Add custom error pages and Nginx configuration for proxy module

- Introduced custom HTML error pages for various HTTP status codes (400, 401, 403, 404, 408, 429, 500, 502, 503, 504) in the proxy module.
- Created a .gitignore file to exclude non-HTML files in the error resources directory.
- Updated Nginx configuration to serve custom error pages for upstream errors.
- Added new Nginx configuration templates for handling HTTP and stream protocols.
- Implemented Wireguard configuration templates and associated variables for secure connections.
- Established Kubernetes resources for Stunnel and Wireguard, including deployment, service accounts, and config maps.
- Defined variables for the Stunnel and Wireguard modules to facilitate configuration.
- Created a new Wol Proxy module with Kubernetes resources for deployment and service management.
This commit is contained in:
2025-10-02 00:19:01 +02:00
parent 4d00986273
commit e6a3f3affd
62 changed files with 1517 additions and 99 deletions
+15 -4
View File
@@ -54,6 +54,10 @@ module "mail" {
mail_crypt_public_key = var.mail_crypt_public_key
ca_pem = var.root_ca_pem
# For now we need to use host networking because of the fail2ban integration
postfix_use_host_networking = true
dovecot_use_host_networking = true
}
module "gitea" {
@@ -116,11 +120,18 @@ module "ssh_locker_web" {
socket_path = "/var/run/ssh_locker/provision.sock"
}
module "reverse_proxy" {
source = "../../modules/apps/nginx-reverse-proxy"
module "proxy" {
source = "../../modules/utils/proxy"
services = local.reverse_proxy_services
wireguard_config = local.reverse_proxy_wireguard_config
auth_token = var.nginx_token_bearer
services = local.proxy_services
streams = local.streams
wireguard_config = local.wireguard_config
}
module "prometheus" {
source = "../../modules/utils/prometheus"
persistent_folder = "${local.persistent_folder}/monitoring"
config = file("${path.module}/resources/prometheus.yml")
}
+36 -23
View File
@@ -79,39 +79,52 @@ locals {
#reverse proxy settings
streams = {
"imap" = {
port = 993
upstream = "imap.mail.svc.cluster.local"
protocol = "tcp"
}
"smtps" = {
port = 465
upstream = "smtps.mail.svc.cluster.local"
protocol = "tcp"
}
# For now disabled, because this messes with fail2ban on the host
# since the ip is lost and replaced with the nginx ingress controller ip
# to fix this we might need to setup logging on the stream and cross reference
# with postfix/dovecot logs and then ban the ip on the host
# "imap" = {
# port = 993
# upstream = "imap.mail.svc.cluster.local"
# protocol = "tcp"
# }
# "smtps" = {
# port = 465
# upstream = "smtps.mail.svc.cluster.local"
# protocol = "tcp"
# }
"21115-tcp" = {
port = 21115
upstream = "tcp.rustdesk.svc.cluster.local"
protocol = "tcp"
port = 21115
host_port = 21115
upstream = "tcp.rustdesk.svc.cluster.local"
protocol = "tcp"
}
"21116-tcp" = {
port = 21116
upstream = "tcp.rustdesk.svc.cluster.local"
protocol = "tcp"
port = 21116
host_port = 21116
upstream = "tcp.rustdesk.svc.cluster.local"
protocol = "tcp"
}
"21116-udp" = {
port = 21116
upstream = "udp.rustdesk.svc.cluster.local"
protocol = "udp"
port = 21116
host_port = 21116
upstream = "udp.rustdesk.svc.cluster.local"
protocol = "udp"
}
"21117-tcp" = {
port = 21117
upstream = "tcp.rustdesk.svc.cluster.local"
port = 21117
host_port = 21117
upstream = "tcp.rustdesk.svc.cluster.local"
protocol = "tcp"
}
"9090-tcp" = {
port = 9090
upstream = "prometheus.prometheus.svc.cluster.local"
protocol = "tcp"
}
}
reverse_proxy_wireguard_config = {
wireguard_config = {
private_key = var.wireguard_1_private_key
public_key = var.wireguard_1_public_key
pre_shared_key = var.wireguard_1_pre_shared_key
@@ -125,7 +138,7 @@ locals {
]
}
reverse_proxy_services = {
proxy_services = {
"open-webui" = {
http_port = 8080
https_port = 8443
@@ -0,0 +1,40 @@
global:
scrape_interval: 5s
evaluation_interval: 5s
rule_files:
- /etc/prometheus/prometheus.rules
scrape_configs:
- job_name: kubernetes-nodes-cadvisor
scrape_interval: 10s
scrape_timeout: 10s
scheme: https # remove if you want to scrape metrics on insecure port
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
# Only for Kubernetes ^1.7.3.
# See: https://github.com/prometheus/prometheus/issues/2916
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
metric_relabel_configs:
- action: replace
source_labels: [id]
regex: '^/machine\.slice/machine-rkt\\x2d([^\\]+)\\.+/([^/]+)\.service$'
target_label: rkt_container_name
replacement: "${2}-${1}"
- action: replace
source_labels: [id]
regex: '^/system\.slice/(.+)\.service$'
target_label: systemd_service_name
replacement: "${1}"
remote_write:
- url: "http://prometheus.reverse-proxy.svc.cluster.local:9090/api/v1/write"