Add custom error pages and Nginx configuration for proxy module
- Introduced custom HTML error pages for various HTTP status codes (400, 401, 403, 404, 408, 429, 500, 502, 503, 504) in the proxy module. - Created a .gitignore file to exclude non-HTML files in the error resources directory. - Updated Nginx configuration to serve custom error pages for upstream errors. - Added new Nginx configuration templates for handling HTTP and stream protocols. - Implemented Wireguard configuration templates and associated variables for secure connections. - Established Kubernetes resources for Stunnel and Wireguard, including deployment, service accounts, and config maps. - Defined variables for the Stunnel and Wireguard modules to facilitate configuration. - Created a new Wol Proxy module with Kubernetes resources for deployment and service management.
This commit is contained in:
@@ -54,6 +54,10 @@ module "mail" {
|
||||
mail_crypt_public_key = var.mail_crypt_public_key
|
||||
|
||||
ca_pem = var.root_ca_pem
|
||||
|
||||
# For now we need to use host networking because of the fail2ban integration
|
||||
postfix_use_host_networking = true
|
||||
dovecot_use_host_networking = true
|
||||
}
|
||||
|
||||
module "gitea" {
|
||||
@@ -116,11 +120,18 @@ module "ssh_locker_web" {
|
||||
socket_path = "/var/run/ssh_locker/provision.sock"
|
||||
}
|
||||
|
||||
module "reverse_proxy" {
|
||||
source = "../../modules/apps/nginx-reverse-proxy"
|
||||
module "proxy" {
|
||||
source = "../../modules/utils/proxy"
|
||||
|
||||
services = local.reverse_proxy_services
|
||||
wireguard_config = local.reverse_proxy_wireguard_config
|
||||
auth_token = var.nginx_token_bearer
|
||||
services = local.proxy_services
|
||||
streams = local.streams
|
||||
wireguard_config = local.wireguard_config
|
||||
}
|
||||
|
||||
module "prometheus" {
|
||||
source = "../../modules/utils/prometheus"
|
||||
|
||||
persistent_folder = "${local.persistent_folder}/monitoring"
|
||||
config = file("${path.module}/resources/prometheus.yml")
|
||||
}
|
||||
|
||||
@@ -79,39 +79,52 @@ locals {
|
||||
#reverse proxy settings
|
||||
|
||||
streams = {
|
||||
"imap" = {
|
||||
port = 993
|
||||
upstream = "imap.mail.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
}
|
||||
"smtps" = {
|
||||
port = 465
|
||||
upstream = "smtps.mail.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
}
|
||||
# For now disabled, because this messes with fail2ban on the host
|
||||
# since the ip is lost and replaced with the nginx ingress controller ip
|
||||
# to fix this we might need to setup logging on the stream and cross reference
|
||||
# with postfix/dovecot logs and then ban the ip on the host
|
||||
# "imap" = {
|
||||
# port = 993
|
||||
# upstream = "imap.mail.svc.cluster.local"
|
||||
# protocol = "tcp"
|
||||
# }
|
||||
# "smtps" = {
|
||||
# port = 465
|
||||
# upstream = "smtps.mail.svc.cluster.local"
|
||||
# protocol = "tcp"
|
||||
# }
|
||||
"21115-tcp" = {
|
||||
port = 21115
|
||||
upstream = "tcp.rustdesk.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
port = 21115
|
||||
host_port = 21115
|
||||
upstream = "tcp.rustdesk.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
}
|
||||
"21116-tcp" = {
|
||||
port = 21116
|
||||
upstream = "tcp.rustdesk.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
port = 21116
|
||||
host_port = 21116
|
||||
upstream = "tcp.rustdesk.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
}
|
||||
"21116-udp" = {
|
||||
port = 21116
|
||||
upstream = "udp.rustdesk.svc.cluster.local"
|
||||
protocol = "udp"
|
||||
port = 21116
|
||||
host_port = 21116
|
||||
upstream = "udp.rustdesk.svc.cluster.local"
|
||||
protocol = "udp"
|
||||
}
|
||||
"21117-tcp" = {
|
||||
port = 21117
|
||||
upstream = "tcp.rustdesk.svc.cluster.local"
|
||||
port = 21117
|
||||
host_port = 21117
|
||||
upstream = "tcp.rustdesk.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
}
|
||||
"9090-tcp" = {
|
||||
port = 9090
|
||||
upstream = "prometheus.prometheus.svc.cluster.local"
|
||||
protocol = "tcp"
|
||||
}
|
||||
}
|
||||
|
||||
reverse_proxy_wireguard_config = {
|
||||
wireguard_config = {
|
||||
private_key = var.wireguard_1_private_key
|
||||
public_key = var.wireguard_1_public_key
|
||||
pre_shared_key = var.wireguard_1_pre_shared_key
|
||||
@@ -125,7 +138,7 @@ locals {
|
||||
]
|
||||
}
|
||||
|
||||
reverse_proxy_services = {
|
||||
proxy_services = {
|
||||
"open-webui" = {
|
||||
http_port = 8080
|
||||
https_port = 8443
|
||||
|
||||
@@ -0,0 +1,40 @@
|
||||
global:
|
||||
scrape_interval: 5s
|
||||
evaluation_interval: 5s
|
||||
rule_files:
|
||||
- /etc/prometheus/prometheus.rules
|
||||
scrape_configs:
|
||||
- job_name: kubernetes-nodes-cadvisor
|
||||
scrape_interval: 10s
|
||||
scrape_timeout: 10s
|
||||
scheme: https # remove if you want to scrape metrics on insecure port
|
||||
tls_config:
|
||||
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
insecure_skip_verify: true
|
||||
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
kubernetes_sd_configs:
|
||||
- role: node
|
||||
relabel_configs:
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_node_label_(.+)
|
||||
# Only for Kubernetes ^1.7.3.
|
||||
# See: https://github.com/prometheus/prometheus/issues/2916
|
||||
- target_label: __address__
|
||||
replacement: kubernetes.default.svc:443
|
||||
- source_labels: [__meta_kubernetes_node_name]
|
||||
regex: (.+)
|
||||
target_label: __metrics_path__
|
||||
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
|
||||
metric_relabel_configs:
|
||||
- action: replace
|
||||
source_labels: [id]
|
||||
regex: '^/machine\.slice/machine-rkt\\x2d([^\\]+)\\.+/([^/]+)\.service$'
|
||||
target_label: rkt_container_name
|
||||
replacement: "${2}-${1}"
|
||||
- action: replace
|
||||
source_labels: [id]
|
||||
regex: '^/system\.slice/(.+)\.service$'
|
||||
target_label: systemd_service_name
|
||||
replacement: "${1}"
|
||||
remote_write:
|
||||
- url: "http://prometheus.reverse-proxy.svc.cluster.local:9090/api/v1/write"
|
||||
Reference in New Issue
Block a user