feat: initial commit

2025-04-01 17:40:03 +00:00 · 2025-04-01 17:40:03 +00:00 · 38f495e3f4
commit 38f495e3f4
457 changed files with 40577 additions and 0 deletions
--- a/environments/production/modules/reverse_proxy/files/.gitignore
+++ b/environments/production/modules/reverse_proxy/files/.gitignore
@ -0,0 +1 @@
+cert/
--- a/environments/production/modules/reverse_proxy/files/conf.d/auth.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/auth.amy.mov
@ -0,0 +1,137 @@
+map $http_upgrade $connection_upgrade_keepalive {
+    default upgrade;
+    ''      '';
+}
+
+server {
+  listen 443 ssl;
+  server_name auth.amy.mov;
+  resolver 192.168.1.155;
+  
+  location / {
+    proxy_http_version 1.1;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade_keepalive;
+
+    proxy_pass http://authentik.cluster:9000;
+  }
+}
+
+server {
+  listen                  443 ssl;
+  server_name             garage.amy.mov;
+
+  proxy_buffers 8 16k;
+  proxy_buffer_size 32k;
+
+  location / {
+    # Where should the authenticated requests go
+    proxy_pass http://garage.cluster:3909;
+    
+    proxy_set_header Host $host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade_keepalive;
+
+    auth_request     /outpost.goauthentik.io/auth/nginx;
+    error_page       401 = @goauthentik_proxy_signin;
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header       Set-Cookie $auth_cookie;
+
+    auth_request_set $authentik_username $upstream_http_x_authentik_username;
+    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+    auth_request_set $authentik_email $upstream_http_x_authentik_email;
+    auth_request_set $authentik_name $upstream_http_x_authentik_name;
+    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+    proxy_set_header X-authentik-username $authentik_username;
+    proxy_set_header X-authentik-groups $authentik_groups;
+    proxy_set_header X-authentik-entitlements $authentik_entitlements;
+    proxy_set_header X-authentik-email $authentik_email;
+    proxy_set_header X-authentik-name $authentik_name;
+    proxy_set_header X-authentik-uid $authentik_uid;
+  }
+
+  # All requests to /outpost.goauthentik.io must be accessible without authentication
+  location /outpost.goauthentik.io {
+    proxy_pass              http://authentik.cluster:9000/outpost.goauthentik.io;
+
+    # Note: ensure the Host header matches your external authentik URL:
+    proxy_set_header        Host $host;
+
+    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+    add_header              Set-Cookie $auth_cookie;
+    auth_request_set        $auth_cookie $upstream_http_set_cookie;
+    proxy_pass_request_body off;
+    proxy_set_header        Content-Length "";
+  }
+
+  location @goauthentik_proxy_signin {
+    internal;
+    add_header Set-Cookie $auth_cookie;
+    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+  }
+}
+
+server {
+  listen                  443 ssl;
+  server_name             calibre.amy.mov;
+
+  proxy_buffers 8 16k;
+  proxy_buffer_size 32k;
+
+  location / {
+    # Where should the authenticated requests go
+    proxy_pass http://calibre.cluster:8080;
+    
+    proxy_set_header Host $host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade_keepalive;
+
+    auth_request     /outpost.goauthentik.io/auth/nginx;
+    error_page       401 = @goauthentik_proxy_signin;
+    auth_request_set $auth_cookie $upstream_http_set_cookie;
+    add_header       Set-Cookie $auth_cookie;
+
+    auth_request_set $authentik_username $upstream_http_x_authentik_username;
+    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+    auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
+    auth_request_set $authentik_email $upstream_http_x_authentik_email;
+    auth_request_set $authentik_name $upstream_http_x_authentik_name;
+    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+    proxy_set_header X-authentik-username $authentik_username;
+    proxy_set_header X-authentik-groups $authentik_groups;
+    proxy_set_header X-authentik-entitlements $authentik_entitlements;
+    proxy_set_header X-authentik-email $authentik_email;
+    proxy_set_header X-authentik-name $authentik_name;
+    proxy_set_header X-authentik-uid $authentik_uid;
+
+    # Since we're overwriting the Basic Auth headers
+    auth_request_set $authentik_auth $upstream_http_authorization;
+    proxy_set_header Authorization $authentik_auth;
+  }
+
+  # All requests to /outpost.goauthentik.io must be accessible without authentication
+  location /outpost.goauthentik.io {
+    proxy_pass              http://authentik.cluster:9000/outpost.goauthentik.io;
+
+    # Note: ensure the Host header matches your external authentik URL:
+    proxy_set_header        Host $host;
+
+    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+    add_header              Set-Cookie $auth_cookie;
+    auth_request_set        $auth_cookie $upstream_http_set_cookie;
+    proxy_pass_request_body off;
+    proxy_set_header        Content-Length "";
+  }
+
+  location @goauthentik_proxy_signin {
+    internal;
+    add_header Set-Cookie $auth_cookie;
+    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/blog.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/blog.amy.mov
@ -0,0 +1,13 @@
+server {
+  listen 443 ssl;
+  server_name blog.amy.mov;
+  
+  location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $http_host;
+
+    proxy_pass http://192.168.1.210:2368;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/cloud.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/cloud.amy.mov
@ -0,0 +1,13 @@
+# !! Managed by Puppet !!
+
+server {
+  listen 443 ssl;
+  server_name cloud.amy.mov;
+
+  location / {
+    proxy_pass https://owncloud.cluster:9200;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/fedi.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/fedi.amy.mov
@ -0,0 +1,13 @@
+# !! Managed by Puppet !!
+
+server {
+  listen 443 ssl;
+  server_name fedi.amy.mov;
+
+  location / {
+    proxy_pass http://192.168.1.201:3000;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/forge.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/forge.amy.mov
@ -0,0 +1,14 @@
+# !! Managed by Puppet !!
+
+server {
+  listen 443 ssl;
+  server_name forge.amy.mov;
+  resolver 192.168.1.155;
+
+  location / {
+    proxy_pass http://forgejo.cluster:3000;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/internal-s3.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/internal-s3.amy.mov
@ -0,0 +1,11 @@
+server {
+  listen 443 ssl;
+  server_name internal-s3.amy.mov;
+  resolver 192.168.1.155;
+
+  location / {
+    proxy_set_header Host internal-s3.amy.mov;
+    
+    proxy_pass http://garage.cluster:3900;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/pg.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/pg.amy.mov
@ -0,0 +1,13 @@
+server {
+  listen 443 ssl;
+  server_name pg.amy.mov;
+
+  location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $http_host;
+
+    proxy_pass http://postgresql.cluster;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/s3.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/s3.amy.mov
@ -0,0 +1,15 @@
+server {
+  listen 443 ssl;
+  server_name s3.amy.mov;
+  resolver 192.168.1.155;
+
+  # Rewriting path based buckets to vhost buckets, ie:
+  # s3.amy.mov/test-bucket => test-bucket.s3.amy.mov  
+  location ~ ^/([^/]+)(.*)$ {
+    # Set the host so Garage thinks we are coming from a vhost
+    proxy_set_header Host $1.s3.amy.mov;
+
+    # But pass the path ($2) to the real proxy
+    proxy_pass http://garage.cluster:3902$2;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/conf.d/secrets.amy.mov
+++ b/environments/production/modules/reverse_proxy/files/conf.d/secrets.amy.mov
@ -0,0 +1,13 @@
+server {
+  listen 443 ssl;
+  server_name secrets.amy.mov;
+  
+  location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $http_host;
+
+    proxy_pass http://infisical.cluster:8080;
+  }
+}
--- a/environments/production/modules/reverse_proxy/files/nginx.conf
+++ b/environments/production/modules/reverse_proxy/files/nginx.conf
@ -0,0 +1,31 @@
+# !! Managed by Puppet !!
+
+user www-data;
+worker_processes auto;
+
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+}
+
+http {
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+
+	client_max_body_size 15M;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; 
+	ssl_prefer_server_ciphers on;
+
+	ssl_certificate     /etc/nginx/cert/cf.pem;
+  ssl_certificate_key /etc/nginx/cert/cf.key;
+
+	include /etc/nginx/conf.d/*;
+}