eed771ad4d
Signed-off-by: magic_rb <magic_rb@redalder.org>
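{
  pkgs,
  inputs,
  uterranix-lib,
  elib,
  config,
  ...
}: let
  inherit
    (uterranix-lib)
    tf
    ;
  inherit
    (elib)
    copyNixNGImage
    ;

  # The one public address this module hands out. It appears in the MetalLB
  # pool, as the Gateway's requested address and in the MetalLB shared-IP
  # annotation; binding it once keeps the three from drifting apart.
  websiteAddress = "172.26.96.2";
in {
  # Builds the NixNG website image and copies it to the listed hosts. The
  # Deployment below refers to the resulting image through a Terraform data
  # source (presumably created by copyNixNGImage; verify against elib).
  imports = [
    (copyNixNGImage {
      name = "website";
      image =
        (inputs.nix-snapshotter.packages.${pkgs.stdenv.system}.nix-snapshotter.buildImage {
          name = "website";
          resolvedByNix = true;
          config.entrypoint = ["${inputs.self.nixngConfigurations.website.config.system.build.toplevel}/init"];
        })
        .image;
      hosts = [
        "blowhole.hosts.in.redalder.org"
      ];
    })
  ];

  # Namespace that holds the Gateway and the HTTPRoute.
  resource."kubernetes_namespace"."ingress" = {
    metadata = {
      name = "ingress";

      labels = {
        # The website Gateway only admits routes from namespaces carrying
        # this label (see `allowedRoutes` on the Gateway). The website's
        # HTTPRoute lives here, so this namespace must be labelled too.
        visibility = "public";
        # has to be kept in sync with `prepare` profile
        "istio.io/rev" = config.uk3s.istio.revision;
      };
    };
  };

  # Namespace that holds the website workload and its Service.
  resource."kubernetes_namespace"."website" = {
    metadata = {
      name = "website";

      labels = {
        visibility = "public";
        # has to be kept in sync with `prepare` profile
        "istio.io/rev" = config.uk3s.istio.revision;
      };
    };
  };

  # Single-address pool from which MetalLB assigns the Gateway its IP.
  resource."kubernetes_manifest"."metallb-pool" = {
    manifest = {
      apiVersion = "metallb.io/v1beta1";
      kind = "IPAddressPool";
      metadata = {
        name = "first-pool";
        namespace = "metallb-system";
      };
      spec = {
        addresses = [
          "${websiteAddress}/32"
        ];
      };
    };
  };

  resource."kubernetes_manifest"."website-deployment" = {
    manifest = {
      apiVersion = "apps/v1";
      kind = "Deployment";
      metadata = {
        name = "website";
        namespace = "website";
        labels = {
          app = "website";
        };
      };
      spec = {
        replicas = 3;
        selector = {
          matchLabels = {
            app = "website";
          };
        };
        template = {
          metadata = {
            labels = {
              app = "website";
            };
            annotations = {
              # Sidecar traffic capture mode; paired with the NixNG image's
              # own init, so keep in step with the image if changed.
              "sidecar.istio.io/interceptionMode" = "TPROXY";
            };
          };
          spec = {
            containers = [
              {
                name = "nginx";
                # Image reference is only known after Terraform has run the
                # external data source, hence the `tf` reference.
                image =
                  tf "data.external.nixng-image-website.result.out";
                ports = [
                  {
                    containerPort = 80;
                  }
                ];
              }
            ];
          };
        };
      };
    };
  };

  resource."kubernetes_manifest"."website-service" = {
    manifest = {
      apiVersion = "v1";
      kind = "Service";
      metadata = {
        name = "website";
        namespace = "website";
      };
      spec = {
        ports = [
          {
            port = 80;
            protocol = "TCP";
            targetPort = 80;
          }
        ];
        selector = {
          app = "website";
        };
      };
    };
  };

  # Public HTTP entry point, served by Istio's Gateway API implementation.
  resource."kubernetes_manifest"."website-gateway" = {
    manifest = {
      apiVersion = "gateway.networking.k8s.io/v1";
      kind = "Gateway";
      metadata = {
        name = "website";
        namespace = "ingress";
      };
      spec = {
        gatewayClassName = "istio";
        listeners = [
          {
            name = "http";
            # Gateway API `listeners[].port` is an integer (PortNumber);
            # the other port fields in this module are integers as well.
            port = 80;
            protocol = "HTTP";
            allowedRoutes = {
              namespaces = {
                # `selector` is only honoured when `from` is "Selector";
                # with "All" the selector is ignored and any namespace in
                # the cluster could attach routes to this public listener.
                from = "Selector";
                selector.matchLabels.visibility = "public";
              };
            };
          }
        ];
        addresses = [
          {
            type = "IPAddress";
            value = websiteAddress;
          }
        ];
        infrastructure = {
          annotations = {
            "metallb.universe.tf/allow-shared-ip" = websiteAddress;
          };
        };
      };
    };
  };

  # Lets the HTTPRoute in `ingress` reference the Service in `website`.
  # This governs backend references only; which namespaces may attach
  # routes to the Gateway is controlled by `allowedRoutes` above.
  resource."kubernetes_manifest"."website-reference-grant" = {
    manifest = {
      # NOTE(review): ReferenceGrant has been served as v1beta1 for a while;
      # confirm v1alpha2 is still served by the installed Gateway API CRDs.
      apiVersion = "gateway.networking.k8s.io/v1alpha2";
      kind = "ReferenceGrant";
      metadata = {
        name = "website";
        namespace = "website";
      };
      spec = {
        from = [
          {
            group = "gateway.networking.k8s.io";
            kind = "HTTPRoute";
            namespace = "ingress";
          }
        ];
        to = [
          {
            group = "";
            kind = "Service";
            name = "website";
          }
        ];
      };
    };
  };

  # Workload-side policy: only read-only requests arriving from the
  # `ingress` namespace (i.e. via the Gateway) reach the website pods.
  # With an ALLOW policy present, anything not matched by a rule is denied.
  resource."kubernetes_manifest"."website_authorization_policy" = {
    manifest = {
      apiVersion = "security.istio.io/v1";
      kind = "AuthorizationPolicy";
      metadata = {
        name = "website";
        namespace = "website";
      };
      spec = {
        action = "ALLOW";
        rules = [
          {
            from = [
              {
                source = {
                  namespaces = ["ingress"];
                };
              }
            ];
            to = [
              {
                operation = {
                  methods = ["GET"];
                  paths = ["/*"];
                };
              }
            ];
          }
        ];
        selector = {
          matchLabels.app = "website";
        };
      };
    };
  };

  # Gateway-side policy: the public listener accepts any client.
  resource."kubernetes_manifest"."ingress_authorization_policy" = {
    manifest = {
      apiVersion = "security.istio.io/v1";
      kind = "AuthorizationPolicy";
      metadata = {
        name = "ingress";
        namespace = "ingress";
      };
      spec = {
        action = "ALLOW";
        rules = [
          {
            from = [
              {
                source = {
                  # IPv4 only; if the cluster ever exposes IPv6, "::/0"
                  # has to be added or those clients are denied.
                  ipBlocks = ["0.0.0.0/0"];
                };
              }
            ];
            to = [
              {
                operation = {
                  methods = ["*"];
                  paths = ["/*"];
                };
              }
            ];
          }
        ];
      };
    };
  };

  # Routes redalder.org on the website Gateway to the Service in `website`.
  resource."kubernetes_manifest"."website-httproute" = {
    manifest = {
      apiVersion = "gateway.networking.k8s.io/v1";
      kind = "HTTPRoute";
      metadata = {
        name = "website";
        namespace = "ingress";
      };
      spec = {
        parentRefs = [
          {name = "website";}
        ];
        hostnames = ["redalder.org"];
        rules = [
          {
            backendRefs = [
              {
                name = "website";
                namespace = "website";
                port = 80;
              }
            ];
          }
        ];
      };
    };
  };
}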