

  1. apiVersion: v1
  2. kind: ConfigMap
  3. metadata:
  4. name: core-config
  5. namespace: nginx
  6. data:
  7. nginx.conf: |
  8. events {
  9. }
  10. http {
  11. include /etc/nginx/mime.types;
  12. default_type application/octet-stream;
  13. sendfile on;
  14. # send access logs to graylog
  15. log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
  16. '"remote_addr": "$remote_addr", '
  17. '"body_bytes_sent": $body_bytes_sent, '
  18. '"request_time": $request_time, '
  19. '"response_status": $status, '
  20. '"request": "$request", '
  21. '"request_method": "$request_method", '
  22. '"host": "$host",'
  23. '"upstream_cache_status": "$upstream_cache_status",'
  24. '"upstream_addr": "$upstream_addr",'
  25. '"http_x_forwarded_for": "$http_x_forwarded_for",'
  26. '"http_referrer": "$http_referer", '
  27. '"http_user_agent": "$http_user_agent" }';
  28. access_log syslog:server=logs.tobias-huebner.org:12401 graylog2_json;
  29. keepalive_timeout 65;
  30. include /etc/nginx/conf.d/*.conf;
  31. resolver 10.2.0.10 valid=60s;
  32. # https redirect
  33. server {
  34. listen 80 default_server;
  35. server_name _;
  36. return 301 https://$host$request_uri;
  37. }
  38. }
  39. ---
  40. apiVersion: v1
  41. kind: ConfigMap
  42. metadata:
  43. name: sites-config
  44. namespace: nginx
  45. data:
  46. # certificates for all my domains
  47. ssl.conf: |
  48. ssl_certificate /master-cert/tls.crt;
  49. ssl_certificate_key /master-cert/tls.key;
  50. nexus_jitcom.WAITING_conf: |
  51. server {
  52. listen 443 ssl;
  53. listen [::]:443 ssl;
  54. server_name nexus.tobias-huebner.org;
  55. client_max_body_size 1G;
  56. include /etc/nginx/conf.d/ssl.conf;
  57. location / {
  58. proxy_pass http://nexus.jitcom:8081;
  59. # private jitcom docker registry listens on 8080
  60. if ($http_user_agent ~ docker ) {
  61. proxy_pass http://nexus.jitcom:8080;
  62. }
  63. proxy_set_header Host $host;
  64. proxy_set_header X-Real-IP $remote_addr;
  65. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  66. proxy_set_header X-Forwarded-Proto "https";
  67. }
  68. }
  69. rocket.conf: |
  70. server {
  71. listen 443 ssl;
  72. listen [::]:443 ssl;
  73. server_name rocket.tobias-huebner.org;
  74. include /etc/nginx/conf.d/ssl.conf;
  75. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  76. client_max_body_size 1G;
  77. location / {
  78. set $endpoint http://chat.rocket.svc.cluster.local;
  79. proxy_pass $endpoint$request_uri;
  80. proxy_set_header Upgrade $http_ugrade;
  81. proxy_set_header Connection "upgrade";
  82. proxy_set_header Host $http_host;
  83. proxy_set_header X-Real-IP $remote_addr;
  84. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  85. proxy_set_header X-Forwarded-Proto https;
  86. proxy_set_header X-Nginx-Proxy true;
  87. proxy_redirect off;
  88. }
  89. }
  90. nexus_th.conf: |
  91. server {
  92. listen 443 ssl;
  93. listen [::]:443 ssl;
  94. server_name nexus.tobias-huebner.org;
  95. client_max_body_size 1G;
  96. include /etc/nginx/conf.d/ssl.conf;
  97. location / {
  98. # needs to be a variable so that the resolver kicks in, weird but that it is what it is
  99. set $endpoint http://nexus.tobias-huebner.svc.cluster.local;
  100. proxy_pass $endpoint:8081$request_uri;
  101. # tobias huebner docker registry listens on 8090
  102. if ($http_user_agent ~ docker ) {
  103. proxy_pass $endpoint:8090$request_uri;
  104. }
  105. proxy_set_header Host $host;
  106. proxy_set_header X-Real-IP $remote_addr;
  107. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  108. proxy_set_header X-Forwarded-Proto "https";
  109. }
  110. }
  111. ghost_th.conf: |
  112. server {
  113. listen 443 ssl;
  114. listen [::]:443 ssl;
  115. server_name blog.tobias-huebner.org;
  116. client_max_body_size 1G;
  117. include /etc/nginx/conf.d/ssl.conf;
  118. location / {
  119. # needs to be a variable so that the resolver kicks in, weird but that it is what it is
  120. set $endpoint http://ghost.tobias-huebner.svc.cluster.local;
  121. proxy_pass $endpoint$request_uri;
  122. proxy_set_header Host $host;
  123. proxy_set_header X-Real-IP $remote_addr;
  124. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  125. proxy_set_header X-Forwarded-Proto "https";
  126. }
  127. }
  128. wiki_th.conf: |
  129. server {
  130. listen 443 ssl;
  131. listen [::]:443 ssl;
  132. include /etc/nginx/conf.d/ssl.conf;
  133. server_name wiki.tobias-huebner.org;
  134. location / {
  135. set $endpoint http://wiki.tobias-huebner.svc.cluster.local;
  136. proxy_pass $endpoint$request_uri;
  137. proxy_set_header Host $http_host;
  138. proxy_set_header X-Real-IP $remote_addr;
  139. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  140. proxy_set_header X-Forwarded-Proto $scheme;
  141. }
  142. }
  143. wiki_jitcom.WAITING_conf: |
  144. server {
  145. listen 443 ssl;
  146. listen [::]:443 ssl;
  147. include /etc/nginx/conf.d/ssl.conf;
  148. server_name wiki.jitcom.info;
  149. location / {
  150. proxy_pass http://wiki.jitcom.info;
  151. proxy_set_header Host $http_host;
  152. proxy_set_header X-Real-IP $remote_addr;
  153. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  154. proxy_set_header X-Forwarded-Proto $scheme;
  155. }
  156. }
  157. logs_th.conf: |
  158. server {
  159. listen 443 ssl;
  160. listen [::]:443 ssl;
  161. include /etc/nginx/conf.d/ssl.conf;
  162. server_name logs.tobias-huebner.org;
  163. location / {
  164. set $endpoint http://graylog.graylog.svc.cluster.local:9000;
  165. proxy_pass $endpoint$request_uri;
  166. }
  167. }
  168. gitea_th.conf: |
  169. server {
  170. listen 443 ssl;
  171. listen [::]:443 ssl;
  172. client_max_body_size 1G;
  173. include /etc/nginx/conf.d/ssl.conf;
  174. server_name gitea.tobias-huebner.org;
  175. location / {
  176. set $endpoint http://gitea.tobias-huebner.svc.cluster.local;
  177. proxy_pass $endpoint$request_uri;
  178. }
  179. }
  180. gitea_jitcom.conf: |
  181. server {
  182. listen 443 ssl;
  183. listen [::]:443 ssl;
  184. client_max_body_size 1G;
  185. include /etc/nginx/conf.d/ssl.conf;
  186. server_name gitea.jitcom.info;
  187. location / {
  188. set $endpoint http://gitea.jitcom.svc.cluster.local;
  189. proxy_pass $endpoint$request_uri;
  190. }
  191. }
  192. homepage_th.conf: |
  193. server {
  194. listen 443 ssl;
  195. listen [::]:443 ssl;
  196. client_max_body_size 1G;
  197. server_name tobias-huebner.org;
  198. include /etc/nginx/conf.d/ssl.conf;
  199. location / {
  200. set $endpoint http://nginx.tobias-huebner.svc.cluster.local;
  201. proxy_pass $endpoint$request_uri;
  202. }
  203. location /api {
  204. set $endpoint http://th-api.tobias-huebner.svc.cluster.local;
  205. proxy_pass $endpoint$request_uri;
  206. }
  207. }
  208. ---
  209. apiVersion: apps/v1
  210. kind: Deployment
  211. metadata:
  212. namespace: nginx
  213. name: nginx
  214. spec:
  215. selector:
  216. matchLabels:
  217. app: nginx
  218. replicas: 1
  219. template:
  220. metadata:
  221. labels:
  222. app: nginx
  223. spec:
  224. containers:
  225. - name: nginx
  226. image: nginx:1.14.2
  227. volumeMounts:
  228. - name: master-cert
  229. mountPath: /master-cert
  230. - name: sites-config
  231. mountPath: /etc/nginx/conf.d
  232. - name: core-config
  233. mountPath: /etc/nginx/nginx.conf
  234. subPath: nginx.conf
  235. volumes:
  236. - name: master-cert
  237. secret:
  238. secretName: master-cert
  239. - name: core-config
  240. configMap:
  241. name: core-config
  242. - name: sites-config
  243. configMap:
  244. name: sites-config
  245. ---
  246. apiVersion: v1
  247. kind: Service
  248. metadata:
  249. name: svc-v6
  250. namespace: nginx
  251. spec:
  252. externalIPs:
  253. - 2a02:8106:33:3300::112
  254. - 2a02:8106:33:3300::80
  255. ipFamily: IPv6
  256. ports:
  257. - name: https
  258. protocol: TCP
  259. port: 443
  260. targetPort: 443
  261. - name: http
  262. protocol: TCP
  263. port: 80
  264. targetPort: 80
  265. selector:
  266. app: nginx
  267. ---
  268. apiVersion: v1
  269. kind: Service
  270. metadata:
  271. name: svc-v4
  272. namespace: nginx
  273. spec:
  274. selector:
  275. app: nginx
  276. externalIPs:
  277. - 10.0.0.80
  278. ipFamily: IPv4
  279. ports:
  280. - name: https
  281. protocol: TCP
  282. port: 443
  283. targetPort: 443
  284. - name: http
  285. protocol: TCP
  286. port: 80
  287. targetPort: 80