sam/netbox-diode-project
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
netbox-diode-project/nginx/nginx.conf

80 lines
2.0 KiB
Nginx Configuration File
Raw Permalink Normal View History

Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 21:51:40 -07:00
upstream diode-ingester {
server diode-ingester:8081;
}
upstream diode-reconciler {
server diode-reconciler:8081;
}
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 20:46:59 -07:00
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 21:51:40 -07:00
upstream diode-auth {
server diode-auth:8080;
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 20:46:59 -07:00
}
Fix Diode stack configuration to match upstream architecture Major changes to align with the official netboxlabs/diode docker-compose: docker-compose.yml: - Upgrade Hydra from v2.2 to v25.4.0 (latest stable) - Fix env var names: drop DIODE_ prefix on ingester/reconciler/auth (DIODE_REDIS_HOST -> REDIS_HOST, DIODE_GRPC_PORT -> removed, etc.) - Remove AUTH_GRPC_TARGET from ingester — auth is handled by nginx via HTTP subrequests to diode-auth, not by the ingester directly - Point DIODE_AUTH_TOKEN_URL to diode-auth:8080/token (not Hydra) - Add Postgres connection vars to reconciler (MIGRATION_ENABLED, etc.) - Mount nginx.conf as /etc/nginx/conf.d/default.conf (not nginx.conf) - Use netboxlabs/diode-auth image for bootstrap (has hydra CLI + jq) - Add Hydra JWT strategy config (STRATEGIES_ACCESS_TOKEN: jwt) - Add orb-agent run command with explicit config path - Expose Hydra ports 4444/4445 for external token requests - Add Hydra DB env vars to Postgres for init script nginx/nginx.conf: - Rewrite to match official Diode nginx architecture - Auth via auth_request subrequests to diode-auth:8080 (HTTP) - gRPC pass to ingester/reconciler on :8081 after auth - Add /diode/auth proxy for token endpoint access - Add error handlers for 401/403 oauth2/client/bootstrap-clients.sh: - Rewrite to use hydra CLI (create/get oauth2-client) instead of raw wget calls to Hydra admin API - Use jq for JSON parsing instead of python3 - Idempotent: checks if client exists before creating setup.sh: - Fix OAuth2 scope: diode:ingester -> diode:ingest - Rewrite orb-agent config to match current agent.yaml schema (config_manager, policies with cron schedules, scope-based targets) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 21:51:40 -07:00
server {
listen 8080;
listen [::]:8080;
http2 on;
server_name localhost;
client_max_body_size 25m;
location /auth/introspect {
internal;
proxy_method POST;
proxy_pass http://diode-auth/introspect;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
location /diode/auth {
rewrite /diode/auth/(.*) /$1 break;
proxy_pass http://diode-auth;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /diode/diode.v1.IngesterService {
auth_request /auth/introspect;
auth_request_set $auth_status $upstream_status;
error_page 401 = @error401;
error_page 403 = @error403;
rewrite /diode/(.*) /$1 break;
grpc_pass grpc://diode-ingester;
grpc_set_header Host $host;
grpc_set_header X-Real-IP $remote_addr;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
grpc_set_header X-Forwarded-Proto $scheme;
}
location /diode/diode.v1.ReconcilerService {
auth_request /auth/introspect;
auth_request_set $auth_status $upstream_status;
error_page 401 = @error401;
error_page 403 = @error403;
rewrite /diode/(.*) /$1 break;
grpc_pass grpc://diode-reconciler;
grpc_set_header Host $host;
grpc_set_header X-Real-IP $remote_addr;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
grpc_set_header X-Forwarded-Proto $scheme;
}
location /health {
return 200 'OK';
add_header Content-Type text/plain;
}
location @error401 {
return 401 '{"error":"unauthorized","error_description":"Authentication required"}';
}
location @error403 {
return 403 '{"error":"forbidden","error_description":"Access denied"}';
}
Add project infrastructure and configuration files Docker Compose stack, nginx config, OAuth2 client bootstrap, Hydra DB init, setup script, and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 20:46:59 -07:00
}
Reference in New Issue Copy Permalink