From 7afd3e758ea2fb1369ebc082e009a27099b2149e Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Thu, 18 Dec 2025 08:53:16 +0000 Subject: [PATCH] add rybbit monitoring to ingresses [ci skip] --- .../kubernetes/actualbudget/factory/main.tf | 1 + modules/kubernetes/audiobookshelf/main.tf | 1 + modules/kubernetes/blog/main.tf | 17 +++- modules/kubernetes/calibre/main.tf | 2 + modules/kubernetes/crowdsec/main.tf | 3 +- modules/kubernetes/cyberchef/main.tf | 1 + modules/kubernetes/dawarich/main.tf | 12 +++ modules/kubernetes/f1-stream/main.tf | 1 + modules/kubernetes/immich/frame.tf | 1 + modules/kubernetes/immich/main.tf | 18 +++++ modules/kubernetes/ingress_factory/main.tf | 64 ++++++++++----- .../kubernetes/mailserver/roundcubemail.tf | 1 + modules/kubernetes/navidrome/main.tf | 1 + modules/kubernetes/networking-toolbox/main.tf | 1 + modules/kubernetes/nextcloud/main.tf | 1 + modules/kubernetes/nginx-ingress/main.tf | 22 ++++++ modules/kubernetes/ollama/main.tf | 1 + modules/kubernetes/paperless-ngx/main.tf | 1 + modules/kubernetes/privatebin/main.tf | 1 + .../kubernetes/real-estate-crawler/main.tf | 20 +++++ .../kubernetes/reverse_proxy/factory/main.tf | 77 +++++++++++++------ modules/kubernetes/reverse_proxy/main.tf | 9 ++- modules/kubernetes/send/main.tf | 1 + modules/kubernetes/stirling-pdf/main.tf | 1 + modules/kubernetes/uptime-kuma/main.tf | 1 + modules/kubernetes/vaultwarden/main.tf | 1 + 26 files changed, 210 insertions(+), 50 deletions(-) diff --git a/modules/kubernetes/actualbudget/factory/main.tf b/modules/kubernetes/actualbudget/factory/main.tf index 4e539171..fc615705 100644 --- a/modules/kubernetes/actualbudget/factory/main.tf +++ b/modules/kubernetes/actualbudget/factory/main.tf @@ -90,4 +90,5 @@ module "ingress" { "nginx.ingress.kubernetes.io/proxy-body-size" : "0", "nginx.ingress.kubernetes.io/client-max-body-size" : "0" } + rybbit_site_id = "3e6b6b68088a" } 
diff --git a/modules/kubernetes/audiobookshelf/main.tf b/modules/kubernetes/audiobookshelf/main.tf index 8aecd62a..f3e6759e 100644 --- a/modules/kubernetes/audiobookshelf/main.tf +++ b/modules/kubernetes/audiobookshelf/main.tf @@ -131,5 +131,6 @@ module "ingress" { "nginx.ingress.kubernetes.io/proxy-body-size" : "0", "nginx.ingress.kubernetes.io/client-max-body-size" : "0" } + rybbit_site_id = "b38fda4285df" } diff --git a/modules/kubernetes/blog/main.tf b/modules/kubernetes/blog/main.tf index 827a1dac..fbf14df6 100644 --- a/modules/kubernetes/blog/main.tf +++ b/modules/kubernetes/blog/main.tf @@ -111,7 +111,22 @@ resource "kubernetes_ingress_v1" "blog" { name = "blog-ingress" namespace = "website" annotations = { - "kubernetes.io/ingress.class" = "nginx" + "kubernetes.io/ingress.class" = "nginx" + "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOT + # Only modify HTML + sub_filter_types text/html; + sub_filter_once off; + + # Disable compression so sub_filter works + proxy_set_header Accept-Encoding ""; + + # Inject analytics before + sub_filter '' ' + + '; + EOT } } diff --git a/modules/kubernetes/calibre/main.tf b/modules/kubernetes/calibre/main.tf index ce35559b..1cda9b9d 100644 --- a/modules/kubernetes/calibre/main.tf +++ b/modules/kubernetes/calibre/main.tf @@ -233,6 +233,7 @@ module "ingress" { # gethomepage.dev/weight: 10 # optional # gethomepage.dev/instance: "public" # optional } + rybbit_site_id = "17a5c7fbb077" } # Stacks - Anna's Archive Download Manager @@ -321,4 +322,5 @@ module "stacks-ingress" { service_name = "annas-archive-stacks" tls_secret_name = var.tls_secret_name protected = true + rybbit_site_id = "ce5f8aed6bbb" } diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf index b5491322..baf3b0a6 100644 --- a/modules/kubernetes/crowdsec/main.tf +++ b/modules/kubernetes/crowdsec/main.tf 
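Review bot: The analytics block in blog's `configuration-snippet` is a hand-copied duplicate of what the commit adds to `ingress_factory` behind `rybbit_site_id`, and the same copy appears again in the immich and real-estate-crawler hunks; the copies already disagree (blog omits the `limit_req_status 429; limit_conn_status 429;` lines the other two carry), so they will keep drifting. If these three ingresses cannot be routed through the factory, the block should at least live in one shared `locals` value that each snippet interpolates. In this rendering the `sub_filter` match and replacement strings read as empty (`sub_filter '' '…'`), presumably the HTML tag stripped by the page; worth confirming the committed strings are intact, since a malformed snippet can make the ingress controller reject this Ingress or fail its reload. The enclosing `resource "kubernetes_ingress_v1" "blog"` starts outside the hunk.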
@@ -66,7 +66,7 @@ resource "helm_release" "crowdsec" { create_namespace = true name = "crowdsec" atomic = true - version = "0.19.4" + version = "0.21.0" repository = "https://crowdsecurity.github.io/helm-charts" chart = "crowdsec" @@ -172,5 +172,6 @@ module "ingress" { } EOF } + rybbit_site_id = "d09137795ccc" } diff --git a/modules/kubernetes/cyberchef/main.tf b/modules/kubernetes/cyberchef/main.tf index f1320f37..e6db2fe8 100644 --- a/modules/kubernetes/cyberchef/main.tf +++ b/modules/kubernetes/cyberchef/main.tf @@ -79,4 +79,5 @@ module "ingress" { namespace = "cyberchef" name = "cc" tls_secret_name = var.tls_secret_name + rybbit_site_id = "7c460afc68c4" } diff --git a/modules/kubernetes/dawarich/main.tf b/modules/kubernetes/dawarich/main.tf index 1c31a753..617b1e01 100644 --- a/modules/kubernetes/dawarich/main.tf +++ b/modules/kubernetes/dawarich/main.tf @@ -317,4 +317,16 @@ module "ingress" { namespace = "dawarich" name = "dawarich" tls_secret_name = var.tls_secret_name + extra_annotations = { + "nginx.ingress.kubernetes.io/limit-connections" : 100 + "nginx.ingress.kubernetes.io/limit-rps" : 50 + "nginx.ingress.kubernetes.io/limit-rpm" : 1000 + "nginx.ingress.kubernetes.io/limit-burst-multiplier" : 500 + "nginx.ingress.kubernetes.io/limit-rate-after" : 1000 + "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF + limit_req_status 429; + limit_conn_status 429; + EOF + } + rybbit_site_id = "0abfd409f2fb" } diff --git a/modules/kubernetes/f1-stream/main.tf b/modules/kubernetes/f1-stream/main.tf index fbd300e3..6239e9ac 100644 --- a/modules/kubernetes/f1-stream/main.tf +++ b/modules/kubernetes/f1-stream/main.tf @@ -89,4 +89,5 @@ module "ingress" { "nginx.ingress.kubernetes.io/force-ssl-redirect" : "false" "nginx.ingress.kubernetes.io/ssl-redirect" : "false" } + rybbit_site_id = "7e69786f66d5" } diff --git a/modules/kubernetes/immich/frame.tf b/modules/kubernetes/immich/frame.tf index 9fe4b2bc..b81d29c5 100644 --- a/modules/kubernetes/immich/frame.tf 
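Review bot: The dawarich rate-limit annotations largely cancel each other: with `limit-rps: 50` and `limit-burst-multiplier: 500`, ingress-nginx sizes the burst at 25 000 requests, so the per-second cap only bites after a client has queued that many, and `limit-rate-after: 1000` has no effect without a companion `limit-rate` (it only says after how many KB a response-bandwidth limit starts). Either keep the multiplier near its default, e.g. `"nginx.ingress.kubernetes.io/limit-burst-multiplier" : 5`, and either add `limit-rate` or drop `limit-rate-after`. The `configuration-snippet` passed in `extra_annotations` duplicates the `limit_req_status`/`limit_conn_status` lines the factory already emits and, through `merge()`, replaces the factory's whole snippet — so if this `module "ingress"` is `ingress_factory`, the `rybbit_site_id` set on the next line is silently discarded. The module block itself starts outside the hunk.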
+++ b/modules/kubernetes/immich/frame.tf @@ -112,4 +112,5 @@ module "ingress" { name = "highlights-immich" tls_secret_name = var.tls_secret_name service_name = "immich-frame" + rybbit_site_id = "602167601c6b" } diff --git a/modules/kubernetes/immich/main.tf b/modules/kubernetes/immich/main.tf index e486f9f0..a8b2df9c 100644 --- a/modules/kubernetes/immich/main.tf +++ b/modules/kubernetes/immich/main.tf @@ -326,6 +326,24 @@ resource "kubernetes_ingress_v1" "ingress" { directio 4m; sendfile off; aio on; + + limit_req_status 429; + limit_conn_status 429; + + # Rybbit Analytics + # Only modify HTML + sub_filter_types text/html; + sub_filter_once off; + + # Disable compression so sub_filter works + proxy_set_header Accept-Encoding ""; + + # Inject analytics before + sub_filter '' ' + + '; EOF "nginx.ingress.kubernetes.io/enable-modsecurity" : "false" # this is important!!!; setting it to true enables buffering and can lead to ooms when ploading big files diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf index 63a4b7a7..525ae785 100644 --- a/modules/kubernetes/ingress_factory/main.tf +++ b/modules/kubernetes/ingress_factory/main.tf @@ -55,6 +55,10 @@ variable "root_domain" { default = "viktorbarzin.me" type = string } +variable "rybbit_site_id" { + default = null + type = string +} resource "kubernetes_service" "proxied-service" { 
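Review bot: `rybbit_site_id` is spliced into an nginx `configuration-snippet` (and, presumably, into the injected tag whose content is not visible here) without any validation, so a value containing a quote, `;` or newline would break or alter the generated nginx config rather than fail at plan time. Every id in this commit is lowercase hex, so a `validation` block pins that shape and fails `terraform plan` early; the same applies to the identical variable added in the `reverse_proxy/factory` hunk. Loosen the pattern if rybbit ids can legitimately differ.

```hcl
variable "rybbit_site_id" {
  default = null
  type    = string
  validation {
    condition     = var.rybbit_site_id == null || can(regex("^[0-9a-f]+$", var.rybbit_site_id))
    error_message = "rybbit_site_id must be a lowercase hex id; it is interpolated into the nginx configuration-snippet."
  }
}
```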
@@ -111,32 +115,49 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF limit_req_status 429; limit_conn_status 429; + ${var.rybbit_site_id != null ? <<-JS + # Rybbit Analytics + # Only modify HTML + sub_filter_types text/html; + sub_filter_once off; + + # Disable compression so sub_filter works + proxy_set_header Accept-Encoding ""; + + # Inject analytics before + sub_filter '' ' + + '; + JS + : "" + } EOF - }, var.extra_annotations) + }, var.extra_annotations) +} + +spec { + tls { + hosts = ["${var.name}.${var.root_domain}"] # TODO: refactor me to be easier to use + secret_name = var.tls_secret_name } + rule { + host = "${var.host != null ? var.host : var.name}.${var.root_domain}" + http { + dynamic "path" { + # for_each = { for pr in var.ingress_path : pr => pr } + for_each = var.ingress_path - spec { - tls { - hosts = ["${var.name}.${var.root_domain}"] - secret_name = var.tls_secret_name - } - rule { - host = "${var.host != null ? var.host : var.name}.${var.root_domain}" - http { - dynamic "path" { - # for_each = { for pr in var.ingress_path : pr => pr } - for_each = var.ingress_path + content { + path = path.value + backend { + service { - content { - path = path.value - backend { - service { - - name = var.service_name != null ? var.service_name : var.name - port { - number = var.port - } + name = var.service_name != null ? var.service_name : var.name + port { + number = var.port } } } @@ -145,4 +166,5 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { } } } +} diff --git a/modules/kubernetes/mailserver/roundcubemail.tf b/modules/kubernetes/mailserver/roundcubemail.tf index 8b2a5687..d1217db8 100644 --- a/modules/kubernetes/mailserver/roundcubemail.tf +++ b/modules/kubernetes/mailserver/roundcubemail.tf @@ -191,4 +191,5 @@ module "ingress" { name = "mail" service_name = "roundcubemail" tls_secret_name = var.tls_secret_name + rybbit_site_id = "082f164faa7d" } 
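Review bot: The `configuration-snippet` that now carries the analytics block sits in the first argument of `merge(…, var.extra_annotations)`, so any caller that passes its own `configuration-snippet` replaces it wholesale — dawarich does exactly that in this commit and therefore loses both the `limit_*_status` lines and the analytics it also opts into via `rybbit_site_id`. Putting the factory's snippet after `var.extra_annotations` in the merge and appending the caller's snippet via `lookup()` keeps both. The `reverse_proxy/factory` hunk has the same structure and the same problem. Note also that `proxy_set_header Accept-Encoding ""` applies to every proxied request once a site id is set, not only to HTML ones, so upstream compression is lost for all content on those ingresses; that is inherent to `sub_filter` and may be acceptable, but it deserves a comment. The resource's `spec` block runs past the hunk.

```hcl
    annotations = merge({
      # … unchanged: base annotations other than configuration-snippet …
    }, var.extra_annotations, {
      # Placed after extra_annotations so a caller's snippet is appended, not substituted.
      "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
        limit_req_status 429;
        limit_conn_status 429;
        ${var.rybbit_site_id != null ? <<-JS
        # … unchanged: sub_filter / Accept-Encoding block …
        JS
        : ""}
        ${lookup(var.extra_annotations, "nginx.ingress.kubernetes.io/configuration-snippet", "")}
      EOF
    })
```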
diff --git a/modules/kubernetes/navidrome/main.tf b/modules/kubernetes/navidrome/main.tf index cf6c28a3..3fcb9d2c 100644 --- a/modules/kubernetes/navidrome/main.tf +++ b/modules/kubernetes/navidrome/main.tf @@ -115,4 +115,5 @@ module "ingress" { namespace = "navidrome" name = "navidrome" tls_secret_name = var.tls_secret_name + rybbit_site_id = "8a3844ff75ba" } diff --git a/modules/kubernetes/networking-toolbox/main.tf b/modules/kubernetes/networking-toolbox/main.tf index be9bda95..e7cf3771 100644 --- a/modules/kubernetes/networking-toolbox/main.tf +++ b/modules/kubernetes/networking-toolbox/main.tf @@ -76,4 +76,5 @@ module "ingress" { name = "networking-toolbox" tls_secret_name = var.tls_secret_name protected = true + rybbit_site_id = "50e38577e41c" } diff --git a/modules/kubernetes/nextcloud/main.tf b/modules/kubernetes/nextcloud/main.tf index 312d4814..04757403 100644 --- a/modules/kubernetes/nextcloud/main.tf +++ b/modules/kubernetes/nextcloud/main.tf @@ -157,6 +157,7 @@ module "ingress" { "nginx.ingress.kubernetes.io/limit-rps" : 1000 # Increased to allow webdav syncing "nginx.ingress.kubernetes.io/limit-rpm" : 60000 } + rybbit_site_id = "5a3bfe59a3fe" } module "whiteboard_ingress" { diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf index ab10ad86..27e5f6ee 100644 --- a/modules/kubernetes/nginx-ingress/main.tf +++ b/modules/kubernetes/nginx-ingress/main.tf @@ -363,6 +363,7 @@ resource "kubernetes_config_map" "udp_services" { } data = { 53 : "technitium/technitium-dns:53" + # 8554 : "frigate/frigate:8554" } } resource "kubernetes_config_map" "tcp_services" { @@ -372,6 +373,7 @@ resource "kubernetes_config_map" "tcp_services" { } data = { # 9443 : "wireguard/xray:7443" // reality + # 8554 : "frigate/frigate:8554" } } resource "kubernetes_service" "ingress_nginx_controller" { 
@@ -406,6 +408,16 @@ resource "kubernetes_service" "ingress_nginx_controller" { target_port = "dns" } # port { + # name = "frigate-rtsptcp" + # port = 8554 + # protocol = "TCP" + # } + # port { + # name = "frigate-rtspudp" + # port = 8554 + # protocol = "UDP" + # } + # port { # name = "xray-reality" # protocol = "TCP" # port = 9443 # expose tcp port here @@ -605,6 +617,16 @@ resource "kubernetes_deployment" "ingress_nginx_controller" { container_port = 8443 protocol = "TCP" } + # port { + # name = "frigate-rtsptcp" + # container_port = 8554 + # protocol = "TCP" + # } + # port { + # name = "frigate-rtspudp" + # container_port = 8554 + # protocol = "UDP" + # } port { name = "metrics" container_port = 10254 diff --git a/modules/kubernetes/ollama/main.tf b/modules/kubernetes/ollama/main.tf index 4147df46..de92c405 100644 --- a/modules/kubernetes/ollama/main.tf +++ b/modules/kubernetes/ollama/main.tf @@ -234,4 +234,5 @@ module "ingress" { service_name = "ollama-ui" tls_secret_name = var.tls_secret_name port = 80 + rybbit_site_id = "e73bebea399f" } diff --git a/modules/kubernetes/paperless-ngx/main.tf b/modules/kubernetes/paperless-ngx/main.tf index 860288f4..675f9f12 100644 --- a/modules/kubernetes/paperless-ngx/main.tf +++ b/modules/kubernetes/paperless-ngx/main.tf @@ -171,5 +171,6 @@ module "ingress" { # gethomepage.dev/weight: 10 # optional # gethomepage.dev/instance: "public" # optional } + rybbit_site_id = "be6d140cbed8" } diff --git a/modules/kubernetes/privatebin/main.tf b/modules/kubernetes/privatebin/main.tf index 524c4d28..8dea2445 100644 --- a/modules/kubernetes/privatebin/main.tf +++ b/modules/kubernetes/privatebin/main.tf @@ -94,4 +94,5 @@ module "ingress" { name = "privatebin" host = "pb" tls_secret_name = var.tls_secret_name + rybbit_site_id = "3ae810b0476d" } diff --git a/modules/kubernetes/real-estate-crawler/main.tf b/modules/kubernetes/real-estate-crawler/main.tf index 3a420dcc..099902a6 100644 --- a/modules/kubernetes/real-estate-crawler/main.tf 
+++ b/modules/kubernetes/real-estate-crawler/main.tf @@ -214,6 +214,26 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { # "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" : null # "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" : null # "nginx.ingress.kubernetes.io/auth-snippet" : var.protected ? "proxy_set_header X-Forwarded-Host $http_host;" : null + + "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF + limit_req_status 429; + limit_conn_status 429; + + # Rybbit Analytics + # Only modify HTML + sub_filter_types text/html; + sub_filter_once off; + + # Disable compression so sub_filter works + proxy_set_header Accept-Encoding ""; + + # Inject analytics before + sub_filter '' ' + + '; + EOF } diff --git a/modules/kubernetes/reverse_proxy/factory/main.tf b/modules/kubernetes/reverse_proxy/factory/main.tf index f98f5281..a3d8ad69 100644 --- a/modules/kubernetes/reverse_proxy/factory/main.tf +++ b/modules/kubernetes/reverse_proxy/factory/main.tf @@ -33,6 +33,10 @@ variable "proxy_timeout" { variable "extra_annotations" { default = {} } +variable "rybbit_site_id" { + default = null + type = string +} resource "kubernetes_service" "proxied-service" { 
@@ -81,39 +85,62 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { "nginx.ingress.kubernetes.io/proxy-send-timeout" : var.proxy_timeout "nginx.ingress.kubernetes.io/proxy-read-timeout" : var.proxy_timeout - }, var.extra_annotations) + "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF + limit_req_status 429; + limit_conn_status 429; + ${var.rybbit_site_id != null ? <<-JS + # Rybbit Analytics + # Only modify HTML + sub_filter_types text/html; + sub_filter_once off; + + # Disable compression so sub_filter works + proxy_set_header Accept-Encoding ""; + + # Inject analytics before + sub_filter '' ' + + '; + JS + : "" + } + EOF + + }, var.extra_annotations) +} + +spec { + tls { + hosts = ["${var.name}.viktorbarzin.me"] + secret_name = var.tls_secret_name } + rule { + host = "${var.name}.viktorbarzin.me" + http { + dynamic "path" { + # for_each = { for pr in var.ingress_path : pr => pr } + for_each = var.ingress_path - spec { - tls { - hosts = ["${var.name}.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "${var.name}.viktorbarzin.me" - http { - dynamic "path" { - # for_each = { for pr in var.ingress_path : pr => pr } - for_each = var.ingress_path + content { + path = path.value + backend { + service { - content { - path = path.value - backend { - service { - - name = var.name - port { - number = var.port - } + name = var.name + port { + number = var.port } } } } - # path { - # # path = var.ingress_path - # path = each.value - # } } + # path { + # # path = var.ingress_path + # path = each.value + # } } } } +} diff --git a/modules/kubernetes/reverse_proxy/main.tf b/modules/kubernetes/reverse_proxy/main.tf index 8bc65330..9f459271 100644 --- a/modules/kubernetes/reverse_proxy/main.tf +++ b/modules/kubernetes/reverse_proxy/main.tf 
@@ -43,7 +43,8 @@ module "pfsense" { "gethomepage.dev/widget.wan" = "vmx0" # "gethomepage.dev/pod-selector" : "" } - depends_on = [kubernetes_namespace.reverse-proxy] + depends_on = [kubernetes_namespace.reverse-proxy] + rybbit_site_id = "b029580e5a7c" } # https://nas.viktorbarzin.me/ @@ -56,6 +57,7 @@ module "nas" { backend_protocol = "HTTPS" max_body_size = "0m" depends_on = [kubernetes_namespace.reverse-proxy] + rybbit_site_id = "1e11f8449f7d" } # https://files.viktorbarzin.me/ @@ -117,7 +119,8 @@ module "truenas" { # "gethomepage.dev/widget.enablePools" : "true" # "gethomepage.dev/pod-selector" : "" } - depends_on = [kubernetes_namespace.reverse-proxy] + depends_on = [kubernetes_namespace.reverse-proxy] + rybbit_site_id = "b66fbd3cb58a" } # https://r730.viktorbarzin.me/ @@ -141,6 +144,7 @@ module "proxmox" { backend_protocol = "HTTPS" max_body_size = "0" # unlimited depends_on = [kubernetes_namespace.reverse-proxy] + rybbit_site_id = "190a7ad3e1c7" } # https://valchedrym.viktorbarzin.me/ @@ -198,6 +202,7 @@ module "ha-sofia" { tls_secret_name = var.tls_secret_name depends_on = [kubernetes_namespace.reverse-proxy] protected = false + rybbit_site_id = "590fc392690a" } # https://ha-london.viktorbarzin.me/ diff --git a/modules/kubernetes/send/main.tf b/modules/kubernetes/send/main.tf index 7a53004d..e08f63c9 100644 --- a/modules/kubernetes/send/main.tf +++ b/modules/kubernetes/send/main.tf @@ -116,4 +116,5 @@ module "ingress" { "nginx.ingress.kubernetes.io/client-max-body-size" : "0" "nginx.ingress.kubernetes.io/proxy-body-size" : "0", } + rybbit_site_id = "c1b8f8aa831b" } diff --git a/modules/kubernetes/stirling-pdf/main.tf b/modules/kubernetes/stirling-pdf/main.tf index aef5d02e..16958bd8 100644 --- a/modules/kubernetes/stirling-pdf/main.tf +++ b/modules/kubernetes/stirling-pdf/main.tf @@ -86,4 +86,5 @@ module "ingress" { namespace = "stirling-pdf" name = "stirling-pdf" tls_secret_name = var.tls_secret_name + rybbit_site_id = "a55ac54ec749" } 
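Review bot: Setting `rybbit_site_id` on the pfsense, nas, truenas, proxmox and ha-sofia proxies injects a script from the analytics origin into the admin pages of the firewall, NAS and hypervisor consoles; whatever that origin serves runs with each console's page origin and sees its URLs, so the analytics deployment, even a self-hosted one, becomes part of every console's trust boundary. Several of these UIs may also send their own Content-Security-Policy, in which case the injected tag is either blocked (no data, silently) or the policy has to be relaxed, weakening the console's own defences — check the browser console on each host before trusting the numbers. Consider leaving `rybbit_site_id` unset on the infrastructure consoles and enabling it only on the public-facing modules.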
diff --git a/modules/kubernetes/uptime-kuma/main.tf b/modules/kubernetes/uptime-kuma/main.tf index c136ecce..ee76a93e 100644 --- a/modules/kubernetes/uptime-kuma/main.tf +++ b/modules/kubernetes/uptime-kuma/main.tf @@ -107,6 +107,7 @@ module "ingress" { "gethomepage.dev/widget.slug" = "cluster-internal" "gethomepage.dev/pod-selector" = "" } + rybbit_site_id = "8fef77b1f7fe" } # CronJob for daily SQLite backups # no longer needed as we're using the mysql diff --git a/modules/kubernetes/vaultwarden/main.tf b/modules/kubernetes/vaultwarden/main.tf index c60db6d7..7d053959 100644 --- a/modules/kubernetes/vaultwarden/main.tf +++ b/modules/kubernetes/vaultwarden/main.tf @@ -127,4 +127,5 @@ module "ingress" { namespace = "vaultwarden" name = "vaultwarden" tls_secret_name = var.tls_secret_name + rybbit_site_id = "b8fc85e18683" }