| author | Xe Iaso <me@xeiaso.net> | 2025-03-22 20:42:30 -0400 |
|---|---|---|
| committer | Xe Iaso <me@xeiaso.net> | 2025-03-22 20:43:06 -0400 |
| commit | c2a506403f36bbaf94f1b27af1a9786232cf0415 (patch) | |
| tree | 70bac8142a30fa47fa8a42c5fd25bc8935aa0fb9 | |
| parent | 46c1024254ced7cc20664e1cdd71462fc05133ce (diff) | |
| download | x-c2a506403f36bbaf94f1b27af1a9786232cf0415.tar.xz x-c2a506403f36bbaf94f1b27af1a9786232cf0415.zip | |
some experiments
Signed-off-by: Xe Iaso <me@xeiaso.net>
| -rw-r--r-- | kube/alrest/dns/files-xeiaso-net.yaml | 11 | ||||
| -rw-r--r-- | kube/alrest/gitea/deployment.yaml | 2 | ||||
| -rw-r--r-- | kube/alrest/pocket-id/deployment.yaml | 2 | ||||
| -rw-r--r-- | kube/alrest/vclus/cipra/anubistest/anubis/botPolicies.json | 64 | ||||
| -rw-r--r-- | kube/alrest/vclus/cipra/anubistest/deployment.yaml | 90 | ||||
| -rw-r--r-- | kube/alrest/vclus/cipra/anubistest/ingress.yaml | 47 | ||||
| -rw-r--r-- | kube/alrest/vclus/cipra/anubistest/kustomization.yaml | 12 | ||||
| -rw-r--r-- | kube/alrest/vclus/cipra/anubistest/service.yaml | 17 |
8 files changed, 243 insertions, 2 deletions
diff --git a/kube/alrest/dns/files-xeiaso-net.yaml b/kube/alrest/dns/files-xeiaso-net.yaml
new file mode 100644
index 0000000..c0ae0b0
--- /dev/null
+++ b/kube/alrest/dns/files-xeiaso-net.yaml
@@ -0,0 +1,11 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: files-xeiaso-net-cname
+spec:
+ endpoints:
+ - dnsName: "files.xeiaso.net"
+ recordTTL: 3600
+ recordType: CNAME
+ targets:
+ - files.xeiaso.net.fly.storage.tigris.dev
\ No newline at end of file
diff --git a/kube/alrest/gitea/deployment.yaml b/kube/alrest/gitea/deployment.yaml
index 70c29a3..6af7492 100644
--- a/kube/alrest/gitea/deployment.yaml
+++ b/kube/alrest/gitea/deployment.yaml
@@ -150,7 +150,7 @@ spec:
 mountPath: "/xe/pki"
 readOnly: true
 - name: anubis
- image: ghcr.io/xe/x/anubis:latest
+ image: ghcr.io/techarohq/anubis:pr-19
 imagePullPolicy: Always
 env:
 - name: "BIND"
diff --git a/kube/alrest/pocket-id/deployment.yaml b/kube/alrest/pocket-id/deployment.yaml
index 78349d2..707936c 100644
--- a/kube/alrest/pocket-id/deployment.yaml
+++ b/kube/alrest/pocket-id/deployment.yaml
@@ -20,7 +20,7 @@ spec:
 claimName: pocket-id
 containers:
 - name: main
- image: ghcr.io/pocket-id/pocket-id:v0.40.0
+ image: ghcr.io/pocket-id/pocket-id:v0.43.1
 imagePullPolicy: IfNotPresent
 securityContext:
 runAsUser: 1000
diff --git a/kube/alrest/vclus/cipra/anubistest/anubis/botPolicies.json b/kube/alrest/vclus/cipra/anubistest/anubis/botPolicies.json
new file mode 100644
index 0000000..8ca88e1
--- /dev/null
+++ b/kube/alrest/vclus/cipra/anubistest/anubis/botPolicies.json
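Review bot: The CNAME target `files.xeiaso.net.fly.storage.tigris.dev` in the new DNSEndpoint is a third-party storage hostname, and nothing in the manifest records which bucket the record depends on. If that bucket is ever deleted or renamed while the record stays in the cluster, the name dangles and could end up serving content from whoever next claims the same bucket name. I would add a comment above `targets:` along the lines of `# points at the Tigris bucket for files.xeiaso.net; remove this record before retiring the bucket` (bucket name presumed from the hostname).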
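Review bot: The anubis sidecar in `gitea/deployment.yaml` now runs `ghcr.io/techarohq/anubis:pr-19`, a mutable tag that looks like a pull-request build, and the unchanged `imagePullPolicy: Always` below it means every pod restart pulls whatever that tag points to at that moment. Pin the image by digest, e.g. `image: ghcr.io/techarohq/anubis:pr-19@sha256:<digest-placeholder>`, so that a rebuilt or retargeted tag cannot change what runs in front of Gitea without a commit here. The same applies to the two `:latest` images with `imagePullPolicy: Always` added in `anubistest/deployment.yaml`. The container spec starts and ends outside this hunk.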
@@ -0,0 +1,64 @@
+{
+ "bots": [
+ {
+ "name": "amazonbot",
+ "user_agent_regex": "Amazonbot",
+ "action": "DENY"
+ },
+ {
+ "name": "googlebot",
+ "user_agent_regex": "\\+http\\:\\/\\/www\\.google\\.com/bot\\.html",
+ "action": "ALLOW"
+ },
+ {
+ "name": "bingbot",
+ "user_agent_regex": "\\+http\\:\\/\\/www\\.bing\\.com/bingbot\\.htm",
+ "action": "ALLOW"
+ },
+ {
+ "name": "us-artificial-intelligence-scraper",
+ "user_agent_regex": "\\+https\\:\\/\\/github\\.com\\/US-Artificial-Intelligence\\/scraper",
+ "action": "DENY"
+ },
+ {
+ "name": "well-known",
+ "path_regex": "^/.well-known/.*$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "favicon",
+ "path_regex": "^/favicon.ico$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "robots-txt",
+ "path_regex": "^/robots.txt$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "rss-readers",
+ "path_regex": ".*\\.(rss|xml|atom|json)$",
+ "action": "ALLOW"
+ },
+ {
+ "name": "lightpanda",
+ "user_agent_regex": "^Lightpanda/.*$",
+ "action": "DENY"
+ },
+ {
+ "name": "headless-chrome",
+ "user_agent_regex": "HeadlessChrome",
+ "action": "DENY"
+ },
+ {
+ "name": "headless-chromium",
+ "user_agent_regex": "HeadlessChromium",
+ "action": "DENY"
+ },
+ {
+ "name": "generic-browser",
+ "user_agent_regex": "Mozilla",
+ "action": "CHALLENGE"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/kube/alrest/vclus/cipra/anubistest/deployment.yaml b/kube/alrest/vclus/cipra/anubistest/deployment.yaml
new file mode 100644
index 0000000..e97d9e3
--- /dev/null
+++ b/kube/alrest/vclus/cipra/anubistest/deployment.yaml
@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: anubistest
+ labels:
+ xeiaso.net/thing: http
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ xeiaso.net/thing: http
+ template:
+ metadata:
+ labels:
+ xeiaso.net/thing: http
+ spec:
+ securityContext:
+ fsGroup: 1000
+ volumes:
+ - name: anubis
+ configMap:
+ name: anubis-cfg
+ containers:
+ - name: main
+ image: ghcr.io/xe/x/httpdebug:latest
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: "500m"
+ memory: "256Mi"
+ requests:
+ cpu: "250m"
+ memory: "128Mi"
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ - name: ssh
+ containerPort: 2222
+ protocol: TCP
+ - name: anubis
+ image: reg.xeiaso.net/x/anubis:latest
+ imagePullPolicy: Always
+ env:
+ - name: "BIND"
+ value: ":8080"
+ - name: "DIFFICULTY"
+ value: "4"
+ - name: "METRICS_BIND"
+ value: ":9090"
+ - name: "POLICY_FNAME"
+ value: "/xe/cfg/anubis/botPolicies.json"
+ - name: "SERVE_ROBOTS_TXT"
+ value: "true"
+ - name: "TARGET"
+ value: ""
+ - name: "SLOG_LEVEL"
+ value: "debug"
+ volumeMounts:
+ - name: anubis
+ mountPath: /xe/cfg/anubis
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
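Review bot: The `googlebot` and `bingbot` rules in `botPolicies.json` ALLOW on `user_agent_regex` alone, and the User-Agent header is chosen by the client, so any client sending those strings is exempted from the CHALLENGE that `generic-browser` would presumably apply otherwise. The `rss-readers` rule likewise allows every path ending in `.rss`, `.xml`, `.atom` or `.json` for any requester, which exempts every JSON or XML endpoint on the backend and not only feeds. If the policy format can tie a rule to source addresses, use that for the crawler rules, and narrow the feed rule to the real feed paths. The dots in `^/favicon.ico$`, `^/robots.txt$` and `^/.well-known/.*$` are unescaped and match any character; the user-agent rules already write `\\.`.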
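Review bot: `selector.matchLabels` and the pod template in `anubistest/deployment.yaml` carry only `xeiaso.net/thing: http`, a label generic enough that other workloads may share it, and `kustomization.yaml` places everything in the `default` namespace. `service.yaml` selects on the same single label, so any other pod in `default` with that label would receive traffic for ports 3000 and 8080, and the Deployment selector could overlap with another controller's pods. Add an app-specific label such as `app.kubernetes.io/name: anubistest` to the template labels and to both selectors. Separately, `TARGET` is `""` and `SLOG_LEVEL` is `debug`; a comment stating that both are deliberate for the experiment would keep them from being copied into a real deployment.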
diff --git a/kube/alrest/vclus/cipra/anubistest/ingress.yaml b/kube/alrest/vclus/cipra/anubistest/ingress.yaml
new file mode 100644
index 0000000..c0ce936
--- /dev/null
+++ b/kube/alrest/vclus/cipra/anubistest/ingress.yaml
@@ -0,0 +1,47 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: anubistest
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ nginx.ingress.kubernetes.io/proxy-body-size: 2048g
+ #nginx.ingress.kubernetes.io/auth-url: "https://$host/.within.website/x/cmd/anubis/api/check"
+ #nginx.ingress.kubernetes.io/auth-signin: "http://$host/.within.website/?redir=$scheme://$host$request_uri"
+
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - anubistest.xelaso.net
+ secretName: anubistest-xelaso-net-public-tls
+ rules:
+ - host: anubistest.xelaso.net
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: anubistest
+ port:
+ name: http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: anubistest-anubis
+
+spec:
+ ingressClassName: nginx
+
+ rules:
+ - host: anubistest.xelaso.net
+ http:
+ paths:
+ - pathType: ImplementationSpecific
+ path: "/.within.website"
+ backend:
+ service:
+ name: anubistest
+ port:
+ name: anubis
diff --git a/kube/alrest/vclus/cipra/anubistest/kustomization.yaml b/kube/alrest/vclus/cipra/anubistest/kustomization.yaml
new file mode 100644
index 0000000..4a96b4c
--- /dev/null
+++ b/kube/alrest/vclus/cipra/anubistest/kustomization.yaml
@@ -0,0 +1,12 @@
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
+
+namespace: default
+
+configMapGenerator:
+- name: anubis-cfg
+ behavior: create
+ files:
+ - ./anubis/botPolicies.json
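Review bot: The `/` rule in the first Ingress of `ingress.yaml` routes to service port `http` (target port 3000, the httpdebug container) while both `auth-url` and `auth-signin` annotations are commented out, so nothing in this manifest puts Anubis in the request path; only `/.within.website` reaches it. If that is intended for the experiment, say so in a comment beside the disabled annotations, and note that the disabled `auth-signin` value uses `http://` where `auth-url` uses `https://`. `proxy-body-size: 2048g` lets a publicly routed test host accept very large request bodies; a debug endpoint probably needs far less, and the value should be quoted like the annotation above it, e.g. `nginx.ingress.kubernetes.io/proxy-body-size: "8m"`.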
\ No newline at end of file
diff --git a/kube/alrest/vclus/cipra/anubistest/service.yaml b/kube/alrest/vclus/cipra/anubistest/service.yaml
new file mode 100644
index 0000000..410e3ea
--- /dev/null
+++ b/kube/alrest/vclus/cipra/anubistest/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: anubistest
+spec:
+ selector:
+ xeiaso.net/thing: http
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 3000
+ name: http
+ - name: anubis
+ port: 8080
+ targetPort: 8080
+ protocol: TCP
+ type: ClusterIP |
