diff --git a/stacks/platform/modules/reverse_proxy/factory/main.tf b/stacks/platform/modules/reverse_proxy/factory/main.tf
index 1af42844..1cbb149c 100644
--- a/stacks/platform/modules/reverse_proxy/factory/main.tf
+++ b/stacks/platform/modules/reverse_proxy/factory/main.tf
@@ -41,6 +41,10 @@ variable "extra_middlewares" {
 type = list(string)
 default = []
 }
+variable "skip_global_rate_limit" {
+ type = bool
+ default = false
+}
 resource "kubernetes_service" "proxied-service" {
@@ -71,7 +75,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 namespace = var.namespace
 annotations = merge({
 "traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact(concat([
- "traefik-rate-limit@kubernetescrd",
+ "traefik-retry@kubernetescrd",
+ var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
 var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
 "traefik-crowdsec@kubernetescrd",
 var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
index 1af42844..1cbb149c 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
@@ -41,6 +41,10 @@ variable "extra_middlewares" {
 type = list(string)
 default = []
 }
+variable "skip_global_rate_limit" {
+ type = bool
+ default = false
+}
 resource "kubernetes_service" "proxied-service" {
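Review bot: `skip_global_rate_limit` is declared without a `description`, and nothing ties it to a replacement limiter, so a caller can set it to `true` with an empty `extra_middlewares` and end up with an ingress that has no rate limiting at all. I would add `description = "Omit traefik-rate-limit@kubernetescrd from this ingress; the caller must attach its own rate-limit middleware via extra_middlewares."` to the variable. On the ingress resource, whose body lies outside this hunk, a `precondition` with `condition = !var.skip_global_rate_limit || length(var.extra_middlewares) > 0` would turn the mistake into a plan-time error. The identical hunk in `stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf` needs the same change.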
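Review bot: `"traefik-retry@kubernetescrd"` is added unconditionally at the head of the middleware list, ahead of the rate-limit, CrowdSec and forward-auth entries, and this diff does not show where that Middleware is defined. Every ingress built by the factory will now reference it, and Traefik does not serve a router whose middleware cannot be resolved, so the Middleware has to exist in the cluster before this is applied. Because retry sits first, each re-attempt presumably re-enters the middlewares listed after it, spending rate-limit tokens and repeating the forward-auth call. If that is not intended, place it after the auth entry and record the reason with a comment such as `# retry last: re-attempts must not re-run rate limiting or auth`. The `annotations` expression continues past the hunk, and the same hunk in `stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf` is affected.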
@@ -71,7 +75,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 namespace = var.namespace
 annotations = merge({
 "traefik.ingress.kubernetes.io/router.middlewares" = join(",", compact(concat([
- "traefik-rate-limit@kubernetescrd",
+ "traefik-retry@kubernetescrd",
+ var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
 var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
 "traefik-crowdsec@kubernetescrd",
 var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index c30aa01c..6498c21b 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -274,15 +274,36 @@ module "mladost3" {
 # }
 # https://ha-sofia.viktorbarzin.me/
+resource "kubernetes_manifest" "ha_sofia_rate_limit" {
+ manifest = {
+ apiVersion = "traefik.io/v1alpha1"
+ kind = "Middleware"
+ metadata = {
+ name = "ha-sofia-rate-limit"
+ namespace = "reverse-proxy"
+ }
+ spec = {
+ rateLimit = {
+ average = 100
+ burst = 200
+ }
+ }
+ }
+}
+
 module "ha-sofia" {
- source = "./factory"
- name = "ha-sofia"
- external_name = "ha-sofia.viktorbarzin.lan"
- port = 8123
- tls_secret_name = var.tls_secret_name
- depends_on = [kubernetes_namespace.reverse-proxy]
- protected = false
- rybbit_site_id = "590fc392690a"
+ source = "./factory"
+ name = "ha-sofia"
+ external_name = "ha-sofia.viktorbarzin.lan"
+ port = 8123
+ tls_secret_name = var.tls_secret_name
+ depends_on = [kubernetes_namespace.reverse-proxy]
+ protected = false
+ rybbit_site_id = "590fc392690a"
+ skip_global_rate_limit = true
+ extra_middlewares = [
+ "reverse-proxy-ha-sofia-rate-limit@kubernetescrd",
+ ]
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "Home Assistant Sofia"
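Review bot: `module "ha-sofia"` now references `reverse-proxy-ha-sofia-rate-limit@kubernetescrd`, but its `depends_on` still lists only the namespace, so Terraform may create the ingress before `kubernetes_manifest.ha_sofia_rate_limit` exists, while `skip_global_rate_limit = true` has already removed the global limiter. I would change it to `depends_on = [kubernetes_namespace.reverse-proxy, kubernetes_manifest.ha_sofia_rate_limit]`. With `protected = false` this Middleware is the only rate limit in front of the service, so a comment above the resource saying why `average = 100` and `burst = 200` were chosen, and how that compares with the global limit, would help the next reviewer. `rateLimit` sets no `sourceCriterion`, so buckets are keyed on the remote address Traefik sees, which is worth confirming if another proxy sits in front. The module block continues past the end of the hunk.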
@@ -293,6 +314,21 @@ module "ha-sofia" {
 }
 }
+# https://music-assistant.viktorbarzin.me/
+module "music-assistant" {
+ source = "./factory"
+ name = "music-assistant"
+ external_name = "ha-sofia.viktorbarzin.lan"
+ port = 8095
+ tls_secret_name = var.tls_secret_name
+ depends_on = [kubernetes_namespace.reverse-proxy]
+ protected = false
+ skip_global_rate_limit = true
+ extra_middlewares = [
+ "reverse-proxy-ha-sofia-rate-limit@kubernetescrd",
+ ]
+}
+
 # https://ha-london.viktorbarzin.me/
 module "ha-london" {
 source = "./factory"
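Review bot: The new `music-assistant` module sets `protected = false`, so the factory omits `traefik-authentik-forward-auth@kubernetescrd`, and `skip_global_rate_limit = true` drops the global limiter as well. If the service on port 8095 does not enforce its own login, this publishes it without authentication. Unless that is deliberate, set `protected = true`, or add a comment recording why it is safe, e.g. `# auth is enforced by the application itself`. The module also relies on the Middleware created for ha-sofia without depending on it; `depends_on = [kubernetes_namespace.reverse-proxy, kubernetes_manifest.ha_sofia_rate_limit]` makes the ordering explicit.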