use ingress factory for all hosted ingresses [ci skip]

Viktor Barzin 2025-01-14 22:53:04 +00:00
parent 8713946352
commit d0e68769e7
No known key found for this signature in database
GPG key ID: 4056458DBDBF8863
41 changed files with 392 additions and 1628 deletions


@ -62,7 +62,7 @@ resource "kubernetes_deployment" "actualbudget" {
resource "kubernetes_service" "actualbudget" {
metadata {
name = "actualbudget-${var.name}"
name = "budget-${var.name}"
namespace = "actualbudget"
labels = {
app = "actualbudget-${var.name}"
@ -81,43 +81,13 @@ resource "kubernetes_service" "actualbudget" {
}
}
resource "kubernetes_ingress_v1" "actualbudget" {
metadata {
name = "actualbudget-ingress-${var.name}"
namespace = "actualbudget"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
# "nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
# "nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
# "nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
}
}
spec {
tls {
hosts = ["budget-${var.name}.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "budget-${var.name}.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "actualbudget-${var.name}"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../../ingress_factory"
namespace = "actualbudget"
name = "budget-${var.name}"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
}
}
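Review bot: Renaming the Service from `actualbudget-${var.name}` to `budget-${var.name}` only so that it matches the hostname changes its in-cluster DNS name, and anything that still addresses the old name will stop resolving. The factory gains `host` and `service_name` in this same commit, so the call can leave the Service alone: `name = "actualbudget-${var.name}"` together with `host = "budget-${var.name}"`. The same rename is made for cyberchef (`cc`), phpmyadmin (`pma`), excalidraw (`draw`), f1-stream (`f1`), jsoncrack (`json`) and kms-web-page (`kms`). The mailserver and kubernetes-dashboard calls already use the new variables instead.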


@ -122,37 +122,14 @@ resource "kubernetes_service" "audiobookshelf" {
}
}
resource "kubernetes_ingress_v1" "audiobookshelf" {
metadata {
name = "audiobookshelf"
namespace = "audiobookshelf"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/proxy-body-size" : "20000m"
}
}
spec {
tls {
hosts = ["audiobookshelf.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "audiobookshelf.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "audiobookshelf"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "audiobookshelf"
name = "audiobookshelf"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
}
}
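Review bot: The `extra_annotations` here set `proxy-body-size` and `client-max-body-size` to `"0"`, which switches the request-size limit off, whereas the ingress being replaced capped uploads at `20000m`. Nothing in this call sets `protected`, so unless the factory enables it by default the uncapped endpoint is reachable without forward auth, and a single oversized request can tie up proxy buffers and disk. If the change is not intended, keep the old value: `"nginx.ingress.kubernetes.io/proxy-body-size" : "20000m"`.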


@ -113,66 +113,26 @@ resource "kubernetes_service" "calibre" {
}
}
}
resource "kubernetes_ingress_v1" "calibre" {
metadata {
name = "calibre"
namespace = "calibre"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/proxy-body-size" : "5000m"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Book library"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "calibre-web.png"
"gethomepage.dev/name" = "Calibre"
"gethomepage.dev/widget.type" = "calibreweb"
"gethomepage.dev/widget.url" = "https://calibre.viktorbarzin.me"
"gethomepage.dev/widget.username" = var.homepage_username
"gethomepage.dev/widget.password" = var.homepage_password
"gethomepage.dev/pod-selector" = ""
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "calibre"
name = "calibre"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "5000m"
spec {
tls {
hosts = ["calibre.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "calibre.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "calibre"
port {
number = 80
}
}
}
}
}
}
rule {
host = "books.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "calibre"
port {
number = 80
}
}
}
}
}
}
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Book library"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "calibre-web.png"
"gethomepage.dev/name" = "Calibre"
"gethomepage.dev/widget.type" = "calibreweb"
"gethomepage.dev/widget.url" = "https://calibre.viktorbarzin.me"
"gethomepage.dev/widget.username" = var.homepage_username
"gethomepage.dev/widget.password" = var.homepage_password
"gethomepage.dev/pod-selector" = ""
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
}
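Review bot: `gethomepage.dev/widget.username` and `gethomepage.dev/widget.password` are passed through `extra_annotations`, so the Calibre credentials are stored in plain text in the Ingress metadata, readable by anything allowed to get or list ingresses in the namespace. The immich section does the same with `"gethomepage.dev/widget.key" = var.homepage_token`. Consider supplying these values to Homepage from a Secret instead of an annotation, and declaring the variables with `sensitive = true` so they stay out of plan output. Separately, the old rule for `books.viktorbarzin.me` has no counterpart in the module call, so that host appears to stop being served; excalidraw loses `excalidraw.viktorbarzin.me` and immich loses the `photos` ingress in the same way.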


@ -120,40 +120,10 @@ resource "kubernetes_service" "changedetection" {
}
}
resource "kubernetes_ingress_v1" "changedetection" {
metadata {
name = "changedetection-ingress"
namespace = "changedetection"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
"nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
"nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
}
}
spec {
tls {
hosts = ["changedetection.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "changedetection.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "changedetection"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "changedetection"
name = "changedetection"
tls_secret_name = var.tls_secret_name
protected = true
}


@ -107,40 +107,12 @@ resource "kubernetes_service" "city-guesser" {
# }
# }
resource "kubernetes_ingress_v1" "city-guesser" {
metadata {
name = "city-guesser-ingress"
namespace = "city-guesser"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" = "https://$host/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" = "https://$host/oauth2/start?rd=$escaped_request_uri"
# "nginx.ingress.kubernetes.io/auth-response-headers" = "X-Auth-Request-User,X-Auth-Request-Email"
}
}
spec {
tls {
hosts = ["city-guesser.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "city-guesser.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "city-guesser"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "city-guesser"
name = "city-guesser"
tls_secret_name = var.tls_secret_name
protected = true
}
# resource "kubernetes_ingress_v1" "city-guesser-oauth" {


@ -83,37 +83,3 @@ resource "kubernetes_service" "cloudflared" {
}
}
resource "kubernetes_ingress_v1" "cloudflared" {
metadata {
name = "cloudflared"
namespace = "cloudflared"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
"nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["cloudflared.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "cloudflared.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "cloudflared"
port {
number = 80
}
}
}
}
}
}
}
}


@ -54,7 +54,7 @@ resource "kubernetes_deployment" "cyberchef" {
resource "kubernetes_service" "cyberchef" {
metadata {
name = "cyberchef"
name = "cc"
namespace = "cyberchef"
labels = {
"app" = "cyberchef"
@ -73,36 +73,10 @@ resource "kubernetes_service" "cyberchef" {
}
}
resource "kubernetes_ingress_v1" "cyberchef" {
metadata {
name = "cyberchef"
namespace = "cyberchef"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["cc.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "cc.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "cyberchef"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "cyberchef"
name = "cc"
tls_secret_name = var.tls_secret_name
}


@ -103,38 +103,11 @@ resource "kubernetes_service" "dashy" {
}
}
resource "kubernetes_ingress_v1" "dashy" {
metadata {
name = "dashy-ingress"
namespace = "dashy"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["dashy.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "dashy.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "dashy"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "dashy"
name = "dashy"
tls_secret_name = var.tls_secret_name
protected = true # hidden as we use homepage now
}


@ -216,39 +216,9 @@ resource "kubernetes_service" "dawarich" {
}
}
}
resource "kubernetes_ingress_v1" "dawarich" {
metadata {
name = "dawarich"
namespace = "dawarich"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-type" = "basic" # support only basic auth; can't use authentik
# "nginx.ingress.kubernetes.io/auth-secret" = kubernetes_secret.basic_auth.metadata[0].name
# "nginx.ingress.kubernetes.io/auth-realm" = "Authentication Required"
}
}
spec {
tls {
hosts = ["dawarich.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "dawarich.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "dawarich"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "dawarich"
name = "dawarich"
tls_secret_name = var.tls_secret_name
}
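Review bot: This call leaves `protected` unset, and the only explanation for that is removed with the old resource: its commented-out annotation recorded that the app supports only basic auth and cannot use authentik. Exposing this host without forward auth should stay a documented decision, so I would carry the remark over onto the module call, e.g. `# protected not set: supports only basic auth; can't use authentik`. Whether the basic-auth annotations that were commented out should return through `extra_annotations` is worth deciding at the same time.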


@ -410,7 +410,7 @@ resource "kubernetes_deployment" "phpmyadmin" {
resource "kubernetes_service" "phpmyadmin" {
metadata {
name = "phpmyadmin"
name = "pma"
namespace = "dbaas"
}
spec {
@ -423,46 +423,14 @@ resource "kubernetes_service" "phpmyadmin" {
}
}
}
resource "kubernetes_ingress_v1" "phpmyadmin" {
metadata {
name = "phpmyadmin-ingress"
namespace = "dbaas"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
# "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
"nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
"nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
"nginx.ingress.kubernetes.io/proxy-body-size" : "50m"
}
}
spec {
tls {
hosts = ["pma.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "pma.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "phpmyadmin"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "dbaas"
name = "pma"
tls_secret_name = var.tls_secret_name
protected = true
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "50m"
}
}
@ -866,48 +834,18 @@ resource "kubernetes_service" "pgadmin" {
}
}
}
resource "kubernetes_ingress_v1" "pgadmin" {
metadata {
name = "pgadmin"
namespace = "dbaas"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
# "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
"nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
"nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
"nginx.ingress.kubernetes.io/proxy-body-size" : "50m"
}
}
spec {
tls {
hosts = ["pgadmin.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "pgadmin.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "pgadmin"
port {
number = 80
}
}
}
}
}
}
module "ingress-pgadmin" {
source = "../ingress_factory"
namespace = "dbaas"
name = "pgadmin"
tls_secret_name = var.tls_secret_name
protected = true
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "50m"
}
}
resource "kubernetes_cron_job_v1" "postgresql-backup" {
metadata {
name = "postgresql-backup"


@ -153,41 +153,15 @@ resource "kubernetes_service" "drone" {
}
}
resource "kubernetes_ingress_v1" "drone" {
metadata {
name = "drone-ingress"
namespace = "drone"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
//"nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
//"nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
}
}
spec {
tls {
hosts = ["drone.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "drone.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "drone"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "drone"
name = "drone"
tls_secret_name = var.tls_secret_name
protected = true
}
# Setup drone runner
resource "kubernetes_cluster_role" "drone" {
metadata {
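Review bot: `protected = true` puts the whole `drone` host behind forward auth, while the ingress it replaces had no auth annotation active (the client-certificate lines were commented out). A CI server normally has to accept webhook deliveries from the git forge, and those requests cannot complete an interactive login, so builds may stop triggering after this change. I cannot see from this page how the factory implements `protected` or whether webhooks reach Drone by another path. If they do come through this ingress, either leave `protected` off and rely on Drone's own login, or exempt the webhook path in the auth layer. The hunk ends inside the following `kubernetes_cluster_role` resource.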


@ -51,9 +51,9 @@ resource "kubernetes_deployment" "excalidraw" {
}
}
resource "kubernetes_service" "finance_app" {
resource "kubernetes_service" "draw" {
metadata {
name = "excalidraw"
name = "draw"
namespace = "excalidraw"
labels = {
app = "excalidraw"
@ -71,52 +71,10 @@ resource "kubernetes_service" "finance_app" {
}
}
resource "kubernetes_ingress_v1" "finance_app" {
metadata {
name = "excalidraw"
namespace = "excalidraw"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["excalidraw.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "excalidraw.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "excalidraw"
port {
number = 80
}
}
}
}
}
}
rule {
host = "draw.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "excalidraw"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "excalidraw"
name = "draw"
tls_secret_name = var.tls_secret_name
}


@ -56,7 +56,7 @@ resource "kubernetes_deployment" "f1-stream" {
resource "kubernetes_service" "f1-stream" {
metadata {
name = "f1-stream"
name = "f1"
namespace = "f1-stream"
labels = {
"app" = "f1-stream"
@ -80,38 +80,13 @@ module "tls_secret" {
}
resource "kubernetes_ingress_v1" "f1-stream" {
metadata {
name = "f1-ingress"
namespace = "f1-stream"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/force-ssl-redirect" : "false"
"nginx.ingress.kubernetes.io/ssl-redirect" : "false"
# "nginx.ingress.kubernetes.io/temporal-redirect" : "http://f1.viktorbarzin.me"
}
}
spec {
tls {
hosts = ["f1.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "f1.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "f1-stream"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "f1-stream"
name = "f1"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"nginx.ingress.kubernetes.io/force-ssl-redirect" : "false"
"nginx.ingress.kubernetes.io/ssl-redirect" : "false"
}
}


@ -236,39 +236,13 @@ resource "kubernetes_service" "frigate" {
}
}
resource "kubernetes_ingress_v1" "frigate" {
metadata {
name = "frigate"
namespace = "frigate"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/proxy-body-size" : "20000m"
"nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
"nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["frigate.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "frigate.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "frigate"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "frigate"
name = "frigate"
tls_secret_name = var.tls_secret_name
protected = true
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "20000m"
}
}


@ -143,39 +143,12 @@ resource "kubernetes_service" "hackmd" {
}
}
}
resource "kubernetes_ingress_v1" "hackmd" {
metadata {
name = "hackmd-ingress"
namespace = "hackmd"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
"nginx.ingress.kubernetes.io/affinity-mode" = "persistent"
"nginx.ingress.kubernetes.io/session-cookie-name" = "_sa_nginx"
}
}
spec {
tls {
hosts = ["hackmd.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "hackmd.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "hackmd"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "hackmd"
name = "hackmd"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "20000m"
}
}
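Review bot: The `extra_annotations` block does not carry over what the old ingress had: the three session-affinity annotations are gone, and a `proxy-body-size` of `20000m` appears that the old resource never set, which looks copied from another module. That raises the accepted upload size from the controller default on an ingress with no `protected` flag, and it drops sticky sessions. If the old behaviour is wanted, pass `"nginx.ingress.kubernetes.io/affinity" = "cookie"`, `"nginx.ingress.kubernetes.io/affinity-mode" = "persistent"` and `"nginx.ingress.kubernetes.io/session-cookie-name" = "_sa_nginx"` instead. The meshcentral section likewise drops its affinity annotation and its 600s proxy timeouts without replacement.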


@ -102,125 +102,63 @@ resource "helm_release" "immich" {
values = [templatefile("${path.module}/chart_values.tpl", { postgresql_password = var.postgresql_password })]
}
resource "kubernetes_ingress_v1" "immich" {
metadata {
name = "immich"
namespace = "immich"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
# WARNING: When changing any of the below settings, ensure that large file uploads continue working
"nginx.ingress.kubernetes.io/proxy-read-timeout" : "6000",
"nginx.ingress.kubernetes.io/proxy-send-timeout" : "6000",
"nginx.ingress.kubernetes.io/proxy-connect-timeout" : "6000"
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
# "nginx.ingress.kubernetes.io/proxy-body-size" : "5G",
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
# "nginx.ingress.kubernetes.io/proxy-buffering" : "on"
# "nginx.ingress.kubernetes.io/proxy-max-temp-file-size" : "4096m"
# "nginx.ingress.kubernetes.io/proxy-request-buffering" : "off"
# "nginx.ingress.kubernetes.io/client-body-buffer-size" : "5G"
# "nginx.ingress.kubernetes.io/proxy-buffer-size" : "16k"
# "nginx.ingress.kubernetes.io/proxy-buffers-number" : "8"
module "ingress" {
source = "../ingress_factory"
namespace = "immich"
name = "immich"
tls_secret_name = var.tls_secret_name
port = 2283
service_name = "immich-server"
extra_annotations = {
"kubernetes.io/ingress.class" = "nginx"
# WARNING: When changing any of the below settings, ensure that large file uploads continue working
"nginx.ingress.kubernetes.io/proxy-read-timeout" : "6000",
"nginx.ingress.kubernetes.io/proxy-send-timeout" : "6000",
"nginx.ingress.kubernetes.io/proxy-connect-timeout" : "6000"
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
# "nginx.ingress.kubernetes.io/proxy-body-size" : "5G",
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
# "nginx.ingress.kubernetes.io/proxy-buffering" : "on"
# "nginx.ingress.kubernetes.io/proxy-max-temp-file-size" : "4096m"
# "nginx.ingress.kubernetes.io/proxy-request-buffering" : "off"
# "nginx.ingress.kubernetes.io/client-body-buffer-size" : "5G"
# "nginx.ingress.kubernetes.io/proxy-buffer-size" : "16k"
# "nginx.ingress.kubernetes.io/proxy-buffers-number" : "8"
# "nginx.ingress.kubernetes.io/client-body-buffer-size" : "5000m"
# "nginx.ingress.kubernetes.io/proxy-buffers-number" : "8"
# "nginx.ingress.kubernetes.io/proxy-buffer-size" : "16k"
# "nginx.ingress.kubernetes.io/proxy-body-size" : "0",
# "nginx.ingress.kubernetes.io/affinity" : "cookie"
# "nginx.ingress.kubernetes.io/affinity-mode" : "persistent"
# "nginx.ingress.kubernetes.io/session-cookie-change-on-failure" : true
# "nginx.ingress.kubernetes.io/session-cookie-expires" : 172800
# "nginx.ingress.kubernetes.io/session-cookie-max-age" : 172800
# "nginx.ingress.kubernetes.io/session-cookie-name" : "STICKY_SESSION"
# "nginx.ingress.kubernetes.io/use-regex" : false
"nginx.org/websocket-services" : "immich-server"
# "nginx.ingress.kubernetes.io/client-body-buffer-size" : "5000m"
# "nginx.ingress.kubernetes.io/proxy-buffers-number" : "8"
# "nginx.ingress.kubernetes.io/proxy-buffer-size" : "16k"
# "nginx.ingress.kubernetes.io/proxy-body-size" : "0",
# "nginx.ingress.kubernetes.io/affinity" : "cookie"
# "nginx.ingress.kubernetes.io/affinity-mode" : "persistent"
# "nginx.ingress.kubernetes.io/session-cookie-change-on-failure" : true
# "nginx.ingress.kubernetes.io/session-cookie-expires" : 172800
# "nginx.ingress.kubernetes.io/session-cookie-max-age" : 172800
# "nginx.ingress.kubernetes.io/session-cookie-name" : "STICKY_SESSION"
# "nginx.ingress.kubernetes.io/use-regex" : false
"nginx.org/websocket-services" : "immich-server"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Photos library"
"gethomepage.dev/icon" = "immich.png"
"gethomepage.dev/name" = "Immich"
"gethomepage.dev/widget.type" = "immich"
"gethomepage.dev/widget.url" = "https://immich.viktorbarzin.me"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.key" = var.homepage_token
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Photos library"
"gethomepage.dev/icon" = "immich.png"
"gethomepage.dev/name" = "Immich"
"gethomepage.dev/widget.type" = "immich"
"gethomepage.dev/widget.url" = "https://immich.viktorbarzin.me"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.key" = var.homepage_token
# location ~* \.(png|jpg|jpeg|gif|webp|svg)$ {
# expires 1M;
# add_header Cache-Control "public, max-age=31536000, immutable";
# }
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
# location ~* \.(png|jpg|jpeg|gif|webp|svg)$ {
# expires 1M;
# add_header Cache-Control "public, max-age=31536000, immutable";
# }
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
proxy_cache static-cache;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating http_404 http_500 http_502 http_503 http_504;
proxy_cache_bypass $http_x_purge;
add_header X-Cache-Status $upstream_cache_status;
EOF
}
}
spec {
tls {
hosts = ["immich.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "immich.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
# name = "immich-proxy"
name = "immich-server" # after v1.88
port {
# number = 8080
# number = 3001
number = 2283
}
}
}
}
}
}
}
}
resource "kubernetes_ingress_v1" "photos" {
metadata {
name = "photos"
namespace = "immich"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/proxy-body-size" : "5000m"
}
}
spec {
tls {
hosts = ["photos.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "photos.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
# name = "immich-proxy"
name = "immich-server" # after v1.88
port {
# number = 8080
number = 3001
}
}
}
}
}
}
}
}
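Review bot: The `configuration-snippet` kept in `extra_annotations` contains `proxy_cache_bypass $http_x_purge;`, which keys the bypass on a request header that any client can set, and this call does not set `protected`. The cache therefore does not shield the backend from a caller that sends that header on every request. Either drop the bypass line or make it depend on something the client does not control. As far as the rendering shows, `"kubernetes.io/ingress.class" = "nginx"` is also still passed in `extra_annotations`, which is probably redundant if the factory sets the class itself, as the other calls that omit it suggest.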


@ -1,5 +1,13 @@
variable "name" { type = string } // must match service name; translates to host
variable "name" { type = string }
variable "service_name" {
type = string
default = null # defaults to name
}
variable "host" {
type = string
default = null
}
variable "namespace" { type = string }
variable "external_name" {
type = string
@ -87,7 +95,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
secret_name = var.tls_secret_name
}
rule {
host = "${var.name}.viktorbarzin.me"
host = "${var.host != null ? var.host : var.name}.viktorbarzin.me"
http {
dynamic "path" {
# for_each = { for pr in var.ingress_path : pr => pr }
@ -98,7 +106,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
backend {
service {
name = var.name
name = var.service_name != null ? var.service_name : var.name
port {
number = var.port
}


@ -50,7 +50,7 @@ resource "kubernetes_deployment" "jsoncrack" {
resource "kubernetes_service" "jsoncrack" {
metadata {
name = "jsoncrack"
name = "json"
namespace = "jsoncrack"
labels = {
"app" = "jsoncrack"
@ -70,37 +70,9 @@ resource "kubernetes_service" "jsoncrack" {
}
}
resource "kubernetes_ingress_v1" "jsoncrack" {
metadata {
name = "jsoncrack"
namespace = "jsoncrack"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/proxy-body-size" : "100000m"
}
}
spec {
tls {
hosts = ["json.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "json.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "jsoncrack"
port {
number = 8080
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "jsoncrack"
name = "json"
tls_secret_name = var.tls_secret_name
}
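Review bot: The module call passes no `port`, while the ingress it replaces sent traffic to the Service on port `8080`; the immich and meshcentral calls set `port` explicitly, which suggests the factory default is a different number. Unless the Service's port was changed as well (its `port` block lies outside both hunks), the backend will not match, so add `port = 8080`. The old `proxy-body-size` of `100000m` is dropped too, which is the safer direction.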


@ -76,50 +76,17 @@ resource "helm_release" "kubernetes-dashboard" {
# type = "kubernetes.io/service-account-token"
# }
resource "kubernetes_ingress_v1" "kubernetes-dashboard" {
metadata {
name = "kubernetes-dashboard"
namespace = "kubernetes-dashboard"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
# "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
# "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
# "nginx.ingress.kubernetes.io/auth-tls-secret" = var.client_certificate_secret_name
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
"nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
"nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
}
}
spec {
tls {
hosts = ["k8s.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "k8s.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "kubernetes-dashboard-kong-proxy"
port {
number = 443
}
}
}
}
}
}
}
# depends_on = [module.dashboard]
module "ingress" {
source = "../ingress_factory"
namespace = "kubernetes-dashboard"
name = "kubernetes-dashboard"
service_name = "kubernetes-dashboard-kong-proxy"
host = "k8s"
tls_secret_name = var.tls_secret_name
protected = true
backend_protocol = "HTTPS"
port = 443
}
# create token with


@ -91,7 +91,7 @@ resource "kubernetes_deployment" "kms-web-page" {
resource "kubernetes_service" "kms-web-page" {
metadata {
name = "kms-web-page"
name = "kms"
namespace = "kms"
labels = {
"app" = "kms-web-page"
@ -109,37 +109,11 @@ resource "kubernetes_service" "kms-web-page" {
}
}
resource "kubernetes_ingress_v1" "kms-web-page" {
metadata {
name = "kms-web-page"
namespace = "kms"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["kms.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "kms.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "kms-web-page"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "kms"
name = "kms"
tls_secret_name = var.tls_secret_name
}
resource "kubernetes_deployment" "windows_kms" {


@ -110,43 +110,10 @@ resource "kubernetes_service" "linkwarden" {
}
}
}
resource "kubernetes_ingress_v1" "linkwarden" {
metadata {
name = "linkwarden"
namespace = "linkwarden"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
# "nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
# "nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
# "nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
"nginx.ingress.kubernetes.io/ssl-passthrough" : true
}
}
spec {
tls {
hosts = ["linkwarden.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "linkwarden.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "linkwarden"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "linkwarden"
name = "linkwarden"
tls_secret_name = var.tls_secret_name
}


@ -482,43 +482,12 @@ resource "kubernetes_service" "mailserver" {
}
}
resource "kubernetes_ingress_v1" "roundcube" {
metadata {
name = "roundcube"
namespace = "mailserver"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
"nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
"nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
}
}
spec {
tls {
hosts = ["mail.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "mail.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "mailserver"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "mailserver"
name = "mail"
service_name = "mailserver"
tls_secret_name = var.tls_secret_name
protected = true
}


@ -89,36 +89,9 @@ resource "kubernetes_service" "matrix" {
}
}
resource "kubernetes_ingress_v1" "matrix" {
metadata {
name = "matrix"
namespace = "matrix"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["matrix.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "matrix.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "matrix"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "matrix"
name = "matrix"
tls_secret_name = var.tls_secret_name
}


@ -132,46 +132,16 @@ resource "kubernetes_service" "meshcentral" {
}
port {
name = "https"
port = "443"
port = 443
protocol = "TCP"
}
}
}
resource "kubernetes_ingress_v1" "meshcentral" {
metadata {
name = "meshcentral"
namespace = "meshcentral"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
"nginx.ingress.kubernetes.io/proxy-read-timeout" : "600s",
"nginx.ingress.kubernetes.io/proxy-send-timeout" : "600s",
"nginx.ingress.kubernetes.io/proxy-connect-timeout" : "600s"
# "nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
}
}
spec {
tls {
hosts = ["meshcentral.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "meshcentral.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "meshcentral"
port {
number = 443
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "meshcentral"
name = "meshcentral"
tls_secret_name = var.tls_secret_name
port = 443
}
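Review bot: The replaced `kubernetes_ingress_v1.meshcentral` set `proxy-read-timeout`, `proxy-send-timeout` and `proxy-connect-timeout` to `600s` plus cookie affinity, and the new `module "ingress"` call passes none of them. Unless `ingress_factory` (not visible here) applies equivalent defaults, long-lived sessions to this host fall back to the controller's default timeouts. Consider carrying them over through `extra_annotations`, e.g. `"nginx.ingress.kubernetes.io/proxy-read-timeout" : "600s"` and its two siblings. The backend port is 443 and the old `backend-protocol = "HTTPS"` annotation was already commented out, so it is also worth confirming which protocol the factory uses towards the pod.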


@ -136,55 +136,10 @@ resource "kubernetes_service" "netbox" {
}
}
}
resource "kubernetes_ingress_v1" "netbox" {
metadata {
name = "netbox"
namespace = "netbox"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/proxy-body-size" : "5000m"
"nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
"nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["netbox.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "netbox.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "netbox"
port {
number = 80
}
}
}
}
}
}
rule {
host = "books.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "netbox"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "netbox"
name = "netbox"
tls_secret_name = var.tls_secret_name
protected = true
}


@ -150,40 +150,14 @@ resource "kubernetes_persistent_volume_claim" "nextcloud-data-pvc" {
}
}
resource "kubernetes_ingress_v1" "nextcloud" {
metadata {
name = "nextcloud-ingress"
namespace = "nextcloud"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["nextcloud.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "nextcloud.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "nextcloud"
port {
number = 8080
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "nextcloud"
name = "nextcloud"
tls_secret_name = var.tls_secret_name
port = 8080
extra_annotations = {
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
}
}


@ -119,38 +119,10 @@ resource "kubernetes_service" "ntfy" {
}
}
resource "kubernetes_ingress_v1" "ntfy" {
metadata {
name = "ntfy"
namespace = "ntfy"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["ntfy.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "ntfy.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "ntfy"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "ntfy"
name = "ntfy"
tls_secret_name = var.tls_secret_name
}


@ -128,36 +128,10 @@ resource "kubernetes_service" "ollama-ui" {
}
}
resource "kubernetes_ingress_v1" "ollama-ui" {
metadata {
name = "ollama"
namespace = "ollama"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["ollama.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "ollama.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "ollama-ui"
port {
number = 8080
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "ollama"
name = "ollama"
tls_secret_name = var.tls_secret_name
port = 8080
}


@ -131,38 +131,15 @@ resource "kubernetes_service" "owntracks" {
}
}
resource "kubernetes_ingress_v1" "owntracks" {
metadata {
name = "owntracks"
namespace = "owntracks"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/auth-type" = "basic" # support only basic auth; can't use authentik
"nginx.ingress.kubernetes.io/auth-secret" = kubernetes_secret.basic_auth.metadata[0].name
"nginx.ingress.kubernetes.io/auth-realm" = "Authentication Required"
}
}
spec {
tls {
hosts = ["owntracks.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "owntracks.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "owntracks"
port {
number = 443
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "owntracks"
name = "owntracks"
tls_secret_name = var.tls_secret_name
port = 443
extra_annotations = {
"nginx.ingress.kubernetes.io/auth-type" = "basic" # support only basic auth; can't use authentik
"nginx.ingress.kubernetes.io/auth-secret" = kubernetes_secret.basic_auth.metadata[0].name
"nginx.ingress.kubernetes.io/auth-realm" = "Authentication Required"
}
}


@ -142,70 +142,33 @@ resource "kubernetes_service" "paperless-ngx" {
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "paperless-ngx"
name = "paperless-ngx"
service_name = "paperless-ngx"
host = "pdf"
tls_secret_name = var.tls_secret_name
port = 8000
extra_annotations = {
"nginx.ingress.kubernetes.io/proxy-body-size" : "0"
# see https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#rate-limiting for all annotations
# "nginx.ingress.kubernetes.io/limit-rpm": "5"
resource "kubernetes_ingress_v1" "paperless-ngx" {
metadata {
name = "paperless-ngx"
namespace = "paperless-ngx"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/proxy-body-size" : "100000m"
# see https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#rate-limiting for all annotations
# "nginx.ingress.kubernetes.io/limit-rpm": "5"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Document library"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "paperless-ngx.png"
"gethomepage.dev/name" = "Paperless-ngx"
"gethomepage.dev/widget.type" = "paperlessngx"
"gethomepage.dev/widget.url" = "https://pdf.viktorbarzin.me"
# "gethomepage.dev/widget.token" = var.homepage_token
"gethomepage.dev/widget.username" = var.homepage_username
"gethomepage.dev/widget.password" = var.homepage_password
"gethomepage.dev/widget.fields" = "[\"total\"]"
"gethomepage.dev/pod-selector" = ""
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
}
spec {
tls {
hosts = ["paperless-ngx.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "paperless-ngx.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "paperless-ngx"
port {
number = 8000
}
}
}
}
}
}
rule {
host = "pdf.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "paperless-ngx"
port {
number = 8000
}
}
}
}
}
}
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Document library"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "paperless-ngx.png"
"gethomepage.dev/name" = "Paperless-ngx"
"gethomepage.dev/widget.type" = "paperlessngx"
"gethomepage.dev/widget.url" = "https://pdf.viktorbarzin.me"
# "gethomepage.dev/widget.token" = var.homepage_token
"gethomepage.dev/widget.username" = var.homepage_username
"gethomepage.dev/widget.password" = var.homepage_password
"gethomepage.dev/widget.fields" = "[\"total\"]"
"gethomepage.dev/pod-selector" = ""
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
}
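Review bot: `gethomepage.dev/widget.username` and `gethomepage.dev/widget.password` are carried over into `extra_annotations`, so the Paperless credentials end up as plain annotation values on the Ingress object. Annotations are readable by any principal with get/list on Ingresses in the namespace and are also written to Terraform state, which is a wider audience than a Secret would have. If the homepage integration needs them here, back them with a dedicated read-only account and say so next to the two lines, e.g. `# annotation values are not secret: use a least-privilege, read-only account`. The same section also changes `proxy-body-size` from `100000m` to `0` (no limit) and no longer lists the `paperless-ngx.viktorbarzin.me` host; confirm both are intended.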


@ -88,51 +88,10 @@ resource "kubernetes_service" "privatebin" {
}
}
resource "kubernetes_ingress_v1" "privatebin" {
metadata {
name = "privatebin-ingress"
namespace = "privatebin"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["privatebin.viktorbarzin.me", "pb.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "privatebin.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "privatebin"
port {
number = 80
}
}
}
}
}
}
rule {
host = "pb.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "privatebin"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "privatebin"
name = "privatebin"
host = "pb"
tls_secret_name = var.tls_secret_name
}


@ -86,43 +86,11 @@ resource "kubernetes_service" "redis" {
}
}
}
resource "kubernetes_ingress_v1" "redis" {
metadata {
name = "redis"
namespace = "redis"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
"nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
"nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
"nginx.ingress.kubernetes.io/ssl-passthrough" : true
}
}
spec {
tls {
hosts = ["redis.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "redis.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "redis"
port {
number = 8001
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "redis"
name = "redis"
tls_secret_name = var.tls_secret_name
protected = true
port = 8001
}


@ -106,35 +106,14 @@ resource "kubernetes_service" "send" {
}
}
}
resource "kubernetes_ingress_v1" "send" {
metadata {
name = "send"
namespace = "send"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["send.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "send.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "send"
port {
number = 1443
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "send"
name = "send"
tls_secret_name = var.tls_secret_name
port = 1443
extra_annotations = {
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
}
}
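Review bot: The new `extra_annotations` set `proxy-body-size` to `"0"`, which switches off nginx's request-body limit on an ingress that is not marked `protected = true` and that previously ran with the controller default. With no limit at the proxy, the only cap on upload size is whatever the application itself enforces. Prefer a finite value that matches the service's maximum upload size, e.g. `"nginx.ingress.kubernetes.io/proxy-body-size" : "<MAX_UPLOAD_SIZE>m"` (placeholder value). As far as I know `client-max-body-size` is not an annotation ingress-nginx reads, so that line can probably be dropped here and in the nextcloud and ytdlp sections, which use the same pair.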


@ -39,7 +39,7 @@ resource "kubernetes_deployment" "technitium" {
template {
metadata {
annotations = {
"diun.enable" = "true"
"diun.enable" = "true"
# "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$"
"diun.include_tags" = "latest"
}
@ -159,93 +159,35 @@ resource "kubernetes_service" "technitium-dns" {
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "technitium"
name = "technitium"
tls_secret_name = var.tls_secret_name
port = 5380
service_name = "technitium-web"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Internal DNS Server and Recursive Resolver"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "technitium.png"
"gethomepage.dev/name" = "Technitium"
"gethomepage.dev/widget.type" = "technitium"
"gethomepage.dev/widget.url" = "http://technitium-web.technitium.svc.cluster.local:5380"
"gethomepage.dev/widget.key" = var.homepage_token
resource "kubernetes_ingress_v1" "technitium" {
metadata {
name = "technitium-ingress"
namespace = "technitium"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
# "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
# "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-url" : "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
"nginx.ingress.kubernetes.io/auth-signin" : "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
"nginx.ingress.kubernetes.io/auth-response-headers" : "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
"nginx.ingress.kubernetes.io/auth-snippet" : "proxy_set_header X-Forwarded-Host $http_host;"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Internal DNS Server and Recursive Resolver"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "technitium.png"
"gethomepage.dev/name" = "Technitium"
"gethomepage.dev/widget.type" = "technitium"
"gethomepage.dev/widget.url" = "http://technitium-web.technitium.svc.cluster.local:5380"
"gethomepage.dev/widget.key" = var.homepage_token
"gethomepage.dev/widget.range" = "LastWeek"
"gethomepage.dev/widget.fields" = "[\"totalQueries\", \"totalCached\", \"totalBlocked\", \"totalRecursive\"]"
"gethomepage.dev/pod-selector" = ""
}
}
spec {
tls {
hosts = ["technitium.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "technitium.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "technitium-web"
port {
number = 5380
}
}
}
}
}
}
"gethomepage.dev/widget.range" = "LastWeek"
"gethomepage.dev/widget.fields" = "[\"totalQueries\", \"totalCached\", \"totalBlocked\", \"totalRecursive\"]"
"gethomepage.dev/pod-selector" = ""
}
}
resource "kubernetes_ingress_v1" "technitium-doh" {
metadata {
name = "technitium-doh-ingress"
namespace = "technitium"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["dns.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "dns.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "technitium-web"
port {
number = 80
}
}
}
}
}
}
}
module "ingress-doh" {
source = "../ingress_factory"
namespace = "technitium"
name = "technitium-doh"
tls_secret_name = var.tls_secret_name
host = "dns"
service_name = "technitium-web"
}
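Review bot: The `module "ingress"` call for the Technitium web console does not set `protected = true`, although the `kubernetes_ingress_v1.technitium` resource it replaces carried active `auth-url` and `auth-signin` annotations pointing at the authentik outpost. The other ingresses in this commit that had forward-auth (mail, netbox, redis, shlink) do pass `protected = true`, so unless `ingress_factory` (not shown here) protects by default, the DNS admin UI on port 5380 is left with only its own login. Add `protected = true` to this call. Separately, `module "ingress-doh"` passes no `port` while the old DoH ingress targeted port 80, and `gethomepage.dev/widget.key = var.homepage_token` still places an API token in a readable Ingress annotation; confirm the factory's default port and scope that token as narrowly as the widget allows.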


@ -105,35 +105,10 @@ resource "kubernetes_service" "travel-blog" {
}
}
resource "kubernetes_ingress_v1" "travel-blog" {
metadata {
name = "travel-blog-ingress"
namespace = "travel-blog"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
}
}
spec {
tls {
hosts = ["travel.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "travel.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "travel-blog"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "travel-blog"
name = "travel"
tls_secret_name = var.tls_secret_name
service_name = "travel-blog"
}


@ -89,49 +89,22 @@ resource "kubernetes_service" "uptime-kuma" {
}
}
}
resource "kubernetes_ingress_v1" "uptime-kuma" {
metadata {
name = "uptime-kuma"
namespace = "uptime-kuma"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
"nginx.ingress.kubernetes.io/affinity-mode" = "persistent"
"nginx.ingress.kubernetes.io/session-cookie-name" = "_sa_nginx"
"nginx.org/websocket-services" = "uptime-kuma"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Uptime monitor"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "uptime-kuma.png"
"gethomepage.dev/name" = "Uptime Kuma"
"gethomepage.dev/widget.type" = "uptimekuma"
"gethomepage.dev/widget.url" = "https://uptime.viktorbarzin.me"
"gethomepage.dev/widget.slug" = "cluster-internal"
"gethomepage.dev/pod-selector" = ""
}
}
spec {
tls {
hosts = ["uptime.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "uptime.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "uptime-kuma"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "uptime-kuma"
name = "uptime"
tls_secret_name = var.tls_secret_name
service_name = "uptime-kuma"
extra_annotations = {
"nginx.org/websocket-services" = "uptime-kuma"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Uptime monitor"
# gethomepage.dev/group: Media
"gethomepage.dev/icon" : "uptime-kuma.png"
"gethomepage.dev/name" = "Uptime Kuma"
"gethomepage.dev/widget.type" = "uptimekuma"
"gethomepage.dev/widget.url" = "https://uptime.viktorbarzin.me"
"gethomepage.dev/widget.slug" = "cluster-internal"
"gethomepage.dev/pod-selector" = ""
}
}


@ -170,45 +170,23 @@ resource "kubernetes_service" "shlink" {
}
}
resource "kubernetes_ingress_v1" "shlink" {
metadata {
name = "shlink-ingress"
namespace = "url"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/configuration-snippet" : <<-EOF
module "ingress" {
source = "../ingress_factory"
namespace = "url"
name = "url"
service_name = "shlink"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"nginx.ingress.kubernetes.io/configuration-snippet" : <<-EOF
more_set_headers "Host: $host";
more_set_headers "X-Real-IP: $remote_addr";
more_set_headers "X-Forwarded-For: $proxy_add_x_forwarded_for";
more_set_headers "X-Forwarded-Proto: $scheme";
EOF
}
}
spec {
tls {
hosts = ["url.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "url.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "shlink"
port {
number = 80
}
}
}
}
}
}
}
}
# Shlink web client
resource "kubernetes_config_map" "shlink-web" {
@ -309,39 +287,11 @@ resource "kubernetes_service" "shlink-web" {
}
}
resource "kubernetes_ingress_v1" "shlink-web" {
metadata {
name = "shlink-web-ingress"
namespace = "url"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
# "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
# "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
"nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
"nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["shlink.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "shlink.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "shlink-web"
port {
number = 80
}
}
}
}
}
}
}
module "ingress-web" {
source = "../ingress_factory"
namespace = "url"
name = "shlink"
service_name = "shlink-web"
tls_secret_name = var.tls_secret_name
protected = true
}
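Review bot: The `configuration-snippet` kept in the `extra_annotations` of `module "ingress"` uses `more_set_headers`, which sets response headers, so `X-Real-IP` and `X-Forwarded-For` are returned to the client rather than forwarded to shlink. ingress-nginx already passes Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto to the backend by default, so the snippet looks redundant and could be removed. Removing it would also mean this ingress no longer depends on snippet annotations being allowed on the controller, a setting worth keeping off because it lets an Ingress author inject raw nginx configuration. If request headers were the intent, the directive for that is `proxy_set_header`.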


@ -122,40 +122,9 @@ resource "kubernetes_service" "vaultwarden" {
}
}
resource "kubernetes_ingress_v1" "vaultwarden" {
metadata {
name = "vaultwarden"
namespace = "vaultwarden"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
# "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
# "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["vaultwarden.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "vaultwarden.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "vaultwarden"
port {
number = 80
}
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "vaultwarden"
name = "vaultwarden"
tls_secret_name = var.tls_secret_name
}


@ -115,42 +115,14 @@ resource "kubernetes_service" "ytdlp" {
}
}
}
resource "kubernetes_ingress_v1" "ytdlp" {
metadata {
name = "ytdlp-ingress"
namespace = "ytdlp"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/affinity" = "cookie"
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
# "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
# "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret"
# "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
# "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
}
}
spec {
tls {
hosts = ["yt.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "yt.viktorbarzin.me"
http {
path {
path = "/"
backend {
service {
name = "ytdlp"
port {
number = 80
}
}
}
}
}
}
module "ingress" {
source = "../ingress_factory"
namespace = "ytdlp"
name = "ytdlp"
tls_secret_name = var.tls_secret_name
host = "yt"
extra_annotations = {
"nginx.ingress.kubernetes.io/client-max-body-size" : "0"
"nginx.ingress.kubernetes.io/proxy-body-size" : "0",
}
}

Binary file not shown.

Binary file not shown.