Add custom error pages and Nginx configuration for proxy module

- Introduced custom HTML error pages for various HTTP status codes (400, 401, 403, 404, 408, 429, 500, 502, 503, 504) in the proxy module.
- Created a .gitignore file to exclude non-HTML files in the error resources directory.
- Updated Nginx configuration to serve custom error pages for upstream errors.
- Added new Nginx configuration templates for handling HTTP and stream protocols.
- Implemented Wireguard configuration templates and associated variables for secure connections.
- Established Kubernetes resources for Stunnel and Wireguard, including deployment, service accounts, and config maps.
- Defined variables for the Stunnel and Wireguard modules to facilitate configuration.
- Created a new Wol Proxy module with Kubernetes resources for deployment and service management.
This commit is contained in:
2025-10-02 00:19:01 +02:00
parent 4d00986273
commit e6a3f3affd
62 changed files with 1517 additions and 99 deletions
+4
View File
@@ -0,0 +1,4 @@
locals {
app_version = var.tag
monitoring_folder = "${var.persistent_folder}/grafana"
}
+136
View File
@@ -0,0 +1,136 @@
resource "kubernetes_deployment" "grafana" {
metadata {
name = "grafana"
namespace = kubernetes_namespace.grafana.metadata[0].name
labels = {
app = "grafana"
}
}
spec {
selector {
match_labels = {
app = "grafana"
}
}
template {
metadata {
labels = {
app = "grafana"
}
}
spec {
container {
name = "grafana"
image = "grafana/grafana:${local.app_version}"
image_pull_policy = "IfNotPresent"
security_context {
run_as_user = 1000
run_as_non_root = true
privileged = false
allow_privilege_escalation = false
}
port {
name = "http-grafana"
container_port = 3000
protocol = "TCP"
}
readiness_probe {
http_get {
path = "/robots.txt"
port = 3000
scheme = "HTTP"
}
failure_threshold = 3
initial_delay_seconds = 10
period_seconds = 30
success_threshold = 1
timeout_seconds = 2
}
liveness_probe {
tcp_socket {
port = 3000
}
failure_threshold = 3
initial_delay_seconds = 30
period_seconds = 10
success_threshold = 1
timeout_seconds = 1
}
resources {
requests = {
cpu = "250m"
memory = "750Mi"
}
}
volume_mount {
name = "grafana-pv"
mount_path = "/var/lib/grafana"
}
}
volume {
name = "grafana-pv"
host_path {
path = local.monitoring_folder
}
}
}
}
}
}
resource "kubernetes_service" "grafana" {
metadata {
name = "grafana"
namespace = kubernetes_namespace.grafana.metadata[0].name
}
spec {
selector = {
app = "grafana"
}
port {
port = 3000
protocol = "TCP"
target_port = "http-grafana"
}
session_affinity = "None"
type = "ClusterIP"
}
}
resource "kubernetes_ingress_v1" "grafana" {
metadata {
name = "ingress"
namespace = kubernetes_namespace.grafana.metadata[0].name
annotations = {
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
"kubernetes.io/tls-acme" = "true"
"nginx.ingress.kubernetes.io/ssl-redirect" = "true"
}
}
spec {
tls {
hosts = [var.fqdn]
secret_name = "grafana-tls"
}
rule {
host = var.fqdn
http {
path {
backend {
service {
name = kubernetes_service.grafana.metadata[0].name
port {
number = 3000
}
}
}
}
}
}
}
}
+5
View File
@@ -0,0 +1,5 @@
resource "kubernetes_namespace" "grafana" {
metadata {
name = "grafana"
}
}
@@ -0,0 +1,38 @@
global:
scrape_interval: 5s
evaluation_interval: 5s
rule_files:
- /etc/prometheus/prometheus.rules
scrape_configs:
- job_name: kubernetes-nodes-cadvisor
scrape_interval: 10s
scrape_timeout: 10s
scheme: https # remove if you want to scrape metrics on insecure port
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
# Only for Kubernetes ^1.7.3.
# See: https://github.com/prometheus/prometheus/issues/2916
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
metric_relabel_configs:
- action: replace
source_labels: [id]
regex: '^/machine\.slice/machine-rkt\\x2d([^\\]+)\\.+/([^/]+)\.service$'
target_label: rkt_container_name
replacement: "${2}-${1}"
- action: replace
source_labels: [id]
regex: '^/system\.slice/(.+)\.service$'
target_label: systemd_service_name
replacement: "${1}"
@@ -0,0 +1,126 @@
global:
scrape_interval: 5s
evaluation_interval: 5s
rule_files:
- /etc/prometheus/prometheus.rules
alerting:
alertmanagers:
- scheme: http
static_configs:
- targets:
- "alertmanager.monitoring.svc:9093"
scrape_configs:
- job_name: "node-exporter"
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels: [__meta_kubernetes_endpoints_name]
regex: "node-exporter"
action: keep
- job_name: "kubernetes-apiservers"
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels:
[
__meta_kubernetes_namespace,
__meta_kubernetes_service_name,
__meta_kubernetes_endpoint_port_name,
]
action: keep
regex: default;kubernetes;https
- job_name: "kubernetes-nodes"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/$${1}/proxy/metrics
- job_name: "kubernetes-pods"
kubernetes_sd_configs:
- role: pod
relabel_configs:
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels:
[__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
action: replace
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
- action: labelmap
regex: __meta_kubernetes_pod_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_pod_name]
action: replace
target_label: kubernetes_pod_name
- job_name: "kube-state-metrics"
static_configs:
- targets: ["kube-state-metrics.kube-system.svc.cluster.local:8080"]
- job_name: "kubernetes-cadvisor"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- target_label: __address__
replacement: kubernetes.default.svc:443
- source_labels: [__meta_kubernetes_node_name]
regex: (.+)
target_label: __metrics_path__
replacement: /api/v1/nodes/$${1}/proxy/metrics/cadvisor
- job_name: "kubernetes-service-endpoints"
kubernetes_sd_configs:
- role: endpoints
relabel_configs:
- source_labels:
[__meta_kubernetes_service_annotation_prometheus_io_scrape]
action: keep
regex: true
- source_labels:
[__meta_kubernetes_service_annotation_prometheus_io_scheme]
action: replace
target_label: __scheme__
regex: (https?)
- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
action: replace
target_label: __metrics_path__
regex: (.+)
- source_labels:
[__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
action: replace
target_label: __address__
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
- action: labelmap
regex: __meta_kubernetes_service_label_(.+)
- source_labels: [__meta_kubernetes_namespace]
action: replace
target_label: kubernetes_namespace
- source_labels: [__meta_kubernetes_service_name]
action: replace
target_label: kubernetes_name
@@ -0,0 +1,22 @@
variable "fqdn" {
description = "The fully qualified domain name for the app server"
type = string
default = ""
}
variable "issuer" {
description = "The issuer for the certificate"
type = string
default = "internal-ca"
}
variable "tag" {
description = "Grafana image tag"
type = string
default = "latest"
}
variable "persistent_folder" {
description = "The path to the persistent folder"
type = string
}
+31 -5
View File
@@ -59,7 +59,7 @@ resource "kubernetes_deployment" "dovecot" {
}
}
strategy {
type = "RollingUpdate"
type = var.dovecot_use_host_networking ? "Recreate" : "RollingUpdate"
}
template {
metadata {
@@ -81,6 +81,7 @@ resource "kubernetes_deployment" "dovecot" {
image = "dovecot/dovecot:${var.dovecot_tag}"
port {
container_port = 31993
host_port = var.dovecot_use_host_networking ? 993 : null
}
port {
name = "lmtp"
@@ -118,6 +119,19 @@ resource "kubernetes_deployment" "dovecot" {
mount_path = "/etc/mail-crypt"
read_only = true
}
volume_mount {
name = "dovecot-logs"
mount_path = "/var/log/dovecot"
read_only = false
}
volume_mount {
name = "tmp"
mount_path = "/tmp"
}
volume_mount {
name = "dovecot-run"
mount_path = "/var/run/dovecot"
}
}
container {
name = "stunnel"
@@ -194,6 +208,20 @@ resource "kubernetes_deployment" "dovecot" {
}
}
}
volume {
name = "dovecot-logs"
host_path {
path = "/var/log/dovecot"
}
}
volume {
name = "tmp"
empty_dir {}
}
volume {
name = "dovecot-run"
empty_dir {}
}
}
}
}
@@ -245,8 +273,7 @@ resource "kubernetes_service" "dovecot_lmtp" {
port = 31024
target_port = 31024
}
type = "ClusterIP"
cluster_ip = "None"
type = "ClusterIP"
}
}
@@ -265,7 +292,6 @@ resource "kubernetes_service" "dovecot_auth" {
port = 31000
target_port = 31000
}
type = "ClusterIP"
cluster_ip = "None"
type = "ClusterIP"
}
}
+3 -3
View File
@@ -36,7 +36,7 @@ resource "kubernetes_deployment" "postfix" {
}
}
strategy {
type = "RollingUpdate"
type = "Recreate"
}
template {
metadata {
@@ -56,6 +56,7 @@ resource "kubernetes_deployment" "postfix" {
image = "tozd/postfix:${var.postfix_tag}"
port {
container_port = 465
host_port = var.postfix_use_host_networking ? 465 : null
}
dynamic "env" {
for_each = local.postfix_env_vars
@@ -189,8 +190,7 @@ resource "kubernetes_service" "postfix" {
target_port = 465
}
type = "ClusterIP"
cluster_ip = "None"
type = "ClusterIP"
}
lifecycle {
@@ -71,8 +71,6 @@ mail_attribute {
}
}
log_path = /dev/stdout
imap_hibernate_timeout = 5s
mail_plugins {
@@ -242,9 +240,10 @@ crypt_global_private_key main {
}
crypt_global_public_key_file = /etc/mail-crypt/ecpubkey.pem
log_path = /dev/stdout
info_log_path = /dev/stdout
debug_log_path = /dev/stdout
log_path = /var/log/dovecot/default.log
info_log_path = /var/log/dovecot/info.log
debug_log_path = /var/log/dovecot/debug.log
# Enable verbose logging
# auth_verbose = yes
@@ -39,7 +39,7 @@ postconf -e "smtpd_sasl_type=dovecot"
postconf -e "smtpd_sasl_path=inet:localhost:31000"
postconf -e "smtpd_sasl_auth_enable=yes"
postconf -e "smtpd_sasl_security_options=noanonymous"
postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject"
postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject_unauth_destination"
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
postconf -e "smtpd_sasl_authenticated_header=yes"
postconf -e "smtpd_tls_wrappermode=yes"
@@ -68,7 +68,8 @@ smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
" | sudo tee -a /etc/postfix/master.cf
/usr/sbin/postfix -c /etc/postfix start
+12
View File
@@ -92,3 +92,15 @@ variable "ca_pem" {
type = string
sensitive = true
}
variable "postfix_use_host_networking" {
description = "Whether to use host networking for the Postfix container"
type = bool
default = false
}
variable "dovecot_use_host_networking" {
description = "Whether to use host networking for the Dovecot container"
type = bool
default = false
}
@@ -1,74 +0,0 @@
locals {
wireguard_version = "1.0.20210914-r4-ls54"
wireguard_config = try(templatefile("${path.module}/resources/wireguard/wireguard.conf.tpl", {
wireguard_private_key = var.wireguard_config.private_key
wireguard_public_key = var.wireguard_config.public_key
wireguard_pre_shared_key = var.wireguard_config.pre_shared_key
wireguard_address = var.wireguard_config.address
wireguard_dns = var.wireguard_config.dns
wireguard_allowed_ips = join(", ", var.wireguard_config.allowed_ips)
wireguard_endpoint = "${var.wireguard_config.endpoint}:${var.wireguard_config.endpoint_port}"
}), "null")
wireguard_config_checksum = nonsensitive(sha256(local.wireguard_config))
default_headers = {
"Host" : "$host",
"X-Real-IP" : "$remote_addr",
"X-Forwarded-For" : "$proxy_add_x_forwarded_for",
"X-Forwarded-Proto" : "$scheme",
"X-Forwarded-Host" : "$host",
"X-Forwarded-Port" : "$server_port",
}
nginx_config = file("${path.module}/resources/nginx/nginx.conf")
nginx_config_checksum = sha256(local.nginx_config)
services_config = {
for k, v in var.services : "${k}.conf" => coalesce(v.config, templatefile("${path.module}/resources/nginx/conf.d/default.conf.tpl", {
errors = local.error_codes
http_port = v.http_port
https_port = v.https_port
upstream = v.upstream
resolver = v.resolver
ingress = v.ingress
service_http_port = v.service_http_port
service_https_port = v.service_https_port
tls = v.tls
fqdn = length(v.fqdn) > 0 ? join(" ", v.fqdn) : k
auth = length([for l in v.locations : true if l.private]) > 0
locations = [for l in v.locations : {
path = l.path
headers = merge(l.headers, coalesce(v.default_headers, local.default_headers))
private = l.private
upstream = l.upstream
resolver = l.resolver
rewrite = l.rewrite
}]
custom_snippet = v.custom_snippet
}))
}
services_config_checksum = sha256(jsonencode(local.services_config))
streams_config = {
for k, v in var.streams : "${k}.conf" => templatefile("${path.module}/resources/nginx/streams.d/stream.conf.tpl", {
name = k
port = v.port
upstream = v.upstream
custom_snippet = v.custom_snippet
upstream_port = coalesce(v.upstream_port, v.port)
resolver = v.resolver
protocol = upper(v.protocol)
})
}
streams_config_checksum = sha256(jsonencode(local.streams_config))
auth_script = file("${path.module}/resources/auth/auth_server.py")
auth_script_checksum = sha256(local.auth_script)
error_codes = [for f in fileset("${path.module}/resources/errors", "*.html") : split(".", f)[0]]
errors_pages = {
for f in local.error_codes :
"${f}.html" => file("${path.module}/resources/errors/${f}.html")
}
errors_pages_checksum = sha256(jsonencode(local.errors_pages))
}
@@ -1,537 +0,0 @@
resource "kubernetes_namespace" "reverse_proxy" {
metadata {
annotations = {
name = "reverse-proxy"
}
labels = {
name = "reverse-proxy"
}
name = "reverse-proxy"
}
}
resource "kubernetes_service_account" "reverse-proxy_service_account" {
metadata {
name = "reverse-proxy-app-sa"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
automount_service_account_token = false
}
resource "kubernetes_service" "services" {
for_each = var.services
metadata {
name = format("%s", replace(each.key, ".", "-"))
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
spec {
port {
name = "http"
port = each.value.service_http_port
target_port = substr(format("http-%s", replace(each.key, ".", "-")), 0, 15)
}
dynamic "port" {
for_each = each.value.tls ? [1] : []
content {
name = "https"
port = each.value.service_https_port
target_port = substr(format("https-%s", replace(each.key, ".", "-")), 0, 15)
}
}
selector = {
app = "reverse-proxy"
}
type = "ClusterIP"
cluster_ip = "None"
}
}
resource "kubernetes_manifest" "internal_cert" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = "internal-cert"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
spec = {
secretName = "internal-cert"
issuerRef = {
name = var.issuer_name
kind = "ClusterIssuer"
}
commonName = "reverse-proxy.internal"
dnsNames = flatten([for _, v in var.services : v.fqdn if v.tls == true])
}
}
}
resource "kubernetes_config_map" "wireguard_config" {
count = local.wireguard_config != "null" ? 1 : 0
metadata {
name = "wireguard-config"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
data = {
"wireguard.conf" = local.wireguard_config
}
}
resource "kubernetes_config_map" "nginx_config" {
metadata {
name = "nginx-config"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
data = {
"nginx.conf" = local.nginx_config
}
}
resource "kubernetes_config_map" "nginx_default_config" {
metadata {
name = "nginx-default-config"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
data = local.services_config
}
resource "kubernetes_config_map" "nginx_streams_config" {
metadata {
name = "nginx-streams-config"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
data = local.streams_config
}
resource "kubernetes_config_map" "nginx_custom_50x_page" {
metadata {
name = "nginx-errors"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
data = {
for k, v in local.errors_pages : k => v
}
}
resource "kubernetes_config_map" "auth_script" {
metadata {
name = "auth-script"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
data = {
"auth_server.py" = local.auth_script
}
}
resource "kubernetes_ingress_v1" "ingress" {
for_each = { for k, v in var.services : k => v if lookup(v, "ingress", true) && length(v.fqdn) > 0 }
metadata {
name = format("%s", replace(each.key, ".", "-"))
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
annotations = merge({
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
},
each.value.custom_ingress_annotations,
each.value.tls ? {
"nginx.org/ssl-services" = format("%s", replace(each.key, ".", "-"))
"nginx.org/ssl-redirect" = "true"
"nginx.org/redirect-to-https" = "true"
"nginx.ingress.kubernetes.io/backend-protocol" = "HTTPS"
} : {}
)
}
spec {
tls {
hosts = each.value.fqdn
secret_name = format("reverse-proxy-%s-tls", replace(each.key, ".", "-"))
}
dynamic "rule" {
for_each = each.value.fqdn
content {
host = rule.value
http {
path {
backend {
service {
name = format("%s", replace(each.key, ".", "-"))
port {
name = each.value.tls ? "https" : "http"
}
}
}
}
}
}
}
}
}
resource "kubernetes_secret" "auth_token" {
count = var.auth_token != "" ? 1 : 0
metadata {
name = "auth-token-secret"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
}
data = {
token = var.auth_token
}
type = "Opaque"
}
resource "kubernetes_deployment" "reverse_proxy" {
metadata {
name = "reverse-proxy"
namespace = kubernetes_namespace.reverse_proxy.metadata[0].name
annotations = {
"security.alpha.kubernetes.io/unsafe-sysctls" = "net.ipv4.conf.all.src_valid_mark=1"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "reverse-proxy"
}
}
strategy {
type = "Recreate"
}
template {
metadata {
labels = {
app = "reverse-proxy"
}
annotations = {
"checksum/nginx" = local.nginx_config_checksum
"checksum/services" = local.services_config_checksum
"checksum/wireguard" = local.wireguard_config_checksum
"checksum/auth_server" = local.auth_script_checksum
"checksum/custom_50x" = local.errors_pages_checksum
"checksum/streams" = local.streams_config_checksum
}
}
spec {
dynamic "container" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "wireguard"
image = "linuxserver/wireguard:${local.wireguard_version}"
resources {
requests = {
memory = "64Mi"
}
}
liveness_probe {
exec {
command = [
"/bin/sh",
"-c",
"wg show | grep -q transfer"
]
}
initial_delay_seconds = 90
period_seconds = 90
}
security_context {
privileged = true
capabilities {
add = ["NET_ADMIN"]
}
read_only_root_filesystem = true
}
env {
name = "PUID"
value = "1000"
}
env {
name = "PGID"
value = "1000"
}
env {
name = "TZ"
value = "Europe/Berlin"
}
volume_mount {
name = "wireguard-config"
mount_path = "/config/wg_confs"
read_only = true
}
volume_mount {
name = "lib-modules"
mount_path = "/lib/modules"
read_only = true
}
volume_mount {
name = "wireguard-run"
mount_path = "/run"
}
}
}
dynamic "container" {
for_each = nonsensitive(var.auth_token) != "" ? [1] : []
content {
name = "auth-sidecar"
image = "python:3.11-slim"
command = ["python", "/app/auth_server.py"]
env {
name = "AUTH_TOKEN"
value_from {
secret_key_ref {
name = kubernetes_secret.auth_token[0].metadata[0].name
key = "token"
}
}
}
volume_mount {
name = "auth-script"
mount_path = "/app"
read_only = true
}
port {
container_port = 5000
name = "auth"
}
security_context {
read_only_root_filesystem = true
run_as_group = 1000
run_as_user = 1000
allow_privilege_escalation = false
run_as_non_root = true
}
}
}
container {
name = "reverse-proxy"
image = "nginx:${var.tag}"
image_pull_policy = "Always"
resources {
requests = {
memory = "100Mi"
}
}
security_context {
allow_privilege_escalation = false
read_only_root_filesystem = true
}
readiness_probe {
http_get {
path = "/health"
port = 8888
}
initial_delay_seconds = 5
period_seconds = 10
}
liveness_probe {
http_get {
path = "/health"
port = 8888
}
initial_delay_seconds = 5
period_seconds = 10
failure_threshold = 10
timeout_seconds = 5
success_threshold = 1
}
dynamic "port" {
for_each = { for k, v in var.services : k => v.http_port }
content {
container_port = port.value
name = substr(format("http-%s", replace(port.key, ".", "-")), 0, 15)
}
}
dynamic "port" {
for_each = { for k, v in var.services : k => v.https_port if v.tls }
content {
container_port = port.value
name = substr(format("https-%s", replace(port.key, ".", "-")), 0, 15)
}
}
dynamic "port" {
for_each = var.streams
content {
container_port = port.value.port
name = substr(format("stream-%s", replace(port.key, ".", "-")), 0, 15)
host_port = port.value.port
protocol = upper(port.value.protocol)
}
}
volume_mount {
name = "nginx"
mount_path = "/etc/nginx/nginx.conf"
sub_path = "nginx.conf"
read_only = true
}
volume_mount {
name = "services"
mount_path = "/etc/nginx/conf.d/"
read_only = true
}
volume_mount {
name = "streams"
mount_path = "/etc/nginx/streams.d/"
read_only = true
}
volume_mount {
name = "nginx-errors"
mount_path = "/usr/share/nginx/html/errors"
read_only = true
}
volume_mount {
name = "nginx-tmp"
mount_path = "/tmp"
}
dynamic "volume_mount" {
for_each = length([for v in var.services : v.tls if v.tls == true]) > 0 ? [1] : []
content {
name = "tls"
mount_path = "/etc/ssl/certs/private"
read_only = true
}
}
}
dynamic "volume" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "wireguard-config"
config_map {
name = nonsensitive(kubernetes_config_map.wireguard_config[0].metadata[0].name)
}
}
}
dynamic "volume" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "lib-modules"
host_path {
path = "/lib/modules"
}
}
}
dynamic "volume" {
for_each = nonsensitive(local.wireguard_config) != "null" ? [1] : []
content {
name = "wireguard-run"
empty_dir {
medium = "Memory"
}
}
}
volume {
name = "auth-script"
config_map {
name = kubernetes_config_map.auth_script.metadata[0].name
}
}
volume {
name = "nginx"
config_map {
name = kubernetes_config_map.nginx_config.metadata[0].name
}
}
volume {
name = "services"
config_map {
name = kubernetes_config_map.nginx_default_config.metadata[0].name
}
}
volume {
name = "streams"
config_map {
name = kubernetes_config_map.nginx_streams_config.metadata[0].name
}
}
volume {
name = "nginx-errors"
config_map {
name = kubernetes_config_map.nginx_custom_50x_page.metadata[0].name
}
}
volume {
name = "nginx-tmp"
empty_dir {
}
}
dynamic "volume" {
for_each = length([for v in var.services : v.tls if v.tls == true]) > 0 ? [1] : []
content {
name = "tls"
secret {
secret_name = kubernetes_manifest.internal_cert.manifest["metadata"]["name"]
items {
key = "tls.crt"
path = "tls.crt"
}
items {
key = "tls.key"
path = "tls.key"
}
}
}
}
}
}
}
lifecycle {
ignore_changes = [spec[0].template[0].metadata[0].annotations["kubectl.kubernetes.io/restartedAt"]]
}
}
@@ -1,13 +0,0 @@
terraform {
required_version = "~>1.8"
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.36.0"
}
scaleway = {
source = "scaleway/scaleway"
version = "~>2.13"
}
}
}
@@ -1,40 +0,0 @@
import os
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
# Configure logging
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s [%(levelname)s] %(message)s"
)
EXPECTED_TOKEN = os.getenv("AUTH_TOKEN", "")
class AuthHandler(BaseHTTPRequestHandler):
def do_GET(self):
auth = self.headers.get('Authorization')
# Log request info
client_ip = self.client_address[0]
logging.info(f"Auth request from {client_ip}")
if auth == f"Bearer {EXPECTED_TOKEN}":
logging.info("Authentication successful")
self.send_response(200)
else:
logging.warning("Authentication failed")
self.send_response(401)
self.end_headers()
def log_message(self, format, *args):
# Suppress default BaseHTTPRequestHandler logging
return
if __name__ == '__main__':
if not EXPECTED_TOKEN:
logging.error("AUTH_TOKEN environment variable not set. Exiting.")
exit(1)
server = HTTPServer(('', 5000), AuthHandler)
logging.info("Auth server running on port 5000...")
server.serve_forever()
@@ -1 +0,0 @@
!*.html
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>400 - Bad Request</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon"></div>
<h1>400 - Bad Request</h1>
<p>Oops! The server couldn't understand your request.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>401 - Unauthorized</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🔒</div>
<h1>401 - Unauthorized</h1>
<p>You need to log in to access this resource.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>403 - Forbidden</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🚫</div>
<h1>403 - Forbidden</h1>
<p>You don't have permission to view this page.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>404 - Page Not Found</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🔍</div>
<h1>404 - Page Not Found</h1>
<p>We couldn't find the page you're looking for.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>408 - Request Timeout</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon"></div>
<h1>408 - Request Timeout</h1>
<p>The server took too long to respond. Try again later.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>429 - Too Many Requests</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🚦</div>
<h1>429 - Too Many Requests</h1>
<p>You're making too many requests. Please slow down.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>500 - Internal Server Error</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">⚠️</div>
<h1>500 - Internal Server Error</h1>
<p>Something went wrong on our end. We're working on it.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>502 - Bad Gateway</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🔌</div>
<h1>502 - Bad Gateway</h1>
<p>The server received an invalid response from upstream.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>503 - Service Unavailable</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">🛠️</div>
<h1>503 - Service Unavailable</h1>
<p>We're doing some maintenance. Please check back soon.</p>
</div>
</body>
</html>
@@ -1,40 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>504 - Gateway Timeout</title>
<style>
* { box-sizing: border-box; }
body {
margin: 0;
font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
background-color: #121212;
color: #ffffff;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
text-align: center;
padding: 20px;
}
.container {
max-width: 500px;
}
.icon {
font-size: 80px;
margin-bottom: 20px;
color: #f39c12;
}
h1 { font-size: 2rem; margin-bottom: 10px; }
p { font-size: 1rem; color: #cccccc; }
</style>
</head>
<body>
<div class="container">
<div class="icon">📡</div>
<h1>504 - Gateway Timeout</h1>
<p>The upstream server didn't respond in time.</p>
</div>
</body>
</html>
@@ -1,54 +0,0 @@
server {
listen ${http_port};
%{ if tls ~}
listen ${https_port} ssl;
ssl_certificate /etc/ssl/certs/private/tls.crt;
ssl_certificate_key /etc/ssl/certs/private/tls.key;
ssl_protocols TLSv1.2 TLSv1.3;
%{ endif ~}
server_name ${fqdn};
# Custom error page for upstream errors
%{ for e in errors ~}
error_page ${e} /errors/${e}.html;
location = /errors/${e}.html {
root /usr/share/nginx/html;
internal;
}
%{ endfor ~}
%{ if custom_snippet != "" ~}
${custom_snippet}
%{ endif ~}
%{ if auth ~}
location = /auth {
internal;
proxy_pass http://localhost:5000/;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Authorization $http_authorization;
}
%{ endif }
%{ for l in locations ~}
location ${l.path} {
%{ if l.resolver == "" ~}
%{ if resolver != "" ~}
resolver ${resolver};
%{ endif ~}
%{ else ~}
resolver ${l.resolver};
%{ endif ~}
%{ if l.private ~}
auth_request /auth<;
%{ endif ~}
set $upstream "%{ if l.upstream != "" ~}${l.upstream}%{ else ~}${upstream}%{ endif ~}";
%{ if l.rewrite != "" ~}
rewrite ${l.rewrite};
%{ endif ~}
proxy_pass $upstream;
proxy_http_version 1.1;
%{ for k,v in l.headers ~}
proxy_set_header ${k} ${v};
%{ endfor ~}
proxy_intercept_errors on;
}
%{ endfor ~}
}
@@ -1,48 +0,0 @@
worker_processes auto;
error_log /dev/stderr warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
client_max_body_size 10M;
proxy_buffering off;
proxy_request_buffering off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /dev/stdout main;
sendfile on;
keepalive_timeout 65;
server {
listen 8888;
server_name _;
location /health {
access_log off;
return 200 "OK";
}
}
include /etc/nginx/conf.d/*.conf;
}
stream {
include /etc/nginx/streams.d/*.conf;
}
@@ -1,13 +0,0 @@
upstream ${name} {
%{ if resolver != "" ~}
resolver ${resolver};
%{ endif ~}
server ${upstream}:${upstream_port};
}
server {
listen %{ if protocol == "UDP" ~}${port} udp;%{ else ~}${port};%{ endif }
%{ if custom_snippet != "" ~}
${custom_snippet}
%{ endif ~}
proxy_pass ${name};
}
@@ -1,10 +0,0 @@
[Interface]
PrivateKey = ${wireguard_private_key}
Address = ${wireguard_address}
[Peer]
PublicKey = ${wireguard_public_key}
PresharedKey = ${wireguard_pre_shared_key}
AllowedIPs = ${wireguard_allowed_ips}
Endpoint = ${wireguard_endpoint}
PersistentKeepalive = 25
@@ -1,75 +0,0 @@
variable "tag" {
description = "The version of the nginx server to install"
type = string
default = "stable-alpine"
}
variable "wireguard_config" {
description = "The Wireguard configuration file"
type = object({
private_key = string
public_key = string
pre_shared_key = string
endpoint = string
endpoint_port = number
address = string
dns = string
allowed_ips = list(string)
})
default = null
sensitive = true
}
variable "issuer_name" {
description = "The name of the issuer to use for TLS certificates, internal certificates"
type = string
default = "internal-ca"
}
variable "services" {
description = "A list of services to be deployed"
type = map(object({
fqdn = optional(list(string), [])
custom_ingress_annotations = optional(map(string), {})
annotations = optional(map(string), {})
upstream = optional(string, "")
resolver = optional(string, "")
default_headers = optional(map(string), {}),
http_port = optional(number, 80)
https_port = optional(number, 443)
tls = optional(bool, false)
ingress = optional(bool, true)
service_http_port = optional(number, 80)
service_https_port = optional(number, 443)
locations = optional(list(object({
path = string,
headers = optional(map(string), {}),
private = optional(bool, false),
upstream = optional(string, ""),
resolver = optional(string, "")
rewrite = optional(string, "")
})), [])
custom_snippet = optional(string, "")
config = optional(string, "")
}))
}
variable "auth_token" {
description = "The authentication token to use for the reverse proxy"
type = string
sensitive = true
default = ""
}
variable "streams" {
description = "A list of streams to be deployed"
type = map(object({
port = number
upstream = string
custom_snippet = optional(string, "")
resolver = optional(string, "")
upstream_port = optional(number, null)
protocol = optional(string, "TCP")
}))
default = {}
}
+1 -2
View File
@@ -46,8 +46,7 @@ resource "kubernetes_service" "website" {
app = format("website-%s", replace(each.key, ".", "-"))
}
type = "ClusterIP"
cluster_ip = "None"
type = "ClusterIP"
}
}
@@ -1,34 +0,0 @@
# resource "kubernetes_ingress_v1" "proxy" {
# metadata {
# name = "ingress"
# namespace = kubernetes_namespace.proxy.metadata[0].name
# annotations = {
# "kubernetes.io/ingress.class" = "public"
# "cert-manager.io/cluster-issuer" = "letsencrypt-prod"
# "kubernetes.io/tls-acme" = "true"
# "nginx.ingress.kubernetes.io/ssl-redirect" = "true"
# }
# }
# spec {
# tls {
# hosts = [var.fqdn]
# secret_name = "proxy-tls"
# }
# rule {
# host = var.fqdn
# http {
# path {
# backend {
# service {
# name = "upstream"
# port {
# number = var.proxy_port
# }
# }
# }
# }
# }
# }
# }
# }
-5
View File
@@ -1,5 +0,0 @@
resource "kubernetes_namespace" "proxy" {
metadata {
name = var.namespace
}
}
-123
View File
@@ -1,123 +0,0 @@
resource "kubernetes_service_account" "proxy" {
metadata {
name = "wol-proxy-sa"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
automount_service_account_token = false
}
resource "kubernetes_deployment" "proxy" {
metadata {
name = "wol-proxy"
namespace = kubernetes_namespace.proxy.metadata[0].name
labels = {
app = "wol-proxy"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "wol-proxy"
}
}
strategy {
type = "Recreate"
}
template {
metadata {
labels = {
app = "wol-proxy"
}
}
spec {
service_account_name = kubernetes_service_account.proxy.metadata[0].name
automount_service_account_token = false
host_network = true
container {
name = "app"
image = "a13labs/wol_proxy:${var.tag}"
image_pull_policy = "Always"
security_context {
capabilities {
add = ["NET_RAW"]
}
}
port {
name = "upstream"
container_port = var.proxy_port
}
env {
name = "UPSTREAM_MAC"
value = var.upstream.mac
}
env {
name = "UPSTREAM_IP"
value = var.upstream.ip
}
env {
name = "UPSTREAM_PORT"
value = var.upstream.port
}
env {
name = "UPSTREAM_SCHEME"
value = var.upstream.scheme
}
env {
name = "PROXY_PORT"
value = var.proxy_port
}
readiness_probe {
tcp_socket {
port = var.proxy_port
}
initial_delay_seconds = 5
period_seconds = 10
failure_threshold = 10
}
}
}
}
}
}
resource "kubernetes_service" "proxy" {
metadata {
name = "upstream"
namespace = kubernetes_namespace.proxy.metadata[0].name
}
spec {
selector = {
app = "wol-proxy"
}
port {
name = "upstream"
port = var.proxy_port
target_port = var.proxy_port
}
}
lifecycle {
ignore_changes = [
metadata[0].annotations
]
}
}
@@ -1,32 +0,0 @@
variable "upstream" {
description = "Configuration for the upstream proxy"
type = object({
mac = optional(string, "")
ip = optional(string, "")
port = optional(string, "")
scheme = optional(string, "http")
})
}
# variable "fqdn" {
# description = "The fully qualified domain name for the app server"
# type = string
# }
variable "tag" {
description = "The version of app to install"
type = string
default = "v0.4.0"
}
variable "namespace" {
description = "The namespace for the proxy"
type = string
default = "wol-proxy"
}
variable "proxy_port" {
description = "The port on which the proxy will listen"
type = number
default = 8080
}