From 682d68c3ade4f3d59e92ec65b554a1f0d1030217 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Thu, 26 Oct 2023 17:56:34 -0500 Subject: [PATCH] Adding yaml schemas, separating out valinor.social to khazadtube.tv nginx as well --- .../ingress-nginx/app/certificate.yaml | 16 +-- .../ingress-nginx/app/externalsecret.yaml | 1 + .../ingress-nginx/app/helmrelease.yaml | 2 + .../ingress-nginx/app/kustomization.yaml | 1 + kubernetes/apps/network/ingress-nginx/ks.yaml | 20 ++++ .../ingress-nginx/peertube/certificate.yaml | 16 +++ .../ingress-nginx/peertube/helmrelease.yaml | 103 ++++++++++++++++++ .../ingress-nginx/peertube/kustomization.yaml | 8 ++ 8 files changed, 152 insertions(+), 15 deletions(-) create mode 100644 kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml create mode 100644 kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml diff --git a/kubernetes/apps/network/ingress-nginx/app/certificate.yaml b/kubernetes/apps/network/ingress-nginx/app/certificate.yaml index a9e83f8..5bd4ff3 100644 --- a/kubernetes/apps/network/ingress-nginx/app/certificate.yaml +++ b/kubernetes/apps/network/ingress-nginx/app/certificate.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -13,18 +14,3 @@ spec: dnsNames: - "valinor.social" - "*.valinor.social" ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "khazadtube-tv" - namespace: network -spec: - secretName: "khazadtube-tv-tls" - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "khazadtube.tv" - dnsNames: - - "khazadtube.tv" - - "*.khazadtube.tv" diff --git a/kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml b/kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml index adc7b3d..b09b881 100644 
--- a/kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml +++ b/kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: diff --git a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml index 596f19d..a4b23c6 100644 --- a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml +++ b/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: @@ -20,6 +21,7 @@ spec: updateStrategy: type: RollingUpdate allowSnippetAnnotations: true + enableAnnotationValidations: true service: enabled: true type: LoadBalancer diff --git a/kubernetes/apps/network/ingress-nginx/app/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/app/kustomization.yaml index 2b58b05..c9f7d6c 100644 --- a/kubernetes/apps/network/ingress-nginx/app/kustomization.yaml +++ b/kubernetes/apps/network/ingress-nginx/app/kustomization.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: network diff --git a/kubernetes/apps/network/ingress-nginx/ks.yaml b/kubernetes/apps/network/ingress-nginx/ks.yaml index f42d8e7..1a40677 100644 --- a/kubernetes/apps/network/ingress-nginx/ks.yaml +++ b/kubernetes/apps/network/ingress-nginx/ks.yaml 
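Review bot: `enableAnnotationValidations: true` is added directly under the existing `allowSnippetAnnotations: true`, and the two should not be read as one hardening step: annotation validation, as far as the controller documents it, checks annotation values against allowed patterns, while the snippet setting still lets anyone who can create an Ingress place raw nginx directives into the shared controller configuration. If that is acceptable because every namespace allowed to create Ingresses is trusted, a comment above `allowSnippetAnnotations` stating it, e.g. `# Snippet annotations stay enabled: all Ingress authors on this cluster are trusted; validation below only filters annotation values.`, would save the next reviewer the question. The same pair appears in the new peertube/helmrelease.yaml and the comment belongs there too. The HelmRelease `values` block continues outside the hunk.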
@@ -1,4 +1,24 @@ --- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-ingress-nginx + namespace: flux-system + labels: + substitution.flux.home.arpa/enabled: "true" +spec: + interval: 10m + path: "./kubernetes/apps/network/ingress-nginx/app" + prune: true + sourceRef: + kind: GitRepository + name: valinor + wait: true + dependsOn: + - name: cluster-apps-cert-manager-issuers +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml b/kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml new file mode 100644 index 0000000..755fe6a --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml @@ -0,0 +1,16 @@ +--- +# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: "khazadtube-tv" + namespace: network +spec: + secretName: "khazadtube-tv-tls" + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + commonName: "khazadtube.tv" + dnsNames: + - "khazadtube.tv" + - "*.khazadtube.tv" diff --git a/kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml new file mode 100644 index 0000000..5d797b9 --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml 
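Review bot: The added Flux Kustomization is named `cluster-apps-ingress-nginx` with `path: "./kubernetes/apps/network/ingress-nginx/app"`, but the pre-existing document below it shows only its `apiVersion`/`kind`/`metadata:` lines in the hunk and the diffstat records no deletions in this file, so its name and path are unchanged by this commit. If that document already carries the same name, or still points at `./app`, Flux will reject the duplicate name or reconcile the app directory twice under two objects; confirm it targets the new peertube directory and has a distinct name before merging. It would also be worth stating in a comment above each document which controller it deploys, e.g. `# shared ingress-nginx (valinor.social)` and `# dedicated ingress-nginx for khazadtube.tv`, since both now live in one file.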
@@ -0,0 +1,103 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: ingress-nginx-peertube +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.8.3 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + interval: 30m + values: + controller: + replicaCount: 3 + updateStrategy: + type: RollingUpdate + allowSnippetAnnotations: true + enableAnnotationValidations: true + service: + enabled: true + type: LoadBalancer + annotations: + load-balancer.hetzner.cloud/location: fsn1 + load-balancer.hetzner.cloud/protocol: tcp + load-balancer.hetzner.cloud/name: peertube-nginx + load-balancer.hetzner.cloud/use-private-ip: true + load-balancer.hetzner.cloud/uses-proxyprotocol: true + + publishService: + enabled: true + + metrics: + enabled: true + serviceMonitor: + enabled: true + namespace: network + namespaceSelector: + any: true + + ingressClassResource: + name: peertube-nginx + default: false + + config: + block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go + client-header-timeout: 120 + client-body-buffer-size: "100M" + client-body-timeout: 120 + enable-brotli: "true" + enable-ocsp: "true" + enable-real-ip: "true" + use-proxy-protocol: "true" + hide-headers: Server,X-Powered-By + hsts-max-age: "31449600" + keep-alive: 120 + keep-alive-requests: 10000 + proxy-body-size: 0 + proxy-buffer-size: "16k" + ssl-protocols: "TLSv1.3 TLSv1.2" + use-forwarded-headers: "true" + server-snippet: | + resolver local=on ipv6=off; + ssl-echd-curve: "secp384r1" + + extraArgs: + default-ssl-certificate: "network/khazadtube-tv-tls" + + topologySpreadConstraints: + - 
maxSkew: 2 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: ingress-nginx-peertube + app.kubernetes.io/component: controller + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - controller + - key: app.kubernetes.io/instance + operator: In + values: + - ingress-nginx-peertube + topologyKey: kubernetes.io/hostname + + resources: + requests: + cpu: 23m + memory: 381M + + defaultBackend: + enabled: false diff --git a/kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml new file mode 100644 index 0000000..dac1ce5 --- /dev/null +++ b/kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: network +resources: + - ./helmrelease.yaml + - ./certificate.yaml
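Review bot: `ingressClassResource` sets only `name: peertube-nginx` and `default: false`, so this second controller keeps the chart's default `controllerValue` (`k8s.io/ingress-nginx`), which is the value ingress-nginx matches against each IngressClass's `spec.controller` to decide which Ingresses it serves; if the existing app release in the same `network` namespace also uses the default, both controllers will reconcile every Ingress of both classes. Add a distinct value under `ingressClassResource`, e.g. `controllerValue: "k8s.io/peertube-nginx"` (constructed example), and check that the app release's value differs. In `config`, `ssl-echd-curve` is not a recognized ingress-nginx ConfigMap key (the documented key is `ssl-ecdh-curve`), so the `secp384r1` restriction is silently ignored and the controller default applies; rename it to `ssl-ecdh-curve: "secp384r1"`. The Hetzner annotations `use-private-ip: true` and `uses-proxyprotocol: true` are YAML booleans while Kubernetes annotation values must be strings; unless the chart is known to quote service annotations on render, write them as `"true"`.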