diff --git a/cluster/apps/default/cdn/helm-release.yaml b/cluster/apps/default/cdn/helm-release.yaml
new file mode 100644
index 0000000..4a12a38
--- /dev/null
+++ b/cluster/apps/default/cdn/helm-release.yaml
@@ -0,0 +1,62 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: nginx-cdn
+ namespace: default
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.3.x
+ sourceRef:
+ kind: HelmRepository
+ name: bjws-charts
+ namespace: flux-system
+
+ values:
+ image:
+ repository: oci.seedno.de/seednode/nginx
+ tag: latest
+
+ service:
+ main:
+ ports:
+ http:
+ port: 80
+
+ probes:
+ liveness:
+ enabled: false
+
+ ingress:
+ main:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - host: &host "cdn.${SECRET_NEW_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ secretName: wildcard-main-tls
+
+ persistence:
+ data:
+ enabled: true
+ type: hostPath
+ hostPath: /mnt/MainPool/Kubernetes/cdn
+ readOnly: true
+ mountPath: /data
+ config:
+ enabled: true
+ type: configMap
+ name: nginx-cdn-configmap
+
+ resources:
+ requests:
+ cpu: 1m
\ No newline at end of file
diff --git a/cluster/apps/default/cdn/kustomization.yaml b/cluster/apps/default/cdn/kustomization.yaml
new file mode 100644
index 0000000..692760a
--- /dev/null
+++ b/cluster/apps/default/cdn/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./env-secret.sops.yaml
+- ./helm-release.yaml
+configMapGenerator:
+- name: nginx-cdn-configmap
+ files:
+ - ./nginx.conf
\ No newline at end of file
diff --git a/cluster/apps/default/cdn/nginx.conf b/cluster/apps/default/cdn/nginx.conf
new file mode 100644
index 0000000..e4c8fdc
--- /dev/null
+++ b/cluster/apps/default/cdn/nginx.conf
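Review bot: `tag: latest` under `values.image` in helm-release.yaml deploys whatever oci.seedno.de serves for that tag at pull time, so the running nginx build is neither reviewable in git nor reproducible, and a changed or replaced upstream image reaches the cluster without any commit. Pin a release tag together with its digest, e.g. `tag: <version>@sha256:<digest>` (placeholders; take both from the registry), so image updates arrive as reviewed diffs. Separately, the `config` persistence entry sets no `mountPath`, so the generated nginx.conf may not land where nginx reads its configuration; this is worth confirming against the chart's default mount location.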
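Review bot: In cdn/kustomization.yaml, `configMapGenerator` appends a content-hash suffix to `nginx-cdn-configmap` by default, while helm-release.yaml refers to the plain name inside `spec.values`, a field kustomize does not rewrite unless a name-reference configuration covers it; the pod would then wait on a ConfigMap that does not exist. Either add `generatorOptions:` with `disableNameSuffixHash: true`, or keep the hash and configure the name reference. Also, `./env-secret.sops.yaml` is listed under `resources` but is not among the files added in the visible part of this change, and nothing in the HelmRelease consumes it; if the file is absent the kustomize build fails.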
@@ -0,0 +1,30 @@
+events {}
+http {
+ server {
+ listen 80 backlog=16384;
+ root /var/www/html;
+ # security headers
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ location / {
+ root /data;
+ sendfile on;
+ sendfile_max_chunk 128m;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ limit_except GET HEAD { deny all; }
+# autoindex on;
+ default_type application/octet-stream;
+ charset UTF-8;
+
+ fancyindex on;
+ fancyindex_exact_size off; # human readable file sizes
+ }
+ }
+}
\ No newline at end of file
diff --git a/cluster/apps/default/kustomization.yaml b/cluster/apps/default/kustomization.yaml
index df89140..2093ea9 100644
--- a/cluster/apps/default/kustomization.yaml
+++ b/cluster/apps/default/kustomization.yaml
@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ./fireflyiii
\ No newline at end of file
+- ./fireflyiii
+- ./cdn
\ No newline at end of file
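Review bot: The `Content-Security-Policy` value in nginx.conf allows `http:`, `https:`, `data:`, `blob:` and `'unsafe-inline'` in `default-src`, so it places no real limit on script sources; only `frame-ancestors 'self'` has an effect. Since this server hands out arbitrary files from `/data`, a tighter policy is worth the effort, for instance `default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors 'self';`, adjusted to whatever the fancyindex listing page actually needs. `X-XSS-Protection "1; mode=block"` is ignored by current browsers and can be dropped or set to `0`. `fancyindex on` also lists every name under the mounted host path, dotfiles included, to anyone who can reach the ingress; a `location ~ /\.` block containing `deny all;` would keep hidden files out of reach.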