diff --git a/redxen.eu/config.mk b/redxen.eu/config.mk
index 649bee1..a661371 100644
--- a/redxen.eu/config.mk
+++ b/redxen.eu/config.mk
@@ -168,6 +168,12 @@ redxen.eu/daemons/murmurd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 redxen.eu/data/postgres-cert/murmur/${BUILD_ID_OUT} \
 redxen.eu/data/selfsigned/${BUILD_ID_OUT}
 
+# Relays
+redxen.eu/daemons/haproxy/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+ %/main.cfg \
+ redxen.eu/data/letsencrypt/${BUILD_ID_OUT} \
+ redxen.eu/data/haproxy-errpages/${BUILD_ID_OUT}
+
 # Data
 redxen.eu/data/branding/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 %/logo.svg
diff --git a/redxen.eu/daemons/haproxy/Containerfile b/redxen.eu/daemons/haproxy/Containerfile
new file mode 100644
index 0000000..62378b3
--- /dev/null
+++ b/redxen.eu/daemons/haproxy/Containerfile
@@ -0,0 +1,19 @@
+FROM alpine AS preparer
+
+WORKDIR /root
+RUN \
+ --mount=type=bind,from=redxen.eu/data/letsencrypt:latest,src=/redxen.eu,dst=/run/letsencrypt \
+ cat \
+ /run/letsencrypt/certs/public.crt \
+ /run/letsencrypt/certs/ca.crt \
+ /run/letsencrypt/keys/private.key \
+ > full.crt
+
+FROM haproxy:lts-alpine
+
+COPY --from=preparer /root/full.crt /etc/redxen/letsencrypt/full.crt
+COPY --from=redxen.eu/data/haproxy-errpages /root/haproxy-errpages/ /etc/redxen/haproxy/errorpages/
+
+ADD main.cfg /usr/local/etc/haproxy/haproxy.cfg
+
+RUN haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg
diff --git a/redxen.eu/daemons/haproxy/main.cfg b/redxen.eu/daemons/haproxy/main.cfg
new file mode 100644
index 0000000..2a9472a
--- /dev/null
+++ b/redxen.eu/daemons/haproxy/main.cfg
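Review bot: The Let's Encrypt private key lands in the final image as a world-readable file: `cat ... /run/letsencrypt/keys/private.key > full.crt` runs as root with the default umask, and `COPY --from=preparer /root/full.crt /etc/redxen/letsencrypt/full.crt` creates it root-owned 0644, so every process in the container and anyone with access to the image store can read it. Tighten it at copy time with `COPY --from=preparer --chown=haproxy:haproxy --chmod=0400 /root/full.crt /etc/redxen/letsencrypt/full.crt` (the official haproxy image drops to the `haproxy` user), and consider mounting the bundle at run time instead of baking key material into a layer that also persists in the build cache. `FROM alpine` and `FROM haproxy:lts-alpine` are floating tags, so the image is not reproducible; the same applies to the promtail, rsyslogd and haproxy-errpages Containerfiles in this commit. `ADD main.cfg ...` should be `COPY main.cfg ...` for a plain file (ADD adds archive extraction and URL fetching that are not wanted here), again also in the promtail and rsyslogd Containerfiles.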
@@ -0,0 +1,146 @@
+global
+ maxconn 2048
+ maxconnrate 40
+
+ log 127.0.0.1:514 local0 info
+
+defaults
+ mode http
+
+ log global
+
+ retries 3
+
+ option forwardfor
+ option http-keep-alive
+ option httplog
+ option tcp-smart-connect
+ option tcpka
+ option abortonclose
+
+ balance roundrobin
+
+ compression algo gzip
+
+ timeout http-request 10s
+ timeout connect 10s
+ timeout client 60s
+ timeout server 240s
+ timeout http-keep-alive 240s
+
+ default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check
+
+ errorfile 400 /etc/redxen/haproxy/errorpages/400.http
+ errorfile 403 /etc/redxen/haproxy/errorpages/403.http
+ errorfile 408 /etc/redxen/haproxy/errorpages/408.http
+ errorfile 500 /etc/redxen/haproxy/errorpages/500.http
+ errorfile 502 /etc/redxen/haproxy/errorpages/502.http
+ errorfile 503 /etc/redxen/haproxy/errorpages/503.http
+ errorfile 504 /etc/redxen/haproxy/errorpages/504.http
+
+resolvers local
+ nameserver unbound 127.0.0.1:53
+
+ resolve_retries 2
+
+ timeout retry 300ms
+
+ hold other 100ms
+ hold refused 100ms
+ hold nx 100ms
+ hold timeout 3s
+ hold valid 60s
+
+listen git-gitea
+ mode tcp
+ bind ipv4@*:2442,ipv6@*:2442
+ option tcp-check
+ server-template gitssh 1 _gitssh._tcp.routinginfo.internal
+
+frontend metrics
+ mode http
+ bind ipv4@:7581,ipv6@:7581
+
+ http-request use-service prometheus-exporter if { path /metrics }
+
+frontend http
+ mode http
+ bind ipv4@:443,ipv6@:443 ssl crt /etc/redxen/letsencrypt/full.crt alpn h2,http/1.1
+ bind ipv4@:80,ipv6@:80
+
+ http-response set-header X-Forwarded-Proto https
+ http-response set-header X-XSS-Protection 1;\ mode=block
+ http-response set-header X-Content-Type-Options nosniff
+ http-response set-header Referrer-Policy no-referrer-when-downgrade
+ http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
+
+ acl root path /
+
+ acl home hdr_beg(host) -i redxen
+ acl stats hdr_beg(host) -i stats.redxen
+ acl fedi hdr_beg(host) -i social.redxen
+ acl git hdr_beg(host) -i git.redxen
+ acl btdown hdr_beg(host) -i sd.redxen
+ acl btdaemon hdr_beg(host) -i seed.redxen
+ acl packs hdr_beg(host) -i packages.redxen
+ acl cal hdr_beg(host) -i cal.redxen
+
+ redirect location https://en.uncyclopedia.co/wiki/South_Africa code 302 if fedi
+ redirect prefix /web code 302 if btdaemon root
+
+ use_backend backend-home if home
+ use_backend backend-stats if stats
+ #use_backend backend-fedi if fedi
+ use_backend backend-git if git
+ use_backend backend-btdown if btdown
+ use_backend backend-btdaemon if btdaemon
+ use_backend backend-packages if packs
+ use_backend backend-radicale if cal
+ # Fallback to wssproxy to bypass SNI/domain filters
+ use_backend backend-wssproxy
+
+backend backend-home
+ server-template root 1 _root._tcp.routinginfo.internal
+ option httpchk HEAD / HTTP/1.1
+ http-check send hdr Host redxen.eu
+
+backend backend-stats
+ server-template grafana 2 _grafana._tcp.routinginfo.internal
+ option httpchk HEAD / HTTP/1.1
+ http-check send hdr Host stats.redxen.eu
+
+#backend backend-fedi
+# server-template pleroma 1 _pleroma._tcp.routinginfo.internal
+# option httpchk HEAD / HTTP/1.1
+# http-check send hdr Host social.redxen.eu
+
+backend backend-git
+ server-template gitea 1 _gitea._tcp.routinginfo.internal
+ option httpchk GET /caskd/corelibs HTTP/1.1
+ http-check send hdr Host gitea.redxen.eu
+ timeout check 10s
+
+backend backend-btdown
+ server-template seedown 1 _seedown._tcp.routinginfo.internal
+ option httpchk HEAD / HTTP/1.1
+ http-check send hdr Host sd.redxen.eu
+
+backend backend-btdaemon
+ server-template transmission 1 _transmission._tcp.routinginfo.internal
+
+backend backend-packages
+ server-template packages 1 _packages._tcp.routinginfo.internal
+ option httpchk HEAD / HTTP/1.1
+ http-check send hdr Host packages.redxen.eu
+
+backend backend-radicale
+ server-template radicale 1 _radicale._tcp.routinginfo.internal
+ option httpchk HEAD / HTTP/1.1
+ http-check send hdr Host cal.redxen.eu
+ http-check expect status 401
+
+backend backend-wssproxy
+ server-template wssproxy 1 _wssproxy._tcp.routinginfo.internal
+ option httpchk HEAD / HTTP/1.1
+ http-check send hdr Host localhost
+ http-check expect status 404
diff --git a/redxen.eu/daemons/nsd/nsd.conf b/redxen.eu/daemons/nsd/nsd.conf
index b7d6ac6..ced130f 100644
--- a/redxen.eu/daemons/nsd/nsd.conf
+++ b/redxen.eu/daemons/nsd/nsd.conf
@@ -1,5 +1,4 @@
 server:
- server-count: 4
 database: ""
 username: ""
 logfile: "/dev/stdout"
diff --git a/redxen.eu/daemons/prometheus/config.yaml b/redxen.eu/daemons/prometheus/config.yaml
index 3320bba..4c0f470 100644
--- a/redxen.eu/daemons/prometheus/config.yaml
+++ b/redxen.eu/daemons/prometheus/config.yaml
@@ -1,5 +1,5 @@
 global:
- scrape_interval: 5s
+ scrape_interval: 10s
 
 scrape_configs:
 - job_name: "linux"
@@ -26,3 +26,19 @@ scrape_configs:
 dns_sd_configs:
 - names: [ 'ceph.prometheus.routinginfo.internal' ]
 type: 'SRV'
+ - job_name: "libvirt"
+ dns_sd_configs:
+ - names: [ 'libvirt.prometheus.routinginfo.internal' ]
+ type: 'SRV'
+ - job_name: "smartctl"
+ scrape_interval: 1m # Less important and also takes longer to query
+ scrape_timeout: 30s # Handle scraping delays
+ dns_sd_configs:
+ - names: [ 'smartctl_exporters.prometheus.routinginfo.internal' ]
+ type: 'SRV'
+ - job_name: "ipmi"
+ scrape_interval: 1m # Less important and also takes longer to query
+ scrape_timeout: 30s # Handle scraping delays
+ dns_sd_configs:
+ - names: [ 'ipmi.prometheus.routinginfo.internal' ]
+ type: 'SRV'
diff --git a/redxen.eu/daemons/promtail/Containerfile b/redxen.eu/daemons/promtail/Containerfile
new file mode 100644
index 0000000..4283b65
--- /dev/null
+++ b/redxen.eu/daemons/promtail/Containerfile
@@ -0,0 +1,10 @@
+FROM alpine:latest
+
+RUN --network=host apk add \
+ loki-promtail
+
+WORKDIR /etc/redxen/promtail/
+
+ADD config.yaml config.yaml
+
+CMD ["promtail", "-config.file=config.yaml"]
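Review bot: `http-response set-header X-Forwarded-Proto https` in `frontend http` puts a request-side header on the response, so backends never learn the client's scheme and the header is also emitted for plain port-80 traffic; it should be `http-request set-header X-Forwarded-Proto https if { ssl_fc }`. Since the frontend advertises HSTS with `preload` while still serving plain HTTP on `:80` through the same backends, add `http-request redirect scheme https unless { ssl_fc }` so unencrypted requests never reach the application backends. The `metrics` frontend binds `ipv4@:7581,ipv6@:7581` on all addresses and serves `prometheus-exporter` without any source restriction or auth; if this container shares the host network the way the promtail runner in this commit does, that endpoint is reachable by anything that can reach the host, so bind it to an internal address or gate it with an `acl` on `src`.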
diff --git a/redxen.eu/daemons/promtail/config.yaml b/redxen.eu/daemons/promtail/config.yaml
new file mode 100644
index 0000000..c4d54a6
--- /dev/null
+++ b/redxen.eu/daemons/promtail/config.yaml
@@ -0,0 +1,26 @@
+server:
+ disable: true
+
+clients:
+ - url: "http://loki.routinginfo.internal:7553/loki/api/v1/push"
+
+positions:
+ filename: "/tmp/positions.yaml"
+
+scrape_configs:
+ - job_name: "rsyslog"
+ syslog:
+ listen_address: localhost:7590
+ use_incoming_timestamp: true
+ label_structured_data: yes
+ labels:
+ job: "rsyslog"
+ relabel_configs:
+ - source_labels: ["__syslog_connection_ip_address"]
+ target_label: "ip_address"
+ - source_labels: ["__syslog_message_severity"]
+ target_label: "severity"
+ - source_labels: ["__syslog_message_facility"]
+ target_label: "facility"
+ - source_labels: ["__syslog_message_hostname"]
+ target_label: "host"
diff --git a/redxen.eu/daemons/promtail/runner.sh b/redxen.eu/daemons/promtail/runner.sh
new file mode 100755
index 0000000..7fc0522
--- /dev/null
+++ b/redxen.eu/daemons/promtail/runner.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+podman create \
+ --replace \
+ --read-only \
+ --network=host \
+ --name promtail \
+ -v '/etc/resolv.conf:/etc/resolv.conf:ro' \
+ redxen.eu/daemons/promtail:latest
diff --git a/redxen.eu/daemons/rsyslogd/Containerfile b/redxen.eu/daemons/rsyslogd/Containerfile
new file mode 100644
index 0000000..0e5c50c
--- /dev/null
+++ b/redxen.eu/daemons/rsyslogd/Containerfile
@@ -0,0 +1,5 @@
+FROM alpine
+
+RUN --network=host apk add rsyslog
+
+ADD rsyslogd.conf /etc/rsyslog/rsyslogd.conf
diff --git a/redxen.eu/daemons/rsyslogd/rsyslogd.conf b/redxen.eu/daemons/rsyslogd/rsyslogd.conf
new file mode 100644
index 0000000..2f2b53b
--- /dev/null
+++ b/redxen.eu/daemons/rsyslogd/rsyslogd.conf
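Review bot: `label_structured_data: yes` turns every SD-ID and parameter a sender includes into a stream label, which lets any host that can reach the listener create unbounded label cardinality in Loki; drop it unless the expected structured-data set is small and fixed, and treat the `ip_address` label the same way if the sender population is not bounded. `filename: "/tmp/positions.yaml"` sits on a tmpfs once `runner.sh` in this commit starts the container with `--read-only`, so positions reset on every recreate — mostly harmless for a syslog listener, but it should be a deliberate choice rather than an accident of the default path. The `clients` URL is plain `http://`, so forwarded log content crosses `routinginfo.internal` unencrypted, which is acceptable only if that segment is trusted.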
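Review bot: The config is installed at `/etc/rsyslog/rsyslogd.conf`, but Alpine's rsyslog reads `/etc/rsyslog.conf` by default and this image defines no `CMD`/`ENTRYPOINT`, so unless a runner not shown in this diff passes `-f /etc/rsyslog/rsyslogd.conf` the daemon starts without the relay to promtail and nothing in the build catches it. Either add `CMD ["rsyslogd", "-n", "-f", "/etc/rsyslog/rsyslogd.conf"]` or install the file as `/etc/rsyslog.conf`, and add `RUN rsyslogd -N1 -f /etc/rsyslog/rsyslogd.conf` as a build-time syntax check, the same way the haproxy Containerfile runs `haproxy -c`.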
@@ -0,0 +1,26 @@
+$WorkDirectory /var/lib/rsyslog
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$AbortOnUncleanConfig on
+
+#### Modules ####
+
+# Provides --MARK-- message capability.
+module(load="immark")
+
+# Provides support for local system logging (e.g. via logger command).
+module(load="imuxsock")
+
+# Reads kernel messages.
+module(load="imklog")
+
+# Accepts messages via udp.
+module(load="imudp")
+input(type="imudp" port="514")
+
+# Relay logs to promtail
+module(load="omprog")
+action(type="omfwd" Protocol="tcp" Target="127.0.0.1" Port="7590" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")
diff --git a/redxen.eu/data/haproxy-errpages/Containerfile b/redxen.eu/data/haproxy-errpages/Containerfile
new file mode 100644
index 0000000..1e0caa3
--- /dev/null
+++ b/redxen.eu/data/haproxy-errpages/Containerfile
@@ -0,0 +1,5 @@
+FROM alpine
+
+WORKDIR /root
+RUN --network=host apk add git
+RUN --network=host git clone https://git.redxen.eu/RedXen/haproxy-errpages
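Review bot: `input(type="imudp" port="514")` listens on every interface, so if this container runs with host networking like the other daemons in this commit, any host on the network can inject unauthenticated syslog lines that end up in Loki; the only intended sender is haproxy at `127.0.0.1:514`, so restrict it with `input(type="imudp" port="514" address="127.0.0.1")`. `module(load="omprog")` is loaded but never used — `omfwd` is built in — so either drop that line or the `# Relay logs to promtail` comment above it is misleading. The final `action(type="omfwd" ...)` has no filter, so everything received, including kernel messages from `imklog`, is forwarded; presumably intended, but worth stating in the comment.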
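Review bot: `git clone https://git.redxen.eu/RedXen/haproxy-errpages` fetches whatever the default branch holds at build time, so the error pages baked into the haproxy image are not reproducible, and any change to (or compromise of) that repository flows straight into content served to every visitor of the proxy; pin a tag or commit, e.g. `git clone --depth 1 --branch <TAG_PLACEHOLDER> https://git.redxen.eu/RedXen/haproxy-errpages`, and ideally verify the checkout against a recorded commit id. The resulting `/root/haproxy-errpages/` is copied wholesale into `/etc/redxen/haproxy/errorpages/` by the haproxy Containerfile, `.git` directory included; a `RUN rm -rf haproxy-errpages/.git` keeps repository metadata out of the served tree.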