add rybbit monitoring to ingresses [ci skip]

Viktor Barzin 2025-12-18 08:53:16 +00:00
parent ca19b6b05b
commit 7afd3e758e
26 changed files with 210 additions and 50 deletions


@ -90,4 +90,5 @@ module "ingress" {
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
}
rybbit_site_id = "3e6b6b68088a"
}


@ -131,5 +131,6 @@ module "ingress" {
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
}
rybbit_site_id = "b38fda4285df"
}


@ -111,7 +111,22 @@ resource "kubernetes_ingress_v1" "blog" {
name = "blog-ingress"
namespace = "website"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOT
# Only modify HTML
sub_filter_types text/html;
sub_filter_once off;
# Disable compression so sub_filter works
proxy_set_header Accept-Encoding "";
# Inject analytics before </head>
sub_filter '</head>' '
<script src="https://rybbit.viktorbarzin.me/api/script.js"
data-site-id="da853a2438d0"
defer></script>
</head>';
EOT
}
}
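Review bot: The analytics tag in this `configuration-snippet` is a literal with a hard-coded `data-site-id`, and the same block is repeated verbatim in the two other hand-written `kubernetes_ingress_v1` sections of this commit (site ids `35eedb7a3d2b` and `edee05de453d`), so a later change to the script URL or the filter directives has to be made in several places. The ingress modules changed in this commit already build the snippet from `rybbit_site_id`; routing these ingresses through the same template would keep one copy. `proxy_set_header Accept-Encoding "";` is also not limited to `text/html` the way `sub_filter_types` is, so it appears to request uncompressed upstream responses for everything on this ingress; a comment such as `# Applies to all responses on this ingress, not just HTML` would make that cost visible. The resource body continues outside the hunk.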


@ -233,6 +233,7 @@ module "ingress" {
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
rybbit_site_id = "17a5c7fbb077"
}
# Stacks - Anna's Archive Download Manager
@ -321,4 +322,5 @@ module "stacks-ingress" {
service_name = "annas-archive-stacks"
tls_secret_name = var.tls_secret_name
protected = true
rybbit_site_id = "ce5f8aed6bbb"
}


@ -66,7 +66,7 @@ resource "helm_release" "crowdsec" {
create_namespace = true
name = "crowdsec"
atomic = true
version = "0.19.4"
version = "0.21.0"
repository = "https://crowdsecurity.github.io/helm-charts"
chart = "crowdsec"
@ -172,5 +172,6 @@ module "ingress" {
}
EOF
}
rybbit_site_id = "d09137795ccc"
}


@ -79,4 +79,5 @@ module "ingress" {
namespace = "cyberchef"
name = "cc"
tls_secret_name = var.tls_secret_name
rybbit_site_id = "7c460afc68c4"
}


@ -317,4 +317,16 @@ module "ingress" {
namespace = "dawarich"
name = "dawarich"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"nginx.ingress.kubernetes.io/limit-connections" : 100
"nginx.ingress.kubernetes.io/limit-rps" : 50
"nginx.ingress.kubernetes.io/limit-rpm" : 1000
"nginx.ingress.kubernetes.io/limit-burst-multiplier" : 500
"nginx.ingress.kubernetes.io/limit-rate-after" : 1000
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
limit_req_status 429;
limit_conn_status 429;
EOF
}
rybbit_site_id = "0abfd409f2fb"
}
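Review bot: The `configuration-snippet` key passed in `extra_annotations` here will probably suppress the analytics injection that `rybbit_site_id = "0abfd409f2fb"` asks for, because the ingress modules in this commit build their own `configuration-snippet` and then apply `merge(..., var.extra_annotations)`, where the caller's key wins. The module source for this call is not visible in the hunk, so this is inferred from the module sections of the same commit. Those modules already emit `limit_req_status 429;` and `limit_conn_status 429;`, so dropping the snippet from `extra_annotations` would keep the 429 behaviour and let the module's snippet through. The same check is worth making for other callers that may pass a snippet this way, such as the section whose hunk closes an `EOF` heredoc just before `rybbit_site_id = "d09137795ccc"`.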


@ -89,4 +89,5 @@ module "ingress" {
"nginx.ingress.kubernetes.io/force-ssl-redirect" : "false"
"nginx.ingress.kubernetes.io/ssl-redirect" : "false"
}
rybbit_site_id = "7e69786f66d5"
}


@ -112,4 +112,5 @@ module "ingress" {
name = "highlights-immich"
tls_secret_name = var.tls_secret_name
service_name = "immich-frame"
rybbit_site_id = "602167601c6b"
}


@ -326,6 +326,24 @@ resource "kubernetes_ingress_v1" "ingress" {
directio 4m;
sendfile off;
aio on;
limit_req_status 429;
limit_conn_status 429;
# Rybbit Analytics
# Only modify HTML
sub_filter_types text/html;
sub_filter_once off;
# Disable compression so sub_filter works
proxy_set_header Accept-Encoding "";
# Inject analytics before </head>
sub_filter '</head>' '
<script src="https://rybbit.viktorbarzin.me/api/script.js"
data-site-id="35eedb7a3d2b"
defer></script>
</head>';
EOF
"nginx.ingress.kubernetes.io/enable-modsecurity" : "false" # this is important!!!; setting it to true enables buffering and can lead to ooms when ploading big files


@ -55,6 +55,10 @@ variable "root_domain" {
default = "viktorbarzin.me"
type = string
}
variable "rybbit_site_id" {
default = null
type = string
}
resource "kubernetes_service" "proxied-service" {
@ -111,32 +115,49 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
limit_req_status 429;
limit_conn_status 429;
${var.rybbit_site_id != null ? <<-JS
# Rybbit Analytics
# Only modify HTML
sub_filter_types text/html;
sub_filter_once off;
# Disable compression so sub_filter works
proxy_set_header Accept-Encoding "";
# Inject analytics before </head>
sub_filter '</head>' '
<script src="https://rybbit.viktorbarzin.me/api/script.js"
data-site-id="${var.rybbit_site_id}"
defer></script>
</head>';
JS
: ""
}
EOF
}, var.extra_annotations)
}, var.extra_annotations)
}
spec {
tls {
hosts = ["${var.name}.${var.root_domain}"] # TODO: refactor me to be easier to use
secret_name = var.tls_secret_name
}
rule {
host = "${var.host != null ? var.host : var.name}.${var.root_domain}"
http {
dynamic "path" {
# for_each = { for pr in var.ingress_path : pr => pr }
for_each = var.ingress_path
spec {
tls {
hosts = ["${var.name}.${var.root_domain}"]
secret_name = var.tls_secret_name
}
rule {
host = "${var.host != null ? var.host : var.name}.${var.root_domain}"
http {
dynamic "path" {
# for_each = { for pr in var.ingress_path : pr => pr }
for_each = var.ingress_path
content {
path = path.value
backend {
service {
content {
path = path.value
backend {
service {
name = var.service_name != null ? var.service_name : var.name
port {
number = var.port
}
name = var.service_name != null ? var.service_name : var.name
port {
number = var.port
}
}
}
@ -145,4 +166,5 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
}
}
}
}
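Review bot: `var.rybbit_site_id` is interpolated into the nginx `configuration-snippet` inside a single-quoted `sub_filter` argument with no validation on the variable, so a value containing a quote or `;` would change the generated nginx configuration rather than only the `data-site-id` attribute. The value comes from Terraform callers, which limits the exposure, but a `validation` block on the variable states the constraint and fails at plan time. Every id in this commit is a short lowercase hex string, so a pattern like the one below would presumably fit. The same variable and interpolation are added to the second ingress module further down (the one that uses `var.proxy_timeout`) and need the same guard.

```hcl
variable "rybbit_site_id" {
  # … unchanged: default and type …
  validation {
    condition     = var.rybbit_site_id == null || can(regex("^[0-9a-f]+$", var.rybbit_site_id))
    error_message = "rybbit_site_id must be a lowercase hexadecimal site id."
  }
}
```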


@ -191,4 +191,5 @@ module "ingress" {
name = "mail"
service_name = "roundcubemail"
tls_secret_name = var.tls_secret_name
rybbit_site_id = "082f164faa7d"
}
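Review bot: Setting `rybbit_site_id` on the `roundcubemail` ingress makes the proxy inject a script from `rybbit.viktorbarzin.me` into every HTML page of the webmail origin, presumably through the module's `sub_filter` snippet shown elsewhere in this commit. That script runs with the same access as the application's own scripts, so a fault or compromise on the analytics host would reach mailbox content and sessions. The same applies to the other sensitive ingresses that receive an id in this commit, notably `vaultwarden`, `privatebin`, `pfsense`, `nas`, `truenas` and `proxmox`. Consider leaving `rybbit_site_id` unset for these, or recording the accepted risk next to the argument, e.g. `# analytics script runs in this origin; see threat model`. If any of these applications sends a Content-Security-Policy that restricts script sources, the injected tag would presumably be blocked and the setting would have no effect, which is worth checking.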


@ -115,4 +115,5 @@ module "ingress" {
namespace = "navidrome"
name = "navidrome"
tls_secret_name = var.tls_secret_name
rybbit_site_id = "8a3844ff75ba"
}


@ -76,4 +76,5 @@ module "ingress" {
name = "networking-toolbox"
tls_secret_name = var.tls_secret_name
protected = true
rybbit_site_id = "50e38577e41c"
}


@ -157,6 +157,7 @@ module "ingress" {
"nginx.ingress.kubernetes.io/limit-rps" : 1000 # Increased to allow webdav syncing
"nginx.ingress.kubernetes.io/limit-rpm" : 60000
}
rybbit_site_id = "5a3bfe59a3fe"
}
module "whiteboard_ingress" {


@ -363,6 +363,7 @@ resource "kubernetes_config_map" "udp_services" {
}
data = {
53 : "technitium/technitium-dns:53"
# 8554 : "frigate/frigate:8554"
}
}
resource "kubernetes_config_map" "tcp_services" {
@ -372,6 +373,7 @@ resource "kubernetes_config_map" "tcp_services" {
}
data = {
# 9443 : "wireguard/xray:7443" // reality
# 8554 : "frigate/frigate:8554"
}
}
resource "kubernetes_service" "ingress_nginx_controller" {
@ -406,6 +408,16 @@ resource "kubernetes_service" "ingress_nginx_controller" {
target_port = "dns"
}
# port {
# name = "frigate-rtsptcp"
# port = 8554
# protocol = "TCP"
# }
# port {
# name = "frigate-rtspudp"
# port = 8554
# protocol = "UDP"
# }
# port {
# name = "xray-reality"
# protocol = "TCP"
# port = 9443 # expose tcp port here
@ -605,6 +617,16 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
container_port = 8443
protocol = "TCP"
}
# port {
# name = "frigate-rtsptcp"
# container_port = 8554
# protocol = "TCP"
# }
# port {
# name = "frigate-rtspudp"
# container_port = 8554
# protocol = "UDP"
# }
port {
name = "metrics"
container_port = 10254


@ -234,4 +234,5 @@ module "ingress" {
service_name = "ollama-ui"
tls_secret_name = var.tls_secret_name
port = 80
rybbit_site_id = "e73bebea399f"
}


@ -171,5 +171,6 @@ module "ingress" {
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
rybbit_site_id = "be6d140cbed8"
}


@ -94,4 +94,5 @@ module "ingress" {
name = "privatebin"
host = "pb"
tls_secret_name = var.tls_secret_name
rybbit_site_id = "3ae810b0476d"
}


@ -214,6 +214,26 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
# "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" : null
# "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri" : null
# "nginx.ingress.kubernetes.io/auth-snippet" : var.protected ? "proxy_set_header X-Forwarded-Host $http_host;" : null
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
limit_req_status 429;
limit_conn_status 429;
# Rybbit Analytics
# Only modify HTML
sub_filter_types text/html;
sub_filter_once off;
# Disable compression so sub_filter works
proxy_set_header Accept-Encoding "";
# Inject analytics before </head>
sub_filter '</head>' '
<script src="https://rybbit.viktorbarzin.me/api/script.js"
data-site-id="edee05de453d"
defer></script>
</head>';
EOF
}


@ -33,6 +33,10 @@ variable "proxy_timeout" {
variable "extra_annotations" {
default = {}
}
variable "rybbit_site_id" {
default = null
type = string
}
resource "kubernetes_service" "proxied-service" {
@ -81,39 +85,62 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"nginx.ingress.kubernetes.io/proxy-send-timeout" : var.proxy_timeout
"nginx.ingress.kubernetes.io/proxy-read-timeout" : var.proxy_timeout
}, var.extra_annotations)
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
limit_req_status 429;
limit_conn_status 429;
${var.rybbit_site_id != null ? <<-JS
# Rybbit Analytics
# Only modify HTML
sub_filter_types text/html;
sub_filter_once off;
# Disable compression so sub_filter works
proxy_set_header Accept-Encoding "";
# Inject analytics before </head>
sub_filter '</head>' '
<script src="https://rybbit.viktorbarzin.me/api/script.js"
data-site-id="${var.rybbit_site_id}"
defer></script>
</head>';
JS
: ""
}
EOF
}, var.extra_annotations)
}
spec {
tls {
hosts = ["${var.name}.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "${var.name}.viktorbarzin.me"
http {
dynamic "path" {
# for_each = { for pr in var.ingress_path : pr => pr }
for_each = var.ingress_path
spec {
tls {
hosts = ["${var.name}.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "${var.name}.viktorbarzin.me"
http {
dynamic "path" {
# for_each = { for pr in var.ingress_path : pr => pr }
for_each = var.ingress_path
content {
path = path.value
backend {
service {
content {
path = path.value
backend {
service {
name = var.name
port {
number = var.port
}
name = var.name
port {
number = var.port
}
}
}
}
# path {
# # path = var.ingress_path
# path = each.value
# }
}
# path {
# # path = var.ingress_path
# path = each.value
# }
}
}
}
}


@ -43,7 +43,8 @@ module "pfsense" {
"gethomepage.dev/widget.wan" = "vmx0"
# "gethomepage.dev/pod-selector" : ""
}
depends_on = [kubernetes_namespace.reverse-proxy]
depends_on = [kubernetes_namespace.reverse-proxy]
rybbit_site_id = "b029580e5a7c"
}
# https://nas.viktorbarzin.me/
@ -56,6 +57,7 @@ module "nas" {
backend_protocol = "HTTPS"
max_body_size = "0m"
depends_on = [kubernetes_namespace.reverse-proxy]
rybbit_site_id = "1e11f8449f7d"
}
# https://files.viktorbarzin.me/
@ -117,7 +119,8 @@ module "truenas" {
# "gethomepage.dev/widget.enablePools" : "true"
# "gethomepage.dev/pod-selector" : ""
}
depends_on = [kubernetes_namespace.reverse-proxy]
depends_on = [kubernetes_namespace.reverse-proxy]
rybbit_site_id = "b66fbd3cb58a"
}
# https://r730.viktorbarzin.me/
@ -141,6 +144,7 @@ module "proxmox" {
backend_protocol = "HTTPS"
max_body_size = "0" # unlimited
depends_on = [kubernetes_namespace.reverse-proxy]
rybbit_site_id = "190a7ad3e1c7"
}
# https://valchedrym.viktorbarzin.me/
@ -198,6 +202,7 @@ module "ha-sofia" {
tls_secret_name = var.tls_secret_name
depends_on = [kubernetes_namespace.reverse-proxy]
protected = false
rybbit_site_id = "590fc392690a"
}
# https://ha-london.viktorbarzin.me/


@ -116,4 +116,5 @@ module "ingress" {
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
}
rybbit_site_id = "c1b8f8aa831b"
}


@ -86,4 +86,5 @@ module "ingress" {
namespace = "stirling-pdf"
name = "stirling-pdf"
tls_secret_name = var.tls_secret_name
rybbit_site_id = "a55ac54ec749"
}


@ -107,6 +107,7 @@ module "ingress" {
"gethomepage.dev/widget.slug" = "cluster-internal"
"gethomepage.dev/pod-selector" = ""
}
rybbit_site_id = "8fef77b1f7fe"
}
# CronJob for daily SQLite backups # no longer needed as we're using the mysql


@ -127,4 +127,5 @@ module "ingress" {
namespace = "vaultwarden"
name = "vaultwarden"
tls_secret_name = var.tls_secret_name
rybbit_site_id = "b8fc85e18683"
}