feat: initial commit

amy 2025-04-01 17:40:03 +00:00
commit 38f495e3f4
457 changed files with 40577 additions and 0 deletions


@ -0,0 +1 @@
cert/


@ -0,0 +1,137 @@
map $http_upgrade $connection_upgrade_keepalive {
default upgrade;
'' '';
}
server {
listen 443 ssl;
server_name auth.amy.mov;
resolver 192.168.1.155;
location / {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
proxy_pass http://authentik.cluster:9000;
}
}
server {
listen 443 ssl;
server_name garage.amy.mov;
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location / {
# Where should the authenticated requests go
proxy_pass http://garage.cluster:3909;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-entitlements $authentik_entitlements;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
}
# All requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass http://authentik.cluster:9000/outpost.goauthentik.io;
# Note: ensure the Host header matches your external authentik URL:
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
}
server {
listen 443 ssl;
server_name calibre.amy.mov;
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location / {
# Where should the authenticated requests go
proxy_pass http://calibre.cluster:8080;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade_keepalive;
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-entitlements $authentik_entitlements;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
# Since we're overwriting the Basic Auth headers
auth_request_set $authentik_auth $upstream_http_authorization;
proxy_set_header Authorization $authentik_auth;
}
# All requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
proxy_pass http://authentik.cluster:9000/outpost.goauthentik.io;
# Note: ensure the Host header matches your external authentik URL:
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
}
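Review bot: The `server_name auth.amy.mov` block at L20 is the first `listen 443 ssl` server in the configuration and none of the blocks carries `default_server`, so nginx will route any request whose SNI/Host matches no configured name (for example a connection made to the bare IP) to the authentik proxy. A catch-all that refuses such requests keeps name-based routing explicit: `server { listen 443 ssl default_server; server_name _; return 444; }`, placed in its own file or ahead of this block. The `resolver 192.168.1.155;` at L23 appears to be unused here, since `proxy_pass http://authentik.cluster:9000` at L31 contains no variables and is resolved once at config load; either drop it or add a comment stating why it is kept. Also, the garage and calibre `location /` blocks forward no `X-Forwarded-For`/`X-Forwarded-Proto`, unlike the auth block at L26-L27, which is worth aligning for consistent client-address logging upstream.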


@ -0,0 +1,13 @@
server {
listen 443 ssl;
server_name blog.amy.mov;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://192.168.1.210:2368;
}
}


@ -0,0 +1,13 @@
# !! Managed by Puppet !!
server {
listen 443 ssl;
server_name cloud.amy.mov;
location / {
proxy_pass https://owncloud.cluster:9200;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
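Review bot: `proxy_pass https://owncloud.cluster:9200;` at L151 speaks TLS to the backend but sets no `proxy_ssl_verify on;` / `proxy_ssl_trusted_certificate`, and nginx does not verify upstream certificates by default, so the hop is encrypted but unauthenticated. If the backend has a cert from a CA you control, add `proxy_ssl_verify on; proxy_ssl_trusted_certificate <path-to-ca-bundle>; proxy_ssl_server_name on;` inside the location; if it is deliberately self-signed and unverified, say so in a comment so the next reader does not assume verification. This block also omits `X-Forwarded-Proto`/`X-Forwarded-For`, which the blog/pg/secrets blocks send and which an application behind a TLS-terminating proxy typically needs to build https URLs.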


@ -0,0 +1,13 @@
# !! Managed by Puppet !!
server {
listen 443 ssl;
server_name fedi.amy.mov;
location / {
proxy_pass http://192.168.1.201:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
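Review bot: The `location /` at L164 forwards only `Host` and `X-Real-IP`, whereas the blog, pg and secrets blocks in this commit also send `X-Forwarded-For` and `X-Forwarded-Proto`; since TLS terminates at this proxy, a backend that derives its public scheme from those headers will see plain http. The forge.amy.mov file has the same shape. Suggest adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` to both locations, or a comment explaining why these backends do not need them.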


@ -0,0 +1,14 @@
# !! Managed by Puppet !!
server {
listen 443 ssl;
server_name forge.amy.mov;
resolver 192.168.1.155;
location / {
proxy_pass http://forgejo.cluster:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}


@ -0,0 +1,11 @@
server {
listen 443 ssl;
server_name internal-s3.amy.mov;
resolver 192.168.1.155;
location / {
proxy_set_header Host internal-s3.amy.mov;
proxy_pass http://garage.cluster:3900;
}
}
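Review bot: Nothing in the `location /` at L193 restricts who can reach this endpoint, although the name `internal-s3.amy.mov` suggests it is meant for internal clients only. If that is the intent, add `allow <lan-cidr>; deny all;` inside the location so the restriction is enforced at the proxy rather than implied by DNS; if the S3 API's own request signing is the intended access control, record that in a comment above the location. The `resolver` at L192 appears unused because `proxy_pass http://garage.cluster:3900` contains no variables and is resolved at config load.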


@ -0,0 +1,13 @@
server {
listen 443 ssl;
server_name pg.amy.mov;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://postgresql.cluster;
}
}


@ -0,0 +1,15 @@
server {
listen 443 ssl;
server_name s3.amy.mov;
resolver 192.168.1.155;
# Rewriting path based buckets to vhost buckets, ie:
# s3.amy.mov/test-bucket => test-bucket.s3.amy.mov
location ~ ^/([^/]+)(.*)$ {
# Set the host so Garage thinks we are coming from a vhost
proxy_set_header Host $1.s3.amy.mov;
# But pass the path ($2) to the real proxy
proxy_pass http://garage.cluster:3902$2;
}
}
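Review bot: `proxy_pass http://garage.cluster:3902$2;` at L227 drops the query string: because proxy_pass here contains a variable, nginx forwards exactly that value, and `$2` is captured from the path only, so requests such as bucket listings (`?list-type=2`) or pre-signed URLs (`?X-Amz-Signature=...`) reach Garage without their parameters. Change it to `proxy_pass http://garage.cluster:3902$2$is_args$args;`. Separately, `([^/]+)` at L223 feeds arbitrary first-segment text straight into the `Host` header at L225; if the upstream only accepts S3-style bucket names, tightening the capture to `^/([a-z0-9.-]+)(.*)$` rejects malformed hosts at the proxy instead of at Garage.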


@ -0,0 +1,13 @@
server {
listen 443 ssl;
server_name secrets.amy.mov;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://infisical.cluster:8080;
}
}


@ -0,0 +1,31 @@
# !! Managed by Puppet !!
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
client_max_body_size 15M;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/cert/cf.pem;
ssl_certificate_key /etc/nginx/cert/cf.key;
include /etc/nginx/conf.d/*;
}
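Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` at L265 re-enables TLS 1.0 and 1.1, which are deprecated and which modern clients (and Cloudflare, if the `cf.pem` name means this sits behind it) no longer need; use `ssl_protocols TLSv1.2 TLSv1.3;`. `ssl_prefer_server_ciphers on;` at L266 has no accompanying `ssl_ciphers`, so the cipher list is whatever the OpenSSL build defaults to, which is worth pinning explicitly or documenting in a comment. No `ssl_session_cache` is set either; `ssl_session_cache shared:SSL:10m;` is the usual companion to these directives and avoids a full handshake per connection.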


@ -0,0 +1,56 @@
class reverse_proxy {
contain reverse_proxy::install
contain reverse_proxy::config
contain reverse_proxy::service
}
class reverse_proxy::install {
package { 'nginx':
ensure => installed,
}
}
define reverse_proxy::conf_file (
$dest_base,
$source_base,
$group = 'www-data',
$owner = 'www-data',
$mode = '0640',
) {
file { "${dest_base}/${name}":
source => "${source_base}/${name}",
ensure => 'present',
group => $group,
owner => $owner,
mode => $mode,
notify => Service['nginx'],
}
}
class reverse_proxy::config {
$config_files = [
# Make our dirs first
'conf.d', 'cert',
# Then we can populate them
'conf.d/fedi.amy.mov', 'conf.d/s3.amy.mov', 'conf.d/blog.amy.mov', 'conf.d/auth.amy.mov', 'conf.d/pg.amy.mov',
'conf.d/forge.amy.mov', 'conf.d/cloud.amy.mov', 'conf.d/secrets.amy.mov',
'conf.d/internal-s3.amy.mov',
'cert/cf.key', 'cert/cf.pem',
'nginx.conf'
]
reverse_proxy::conf_file { $config_files:
source_base => 'puppet:///modules/reverse_proxy',
dest_base => '/etc/nginx'
}
}
class reverse_proxy::service {
service { 'nginx':
ensure => running,
enable => true,
}
}
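Review bot: The define at L285-L300 applies `owner => 'www-data'` and `mode => '0640'` to every entry in `$config_files`, including `'cert/cf.key'` at L309, so the TLS private key is readable by the unprivileged worker user. nginx's master process runs as root (`user www-data` in nginx.conf only affects workers) and loads the key at startup, so the key can be root-owned with mode 0600 and a compromised worker gains nothing from it. Pull the key out of the array and declare it separately with its own ownership and mode, as below; the `0640` default remains fine for the conf.d files. It is also worth confirming that `cert/cf.key` under `puppet:///modules/reverse_proxy` is not committed alongside the manifest (the one-line `cert/` file earlier in this commit looks like an ignore rule for that purpose).
```puppet
  $config_files = [
    # … unchanged: directories and conf.d/* entries …
    'cert/cf.pem',
    'nginx.conf'
  ]
  reverse_proxy::conf_file { $config_files:
    source_base => 'puppet:///modules/reverse_proxy',
    dest_base   => '/etc/nginx'
  }
  # The nginx master process reads the key as root before forking workers,
  # so the www-data user needs no access to it.
  reverse_proxy::conf_file { 'cert/cf.key':
    source_base => 'puppet:///modules/reverse_proxy',
    dest_base   => '/etc/nginx',
    owner       => 'root',
    group       => 'root',
    mode        => '0600',
  }
```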