Add custom error pages and Nginx configuration for proxy module
- Introduced custom HTML error pages for various HTTP status codes (400, 401, 403, 404, 408, 429, 500, 502, 503, 504) in the proxy module. - Created a .gitignore file to exclude non-HTML files in the error resources directory. - Updated Nginx configuration to serve custom error pages for upstream errors. - Added new Nginx configuration templates for handling HTTP and stream protocols. - Implemented Wireguard configuration templates and associated variables for secure connections. - Established Kubernetes resources for Stunnel and Wireguard, including deployment, service accounts, and config maps. - Defined variables for the Stunnel and Wireguard modules to facilitate configuration. - Created a new Wol Proxy module with Kubernetes resources for deployment and service management.
This commit is contained in:
@@ -0,0 +1,4 @@
|
||||
locals {
|
||||
app_version = var.tag
|
||||
monitoring_folder = "${var.persistent_folder}/grafana"
|
||||
}
|
||||
@@ -0,0 +1,136 @@
|
||||
resource "kubernetes_deployment" "grafana" {
|
||||
|
||||
metadata {
|
||||
name = "grafana"
|
||||
namespace = kubernetes_namespace.grafana.metadata[0].name
|
||||
labels = {
|
||||
app = "grafana"
|
||||
}
|
||||
}
|
||||
spec {
|
||||
selector {
|
||||
match_labels = {
|
||||
app = "grafana"
|
||||
}
|
||||
}
|
||||
template {
|
||||
metadata {
|
||||
labels = {
|
||||
app = "grafana"
|
||||
}
|
||||
}
|
||||
spec {
|
||||
container {
|
||||
name = "grafana"
|
||||
image = "grafana/grafana:${local.app_version}"
|
||||
image_pull_policy = "IfNotPresent"
|
||||
security_context {
|
||||
run_as_user = 1000
|
||||
run_as_non_root = true
|
||||
privileged = false
|
||||
allow_privilege_escalation = false
|
||||
}
|
||||
port {
|
||||
name = "http-grafana"
|
||||
container_port = 3000
|
||||
protocol = "TCP"
|
||||
}
|
||||
readiness_probe {
|
||||
http_get {
|
||||
path = "/robots.txt"
|
||||
port = 3000
|
||||
scheme = "HTTP"
|
||||
}
|
||||
failure_threshold = 3
|
||||
initial_delay_seconds = 10
|
||||
period_seconds = 30
|
||||
success_threshold = 1
|
||||
timeout_seconds = 2
|
||||
}
|
||||
liveness_probe {
|
||||
tcp_socket {
|
||||
port = 3000
|
||||
}
|
||||
failure_threshold = 3
|
||||
initial_delay_seconds = 30
|
||||
period_seconds = 10
|
||||
success_threshold = 1
|
||||
timeout_seconds = 1
|
||||
}
|
||||
resources {
|
||||
requests = {
|
||||
cpu = "250m"
|
||||
memory = "750Mi"
|
||||
}
|
||||
}
|
||||
volume_mount {
|
||||
name = "grafana-pv"
|
||||
mount_path = "/var/lib/grafana"
|
||||
}
|
||||
}
|
||||
volume {
|
||||
name = "grafana-pv"
|
||||
host_path {
|
||||
path = local.monitoring_folder
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_service" "grafana" {
|
||||
|
||||
metadata {
|
||||
name = "grafana"
|
||||
namespace = kubernetes_namespace.grafana.metadata[0].name
|
||||
}
|
||||
spec {
|
||||
selector = {
|
||||
app = "grafana"
|
||||
}
|
||||
port {
|
||||
port = 3000
|
||||
protocol = "TCP"
|
||||
target_port = "http-grafana"
|
||||
}
|
||||
session_affinity = "None"
|
||||
type = "ClusterIP"
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_ingress_v1" "grafana" {
|
||||
|
||||
metadata {
|
||||
name = "ingress"
|
||||
namespace = kubernetes_namespace.grafana.metadata[0].name
|
||||
|
||||
annotations = {
|
||||
"kubernetes.io/ingress.class" = "public"
|
||||
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
|
||||
"kubernetes.io/tls-acme" = "true"
|
||||
"nginx.ingress.kubernetes.io/ssl-redirect" = "true"
|
||||
}
|
||||
}
|
||||
spec {
|
||||
tls {
|
||||
hosts = [var.fqdn]
|
||||
secret_name = "grafana-tls"
|
||||
}
|
||||
rule {
|
||||
host = var.fqdn
|
||||
http {
|
||||
path {
|
||||
backend {
|
||||
service {
|
||||
name = kubernetes_service.grafana.metadata[0].name
|
||||
port {
|
||||
number = 3000
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
resource "kubernetes_namespace" "grafana" {
|
||||
metadata {
|
||||
name = "grafana"
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,38 @@
|
||||
global:
|
||||
scrape_interval: 5s
|
||||
evaluation_interval: 5s
|
||||
rule_files:
|
||||
- /etc/prometheus/prometheus.rules
|
||||
scrape_configs:
|
||||
- job_name: kubernetes-nodes-cadvisor
|
||||
scrape_interval: 10s
|
||||
scrape_timeout: 10s
|
||||
scheme: https # remove if you want to scrape metrics on insecure port
|
||||
tls_config:
|
||||
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
insecure_skip_verify: true
|
||||
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
kubernetes_sd_configs:
|
||||
- role: node
|
||||
relabel_configs:
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_node_label_(.+)
|
||||
# Only for Kubernetes ^1.7.3.
|
||||
# See: https://github.com/prometheus/prometheus/issues/2916
|
||||
- target_label: __address__
|
||||
replacement: kubernetes.default.svc:443
|
||||
- source_labels: [__meta_kubernetes_node_name]
|
||||
regex: (.+)
|
||||
target_label: __metrics_path__
|
||||
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
|
||||
metric_relabel_configs:
|
||||
- action: replace
|
||||
source_labels: [id]
|
||||
regex: '^/machine\.slice/machine-rkt\\x2d([^\\]+)\\.+/([^/]+)\.service$'
|
||||
target_label: rkt_container_name
|
||||
replacement: "${2}-${1}"
|
||||
- action: replace
|
||||
source_labels: [id]
|
||||
regex: '^/system\.slice/(.+)\.service$'
|
||||
target_label: systemd_service_name
|
||||
replacement: "${1}"
|
||||
@@ -0,0 +1,126 @@
|
||||
global:
|
||||
scrape_interval: 5s
|
||||
evaluation_interval: 5s
|
||||
rule_files:
|
||||
- /etc/prometheus/prometheus.rules
|
||||
alerting:
|
||||
alertmanagers:
|
||||
- scheme: http
|
||||
static_configs:
|
||||
- targets:
|
||||
- "alertmanager.monitoring.svc:9093"
|
||||
scrape_configs:
|
||||
- job_name: "node-exporter"
|
||||
kubernetes_sd_configs:
|
||||
- role: endpoints
|
||||
relabel_configs:
|
||||
- source_labels: [__meta_kubernetes_endpoints_name]
|
||||
regex: "node-exporter"
|
||||
action: keep
|
||||
- job_name: "kubernetes-apiservers"
|
||||
kubernetes_sd_configs:
|
||||
- role: endpoints
|
||||
scheme: https
|
||||
tls_config:
|
||||
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
relabel_configs:
|
||||
- source_labels:
|
||||
[
|
||||
__meta_kubernetes_namespace,
|
||||
__meta_kubernetes_service_name,
|
||||
__meta_kubernetes_endpoint_port_name,
|
||||
]
|
||||
action: keep
|
||||
regex: default;kubernetes;https
|
||||
- job_name: "kubernetes-nodes"
|
||||
scheme: https
|
||||
tls_config:
|
||||
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
kubernetes_sd_configs:
|
||||
- role: node
|
||||
relabel_configs:
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_node_label_(.+)
|
||||
- target_label: __address__
|
||||
replacement: kubernetes.default.svc:443
|
||||
- source_labels: [__meta_kubernetes_node_name]
|
||||
regex: (.+)
|
||||
target_label: __metrics_path__
|
||||
replacement: /api/v1/nodes/$${1}/proxy/metrics
|
||||
- job_name: "kubernetes-pods"
|
||||
kubernetes_sd_configs:
|
||||
- role: pod
|
||||
relabel_configs:
|
||||
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
|
||||
action: keep
|
||||
regex: true
|
||||
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
|
||||
action: replace
|
||||
target_label: __metrics_path__
|
||||
regex: (.+)
|
||||
- source_labels:
|
||||
[__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
|
||||
action: replace
|
||||
regex: ([^:]+)(?::\d+)?;(\d+)
|
||||
replacement: $1:$2
|
||||
target_label: __address__
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_pod_label_(.+)
|
||||
- source_labels: [__meta_kubernetes_namespace]
|
||||
action: replace
|
||||
target_label: kubernetes_namespace
|
||||
- source_labels: [__meta_kubernetes_pod_name]
|
||||
action: replace
|
||||
target_label: kubernetes_pod_name
|
||||
- job_name: "kube-state-metrics"
|
||||
static_configs:
|
||||
- targets: ["kube-state-metrics.kube-system.svc.cluster.local:8080"]
|
||||
- job_name: "kubernetes-cadvisor"
|
||||
scheme: https
|
||||
tls_config:
|
||||
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
kubernetes_sd_configs:
|
||||
- role: node
|
||||
relabel_configs:
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_node_label_(.+)
|
||||
- target_label: __address__
|
||||
replacement: kubernetes.default.svc:443
|
||||
- source_labels: [__meta_kubernetes_node_name]
|
||||
regex: (.+)
|
||||
target_label: __metrics_path__
|
||||
replacement: /api/v1/nodes/$${1}/proxy/metrics/cadvisor
|
||||
- job_name: "kubernetes-service-endpoints"
|
||||
kubernetes_sd_configs:
|
||||
- role: endpoints
|
||||
relabel_configs:
|
||||
- source_labels:
|
||||
[__meta_kubernetes_service_annotation_prometheus_io_scrape]
|
||||
action: keep
|
||||
regex: true
|
||||
- source_labels:
|
||||
[__meta_kubernetes_service_annotation_prometheus_io_scheme]
|
||||
action: replace
|
||||
target_label: __scheme__
|
||||
regex: (https?)
|
||||
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
|
||||
action: replace
|
||||
target_label: __metrics_path__
|
||||
regex: (.+)
|
||||
- source_labels:
|
||||
[__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
|
||||
action: replace
|
||||
target_label: __address__
|
||||
regex: ([^:]+)(?::\d+)?;(\d+)
|
||||
replacement: $1:$2
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_service_label_(.+)
|
||||
- source_labels: [__meta_kubernetes_namespace]
|
||||
action: replace
|
||||
target_label: kubernetes_namespace
|
||||
- source_labels: [__meta_kubernetes_service_name]
|
||||
action: replace
|
||||
target_label: kubernetes_name
|
||||
@@ -0,0 +1,22 @@
|
||||
variable "fqdn" {
|
||||
description = "The fully qualified domain name for the app server"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "issuer" {
|
||||
description = "The issuer for the certificate"
|
||||
type = string
|
||||
default = "internal-ca"
|
||||
}
|
||||
|
||||
variable "tag" {
|
||||
description = "Grafana image tag"
|
||||
type = string
|
||||
default = "latest"
|
||||
}
|
||||
|
||||
variable "persistent_folder" {
|
||||
description = "The path to the persistent folder"
|
||||
type = string
|
||||
}
|
||||
@@ -59,7 +59,7 @@ resource "kubernetes_deployment" "dovecot" {
|
||||
}
|
||||
}
|
||||
strategy {
|
||||
type = "RollingUpdate"
|
||||
type = var.dovecot_use_host_networking ? "Recreate" : "RollingUpdate"
|
||||
}
|
||||
template {
|
||||
metadata {
|
||||
@@ -81,6 +81,7 @@ resource "kubernetes_deployment" "dovecot" {
|
||||
image = "dovecot/dovecot:${var.dovecot_tag}"
|
||||
port {
|
||||
container_port = 31993
|
||||
host_port = var.dovecot_use_host_networking ? 993 : null
|
||||
}
|
||||
port {
|
||||
name = "lmtp"
|
||||
@@ -118,6 +119,19 @@ resource "kubernetes_deployment" "dovecot" {
|
||||
mount_path = "/etc/mail-crypt"
|
||||
read_only = true
|
||||
}
|
||||
volume_mount {
|
||||
name = "dovecot-logs"
|
||||
mount_path = "/var/log/dovecot"
|
||||
read_only = false
|
||||
}
|
||||
volume_mount {
|
||||
name = "tmp"
|
||||
mount_path = "/tmp"
|
||||
}
|
||||
volume_mount {
|
||||
name = "dovecot-run"
|
||||
mount_path = "/var/run/dovecot"
|
||||
}
|
||||
}
|
||||
container {
|
||||
name = "stunnel"
|
||||
@@ -194,6 +208,20 @@ resource "kubernetes_deployment" "dovecot" {
|
||||
}
|
||||
}
|
||||
}
|
||||
volume {
|
||||
name = "dovecot-logs"
|
||||
host_path {
|
||||
path = "/var/log/dovecot"
|
||||
}
|
||||
}
|
||||
volume {
|
||||
name = "tmp"
|
||||
empty_dir {}
|
||||
}
|
||||
volume {
|
||||
name = "dovecot-run"
|
||||
empty_dir {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -245,8 +273,7 @@ resource "kubernetes_service" "dovecot_lmtp" {
|
||||
port = 31024
|
||||
target_port = 31024
|
||||
}
|
||||
type = "ClusterIP"
|
||||
cluster_ip = "None"
|
||||
type = "ClusterIP"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -265,7 +292,6 @@ resource "kubernetes_service" "dovecot_auth" {
|
||||
port = 31000
|
||||
target_port = 31000
|
||||
}
|
||||
type = "ClusterIP"
|
||||
cluster_ip = "None"
|
||||
type = "ClusterIP"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36,7 +36,7 @@ resource "kubernetes_deployment" "postfix" {
|
||||
}
|
||||
}
|
||||
strategy {
|
||||
type = "RollingUpdate"
|
||||
type = "Recreate"
|
||||
}
|
||||
template {
|
||||
metadata {
|
||||
@@ -56,6 +56,7 @@ resource "kubernetes_deployment" "postfix" {
|
||||
image = "tozd/postfix:${var.postfix_tag}"
|
||||
port {
|
||||
container_port = 465
|
||||
host_port = var.postfix_use_host_networking ? 465 : null
|
||||
}
|
||||
dynamic "env" {
|
||||
for_each = local.postfix_env_vars
|
||||
@@ -189,8 +190,7 @@ resource "kubernetes_service" "postfix" {
|
||||
target_port = 465
|
||||
}
|
||||
|
||||
type = "ClusterIP"
|
||||
cluster_ip = "None"
|
||||
type = "ClusterIP"
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
|
||||
@@ -71,8 +71,6 @@ mail_attribute {
|
||||
}
|
||||
}
|
||||
|
||||
log_path = /dev/stdout
|
||||
|
||||
imap_hibernate_timeout = 5s
|
||||
|
||||
mail_plugins {
|
||||
@@ -242,9 +240,10 @@ crypt_global_private_key main {
|
||||
}
|
||||
crypt_global_public_key_file = /etc/mail-crypt/ecpubkey.pem
|
||||
|
||||
log_path = /dev/stdout
|
||||
info_log_path = /dev/stdout
|
||||
debug_log_path = /dev/stdout
|
||||
|
||||
log_path = /var/log/dovecot/default.log
|
||||
info_log_path = /var/log/dovecot/info.log
|
||||
debug_log_path = /var/log/dovecot/debug.log
|
||||
|
||||
# Enable verbose logging
|
||||
# auth_verbose = yes
|
||||
|
||||
@@ -39,7 +39,7 @@ postconf -e "smtpd_sasl_type=dovecot"
|
||||
postconf -e "smtpd_sasl_path=inet:localhost:31000"
|
||||
postconf -e "smtpd_sasl_auth_enable=yes"
|
||||
postconf -e "smtpd_sasl_security_options=noanonymous"
|
||||
postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject"
|
||||
postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject_unauth_destination"
|
||||
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
|
||||
postconf -e "smtpd_sasl_authenticated_header=yes"
|
||||
postconf -e "smtpd_tls_wrappermode=yes"
|
||||
@@ -68,7 +68,8 @@ smtps inet n - n - - smtpd
|
||||
-o syslog_name=postfix/smtps
|
||||
-o smtpd_tls_wrappermode=yes
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
|
||||
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
|
||||
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
|
||||
" | sudo tee -a /etc/postfix/master.cf
|
||||
|
||||
/usr/sbin/postfix -c /etc/postfix start
|
||||
|
||||
@@ -92,3 +92,15 @@ variable "ca_pem" {
|
||||
type = string
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
variable "postfix_use_host_networking" {
|
||||
description = "Whether to use host networking for the Postfix container"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "dovecot_use_host_networking" {
|
||||
description = "Whether to use host networking for the Dovecot container"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
@@ -1,74 +0,0 @@
|
||||
locals {
|
||||
wireguard_version = "1.0.20210914-r4-ls54"
|
||||
wireguard_config = try(templatefile("${path.module}/resources/wireguard/wireguard.conf.tpl", {
|
||||
wireguard_private_key = var.wireguard_config.private_key
|
||||
wireguard_public_key = var.wireguard_config.public_key
|
||||
wireguard_pre_shared_key = var.wireguard_config.pre_shared_key
|
||||
wireguard_address = var.wireguard_config.address
|
||||
wireguard_dns = var.wireguard_config.dns
|
||||
wireguard_allowed_ips = join(", ", var.wireguard_config.allowed_ips)
|
||||
wireguard_endpoint = "${var.wireguard_config.endpoint}:${var.wireguard_config.endpoint_port}"
|
||||
}), "null")
|
||||
wireguard_config_checksum = nonsensitive(sha256(local.wireguard_config))
|
||||
|
||||
default_headers = {
|
||||
"Host" : "$host",
|
||||
"X-Real-IP" : "$remote_addr",
|
||||
"X-Forwarded-For" : "$proxy_add_x_forwarded_for",
|
||||
"X-Forwarded-Proto" : "$scheme",
|
||||
"X-Forwarded-Host" : "$host",
|
||||
"X-Forwarded-Port" : "$server_port",
|
||||
}
|
||||
nginx_config = file("${path.module}/resources/nginx/nginx.conf")
|
||||
nginx_config_checksum = sha256(local.nginx_config)
|
||||
|
||||
services_config = {
|
||||
for k, v in var.services : "${k}.conf" => coalesce(v.config, templatefile("${path.module}/resources/nginx/conf.d/default.conf.tpl", {
|
||||
errors = local.error_codes
|
||||
http_port = v.http_port
|
||||
https_port = v.https_port
|
||||
upstream = v.upstream
|
||||
resolver = v.resolver
|
||||
ingress = v.ingress
|
||||
service_http_port = v.service_http_port
|
||||
service_https_port = v.service_https_port
|
||||
tls = v.tls
|
||||
fqdn = length(v.fqdn) > 0 ? join(" ", v.fqdn) : k
|
||||
auth = length([for l in v.locations : true if l.private]) > 0
|
||||
locations = [for l in v.locations : {
|
||||
path = l.path
|
||||
headers = merge(l.headers, coalesce(v.default_headers, local.default_headers))
|
||||
private = l.private
|
||||
upstream = l.upstream
|
||||
resolver = l.resolver
|
||||
rewrite = l.rewrite
|
||||
}]
|
||||
custom_snippet = v.custom_snippet
|
||||
}))
|
||||
}
|
||||
services_config_checksum = sha256(jsonencode(local.services_config))
|
||||
|
||||
streams_config = {
|
||||
for k, v in var.streams : "${k}.conf" => templatefile("${path.module}/resources/nginx/streams.d/stream.conf.tpl", {
|
||||
name = k
|
||||
port = v.port
|
||||
upstream = v.upstream
|
||||
custom_snippet = v.custom_snippet
|
||||
upstream_port = coalesce(v.upstream_port, v.port)
|
||||
resolver = v.resolver
|
||||
protocol = upper(v.protocol)
|
||||
})
|
||||
}
|
||||
streams_config_checksum = sha256(jsonencode(local.streams_config))
|
||||
|
||||
auth_script = file("${path.module}/resources/auth/auth_server.py")
|
||||
auth_script_checksum = sha256(local.auth_script)
|
||||
|
||||
error_codes = [for f in fileset("${path.module}/resources/errors", "*.html") : split(".", f)[0]]
|
||||
errors_pages = {
|
||||
for f in local.error_codes :
|
||||
"${f}.html" => file("${path.module}/resources/errors/${f}.html")
|
||||
}
|
||||
errors_pages_checksum = sha256(jsonencode(local.errors_pages))
|
||||
}
|
||||
|
||||
@@ -1,537 +0,0 @@
|
||||
resource "kubernetes_namespace" "reverse_proxy" {
|
||||
metadata {
|
||||
annotations = {
|
||||
name = "reverse-proxy"
|
||||
}
|
||||
|
||||
labels = {
|
||||
name = "reverse-proxy"
|
||||
}
|
||||
|
||||
name = "reverse-proxy"
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_service_account" "reverse-proxy_service_account" {
|
||||
|
||||
metadata {
|
||||
name = "reverse-proxy-app-sa"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
automount_service_account_token = false
|
||||
}
|
||||
|
||||
resource "kubernetes_service" "services" {
|
||||
for_each = var.services
|
||||
metadata {
|
||||
name = format("%s", replace(each.key, ".", "-"))
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
spec {
|
||||
port {
|
||||
name = "http"
|
||||
port = each.value.service_http_port
|
||||
target_port = substr(format("http-%s", replace(each.key, ".", "-")), 0, 15)
|
||||
}
|
||||
dynamic "port" {
|
||||
for_each = each.value.tls ? [1] : []
|
||||
content {
|
||||
name = "https"
|
||||
port = each.value.service_https_port
|
||||
target_port = substr(format("https-%s", replace(each.key, ".", "-")), 0, 15)
|
||||
}
|
||||
}
|
||||
selector = {
|
||||
app = "reverse-proxy"
|
||||
}
|
||||
|
||||
type = "ClusterIP"
|
||||
cluster_ip = "None"
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_manifest" "internal_cert" {
|
||||
|
||||
manifest = {
|
||||
apiVersion = "cert-manager.io/v1"
|
||||
kind = "Certificate"
|
||||
metadata = {
|
||||
name = "internal-cert"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
spec = {
|
||||
secretName = "internal-cert"
|
||||
issuerRef = {
|
||||
name = var.issuer_name
|
||||
kind = "ClusterIssuer"
|
||||
}
|
||||
commonName = "reverse-proxy.internal"
|
||||
dnsNames = flatten([for _, v in var.services : v.fqdn if v.tls == true])
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_config_map" "wireguard_config" {
|
||||
count = local.wireguard_config != "null" ? 1 : 0
|
||||
metadata {
|
||||
name = "wireguard-config"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
data = {
|
||||
"wireguard.conf" = local.wireguard_config
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_config_map" "nginx_config" {
|
||||
metadata {
|
||||
name = "nginx-config"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
data = {
|
||||
"nginx.conf" = local.nginx_config
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_config_map" "nginx_default_config" {
|
||||
metadata {
|
||||
name = "nginx-default-config"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
data = local.services_config
|
||||
}
|
||||
|
||||
resource "kubernetes_config_map" "nginx_streams_config" {
|
||||
metadata {
|
||||
name = "nginx-streams-config"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
data = local.streams_config
|
||||
}
|
||||
|
||||
resource "kubernetes_config_map" "nginx_custom_50x_page" {
|
||||
|
||||
metadata {
|
||||
name = "nginx-errors"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
data = {
|
||||
for k, v in local.errors_pages : k => v
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
resource "kubernetes_config_map" "auth_script" {
|
||||
metadata {
|
||||
name = "auth-script"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
data = {
|
||||
"auth_server.py" = local.auth_script
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_ingress_v1" "ingress" {
|
||||
for_each = { for k, v in var.services : k => v if lookup(v, "ingress", true) && length(v.fqdn) > 0 }
|
||||
metadata {
|
||||
name = format("%s", replace(each.key, ".", "-"))
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
|
||||
annotations = merge({
|
||||
"kubernetes.io/ingress.class" = "public"
|
||||
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
|
||||
},
|
||||
each.value.custom_ingress_annotations,
|
||||
each.value.tls ? {
|
||||
"nginx.org/ssl-services" = format("%s", replace(each.key, ".", "-"))
|
||||
"nginx.org/ssl-redirect" = "true"
|
||||
"nginx.org/redirect-to-https" = "true"
|
||||
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
|
||||
} : {}
|
||||
)
|
||||
}
|
||||
spec {
|
||||
tls {
|
||||
hosts = each.value.fqdn
|
||||
secret_name = format("reverse-proxy-%s-tls", replace(each.key, ".", "-"))
|
||||
}
|
||||
dynamic "rule" {
|
||||
for_each = each.value.fqdn
|
||||
content {
|
||||
host = rule.value
|
||||
http {
|
||||
path {
|
||||
backend {
|
||||
service {
|
||||
name = format("%s", replace(each.key, ".", "-"))
|
||||
port {
|
||||
name = each.value.tls ? "https" : "http"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_secret" "auth_token" {
|
||||
count = var.auth_token != "" ? 1 : 0
|
||||
metadata {
|
||||
name = "auth-token-secret"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
}
|
||||
|
||||
data = {
|
||||
token = var.auth_token
|
||||
}
|
||||
|
||||
type = "Opaque"
|
||||
}
|
||||
|
||||
resource "kubernetes_deployment" "reverse_proxy" {
|
||||
|
||||
metadata {
|
||||
name = "reverse-proxy"
|
||||
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
|
||||
|
||||
annotations = {
|
||||
"security.alpha.kubernetes.io/unsafe-sysctls" = "net.ipv4.conf.all.src_valid_mark=1"
|
||||
}
|
||||
}
|
||||
|
||||
spec {
|
||||
replicas = 1
|
||||
|
||||
selector {
|
||||
match_labels = {
|
||||
app = "reverse-proxy"
|
||||
}
|
||||
}
|
||||
|
||||
strategy {
|
||||
type = "Recreate"
|
||||
}
|
||||
|
||||
template {
|
||||
metadata {
|
||||
labels = {
|
||||
app = "reverse-proxy"
|
||||
}
|
||||
annotations = {
|
||||
"checksum/nginx" = local.nginx_config_checksum
|
||||
"checksum/services" = local.services_config_checksum
|
||||
"checksum/wireguard" = local.wireguard_config_checksum
|
||||
"checksum/auth_server" = local.auth_script_checksum
|
||||
"checksum/custom_50x" = local.errors_pages_checksum
|
||||
"checksum/streams" = local.streams_config_checksum
|
||||
}
|
||||
}
|
||||
spec {
|
||||
dynamic "container" {
|
||||
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
|
||||
content {
|
||||
|
||||
name = "wireguard"
|
||||
image = "linuxserver/wireguard:${local.wireguard_version}"
|
||||
|
||||
resources {
|
||||
requests = {
|
||||
memory = "64Mi"
|
||||
}
|
||||
}
|
||||
|
||||
liveness_probe {
|
||||
exec {
|
||||
command = [
|
||||
"/bin/sh",
|
||||
"-c",
|
||||
"wg show | grep -q transfer"
|
||||
]
|
||||
}
|
||||
initial_delay_seconds = 90
|
||||
period_seconds = 90
|
||||
}
|
||||
|
||||
security_context {
|
||||
privileged = true
|
||||
capabilities {
|
||||
add = ["NET_ADMIN"]
|
||||
}
|
||||
read_only_root_filesystem = true
|
||||
}
|
||||
|
||||
env {
|
||||
name = "PUID"
|
||||
value = "1000"
|
||||
}
|
||||
|
||||
env {
|
||||
name = "PGID"
|
||||
value = "1000"
|
||||
}
|
||||
|
||||
env {
|
||||
name = "TZ"
|
||||
value = "Europe/Berlin"
|
||||
}
|
||||
|
||||
volume_mount {
|
||||
name = "wireguard-config"
|
||||
mount_path = "/config/wg_confs"
|
||||
read_only = true
|
||||
}
|
||||
|
||||
volume_mount {
|
||||
name = "lib-modules"
|
||||
mount_path = "/lib/modules"
|
||||
read_only = true
|
||||
}
|
||||
|
||||
volume_mount {
|
||||
name = "wireguard-run"
|
||||
mount_path = "/run"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "container" {
|
||||
for_each = nonsensitive(var.auth_token) != "" ? [1] : []
|
||||
content {
|
||||
name = "auth-sidecar"
|
||||
image = "python:3.11-slim"
|
||||
|
||||
command = ["python", "/app/auth_server.py"]
|
||||
|
||||
env {
|
||||
name = "AUTH_TOKEN"
|
||||
value_from {
|
||||
secret_key_ref {
|
||||
name = kubernetes_secret.auth_token[0].metadata[0].name
|
||||
key = "token"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
volume_mount {
|
||||
name = "auth-script"
|
||||
mount_path = "/app"
|
||||
read_only = true
|
||||
}
|
||||
|
||||
port {
|
||||
container_port = 5000
|
||||
name = "auth"
|
||||
}
|
||||
|
||||
security_context {
|
||||
read_only_root_filesystem = true
|
||||
run_as_group = 1000
|
||||
run_as_user = 1000
|
||||
allow_privilege_escalation = false
|
||||
run_as_non_root = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
container {
|
||||
name = "reverse-proxy"
|
||||
image = "nginx:${var.tag}"
|
||||
image_pull_policy = "Always"
|
||||
|
||||
resources {
|
||||
requests = {
|
||||
memory = "100Mi"
|
||||
}
|
||||
}
|
||||
|
||||
security_context {
|
||||
allow_privilege_escalation = false
|
||||
read_only_root_filesystem = true
|
||||
}
|
||||
|
||||
readiness_probe {
|
||||
http_get {
|
||||
path = "/health"
|
||||
port = 8888
|
||||
}
|
||||
initial_delay_seconds = 5
|
||||
period_seconds = 10
|
||||
}
|
||||
|
||||
liveness_probe {
|
||||
http_get {
|
||||
path = "/health"
|
||||
port = 8888
|
||||
}
|
||||
initial_delay_seconds = 5
|
||||
period_seconds = 10
|
||||
failure_threshold = 10
|
||||
timeout_seconds = 5
|
||||
success_threshold = 1
|
||||
}
|
||||
|
||||
dynamic "port" {
|
||||
for_each = { for k, v in var.services : k => v.http_port }
|
||||
content {
|
||||
container_port = port.value
|
||||
name = substr(format("http-%s", replace(port.key, ".", "-")), 0, 15)
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "port" {
|
||||
for_each = { for k, v in var.services : k => v.https_port if v.tls }
|
||||
content {
|
||||
container_port = port.value
|
||||
name = substr(format("https-%s", replace(port.key, ".", "-")), 0, 15)
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "port" {
|
||||
for_each = var.streams
|
||||
content {
|
||||
container_port = port.value.port
|
||||
name = substr(format("stream-%s", replace(port.key, ".", "-")), 0, 15)
|
||||
host_port = port.value.port
|
||||
protocol = upper(port.value.protocol)
|
||||
}
|
||||
}
|
||||
volume_mount {
|
||||
name = "nginx"
|
||||
mount_path = "/etc/nginx/nginx.conf"
|
||||
sub_path = "nginx.conf"
|
||||
read_only = true
|
||||
}
|
||||
volume_mount {
|
||||
name = "services"
|
||||
mount_path = "/etc/nginx/conf.d/"
|
||||
read_only = true
|
||||
}
|
||||
volume_mount {
|
||||
name = "streams"
|
||||
mount_path = "/etc/nginx/streams.d/"
|
||||
read_only = true
|
||||
}
|
||||
volume_mount {
|
||||
name = "nginx-errors"
|
||||
mount_path = "/usr/share/nginx/html/errors"
|
||||
read_only = true
|
||||
}
|
||||
volume_mount {
|
||||
name = "nginx-tmp"
|
||||
mount_path = "/tmp"
|
||||
}
|
||||
dynamic "volume_mount" {
|
||||
for_each = length([for v in var.services : v.tls if v.tls == true]) > 0 ? [1] : []
|
||||
content {
|
||||
name = "tls"
|
||||
mount_path = "/etc/ssl/certs/private"
|
||||
read_only = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "volume" {
|
||||
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
|
||||
content {
|
||||
name = "wireguard-config"
|
||||
config_map {
|
||||
name = nonsensitive(kubernetes_config_map.wireguard_config[0].metadata[0].name)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "volume" {
|
||||
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
|
||||
content {
|
||||
name = "lib-modules"
|
||||
host_path {
|
||||
path = "/lib/modules"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "volume" {
|
||||
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
|
||||
content {
|
||||
name = "wireguard-run"
|
||||
empty_dir {
|
||||
medium = "Memory"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
volume {
|
||||
name = "auth-script"
|
||||
config_map {
|
||||
name = kubernetes_config_map.auth_script.metadata[0].name
|
||||
}
|
||||
}
|
||||
|
||||
volume {
|
||||
name = "nginx"
|
||||
config_map {
|
||||
name = kubernetes_config_map.nginx_config.metadata[0].name
|
||||
}
|
||||
}
|
||||
|
||||
volume {
|
||||
name = "services"
|
||||
config_map {
|
||||
name = kubernetes_config_map.nginx_default_config.metadata[0].name
|
||||
}
|
||||
}
|
||||
|
||||
volume {
|
||||
name = "streams"
|
||||
config_map {
|
||||
name = kubernetes_config_map.nginx_streams_config.metadata[0].name
|
||||
}
|
||||
}
|
||||
|
||||
volume {
|
||||
name = "nginx-errors"
|
||||
config_map {
|
||||
name = kubernetes_config_map.nginx_custom_50x_page.metadata[0].name
|
||||
}
|
||||
}
|
||||
|
||||
volume {
|
||||
name = "nginx-tmp"
|
||||
empty_dir {
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "volume" {
|
||||
for_each = length([for v in var.services : v.tls if v.tls == true]) > 0 ? [1] : []
|
||||
content {
|
||||
name = "tls"
|
||||
secret {
|
||||
secret_name = kubernetes_manifest.internal_cert.manifest["metadata"]["name"]
|
||||
items {
|
||||
key = "tls.crt"
|
||||
path = "tls.crt"
|
||||
}
|
||||
items {
|
||||
key = "tls.key"
|
||||
path = "tls.key"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [spec[0].template[0].metadata[0].annotations["kubectl.kubernetes.io/restartedAt"]]
|
||||
}
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
terraform {
|
||||
required_version = "~>1.8"
|
||||
required_providers {
|
||||
kubernetes = {
|
||||
source = "hashicorp/kubernetes"
|
||||
version = "2.36.0"
|
||||
}
|
||||
scaleway = {
|
||||
source = "scaleway/scaleway"
|
||||
version = "~>2.13"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,40 +0,0 @@
|
||||
import os
|
||||
import logging
|
||||
from http.server import BaseHTTPRequestHandler, HTTPServer
|
||||
|
||||
# Configure logging
|
||||
logging.basicConfig(
|
||||
level=logging.INFO,
|
||||
format="%(asctime)s [%(levelname)s] %(message)s"
|
||||
)
|
||||
|
||||
EXPECTED_TOKEN = os.getenv("AUTH_TOKEN", "")
|
||||
|
||||
class AuthHandler(BaseHTTPRequestHandler):
|
||||
def do_GET(self):
|
||||
auth = self.headers.get('Authorization')
|
||||
|
||||
# Log request info
|
||||
client_ip = self.client_address[0]
|
||||
logging.info(f"Auth request from {client_ip}")
|
||||
|
||||
if auth == f"Bearer {EXPECTED_TOKEN}":
|
||||
logging.info("Authentication successful")
|
||||
self.send_response(200)
|
||||
else:
|
||||
logging.warning("Authentication failed")
|
||||
self.send_response(401)
|
||||
self.end_headers()
|
||||
|
||||
def log_message(self, format, *args):
|
||||
# Suppress default BaseHTTPRequestHandler logging
|
||||
return
|
||||
|
||||
if __name__ == '__main__':
|
||||
if not EXPECTED_TOKEN:
|
||||
logging.error("AUTH_TOKEN environment variable not set. Exiting.")
|
||||
exit(1)
|
||||
|
||||
server = HTTPServer(('', 5000), AuthHandler)
|
||||
logging.info("Auth server running on port 5000...")
|
||||
server.serve_forever()
|
||||
@@ -1 +0,0 @@
|
||||
!*.html
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>400 - Bad Request</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">❌</div>
|
||||
<h1>400 - Bad Request</h1>
|
||||
<p>Oops! The server couldn't understand your request.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>401 - Unauthorized</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">🔒</div>
|
||||
<h1>401 - Unauthorized</h1>
|
||||
<p>You need to log in to access this resource.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>403 - Forbidden</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">🚫</div>
|
||||
<h1>403 - Forbidden</h1>
|
||||
<p>You don't have permission to view this page.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>404 - Page Not Found</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">🔍</div>
|
||||
<h1>404 - Page Not Found</h1>
|
||||
<p>We couldn't find the page you're looking for.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>408 - Request Timeout</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">⏳</div>
|
||||
<h1>408 - Request Timeout</h1>
|
||||
<p>The server took too long to respond. Try again later.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>429 - Too Many Requests</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">🚦</div>
|
||||
<h1>429 - Too Many Requests</h1>
|
||||
<p>You're making too many requests. Please slow down.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>500 - Internal Server Error</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">⚠️</div>
|
||||
<h1>500 - Internal Server Error</h1>
|
||||
<p>Something went wrong on our end. We're working on it.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>502 - Bad Gateway</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">🔌</div>
|
||||
<h1>502 - Bad Gateway</h1>
|
||||
<p>The server received an invalid response from upstream.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>503 - Service Unavailable</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">🛠️</div>
|
||||
<h1>503 - Service Unavailable</h1>
|
||||
<p>We're doing some maintenance. Please check back soon.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,40 +0,0 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<title>504 - Gateway Timeout</title>
|
||||
<style>
|
||||
* { box-sizing: border-box; }
|
||||
body {
|
||||
margin: 0;
|
||||
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
|
||||
background-color: #121212;
|
||||
color: #ffffff;
|
||||
display: flex;
|
||||
justify-content: center;
|
||||
align-items: center;
|
||||
height: 100vh;
|
||||
text-align: center;
|
||||
padding: 20px;
|
||||
}
|
||||
.container {
|
||||
max-width: 500px;
|
||||
}
|
||||
.icon {
|
||||
font-size: 80px;
|
||||
margin-bottom: 20px;
|
||||
color: #f39c12;
|
||||
}
|
||||
h1 { font-size: 2rem; margin-bottom: 10px; }
|
||||
p { font-size: 1rem; color: #cccccc; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<div class="icon">📡</div>
|
||||
<h1>504 - Gateway Timeout</h1>
|
||||
<p>The upstream server didn't respond in time.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,54 +0,0 @@
|
||||
server {
|
||||
listen ${http_port};
|
||||
%{ if tls ~}
|
||||
listen ${https_port} ssl;
|
||||
ssl_certificate /etc/ssl/certs/private/tls.crt;
|
||||
ssl_certificate_key /etc/ssl/certs/private/tls.key;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
%{ endif ~}
|
||||
server_name ${fqdn};
|
||||
# Custom error page for upstream errors
|
||||
%{ for e in errors ~}
|
||||
error_page ${e} /errors/${e}.html;
|
||||
location = /errors/${e}.html {
|
||||
root /usr/share/nginx/html;
|
||||
internal;
|
||||
}
|
||||
%{ endfor ~}
|
||||
%{ if custom_snippet != "" ~}
|
||||
${custom_snippet}
|
||||
%{ endif ~}
|
||||
%{ if auth ~}
|
||||
location = /auth {
|
||||
internal;
|
||||
proxy_pass http://localhost:5000/;
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header Authorization $http_authorization;
|
||||
}
|
||||
%{ endif }
|
||||
%{ for l in locations ~}
|
||||
location ${l.path} {
|
||||
%{ if l.resolver == "" ~}
|
||||
%{ if resolver != "" ~}
|
||||
resolver ${resolver};
|
||||
%{ endif ~}
|
||||
%{ else ~}
|
||||
resolver ${l.resolver};
|
||||
%{ endif ~}
|
||||
%{ if l.private ~}
|
||||
auth_request /auth<;
|
||||
%{ endif ~}
|
||||
set $upstream "%{ if l.upstream != "" ~}${l.upstream}%{ else ~}${upstream}%{ endif ~}";
|
||||
%{ if l.rewrite != "" ~}
|
||||
rewrite ${l.rewrite};
|
||||
%{ endif ~}
|
||||
proxy_pass $upstream;
|
||||
proxy_http_version 1.1;
|
||||
%{ for k,v in l.headers ~}
|
||||
proxy_set_header ${k} ${v};
|
||||
%{ endfor ~}
|
||||
proxy_intercept_errors on;
|
||||
}
|
||||
%{ endfor ~}
|
||||
}
|
||||
@@ -1,48 +0,0 @@
|
||||
worker_processes auto;
|
||||
|
||||
error_log /dev/stderr warn;
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
proxy_temp_path /tmp/proxy_temp;
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
client_max_body_size 10M;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /dev/stdout main;
|
||||
|
||||
sendfile on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
server {
|
||||
listen 8888;
|
||||
server_name _;
|
||||
location /health {
|
||||
access_log off;
|
||||
return 200 "OK";
|
||||
}
|
||||
}
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
|
||||
stream {
|
||||
include /etc/nginx/streams.d/*.conf;
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
upstream ${name} {
|
||||
%{ if resolver != "" ~}
|
||||
resolver ${resolver};
|
||||
%{ endif ~}
|
||||
server ${upstream}:${upstream_port};
|
||||
}
|
||||
server {
|
||||
listen %{ if protocol == "UDP" ~}${port} udp;%{ else ~}${port};%{ endif }
|
||||
%{ if custom_snippet != "" ~}
|
||||
${custom_snippet}
|
||||
%{ endif ~}
|
||||
proxy_pass ${name};
|
||||
}
|
||||
@@ -1,10 +0,0 @@
|
||||
[Interface]
|
||||
PrivateKey = ${wireguard_private_key}
|
||||
Address = ${wireguard_address}
|
||||
|
||||
[Peer]
|
||||
PublicKey = ${wireguard_public_key}
|
||||
PresharedKey = ${wireguard_pre_shared_key}
|
||||
AllowedIPs = ${wireguard_allowed_ips}
|
||||
Endpoint = ${wireguard_endpoint}
|
||||
PersistentKeepalive = 25
|
||||
@@ -1,75 +0,0 @@
|
||||
variable "tag" {
|
||||
description = "The version of the nginx server to install"
|
||||
type = string
|
||||
default = "stable-alpine"
|
||||
}
|
||||
|
||||
variable "wireguard_config" {
|
||||
description = "The Wireguard configuration file"
|
||||
type = object({
|
||||
private_key = string
|
||||
public_key = string
|
||||
pre_shared_key = string
|
||||
endpoint = string
|
||||
endpoint_port = number
|
||||
address = string
|
||||
dns = string
|
||||
allowed_ips = list(string)
|
||||
})
|
||||
default = null
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
variable "issuer_name" {
|
||||
description = "The name of the issuer to use for TLS certificates, internal certificates"
|
||||
type = string
|
||||
default = "internal-ca"
|
||||
}
|
||||
|
||||
variable "services" {
|
||||
description = "A list of services to be deployed"
|
||||
type = map(object({
|
||||
fqdn = optional(list(string), [])
|
||||
custom_ingress_annotations = optional(map(string), {})
|
||||
annotations = optional(map(string), {})
|
||||
upstream = optional(string, "")
|
||||
resolver = optional(string, "")
|
||||
default_headers = optional(map(string), {}),
|
||||
http_port = optional(number, 80)
|
||||
https_port = optional(number, 443)
|
||||
tls = optional(bool, false)
|
||||
ingress = optional(bool, true)
|
||||
service_http_port = optional(number, 80)
|
||||
service_https_port = optional(number, 443)
|
||||
locations = optional(list(object({
|
||||
path = string,
|
||||
headers = optional(map(string), {}),
|
||||
private = optional(bool, false),
|
||||
upstream = optional(string, ""),
|
||||
resolver = optional(string, "")
|
||||
rewrite = optional(string, "")
|
||||
})), [])
|
||||
custom_snippet = optional(string, "")
|
||||
config = optional(string, "")
|
||||
}))
|
||||
}
|
||||
|
||||
variable "auth_token" {
|
||||
description = "The authentication token to use for the reverse proxy"
|
||||
type = string
|
||||
sensitive = true
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "streams" {
|
||||
description = "A list of streams to be deployed"
|
||||
type = map(object({
|
||||
port = number
|
||||
upstream = string
|
||||
custom_snippet = optional(string, "")
|
||||
resolver = optional(string, "")
|
||||
upstream_port = optional(number, null)
|
||||
protocol = optional(string, "TCP")
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
@@ -46,8 +46,7 @@ resource "kubernetes_service" "website" {
|
||||
app = format("website-%s", replace(each.key, ".", "-"))
|
||||
}
|
||||
|
||||
type = "ClusterIP"
|
||||
cluster_ip = "None"
|
||||
type = "ClusterIP"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,34 +0,0 @@
|
||||
# resource "kubernetes_ingress_v1" "proxy" {
|
||||
# metadata {
|
||||
# name = "ingress"
|
||||
# namespace = kubernetes_namespace.proxy.metadata[0].name
|
||||
|
||||
# annotations = {
|
||||
# "kubernetes.io/ingress.class" = "public"
|
||||
# "cert-manager.io/cluster-issuer" = "letsencrypt-prod"
|
||||
# "kubernetes.io/tls-acme" = "true"
|
||||
# "nginx.ingress.kubernetes.io/ssl-redirect" = "true"
|
||||
# }
|
||||
# }
|
||||
# spec {
|
||||
# tls {
|
||||
# hosts = [var.fqdn]
|
||||
# secret_name = "proxy-tls"
|
||||
# }
|
||||
# rule {
|
||||
# host = var.fqdn
|
||||
# http {
|
||||
# path {
|
||||
# backend {
|
||||
# service {
|
||||
# name = "upstream"
|
||||
# port {
|
||||
# number = var.proxy_port
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
# }
|
||||
@@ -1,5 +0,0 @@
|
||||
resource "kubernetes_namespace" "proxy" {
|
||||
metadata {
|
||||
name = var.namespace
|
||||
}
|
||||
}
|
||||
@@ -1,123 +0,0 @@
|
||||
resource "kubernetes_service_account" "proxy" {
|
||||
|
||||
metadata {
|
||||
name = "wol-proxy-sa"
|
||||
namespace = kubernetes_namespace.proxy.metadata[0].name
|
||||
}
|
||||
|
||||
automount_service_account_token = false
|
||||
}
|
||||
|
||||
resource "kubernetes_deployment" "proxy" {
|
||||
|
||||
metadata {
|
||||
name = "wol-proxy"
|
||||
namespace = kubernetes_namespace.proxy.metadata[0].name
|
||||
labels = {
|
||||
app = "wol-proxy"
|
||||
}
|
||||
}
|
||||
|
||||
spec {
|
||||
replicas = 1
|
||||
selector {
|
||||
match_labels = {
|
||||
app = "wol-proxy"
|
||||
}
|
||||
}
|
||||
|
||||
strategy {
|
||||
type = "Recreate"
|
||||
}
|
||||
|
||||
template {
|
||||
metadata {
|
||||
labels = {
|
||||
app = "wol-proxy"
|
||||
}
|
||||
}
|
||||
|
||||
spec {
|
||||
service_account_name = kubernetes_service_account.proxy.metadata[0].name
|
||||
automount_service_account_token = false
|
||||
|
||||
host_network = true
|
||||
container {
|
||||
name = "app"
|
||||
image = "a13labs/wol_proxy:${var.tag}"
|
||||
image_pull_policy = "Always"
|
||||
|
||||
security_context {
|
||||
capabilities {
|
||||
add = ["NET_RAW"]
|
||||
}
|
||||
}
|
||||
|
||||
port {
|
||||
name = "upstream"
|
||||
container_port = var.proxy_port
|
||||
}
|
||||
|
||||
env {
|
||||
name = "UPSTREAM_MAC"
|
||||
value = var.upstream.mac
|
||||
}
|
||||
|
||||
env {
|
||||
name = "UPSTREAM_IP"
|
||||
value = var.upstream.ip
|
||||
}
|
||||
|
||||
env {
|
||||
name = "UPSTREAM_PORT"
|
||||
value = var.upstream.port
|
||||
}
|
||||
|
||||
env {
|
||||
name = "UPSTREAM_SCHEME"
|
||||
value = var.upstream.scheme
|
||||
}
|
||||
|
||||
env {
|
||||
name = "PROXY_PORT"
|
||||
value = var.proxy_port
|
||||
}
|
||||
|
||||
readiness_probe {
|
||||
tcp_socket {
|
||||
port = var.proxy_port
|
||||
}
|
||||
initial_delay_seconds = 5
|
||||
period_seconds = 10
|
||||
failure_threshold = 10
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_service" "proxy" {
|
||||
metadata {
|
||||
name = "upstream"
|
||||
namespace = kubernetes_namespace.proxy.metadata[0].name
|
||||
}
|
||||
|
||||
spec {
|
||||
selector = {
|
||||
app = "wol-proxy"
|
||||
}
|
||||
|
||||
port {
|
||||
name = "upstream"
|
||||
port = var.proxy_port
|
||||
target_port = var.proxy_port
|
||||
}
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
metadata[0].annotations
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -1,32 +0,0 @@
|
||||
variable "upstream" {
|
||||
description = "Configuration for the upstream proxy"
|
||||
type = object({
|
||||
mac = optional(string, "")
|
||||
ip = optional(string, "")
|
||||
port = optional(string, "")
|
||||
scheme = optional(string, "http")
|
||||
})
|
||||
}
|
||||
|
||||
# variable "fqdn" {
|
||||
# description = "The fully qualified domain name for the app server"
|
||||
# type = string
|
||||
# }
|
||||
|
||||
variable "tag" {
|
||||
description = "The version of app to install"
|
||||
type = string
|
||||
default = "v0.4.0"
|
||||
}
|
||||
|
||||
variable "namespace" {
|
||||
description = "The namespace for the proxy"
|
||||
type = string
|
||||
default = "wol-proxy"
|
||||
}
|
||||
|
||||
variable "proxy_port" {
|
||||
description = "The port on which the proxy will listen"
|
||||
type = number
|
||||
default = 8080
|
||||
}
|
||||
Reference in New Issue
Block a user