Move haproxy to a docker container

This commit is contained in:
Ivan R. 2024-10-14 23:58:06 +05:00
parent 671c296a5d
commit f09891ef0d
No known key found for this signature in database
GPG key ID: 56C7BAAE859B302C
18 changed files with 143 additions and 51 deletions


@ -1,20 +1,3 @@
# Home server configuration # Home server configuration
Available at [comfycamp.space](https://comfycamp.space). Available at [comfycamp.space](https://comfycamp.space).
## Ports
| Number | Protocol | Service | Public URL |
| --- | --- | --- | --- |
| 3000 | | Mastodon | [m.comfycamp.space](https://m.comfycamp.space) |
| 3001 | | Mastodon streaming | |
| 3002 | | Vaultwarden | |
| 3003 | | Minio console | |
| 3004 | | Forgejo | [git.comfycamp.space](https://git.comfycamp.space) |
| 3005 | | Synapse | |
| 3006 | | Comfycamp | [comfycamp.space](https://comfycamp.space) |
| 3478 | tcp/udp | Coturn | |
| 8022 | | Forgejo SSH | |
| 8448 | | Synapse/Haproxy | |
| 9000 | | Minio | |
| 49152 - 65535 | udp | Coturn | |


@ -22,6 +22,7 @@
env_file: /etc/comfycamp/.env env_file: /etc/comfycamp/.env
networks: networks:
- name: postgresql - name: postgresql
- name: haproxy
ports: ports:
- 127.0.0.1:3006:4000 - 127.0.0.1:3006:4000
restart_policy: unless-stopped restart_policy: unless-stopped
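Review bot: Adding `- name: haproxy` here puts this container on the same bridge network as every other service this commit attaches to it, so each container can now reach every other backend port directly (`vaultwarden:80`, `minio:9000`, `synapse:8008`, as the haproxy.cfg backends in this commit show), whereas before they were only reachable through host-loopback publishes. A compromise of one web app then has a direct path to Vaultwarden or MinIO that bypasses haproxy's routing and ACLs. Consider one network per backend, e.g. `- name: haproxy-comfycamp`, created in the haproxy tasks file and attached to both that backend and the haproxy container, so haproxy is the only peer each service sees. The `127.0.0.1:3006:4000` publish that remains is now only useful for host-side debugging, since haproxy reaches the container over the network. The task definition starts before this hunk.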


@ -26,6 +26,7 @@
- name: postgresql - name: postgresql
- name: redis-forgejo - name: redis-forgejo
- name: minio - name: minio
- name: haproxy
volumes: volumes:
- forgejo:/data - forgejo:/data
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro


@ -0,0 +1,8 @@
HTTP/1.0 400 Bad request
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>


@ -0,0 +1,8 @@
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>


@ -0,0 +1,8 @@
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>


@ -0,0 +1,8 @@
HTTP/1.0 500 Internal Server Error
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>500 Internal Server Error</h1>
An internal server error occurred.
</body></html>


@ -0,0 +1,8 @@
HTTP/1.0 502 Bad Gateway
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>


@ -0,0 +1,8 @@
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>


@ -0,0 +1,8 @@
HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>504 Gateway Time-out</h1>
The server didn't respond in time.
</body></html>


@ -1,16 +1,8 @@
global global
log /dev/log local0 log /dev/stderr local0
log /dev/log local1 notice log /dev/stderr local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy user haproxy
group haproxy group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
@ -25,18 +17,18 @@ defaults
timeout connect 5000 timeout connect 5000
timeout client 50000 timeout client 50000
timeout server 50000 timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend www frontend www
mode http mode http
bind :80 bind :80
bind :443 ssl crt /etc/haproxy/certs bind :443 ssl crt /usr/local/etc/haproxy/certs
http-request redirect scheme https unless { ssl_fc } http-request redirect scheme https unless { ssl_fc }
http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
@ -62,7 +54,7 @@ frontend www
use_backend forgejo if acl_git use_backend forgejo if acl_git
frontend matrix-federation frontend matrix-federation
bind *:8448 ssl crt /etc/haproxy/certs bind *:8448 ssl crt /usr/local/etc/haproxy/certs
http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
@ -70,42 +62,42 @@ frontend matrix-federation
backend comfycamp backend comfycamp
mode http mode http
server green 127.0.0.1:3006 check server green comfycamp:4000 check
backend mastodon backend mastodon
mode http mode http
option forwardfor option forwardfor
server green 127.0.0.1:3000 check server green mastodon-web:3000 check
backend mastodon_streaming backend mastodon_streaming
mode http mode http
option forwardfor option forwardfor
option http-server-close option http-server-close
timeout tunnel 1h timeout tunnel 1h
server green 127.0.0.1:3001 check server green mastodon-streaming:4000 check
backend vaultwarden backend vaultwarden
mode http mode http
option forwardfor option forwardfor
server green 127.0.0.1:3002 check server green vaultwarden:80 check
backend minio_console backend minio_console
mode http mode http
option forwardfor option forwardfor
server green 127.0.0.1:3003 check server green minio:9001 check
backend minio backend minio
mode http mode http
http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space http-response set-header Access-Control-Allow-Origin https://m.comfycamp.space
option forwardfor option forwardfor
server green 127.0.0.1:9000 check server green minio:9000 check
backend forgejo backend forgejo
mode http mode http
option forwardfor option forwardfor
server green 127.0.0.1:3004 check server green forgejo:3000 check
backend matrix backend matrix
mode http mode http
option forwardfor option forwardfor
server matrix 127.0.0.1:3005 server matrix synapse:8008
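Review bot: The backends now point at Docker service names (`server green comfycamp:4000 check` and the rest of the last hunk), but with no `resolvers` section the names are resolved once at startup through libc and that address is then fixed; when a backend container is recreated and Docker's embedded DNS hands out a new IP, haproxy keeps sending to the stale one until the next reload, and `haproxy -c` fails outright if any name does not resolve at check time, which also makes the config check depend on every backend being up. Add a `resolvers` section using Docker's embedded DNS at `127.0.0.11` and reference it from each server line with `init-addr libc,none`, so an absent container degrades to a DOWN server instead of a parse error. The `user haproxy` / `group haproxy` lines survive from the host install; whether they still do anything depends on the uid the image already runs as, which these hunks do not show. Unless a `resolvers` block exists outside the visible hunks, something like:

```haproxy
global
    # … unchanged: logging, user/group, ssl defaults …

# Docker's embedded DNS; lets server addresses follow container recreation
resolvers docker
    nameserver dns1 127.0.0.11:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s

# … unchanged: defaults, frontends …

backend comfycamp
    mode http
    server green comfycamp:4000 check resolvers docker init-addr libc,none
# … unchanged: remaining backends, each server line gets the same resolvers/init-addr suffix …
```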


@ -1,18 +1,69 @@
--- ---
- name: Install haproxy - name: Create haproxy docker network
become: true become: true
ansible.builtin.apt: community.docker.docker_network:
name: haproxy name: haproxy
- name: Create haproxy dirs
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "1755"
owner: root
group: root
loop:
- /etc/haproxy
- /etc/haproxy/errors
- name: Copy haproxy config to a temporary location
become: true
ansible.builtin.copy:
src: haproxy.cfg
dest: /tmp/haproxy.cfg
- name: Validate haproxy config
become: true
community.docker.docker_container:
name: haproxy-config-test
image: "{{ haproxy_image }}"
command: haproxy -c -f /tmp/haproxy.cfg
networks:
- name: haproxy
volumes:
- /tmp/haproxy.cfg:/tmp/haproxy.cfg
- /etc/haproxy/certs:/usr/local/etc/haproxy/certs:ro
detach: no
- name: Remove temporary container
become: true
community.docker.docker_container:
name: haproxy-config-test
state: absent
- name: Copy haproxy config - name: Copy haproxy config
become: true become: true
ansible.builtin.copy: ansible.builtin.copy:
src: haproxy.cfg src: haproxy.cfg
dest: /etc/haproxy/haproxy.cfg dest: /etc/haproxy/haproxy.cfg
validate: /usr/sbin/haproxy -f %s -c
register: haproxy register: haproxy
- name: Copy errors
become: true
ansible.builtin.copy:
src: errors/{{ item }}.http
dest: /etc/haproxy/errors/{{ item }}.http
loop: [400, 403, 408, 500, 502, 503, 504]
- name: Create haproxy container
become: true
community.docker.docker_container:
name: haproxy
image: "{{ haproxy_image }}"
networks:
- name: haproxy
volumes:
- /etc/haproxy:/usr/local/etc/haproxy:ro
sysctls:
net.ipv4.ip_unprivileged_port_start: 0
ports:
- 80:80
- 443:443
restart_policy: unless-stopped
- name: Reload haproxy - name: Reload haproxy
become: true become: true
when: haproxy.changed when: haproxy.changed
ansible.builtin.systemd_service: ansible.builtin.shell: docker kill -s HUP haproxy
name: haproxy
state: reloaded
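Review bot: The `Create haproxy container` task publishes only `80:80` and `443:443`, while haproxy.cfg in this same commit still has `frontend matrix-federation` binding `*:8448`; with haproxy no longer in the host's network namespace that listener is unreachable from outside and Matrix federation silently breaks, so add `- 8448:8448` to `ports`. Staging the config at the fixed, predictable path `/tmp/haproxy.cfg` is the other thing I would change: `/tmp` is world-writable, so whatever another local user has placed at that path beforehand is what gets bind-mounted and validated; write the candidate under the root-owned `/etc/haproxy` instead (e.g. `dest: /etc/haproxy/haproxy.cfg.candidate`) and mount that. If `haproxy -c` exits non-zero the module fails (as `detach: no` makes it) and `Remove temporary container` never runs, leaving `haproxy-config-test` behind; a `block`/`always` around the two would keep the host clean. `ansible.builtin.shell: docker kill -s HUP haproxy` uses no shell features, so `ansible.builtin.command` is the lint-clean form, and since it fires only on `haproxy.changed`, an errors-file or certificate update alone never reaches the running process as far as this file shows.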


@ -0,0 +1 @@
haproxy_image: haproxy:3.0-bookworm
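Review bot: `haproxy_image: haproxy:3.0-bookworm` is a mutable tag that upstream re-points on every 3.0.x rebuild, so two runs of this role can deploy different binaries with no record of which one went live. Pin the digest alongside the tag, `haproxy_image: haproxy:3.0-bookworm@sha256:…`, and bump it deliberately when updating. Note that the `docker_container` tasks in the haproxy tasks file do not set `pull`, which by default only fetches an image that is missing locally, so the floating tag buys neither reproducibility nor automatic updates.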


@ -30,6 +30,7 @@
- name: redis-mastodon - name: redis-mastodon
- name: postgresql - name: postgresql
- name: minio - name: minio
- name: haproxy
ports: ports:
- 127.0.0.1:3000:3000 - 127.0.0.1:3000:3000
volumes: volumes:
@ -45,6 +46,7 @@
networks: networks:
- name: redis-mastodon - name: redis-mastodon
- name: postgresql - name: postgresql
- name: haproxy
ports: ports:
- 127.0.0.1:3001:4000 - 127.0.0.1:3001:4000
restart_policy: unless-stopped restart_policy: unless-stopped


@ -15,6 +15,7 @@
command: ["minio", "server", "--console-address", ":9001"] command: ["minio", "server", "--console-address", ":9001"]
networks: networks:
- name: minio - name: minio
- name: haproxy
volumes: volumes:
- minio:/data - minio:/data
ports: ports:


@ -41,6 +41,7 @@
SYNAPSE_CONFIG_PATH: /etc/synapse/homeserver.yaml SYNAPSE_CONFIG_PATH: /etc/synapse/homeserver.yaml
networks: networks:
- name: postgresql - name: postgresql
- name: haproxy
ports: ports:
- 127.0.0.1:3005:8008/tcp - 127.0.0.1:3005:8008/tcp
restart_policy: unless-stopped restart_policy: unless-stopped


@ -32,7 +32,9 @@
ansible.builtin.file: ansible.builtin.file:
path: /etc/haproxy/certs path: /etc/haproxy/certs
state: directory state: directory
mode: '1750' mode: '1700'
owner: "99"
group: "99"
- name: Combine certificate and private key - name: Combine certificate and private key
become: true become: true
ansible.builtin.shell: ansible.builtin.shell:
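Review bot: `owner: "99"` / `group: "99"` hard-code a numeric uid with no explanation; presumably it is the uid the `haproxy:3.0-bookworm` image runs its process as, so that a non-root haproxy can read the private keys, but nothing in the playbook records that, and the value silently breaks if `haproxy_image` is switched to an image with a different uid. Carry it as a variable next to the image, e.g. `haproxy_uid: "99"  # uid of the haproxy user inside haproxy_image`, and use `owner: "{{ haproxy_uid }}"` / `group: "{{ haproxy_uid }}"` here. The sticky bit in `mode: '1700'` has no effect on a directory owned and writable by a single user; `'0700'` states the intent more plainly. Whether the combined cert files written by the following task are also chowned to that uid cannot be seen here, since `Combine certificate and private key` continues past the hunk.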


@ -14,6 +14,7 @@
DATABASE_URL: "{{ db_url }}" DATABASE_URL: "{{ db_url }}"
networks: networks:
- name: postgresql - name: postgresql
- name: haproxy
ports: ports:
- 127.0.0.1:3002:80 - 127.0.0.1:3002:80
volumes: volumes: