add tier to all deployments [ci skip]

modules/kubernetes/reverse_proxy/factory/main.tf

@@ -37,6 +37,10 @@ variable "rybbit_site_id" {
   default = null
   type    = string
 }
+variable "additional_configuration_snippet" {
+  default = ""
+  type    = string
+}
 
 
 resource "kubernetes_service" "proxied-service" {
@@ -90,6 +94,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
       "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
         limit_req_status 429;
         limit_conn_status 429;
+        ${var.additional_configuration_snippet}
         ${var.rybbit_site_id != null ? <<-JS
           # Rybbit Analytics
           # Only modify HTML

modules/kubernetes/reverse_proxy/main.tf

@@ -96,6 +96,23 @@ module "tp-link-gateway" {
   backend_protocol = "HTTPS"
   depends_on       = [kubernetes_namespace.reverse-proxy]
   protected        = true
+  # Doesn't work due to 413 due to GA/authentik cookie
+  #   additional_configuration_snippet = <<-EOF
+  #       # 1. Try to extract the sysauth cookie and its value
+  #       # This regex looks for 'sysauth=' followed by everything until a semicolon or end of string
+  #       set $sysauth_only "";
+  #       if ($http_cookie ~* "sysauth=([^;]+)") {
+  #           set $sysauth_only "sysauth=$1";
+  #       }
+
+  #       # 2. Overwrite the Cookie header. 
+  #       # If sysauth was found, only it is sent. If not found, no cookies are sent.
+  #       proxy_set_header Cookie $sysauth_only;
+  # EOF
+  #   extra_annotations = {
+  #     client-header-buffer-size : "16k"
+  #     large-client-header-buffers : "4 16k"
+  #   }
 }
 
 # https://truenas.viktorbarzin.me/