diff --git a/modules/kubernetes/actualbudget/factory/main.tf b/modules/kubernetes/actualbudget/factory/main.tf
index 4e539171..fc615705 100644
--- a/modules/kubernetes/actualbudget/factory/main.tf
+++ b/modules/kubernetes/actualbudget/factory/main.tf
@@ -90,4 +90,5 @@ module "ingress" {
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
}
+ rybbit_site_id = "3e6b6b68088a"
}
diff --git a/modules/kubernetes/audiobookshelf/main.tf b/modules/kubernetes/audiobookshelf/main.tf
index 8aecd62a..f3e6759e 100644
--- a/modules/kubernetes/audiobookshelf/main.tf
+++ b/modules/kubernetes/audiobookshelf/main.tf
@@ -131,5 +131,6 @@ module "ingress" {
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
}
+ rybbit_site_id = "b38fda4285df"
}
diff --git a/modules/kubernetes/blog/main.tf b/modules/kubernetes/blog/main.tf
index 827a1dac..fbf14df6 100644
--- a/modules/kubernetes/blog/main.tf
+++ b/modules/kubernetes/blog/main.tf
@@ -111,7 +111,22 @@ resource "kubernetes_ingress_v1" "blog" {
name = "blog-ingress"
namespace = "website"
annotations = {
- "kubernetes.io/ingress.class" = "nginx"
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOT
+ # Only modify HTML
+ sub_filter_types text/html;
+ sub_filter_once off;
+
+ # Disable compression so sub_filter works
+ proxy_set_header Accept-Encoding "";
+
+ # Inject analytics before
+ sub_filter '' '
+
+ ';
+ EOT
}
}
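Review bot: `proxy_set_header Accept-Encoding "";` in the new `configuration-snippet` applies to every request proxied through this ingress, so the upstream stops compressing all responses, not only the HTML that `sub_filter` rewrites. Whether nginx re-compresses toward the client depends on the controller's gzip settings, which are not visible here. `sub_filter_types text/html;` is redundant because nginx always processes `text/html`, and listing it again is usually reported as a duplicate MIME type warning. The same block is pasted into immich/main.tf and real-estate-crawler/main.tf and repeated in both factory modules, so a shared local or template would keep the copies from drifting. The comment `# Inject analytics before` does not name the tag being matched; as rendered on this page the match string is also empty, so I would spell the target out in the comment.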
diff --git a/modules/kubernetes/calibre/main.tf b/modules/kubernetes/calibre/main.tf
index ce35559b..1cda9b9d 100644
--- a/modules/kubernetes/calibre/main.tf
+++ b/modules/kubernetes/calibre/main.tf
@@ -233,6 +233,7 @@ module "ingress" {
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
+ rybbit_site_id = "17a5c7fbb077"
}
# Stacks - Anna's Archive Download Manager
@@ -321,4 +322,5 @@ module "stacks-ingress" {
service_name = "annas-archive-stacks"
tls_secret_name = var.tls_secret_name
protected = true
+ rybbit_site_id = "ce5f8aed6bbb"
}
diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf
index b5491322..baf3b0a6 100644
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@@ -66,7 +66,7 @@ resource "helm_release" "crowdsec" {
create_namespace = true
name = "crowdsec"
atomic = true
- version = "0.19.4"
+ version = "0.21.0"
repository = "https://crowdsecurity.github.io/helm-charts"
chart = "crowdsec"
@@ -172,5 +172,6 @@ module "ingress" {
}
EOF
}
+ rybbit_site_id = "d09137795ccc"
}
diff --git a/modules/kubernetes/cyberchef/main.tf b/modules/kubernetes/cyberchef/main.tf
index f1320f37..e6db2fe8 100644
--- a/modules/kubernetes/cyberchef/main.tf
+++ b/modules/kubernetes/cyberchef/main.tf
@@ -79,4 +79,5 @@ module "ingress" {
namespace = "cyberchef"
name = "cc"
tls_secret_name = var.tls_secret_name
+ rybbit_site_id = "7c460afc68c4"
}
diff --git a/modules/kubernetes/dawarich/main.tf b/modules/kubernetes/dawarich/main.tf
index 1c31a753..617b1e01 100644
--- a/modules/kubernetes/dawarich/main.tf
+++ b/modules/kubernetes/dawarich/main.tf
@@ -317,4 +317,16 @@ module "ingress" {
namespace = "dawarich"
name = "dawarich"
tls_secret_name = var.tls_secret_name
+ extra_annotations = {
+ "nginx.ingress.kubernetes.io/limit-connections" : 100
+ "nginx.ingress.kubernetes.io/limit-rps" : 50
+ "nginx.ingress.kubernetes.io/limit-rpm" : 1000
+ "nginx.ingress.kubernetes.io/limit-burst-multiplier" : 500
+ "nginx.ingress.kubernetes.io/limit-rate-after" : 1000
+ "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
+ limit_req_status 429;
+ limit_conn_status 429;
+ EOF
+ }
+ rybbit_site_id = "0abfd409f2fb"
}
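Review bot: The `configuration-snippet` key added to `extra_annotations` here will likely cancel the `rybbit_site_id` set just below it. In ingress_factory/main.tf the module's own annotations close with `}, var.extra_annotations)`, which suggests a `merge()` where caller keys win, so a caller-supplied `configuration-snippet` replaces the factory's snippet including the conditional analytics block. This assumes this module call uses ingress_factory; its `source` line is outside the hunk. The factory snippet already sets `limit_req_status 429;` and `limit_conn_status 429;`, so dropping the key from `extra_annotations` keeps both behaviours. The crowdsec hunk also closes a heredoc inside its annotations and is worth the same check.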
diff --git a/modules/kubernetes/f1-stream/main.tf b/modules/kubernetes/f1-stream/main.tf
index fbd300e3..6239e9ac 100644
--- a/modules/kubernetes/f1-stream/main.tf
+++ b/modules/kubernetes/f1-stream/main.tf
@@ -89,4 +89,5 @@ module "ingress" {
"nginx.ingress.kubernetes.io/force-ssl-redirect" : "false"
"nginx.ingress.kubernetes.io/ssl-redirect" : "false"
}
+ rybbit_site_id = "7e69786f66d5"
}
diff --git a/modules/kubernetes/immich/frame.tf b/modules/kubernetes/immich/frame.tf
index 9fe4b2bc..b81d29c5 100644
--- a/modules/kubernetes/immich/frame.tf
+++ b/modules/kubernetes/immich/frame.tf
@@ -112,4 +112,5 @@ module "ingress" {
name = "highlights-immich"
tls_secret_name = var.tls_secret_name
service_name = "immich-frame"
+ rybbit_site_id = "602167601c6b"
}
diff --git a/modules/kubernetes/immich/main.tf b/modules/kubernetes/immich/main.tf
index e486f9f0..a8b2df9c 100644
--- a/modules/kubernetes/immich/main.tf
+++ b/modules/kubernetes/immich/main.tf
@@ -326,6 +326,24 @@ resource "kubernetes_ingress_v1" "ingress" {
directio 4m;
sendfile off;
aio on;
+
+ limit_req_status 429;
+ limit_conn_status 429;
+
+ # Rybbit Analytics
+ # Only modify HTML
+ sub_filter_types text/html;
+ sub_filter_once off;
+
+ # Disable compression so sub_filter works
+ proxy_set_header Accept-Encoding "";
+
+ # Inject analytics before
+ sub_filter '' '
+
+ ';
EOF
"nginx.ingress.kubernetes.io/enable-modsecurity" : "false" # this is important!!!; setting it to true enables buffering and can lead to ooms when ploading big files
diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 63a4b7a7..525ae785 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -55,6 +55,10 @@ variable "root_domain" {
default = "viktorbarzin.me"
type = string
}
+variable "rybbit_site_id" {
+ default = null
+ type = string
+}
resource "kubernetes_service" "proxied-service" {
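Review bot: `rybbit_site_id` is declared with no description and no validation, yet it gates (and presumably feeds) text that is written into the nginx `configuration-snippet` and into served HTML. Every value passed in this commit is a 12-character lowercase hex string, so a validation block can pin that shape and reject anything containing quotes, semicolons or markup at plan time. The format is inferred from the ids in this commit, so adjust the pattern if Rybbit issues other forms. The same declaration in reverse_proxy/factory/main.tf would take the same block.

```hcl
variable "rybbit_site_id" {
  default     = null
  type        = string
  description = "Rybbit analytics site id; null disables the HTML injection for this ingress."
  validation {
    condition     = var.rybbit_site_id == null || can(regex("^[0-9a-f]{12}$", var.rybbit_site_id))
    error_message = "rybbit_site_id must be null or a 12-character lowercase hex string."
  }
}
```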
@@ -111,32 +115,49 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
limit_req_status 429;
limit_conn_status 429;
+ ${var.rybbit_site_id != null ? <<-JS
+ # Rybbit Analytics
+ # Only modify HTML
+ sub_filter_types text/html;
+ sub_filter_once off;
+
+ # Disable compression so sub_filter works
+ proxy_set_header Accept-Encoding "";
+
+ # Inject analytics before
+ sub_filter '' '
+
+ ';
+ JS
+ : ""
+ }
EOF
- }, var.extra_annotations)
+ }, var.extra_annotations)
+}
+
+spec {
+ tls {
+ hosts = ["${var.name}.${var.root_domain}"] # TODO: refactor me to be easier to use
+ secret_name = var.tls_secret_name
}
+ rule {
+ host = "${var.host != null ? var.host : var.name}.${var.root_domain}"
+ http {
+ dynamic "path" {
+ # for_each = { for pr in var.ingress_path : pr => pr }
+ for_each = var.ingress_path
- spec {
- tls {
- hosts = ["${var.name}.${var.root_domain}"]
- secret_name = var.tls_secret_name
- }
- rule {
- host = "${var.host != null ? var.host : var.name}.${var.root_domain}"
- http {
- dynamic "path" {
- # for_each = { for pr in var.ingress_path : pr => pr }
- for_each = var.ingress_path
+ content {
+ path = path.value
+ backend {
+ service {
- content {
- path = path.value
- backend {
- service {
-
- name = var.service_name != null ? var.service_name : var.name
- port {
- number = var.port
- }
+ name = var.service_name != null ? var.service_name : var.name
+ port {
+ number = var.port
}
}
}
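Review bot: Whatever markup this `sub_filter` injects runs in the origin of every ingress that sets `rybbit_site_id`, and this commit sets it for vaultwarden, privatebin, mailserver/roundcubemail and the pfsense, proxmox, truenas and nas reverse proxies (the latter through the identical block in reverse_proxy/factory/main.tf). The replacement string is not legible on this page, but if it is a script tag, that script can read page content and act with the user's session in those apps, so the analytics host becomes part of their trust boundary. I would leave `rybbit_site_id` unset (the `null` default skips the block) for credential, mail and infrastructure admin UIs and say so above the conditional, e.g. `# Do not enable for apps that handle secrets: the injected tag runs in the app's origin`. Apps that send a strict Content-Security-Policy may block the injected tag anyway, which is worth verifying per site. The resource block starts before this hunk.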
@@ -145,4 +166,5 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
}
}
}
+}
diff --git a/modules/kubernetes/mailserver/roundcubemail.tf b/modules/kubernetes/mailserver/roundcubemail.tf
index 8b2a5687..d1217db8 100644
--- a/modules/kubernetes/mailserver/roundcubemail.tf
+++ b/modules/kubernetes/mailserver/roundcubemail.tf
@@ -191,4 +191,5 @@ module "ingress" {
name = "mail"
service_name = "roundcubemail"
tls_secret_name = var.tls_secret_name
+ rybbit_site_id = "082f164faa7d"
}
diff --git a/modules/kubernetes/navidrome/main.tf b/modules/kubernetes/navidrome/main.tf
index cf6c28a3..3fcb9d2c 100644
--- a/modules/kubernetes/navidrome/main.tf
+++ b/modules/kubernetes/navidrome/main.tf
@@ -115,4 +115,5 @@ module "ingress" {
namespace = "navidrome"
name = "navidrome"
tls_secret_name = var.tls_secret_name
+ rybbit_site_id = "8a3844ff75ba"
}
diff --git a/modules/kubernetes/networking-toolbox/main.tf b/modules/kubernetes/networking-toolbox/main.tf
index be9bda95..e7cf3771 100644
--- a/modules/kubernetes/networking-toolbox/main.tf
+++ b/modules/kubernetes/networking-toolbox/main.tf
@@ -76,4 +76,5 @@ module "ingress" {
name = "networking-toolbox"
tls_secret_name = var.tls_secret_name
protected = true
+ rybbit_site_id = "50e38577e41c"
}
diff --git a/modules/kubernetes/nextcloud/main.tf b/modules/kubernetes/nextcloud/main.tf
index 312d4814..04757403 100644
--- a/modules/kubernetes/nextcloud/main.tf
+++ b/modules/kubernetes/nextcloud/main.tf
@@ -157,6 +157,7 @@ module "ingress" {
"nginx.ingress.kubernetes.io/limit-rps" : 1000 # Increased to allow webdav syncing
"nginx.ingress.kubernetes.io/limit-rpm" : 60000
}
+ rybbit_site_id = "5a3bfe59a3fe"
}
module "whiteboard_ingress" {
diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf
index ab10ad86..27e5f6ee 100644
--- a/modules/kubernetes/nginx-ingress/main.tf
+++ b/modules/kubernetes/nginx-ingress/main.tf
@@ -363,6 +363,7 @@ resource "kubernetes_config_map" "udp_services" {
}
data = {
53 : "technitium/technitium-dns:53"
+ # 8554 : "frigate/frigate:8554"
}
}
resource "kubernetes_config_map" "tcp_services" {
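Review bot: The frigate RTSP entries for port 8554 are added only as commented-out lines, here in `udp_services` and again in `tcp_services`, the controller Service ports and the Deployment ports. Commented-out config spread over four places tends to drift; if the exposure is planned, a single variable-gated `dynamic "port"` block or a comment referencing the tracking issue would keep the intent visible, otherwise the lines can be dropped. If they are enabled later, this would presumably publish the camera stream on the ingress controller's external address, so access control on the RTSP endpoint should be confirmed first.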
@@ -372,6 +373,7 @@ resource "kubernetes_config_map" "tcp_services" {
}
data = {
# 9443 : "wireguard/xray:7443" // reality
+ # 8554 : "frigate/frigate:8554"
}
}
resource "kubernetes_service" "ingress_nginx_controller" {
@@ -406,6 +408,16 @@ resource "kubernetes_service" "ingress_nginx_controller" {
target_port = "dns"
}
# port {
+ # name = "frigate-rtsptcp"
+ # port = 8554
+ # protocol = "TCP"
+ # }
+ # port {
+ # name = "frigate-rtspudp"
+ # port = 8554
+ # protocol = "UDP"
+ # }
+ # port {
# name = "xray-reality"
# protocol = "TCP"
# port = 9443 # expose tcp port here
@@ -605,6 +617,16 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
container_port = 8443
protocol = "TCP"
}
+ # port {
+ # name = "frigate-rtsptcp"
+ # container_port = 8554
+ # protocol = "TCP"
+ # }
+ # port {
+ # name = "frigate-rtspudp"
+ # container_port = 8554
+ # protocol = "UDP"
+ # }
port {
name = "metrics"
container_port = 10254
diff --git a/modules/kubernetes/ollama/main.tf b/modules/kubernetes/ollama/main.tf
index 4147df46..de92c405 100644
--- a/modules/kubernetes/ollama/main.tf
+++ b/modules/kubernetes/ollama/main.tf
@@ -234,4 +234,5 @@ module "ingress" {
service_name = "ollama-ui"
tls_secret_name = var.tls_secret_name
port = 80
+ rybbit_site_id = "e73bebea399f"
}
diff --git a/modules/kubernetes/paperless-ngx/main.tf b/modules/kubernetes/paperless-ngx/main.tf
index 860288f4..675f9f12 100644
--- a/modules/kubernetes/paperless-ngx/main.tf
+++ b/modules/kubernetes/paperless-ngx/main.tf
@@ -171,5 +171,6 @@ module "ingress" {
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
+ rybbit_site_id = "be6d140cbed8"
}
diff --git a/modules/kubernetes/privatebin/main.tf b/modules/kubernetes/privatebin/main.tf
index 524c4d28..8dea2445 100644
--- a/modules/kubernetes/privatebin/main.tf
+++ b/modules/kubernetes/privatebin/main.tf
@@ -94,4 +94,5 @@ module "ingress" {
name = "privatebin"
host = "pb"
tls_secret_name = var.tls_secret_name
+ rybbit_site_id = "3ae810b0476d"
}
diff --git a/modules/kubernetes/real-estate-crawler/main.tf b/modules/kubernetes/real-estate-crawler/main.tf
index 3a420dcc..099902a6 100644
--- a/modules/kubernetes/real-estate-crawler/main.tf
+++ b/modules/kubernetes/real-estate-crawler/main.tf
@@ -214,6 +214,26 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
# "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" : null
# "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" : null
# "nginx.ingress.kubernetes.io/auth-snippet" : var.protected ? "proxy_set_header X-Forwarded-Host $http_host;" : null
+
+ "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
+ limit_req_status 429;
+ limit_conn_status 429;
+
+ # Rybbit Analytics
+ # Only modify HTML
+ sub_filter_types text/html;
+ sub_filter_once off;
+
+ # Disable compression so sub_filter works
+ proxy_set_header Accept-Encoding "";
+
+ # Inject analytics before
+ sub_filter '' '
+
+ ';
+ EOF
}
diff --git a/modules/kubernetes/reverse_proxy/factory/main.tf b/modules/kubernetes/reverse_proxy/factory/main.tf
index f98f5281..a3d8ad69 100644
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@@ -33,6 +33,10 @@ variable "proxy_timeout" {
variable "extra_annotations" {
default = {}
}
+variable "rybbit_site_id" {
+ default = null
+ type = string
+}
resource "kubernetes_service" "proxied-service" {
@@ -81,39 +85,62 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"nginx.ingress.kubernetes.io/proxy-send-timeout" : var.proxy_timeout
"nginx.ingress.kubernetes.io/proxy-read-timeout" : var.proxy_timeout
- }, var.extra_annotations)
+ "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
+ limit_req_status 429;
+ limit_conn_status 429;
+ ${var.rybbit_site_id != null ? <<-JS
+ # Rybbit Analytics
+ # Only modify HTML
+ sub_filter_types text/html;
+ sub_filter_once off;
+
+ # Disable compression so sub_filter works
+ proxy_set_header Accept-Encoding "";
+
+ # Inject analytics before
+ sub_filter '' '
+
+ ';
+ JS
+ : ""
+ }
+ EOF
+
+ }, var.extra_annotations)
+}
+
+spec {
+ tls {
+ hosts = ["${var.name}.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
}
+ rule {
+ host = "${var.name}.viktorbarzin.me"
+ http {
+ dynamic "path" {
+ # for_each = { for pr in var.ingress_path : pr => pr }
+ for_each = var.ingress_path
- spec {
- tls {
- hosts = ["${var.name}.viktorbarzin.me"]
- secret_name = var.tls_secret_name
- }
- rule {
- host = "${var.name}.viktorbarzin.me"
- http {
- dynamic "path" {
- # for_each = { for pr in var.ingress_path : pr => pr }
- for_each = var.ingress_path
+ content {
+ path = path.value
+ backend {
+ service {
- content {
- path = path.value
- backend {
- service {
-
- name = var.name
- port {
- number = var.port
- }
+ name = var.name
+ port {
+ number = var.port
}
}
}
}
- # path {
- # # path = var.ingress_path
- # path = each.value
- # }
}
+ # path {
+ # # path = var.ingress_path
+ # path = each.value
+ # }
}
}
}
+}
diff --git a/modules/kubernetes/reverse_proxy/main.tf b/modules/kubernetes/reverse_proxy/main.tf
index 8bc65330..9f459271 100644
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@@ -43,7 +43,8 @@ module "pfsense" {
"gethomepage.dev/widget.wan" = "vmx0"
# "gethomepage.dev/pod-selector" : ""
}
- depends_on = [kubernetes_namespace.reverse-proxy]
+ depends_on = [kubernetes_namespace.reverse-proxy]
+ rybbit_site_id = "b029580e5a7c"
}
# https://nas.viktorbarzin.me/
@@ -56,6 +57,7 @@ module "nas" {
backend_protocol = "HTTPS"
max_body_size = "0m"
depends_on = [kubernetes_namespace.reverse-proxy]
+ rybbit_site_id = "1e11f8449f7d"
}
# https://files.viktorbarzin.me/
@@ -117,7 +119,8 @@ module "truenas" {
# "gethomepage.dev/widget.enablePools" : "true"
# "gethomepage.dev/pod-selector" : ""
}
- depends_on = [kubernetes_namespace.reverse-proxy]
+ depends_on = [kubernetes_namespace.reverse-proxy]
+ rybbit_site_id = "b66fbd3cb58a"
}
# https://r730.viktorbarzin.me/
@@ -141,6 +144,7 @@ module "proxmox" {
backend_protocol = "HTTPS"
max_body_size = "0" # unlimited
depends_on = [kubernetes_namespace.reverse-proxy]
+ rybbit_site_id = "190a7ad3e1c7"
}
# https://valchedrym.viktorbarzin.me/
@@ -198,6 +202,7 @@ module "ha-sofia" {
tls_secret_name = var.tls_secret_name
depends_on = [kubernetes_namespace.reverse-proxy]
protected = false
+ rybbit_site_id = "590fc392690a"
}
# https://ha-london.viktorbarzin.me/
diff --git a/modules/kubernetes/send/main.tf b/modules/kubernetes/send/main.tf
index 7a53004d..e08f63c9 100644
--- a/modules/kubernetes/send/main.tf
+++ b/modules/kubernetes/send/main.tf
@@ -116,4 +116,5 @@ module "ingress" {
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
}
+ rybbit_site_id = "c1b8f8aa831b"
}
diff --git a/modules/kubernetes/stirling-pdf/main.tf b/modules/kubernetes/stirling-pdf/main.tf
index aef5d02e..16958bd8 100644
--- a/modules/kubernetes/stirling-pdf/main.tf
+++ b/modules/kubernetes/stirling-pdf/main.tf
@@ -86,4 +86,5 @@ module "ingress" {
namespace = "stirling-pdf"
name = "stirling-pdf"
tls_secret_name = var.tls_secret_name
+ rybbit_site_id = "a55ac54ec749"
}
diff --git a/modules/kubernetes/uptime-kuma/main.tf b/modules/kubernetes/uptime-kuma/main.tf
index c136ecce..ee76a93e 100644
--- a/modules/kubernetes/uptime-kuma/main.tf
+++ b/modules/kubernetes/uptime-kuma/main.tf
@@ -107,6 +107,7 @@ module "ingress" {
"gethomepage.dev/widget.slug" = "cluster-internal"
"gethomepage.dev/pod-selector" = ""
}
+ rybbit_site_id = "8fef77b1f7fe"
}
# CronJob for daily SQLite backups # no longer needed as we're using the mysql
diff --git a/modules/kubernetes/vaultwarden/main.tf b/modules/kubernetes/vaultwarden/main.tf
index c60db6d7..7d053959 100644
--- a/modules/kubernetes/vaultwarden/main.tf
+++ b/modules/kubernetes/vaultwarden/main.tf
@@ -127,4 +127,5 @@ module "ingress" {
namespace = "vaultwarden"
name = "vaultwarden"
tls_secret_name = var.tls_secret_name
+ rybbit_site_id = "b8fc85e18683"
}