value '/host/proc'
|
||||||
set container name node-exporter environment rootfs value '/host/rootfs'
|
set container name node-exporter environment rootfs value '/host/rootfs'
|
||||||
|
@ -80,7 +85,7 @@ set container name unifi environment RUNAS_UID0 value 'false'
|
||||||
set container name unifi environment TZ value 'America/Chicago'
|
set container name unifi environment TZ value 'America/Chicago'
|
||||||
set container name unifi environment PGID value '102'
|
set container name unifi environment PGID value '102'
|
||||||
set container name unifi environment PUID value '999'
|
set container name unifi environment PUID value '999'
|
||||||
set container name unifi image 'ghcr.io/goofball222/unifi:8.0.24'
|
set container name unifi image 'ghcr.io/goofball222/unifi:8.0.26'
|
||||||
set container name unifi memory '0'
|
set container name unifi memory '0'
|
||||||
set container name unifi network containers address '10.5.0.10'
|
set container name unifi network containers address '10.5.0.10'
|
||||||
set container name unifi restart 'on-failure'
|
set container name unifi restart 'on-failure'
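Review bot: The new bind container pulls the floating tag `docker.io/internetsystemsconsortium/bind9:9.19`, which appears to be ISC's development branch rather than the 9.18 stable/ESV line, and the tag moves with every patch release, so each pull can bring a different, unreviewed build of a resolver that is reachable from every container on 10.5.0.0/24; pin a stable patch release and add its `@sha256:` digest to the image string, as a comment above the block should record why that version was chosen. The cache volume source `/tmp/bind/cache` lives on a world-writable tmpfs that is emptied on reboot, so if VyOS verifies that volume sources exist at config load (TODO confirm), the container will fail to start after a reboot until someone recreates the directory — a path under `/config/containers/bind/` mounted `rw` avoids both problems. `memory '0'` leaves the resolver unbounded, consistent with the other containers here, but a service that accepts queries from the whole container network is the one most worth capping. The `cap-add 'net-bind-service'` plus `-u bind` pairing is the right least-privilege shape and should be kept.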
|
||||||
|
|
|
@ -413,6 +413,10 @@ set firewall ipv4 name containers-lan rule 999 log
|
||||||
set firewall ipv4 name containers-local default-action 'drop'
|
set firewall ipv4 name containers-local default-action 'drop'
|
||||||
set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
|
set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
|
||||||
set firewall ipv4 name containers-local default-log
|
set firewall ipv4 name containers-local default-log
|
||||||
|
set firewall ipv4 name containers-local rule 40 action 'accept'
|
||||||
|
set firewall ipv4 name containers-local rule 40 description 'Rule: accept_dns'
|
||||||
|
set firewall ipv4 name containers-local rule 40 destination port 'domain,domain-s'
|
||||||
|
set firewall ipv4 name containers-local rule 40 protocol 'tcp_udp'
|
||||||
set firewall ipv4 name containers-local rule 50 action 'accept'
|
set firewall ipv4 name containers-local rule 50 action 'accept'
|
||||||
set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
|
set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
|
||||||
set firewall ipv4 name containers-local rule 50 destination port '67,68'
|
set firewall ipv4 name containers-local rule 50 destination port '67,68'
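Review bot: Rule 40 accepts TCP and UDP to ports 53 and 853 on the router from any source in the CONTAINERS zone with no `source address` qualifier, so every container on 10.5.0.0/24 — not only the new resolver — can query the router's DNS listener. If only the bind container is meant to forward to the router, add `set firewall ipv4 name containers-local rule 40 source address '10.5.0.3'`; if the router does not actually serve DNS-over-TLS, drop `domain-s` from the destination port list rather than opening 853 speculatively. The description `Rule: accept_dns` does not say why containers still need the router's DNS once bind runs inside the container network; one sentence there would help the next reviewer. Rule 50's protocol line is outside this hunk, so whether it is bounded the same way cannot be judged here.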
|
||||||
|
|
|
@ -45,7 +45,7 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-ma
|
||||||
|
|
||||||
# k8s prod workers
|
# k8s prod workers
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya ip-address '10.1.1.41'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya ip-address '10.1.1.41'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya mac-address 'c8:1f:66:10:4d:b9'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping nenya mac-address '00:a0:98:1a:5e:ed'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping vilya ip-address '10.1.1.42'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping vilya ip-address '10.1.1.42'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping vilya mac-address 'c8:1f:66:10:51:d9'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping vilya mac-address 'c8:1f:66:10:51:d9'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gollum ip-address '10.1.1.43'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping gollum ip-address '10.1.1.43'
|
||||||
|
@ -65,8 +65,6 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-ma
|
||||||
# VMs
|
# VMs
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36'
|
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36'
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping qbee ip-address '10.1.1.55'
|
|
||||||
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping qbee mac-address '00:a0:98:00:a6:72'
|
|
||||||
|
|
||||||
|
|
||||||
# k8s prod masters
|
# k8s prod masters
|
||||||
|
|
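--- a/containers/.gitignore
+++ b/containers/.gitignore
@@ -7,6 +7,5 @@
 !/bind/
 !/dnsdist/
 !/haproxy/
-!/haproxy-k3s/
 !/unifi/
 !/vector-agent/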
@ -1,30 +0,0 @@
|
||||||
; Make sure to update the epoch time in the SOA records so coreDNS picks up the changes automatically
|
|
||||||
; https://www.epochconverter.com/
|
|
||||||
|
|
||||||
; SOA Records
|
|
||||||
$TTL 3600
|
|
||||||
$ORIGIN hsn.dev.
|
|
||||||
@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
|
|
||||||
1696362449 ; serial number (epoch timestamp)
|
|
||||||
7200 ; refresh period
|
|
||||||
3600 ; retry period
|
|
||||||
1209600 ; expire time
|
|
||||||
3600 ; minimum ttl
|
|
||||||
)
|
|
||||||
|
|
||||||
; NS Records
|
|
||||||
@ IN NS gateway.jahanson.tech.
|
|
||||||
|
|
||||||
; Containers
|
|
||||||
@ IN A 104.26.2.197
|
|
||||||
@ IN A 104.26.3.197
|
|
||||||
@ IN A 172.67.72.148
|
|
||||||
blog IN A 20.64.91.58
|
|
||||||
onepassword-connect IN A 10.5.0.5
|
|
||||||
git IN A 40.124.184.64
|
|
||||||
varda IN A 136.243.8.106
|
|
||||||
|
|
||||||
; CNAME Records
|
|
||||||
s3 IN CNAME nas.jahanson.tech.
|
|
||||||
minio IN CNAME nas.jahanson.tech.
|
|
||||||
vpn IN CNAME gateway.jahanson.tech.
|
|
|
@ -5,7 +5,7 @@
|
||||||
$TTL 3600
|
$TTL 3600
|
||||||
$ORIGIN jahanson.tech.
|
$ORIGIN jahanson.tech.
|
||||||
@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
|
@ 3600 IN SOA gateway.jahanson.tech. gateway.jahanson.tech. (
|
||||||
1686507728 ; serial number (epoch timestamp)
|
1705263395 ; serial number (epoch timestamp)
|
||||||
7200 ; refresh period
|
7200 ; refresh period
|
||||||
3600 ; retry period
|
3600 ; retry period
|
||||||
1209600 ; expire time
|
1209600 ; expire time
|
||||||
|
@ -21,31 +21,6 @@ gateway IN A 10.1.0.1
|
||||||
; Servers
|
; Servers
|
||||||
elessar IN A 10.1.1.11
|
elessar IN A 10.1.1.11
|
||||||
sting IN A 10.1.1.12
|
sting IN A 10.1.1.12
|
||||||
gandalf IN A 10.1.1.31
|
|
||||||
glamdring IN A 10.1.1.32
|
|
||||||
shadowfax IN A 10.1.1.33
|
|
||||||
nenya IN A 10.1.1.41
|
|
||||||
vilya IN A 10.1.1.42
|
|
||||||
narya IN A 10.1.1.43
|
|
||||||
nahar IN A 10.1.1.44
|
|
||||||
thror IN A 10.1.1.45
|
|
||||||
thrain IN A 10.1.1.46
|
|
||||||
nextcloud IN A 10.1.1.51
|
|
||||||
frodo IN A 10.1.1.52
|
|
||||||
tulkas IN A 10.1.1.53
|
|
||||||
galadriel IN A 10.1.1.61
|
|
||||||
elrond IN A 10.1.1.62
|
|
||||||
cirdan IN A 10.1.1.63
|
|
||||||
|
|
||||||
; IOT
|
|
||||||
livingroom-vacuum IN A 10.1.3.18
|
|
||||||
|
|
||||||
; Video
|
|
||||||
driveway-camera IN A 10.1.4.12
|
|
||||||
|
|
||||||
; Containers
|
|
||||||
morgoth IN A 10.5.0.2
|
|
||||||
|
|
||||||
; CNAME records
|
; CNAME records
|
||||||
nas IN CNAME elessar.jahanson.tech.
|
nas IN CNAME elessar.jahanson.tech.
|
||||||
pikvm IN CNAME frodo.jahanson.tech.
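Review bot: The A records for nenya, vilya and tulkas are dropped here while their DHCP static mappings (10.1.1.41, 10.1.1.42, 10.1.1.53) are kept elsewhere in this change, so those hosts keep their addresses but stop resolving from this zone; if the new bind container is meant to serve these names instead, a zone comment should say so, otherwise the records should stay. The serial bump is correct, but nothing in the zone records which names moved and where, which makes the next split-horizon mismatch hard to diagnose — a one-line `; server records moved to the bind container config` (or wherever they went) would do. The surviving `nas` CNAME still targets `elessar.jahanson.tech.`, whose A record is retained, so it remains valid.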
|
|
||||||
|
|
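--- a/containers/haproxy-k3s/.gitignore
+++ b/containers/haproxy-k3s/.gitignore
@@ -1,9 +0,0 @@
-# Ignore everything
-/*
-
-# Track certain files and directories
-!.gitignore
-
-!/config/
-/config/*
-!/config/haproxy.cfg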
@ -1,48 +0,0 @@
|
||||||
#---------------------------------------------------------------------
|
|
||||||
# Global settings
|
|
||||||
#---------------------------------------------------------------------
|
|
||||||
global
|
|
||||||
log /dev/log local0
|
|
||||||
log /dev/log local1 notice
|
|
||||||
daemon
|
|
||||||
|
|
||||||
#---------------------------------------------------------------------
|
|
||||||
# common defaults that all the 'listen' and 'backend' sections will
|
|
||||||
# use if not designated in their block
|
|
||||||
#---------------------------------------------------------------------
|
|
||||||
defaults
|
|
||||||
mode http
|
|
||||||
log global
|
|
||||||
option httplog
|
|
||||||
option dontlognull
|
|
||||||
option http-server-close
|
|
||||||
option forwardfor except 127.0.0.0/8
|
|
||||||
option redispatch
|
|
||||||
retries 3
|
|
||||||
timeout http-request 10s
|
|
||||||
timeout queue 20s
|
|
||||||
timeout connect 10s
|
|
||||||
timeout client 1h
|
|
||||||
timeout server 1h
|
|
||||||
timeout http-keep-alive 10s
|
|
||||||
timeout check 10s
|
|
||||||
|
|
||||||
#---------------------------------------------------------------------
|
|
||||||
# apiserver frontend which proxys to the control plane nodes
|
|
||||||
#---------------------------------------------------------------------
|
|
||||||
frontend k8s_apiserver
|
|
||||||
bind *:6443
|
|
||||||
mode tcp
|
|
||||||
option tcplog
|
|
||||||
default_backend k8s_controlplane
|
|
||||||
|
|
||||||
#---------------------------------------------------------------------
|
|
||||||
# round robin balancing for apiserver
|
|
||||||
#---------------------------------------------------------------------
|
|
||||||
backend k8s_controlplane
|
|
||||||
option httpchk GET /healthz
|
|
||||||
http-check expect status 200
|
|
||||||
mode tcp
|
|
||||||
option ssl-hello-chk
|
|
||||||
balance roundrobin
|
|
||||||
server worker2 10.1.1.55:6443 check
|
|
|
@ -36,12 +36,6 @@ frontend k8s_apiserver
|
||||||
option tcplog
|
option tcplog
|
||||||
default_backend k8s_controlplane
|
default_backend k8s_controlplane
|
||||||
|
|
||||||
frontend talos_apiserver
|
|
||||||
bind *:50000
|
|
||||||
mode tcp
|
|
||||||
option tcplog
|
|
||||||
default_backend talos_controlplane
|
|
||||||
|
|
||||||
#---------------------------------------------------------------------
|
#---------------------------------------------------------------------
|
||||||
# round robin balancing for apiserver
|
# round robin balancing for apiserver
|
||||||
#---------------------------------------------------------------------
|
#---------------------------------------------------------------------
|
||||||
|
@ -54,13 +48,3 @@ backend k8s_controlplane
|
||||||
server worker1 10.1.1.61:6443 check
|
server worker1 10.1.1.61:6443 check
|
||||||
server worker2 10.1.1.62:6443 check
|
server worker2 10.1.1.62:6443 check
|
||||||
server worker3 10.1.1.63:6443 check
|
server worker3 10.1.1.63:6443 check
|
||||||
|
|
||||||
backend talos_controlplane
|
|
||||||
option httpchk GET /healthz
|
|
||||||
http-check expect status 200
|
|
||||||
mode tcp
|
|
||||||
option ssl-hello-chk
|
|
||||||
balance roundrobin
|
|
||||||
server worker1 10.1.1.61:50000 check
|
|
||||||
server worker2 10.1.1.62:50000 check
|
|
||||||
server worker3 10.1.1.63:50000 check
|
|
||||||
|
|