authorXe Iaso <me@xeiaso.net>2025-02-21 10:48:23 -0500
committerXe Iaso <me@xeiaso.net>2025-02-21 10:49:06 -0500
commitceff7a09a4ad41bb3b91369e73d93e67d7a78e28 (patch)
tree79b990516a1af67c3e213aa791ed671de5f7e8cb
parent5423db9a6d3752b2f8f20d368bf2a346e9f268f3 (diff)
downloadx-ceff7a09a4ad41bb3b91369e73d93e67d7a78e28.tar.xz
x-ceff7a09a4ad41bb3b91369e73d93e67d7a78e28.zip
kube/alrest: harden against upcoming docker hub changes
Signed-off-by: Xe Iaso <me@xeiaso.net>
-rw-r--r--kube/alrest/gitea/cfg/anubis/botPolicies.json64
-rw-r--r--kube/alrest/minio/deployment.yaml2
-rw-r--r--kube/alrest/pocket-id/deployment.yaml2
-rw-r--r--kube/alrest/registry/deployment.yaml1
-rw-r--r--kube/alrest/registry/pull-through/dockerhub/deployment.yaml1
5 files changed, 66 insertions, 4 deletions
diff --git a/kube/alrest/gitea/cfg/anubis/botPolicies.json b/kube/alrest/gitea/cfg/anubis/botPolicies.json
new file mode 100644
index 0000000..8ca88e1
--- /dev/null
+++ b/kube/alrest/gitea/cfg/anubis/botPolicies.json
@@ -0,0 +1,64 @@
+{
+ "bots": [
+ {
+ "name": "amazonbot",
+ "user_agent_regex": "Amazonbot",
+ "action": "DENY"
+ },
+ {
+ "name": "googlebot",
+ "user_agent_regex": "\\+http\\:\\/\\/www\\.google\\.com/bot\\.html",
+ "action": "ALLOW"
+ },
+ {
+ "name": "bingbot",
+ "user_agent_regex": "\\+http\\:\\/\\/www\\.bing\\.com/bingbot\\.htm",
+ "action": "ALLOW"
+ },
+ {
+ "name": "us-artificial-intelligence-scraper",
+ "user_agent_regex": "\\+https\\:\\/\\/github\\.com\\/US-Artificial-Intelligence\\/scraper",
+ "action": "DENY"
+ },
+ {
+ "name": "well-known",
+ "path_regex": "^/.well-known/.*$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "favicon",
+ "path_regex": "^/favicon.ico$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "robots-txt",
+ "path_regex": "^/robots.txt$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "rss-readers",
+ "path_regex": ".*\\.(rss|xml|atom|json)$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "lightpanda",
+ "user_agent_regex": "^Lightpanda/.*$",
+ "action": "DENY"
+ },
+ {
+ "name": "headless-chrome",
+ "user_agent_regex": "HeadlessChrome",
+ "action": "DENY"
+ },
+ {
+ "name": "headless-chromium",
+ "user_agent_regex": "HeadlessChromium",
+ "action": "DENY"
+ },
+ {
+ "name": "generic-browser",
+ "user_agent_regex": "Mozilla",
+ "action": "CHALLENGE"
+ }
+ ]
+}
\ No newline at end of file
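Review bot: The `rss-readers` rule allows any path ending in `.rss`, `.xml`, `.atom` or `.json` with no further constraint, and on a Gitea instance that presumably also covers repository file views whose filename has one of those extensions (a `package.json` or `pom.xml` in a source tree), so those pages skip the challenge for every client. Narrowing the pattern to the feed URLs the instance actually serves would keep feed readers working without exempting the file browser. The `googlebot` and `bingbot` entries allow on the User-Agent string alone, which any client can send; if the policy format in use can also match on source address, that constraint belongs on these two rules. The dots in `^/.well-known/.*$`, `^/favicon.ico$` and `^/robots.txt$` are unescaped and match any character; `^/\\.well-known/.*$`, `^/favicon\\.ico$` and `^/robots\\.txt$` say what is meant.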
diff --git a/kube/alrest/minio/deployment.yaml b/kube/alrest/minio/deployment.yaml
index 356bc35..738ca78 100644
--- a/kube/alrest/minio/deployment.yaml
+++ b/kube/alrest/minio/deployment.yaml
@@ -27,7 +27,7 @@ spec:
volumeMounts:
- name: data
mountPath: /data
- image: minio/minio:latest
+ image: quay.io/minio/minio:latest
imagePullPolicy: Always
args:
- server
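Review bot: The new reference `quay.io/minio/minio:latest` still uses a floating tag together with `imagePullPolicy: Always`, so every pod start depends on the registry being reachable and can silently pick up a different image. Since the commit is about reducing exposure to registry-side changes, pinning to a release tag plus digest, e.g. `image: quay.io/minio/minio:<RELEASE_TAG>@sha256:<DIGEST>` (placeholders), and switching to `imagePullPolicy: IfNotPresent` would make restarts reproducible and let the node's cached copy be used. The container spec continues outside this hunk.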
diff --git a/kube/alrest/pocket-id/deployment.yaml b/kube/alrest/pocket-id/deployment.yaml
index 3051834..5c77bb1 100644
--- a/kube/alrest/pocket-id/deployment.yaml
+++ b/kube/alrest/pocket-id/deployment.yaml
@@ -20,7 +20,7 @@ spec:
claimName: pocket-id
containers:
- name: main
- image: ghcr.io/pocket-id/pocket-id:v0.33.0
+ image: ghcr.io/pocket-id/pocket-id:v0.35.0
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 1000
diff --git a/kube/alrest/registry/deployment.yaml b/kube/alrest/registry/deployment.yaml
index 34dd3a8..1b0ef2d 100644
--- a/kube/alrest/registry/deployment.yaml
+++ b/kube/alrest/registry/deployment.yaml
@@ -30,7 +30,6 @@ spec:
containers:
- name: registry
image: registry:2
- imagePullPolicy: "Always"
resources:
limits:
cpu: "500m"
diff --git a/kube/alrest/registry/pull-through/dockerhub/deployment.yaml b/kube/alrest/registry/pull-through/dockerhub/deployment.yaml
index 4b475d3..3096bb4 100644
--- a/kube/alrest/registry/pull-through/dockerhub/deployment.yaml
+++ b/kube/alrest/registry/pull-through/dockerhub/deployment.yaml
@@ -30,7 +30,6 @@ spec:
containers:
- name: registry
image: registry:2
- imagePullPolicy: "Always"
resources:
limits:
cpu: "500m"