1.0.0 Release IaaS

2026-03-15 04:41:02 +09:00
commit a7365da431
292 changed files with 36059 additions and 0 deletions
--- a/config/services/containers/common/caddy/build/caddy.containerfile.j2
+++ b/config/services/containers/common/caddy/build/caddy.containerfile.j2
@@ -0,0 +1,17 @@
+FROM docker.io/library/caddy:{{ version['containers']['caddy'] }}-builder-alpine AS builder
+
+RUN xcaddy build \
+{% if node['name'] == 'auth' %}
+--with github.com/caddy-dns/rfc2136 \
+--with github.com/hslatman/caddy-crowdsec-bouncer/crowdsec \
+--with github.com/hslatman/caddy-crowdsec-bouncer/http
+{% else %}
+--with github.com/caddy-dns/rfc2136
+{% endif %}
+
+FROM docker.io/library/caddy:{{ version['containers']['caddy'] }}
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
+COPY ./ilnmors_root_ca.crt /usr/local/share/ca-certificates/ilnmors_root_ca.crt
+
+RUN update-ca-certificates
--- a/config/services/containers/common/caddy/caddy.container.j2
+++ b/config/services/containers/common/caddy/caddy.container.j2
@@ -0,0 +1,49 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=Caddy
+
+{% if node['name'] == "infra" %}
+After=ca.service
+Requires=ca.service
+{% else %}
+After=network-online.target
+Wants=network-online.target
+{% endif %}
+
+
+[Container]
+Image=ilnmors.internal/{{ node['name'] }}/caddy:{{ version['containers']['caddy'] }}
+
+ContainerName=caddy_{{ node['name'] }}
+HostName=caddy_{{ node['name'] }}
+{% if node['name'] == 'infra' %}
+AddHost={{ infra_uri['ca']['domain'] }}:host-gateway
+AddHost={{ infra_uri['prometheus']['domain'] }}:host-gateway
+AddHost={{ infra_uri['loki']['domain'] }}:host-gateway
+{% endif %}
+
+PublishPort=2080:80/tcp
+PublishPort=2443:443/tcp
+
+Volume=%h/containers/caddy/etc:/etc/caddy:ro
+Volume=%h/containers/caddy/data:/data:rw
+{% if node['name'] == 'auth' %}
+Volume=/var/log/caddy:/log:rw
+{% endif %}
+
+Environment="TZ=Asia/Seoul"
+
+Secret=CADDY_ACME_KEY,target=/run/secrets/CADDY_ACME_KEY
+{% if node['name'] == 'auth' %}
+Secret=CADDY_CROWDSEC_KEY,target=/run/secrets/CADDY_CROWDSEC_KEY
+{% endif %}
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target
--- a/config/services/containers/common/caddy/etc/auth/Caddyfile.j2
+++ b/config/services/containers/common/caddy/etc/auth/Caddyfile.j2
@@ -0,0 +1,62 @@
+{
+        # CrowdSec LAPI connection
+        crowdsec {
+                api_url https://{{ infra_uri['crowdsec']['domain'] }}:{{ infra_uri['crowdsec']['ports']['https'] }} 
+                api_key "{file./run/secrets/CADDY_CROWDSEC_KEY}"
+        }
+}
+
+# Snippets
+# CrowdSec log for parser
+(crowdsec_log) {
+        log {
+                output file /log/access.log {
+                        mode 0644
+                        roll_size 100MiB
+                        roll_keep 1
+                }
+        format json
+        }
+}
+# Private TLS ACME with DNS-01-challenge
+(private_tls) {
+        tls {
+                issuer acme {
+                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+                        dns rfc2136 {
+                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+                                key_name acme-key
+                                key_alg hmac-sha256
+                                key "{file./run/secrets/CADDY_ACME_KEY}"
+                        }
+                }
+        }
+}
+
+# Public domain
+authelia.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                reverse_proxy host.containers.internal:9091
+        }
+}
+test.ilnmors.com {
+        import crowdsec_log
+        route {
+                crowdsec
+                forward_auth host.containers.internal:9091 {
+                        # Authelia Forward Auth endpoint URI
+                        uri /api/authz/forward-auth
+                        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+                }
+                root * /usr/share/caddy
+                file_server
+        }
+}
+
+# Internal domain
+auth.ilnmors.internal {
+        import private_tls
+        metrics
+}
--- a/config/services/containers/common/caddy/etc/infra/Caddyfile.j2
+++ b/config/services/containers/common/caddy/etc/infra/Caddyfile.j2
@@ -0,0 +1,40 @@
+# Private TLS ACME with DNS-01-challenge
+(private_tls) {
+        tls {
+                issuer acme {
+                        dir https://{{ infra_uri['ca']['domain'] }}:{{ infra_uri['ca']['ports']['https'] }}/acme/acme@ilnmors.internal/directory
+                        dns rfc2136 {
+                                server {{ infra_uri['bind']['domain'] }}:{{ infra_uri['bind']['ports']['dns'] }}
+                                key_name acme-key
+                                key_alg hmac-sha256
+                                key "{file./run/secrets/CADDY_ACME_KEY}"
+                        }
+                }
+        }
+}
+
+infra.ilnmors.internal {
+        import private_tls
+        metrics
+}
+
+{{ infra_uri['ldap']['domain'] }} {
+        import private_tls
+        route {
+            reverse_proxy host.containers.internal:{{ infra_uri['ldap']['ports']['http'] }}
+        }
+}
+
+{{ infra_uri['prometheus']['domain'] }} {
+        import private_tls
+        route {
+                reverse_proxy https://{{ infra_uri['prometheus']['domain'] }}:{{ infra_uri['prometheus']['ports']['https'] }}
+        }
+}
+
+grafana.ilnmors.internal {
+        import private_tls
+        route {
+                reverse_proxy host.containers.internal:3000
+        }
+}