Add 'cdn'

2023-04-18 18:42:58 -04:00 · 2023-04-18 18:42:58 -04:00 · 771d61be78
parent 6817a04edd
commit 771d61be78
4 changed files with 103 additions and 1 deletions
--- a/cluster/apps/default/cdn/helm-release.yaml
+++ b/cluster/apps/default/cdn/helm-release.yaml
@ -0,0 +1,62 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: nginx-cdn
+  namespace: default
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.3.x
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    image:
+      repository: oci.seedno.de/seednode/nginx
+      tag: latest
+
+    service:
+      main:
+        ports:
+          http:
+            port: 80
+
+    probes:
+      liveness:
+        enabled: false
+
+    ingress:
+      main:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        hosts:
+          - host: &host "cdn.${SECRET_NEW_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+            secretName: wildcard-main-tls
+            
+    persistence:
+      data:
+        enabled: true
+        type: hostPath
+        hostPath: /mnt/MainPool/Kubernetes/cdn
+        readOnly: true
+        mountPath: /data
+      config:
+        enabled: true
+        type: configMap
+        name: nginx-cdn-configmap
+
+    resources:
+      requests:
+        cpu: 1m
--- a/cluster/apps/default/cdn/kustomization.yaml
+++ b/cluster/apps/default/cdn/kustomization.yaml
@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./env-secret.sops.yaml
+- ./helm-release.yaml
+configMapGenerator:
+- name: nginx-cdn-configmap
+  files:
+  - ./nginx.conf
--- a/cluster/apps/default/cdn/nginx.conf
+++ b/cluster/apps/default/cdn/nginx.conf
@ -0,0 +1,30 @@
+events {}
+http {
+  server {
+    listen 80 backlog=16384;
+    root /var/www/html;
+    # security headers
+    add_header X-XSS-Protection          "1; mode=block" always;
+    add_header X-Content-Type-Options    "nosniff" always;
+    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+    add_header Permissions-Policy        "interest-cohort=()" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    location / {
+      root /data;
+      sendfile           on;
+      sendfile_max_chunk 128m;
+      tcp_nopush on;
+      tcp_nodelay       on;
+      keepalive_timeout 65;
+      limit_except GET HEAD { deny all; }
+#      autoindex on;
+      default_type application/octet-stream;
+      charset UTF-8;
+
+      fancyindex on;
+      fancyindex_exact_size off; # human readable file sizes
+    }
+  }
+}
--- a/cluster/apps/default/kustomization.yaml
+++ b/cluster/apps/default/kustomization.yaml
@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- ./fireflyiii
+- ./fireflyiii
+- ./cdn